- Internal vulnerability scanners only audit assets you know about. Attackers work from the full list the internet can see.
- Certificate transparency logs, Shadow IT, and abandoned infrastructure expand your external footprint without updating your inventory.
- Continuous EASM discovery paired with ownership assignment is the only way to close the gap between what you think you own and what is actually exposed.
The penetration tester found your forgotten subdomain in 11 minutes. Your team had not touched it in three years. It was still running an unpatched version of Apache Struts.
In 2017, Equifax lost the personal data of roughly 147 million people through CVE-2017-5638, an Apache Struts vulnerability for which a patch had been available for about two months before the intrusion began. The vulnerable system was a public-facing consumer dispute portal, and the internal patch notice never reached the people who administered it. The asset existed. It was internet-facing. It was not on the list of things anyone was responsible for patching.
Your internal vulnerability scanner audits the assets you know about. External Attack Surface Management tools audit what the internet sees when it looks at your organization.
Attackers work the second list.
What Is External Attack Surface Management
External Attack Surface Management (EASM) is the continuous process of discovering, cataloging, and monitoring every internet-facing asset tied to your organization, whether or not that asset appears in your internal inventory.
The distinction between EASM and traditional vulnerability scanning matters because traditional scanning starts with a known list of IP addresses and hostnames. You point the scanner at the assets in your CMDB and it tells you what is wrong with them. If an asset is not in the list, it does not get scanned. It does not get patched. It does not get monitored.
EASM works in the opposite direction. It starts from the outside, the way an attacker does, and asks: “What can the internet see that belongs to this organization?” The answer is larger than what most IT teams expect.
Common discovery methods include:
- DNS enumeration and subdomain brute-forcing. Resolving candidate names from wordlists, attempting zone transfers, and mining passive DNS datasets reveal subdomains that may not appear in any internal documentation.
- Certificate transparency (CT) log analysis. Every certificate issued by a publicly trusted certificate authority is logged in publicly searchable CT logs. That includes certificates for dev environments, staging servers, proof-of-concept demos, and internal tools that were never meant to be internet-facing. Two limits apply: a wildcard certificate reveals only the parent zone, not the hosts beneath it, and certificates from a private CA are never logged.
- Autonomous System Number (ASN) mapping. Identifying the IP ranges registered to your organization and then scanning those ranges for services.
- WHOIS and reverse-WHOIS lookups. Finding domains registered to your organization by matching registrant data (organization name, contact e-mail, name servers) across registration records. Registrant redaction since 2018 has masked most current records, so reverse lookups lean on historical WHOIS data and on shared name-server and registrar patterns.
- Banner grabbing and service fingerprinting. Identifying the software version, operating system, and configuration of every exposed service.
Tools like Censys, Shodan, SecurityTrails, and commercial platforms from Mandiant, CrowdStrike, and Palo Alto Networks automate this discovery at scale. The output is a map of what your organization exposes to the internet, including the assets your team forgot they deployed.
The Gap Between Your Inventory and Your Actual Exposure
Vendor surveys routinely report that enterprises have substantially more internet-facing assets than their IT teams track, with figures in the 30 to 40 percent range common. That gap comes from three sources.
Abandoned Infrastructure
A test server on a subdomain registered by an engineer who left two years ago is still your attack surface. So is the staging environment that was supposed to be temporary but never got decommissioned. So is the marketing microsite launched for a 2022 campaign that no one thought to shut down.
These assets accumulate without anyone noticing. No ticket gets filed when they become stale. No alert fires when their software falls behind on patches. They sit in the infrastructure unmonitored until someone with a scanner and bad intentions finds them.
The Equifax breach is the textbook case, but it is far from unique. When the 2023 MOVEit Transfer vulnerability (CVE-2023-34362) was exploited at scale, many organizations spent the first days of response simply establishing whether they ran the product at all, and some found internet-facing instances that no current team owned. The 2020 SolarWinds compromise is often cited alongside these, but it was a poisoned build pipeline, a supply-chain failure rather than a forgotten external asset, and the lesson it teaches is about build integrity rather than inventory.
Shadow IT
Shadow IT is any technology resource provisioned outside the IT department’s approval and management process. A department head signs up for a SaaS platform using a corporate credit card. A developer spins up a cloud instance for a proof of concept and forgets about it. A sales team integrates a third-party API with the CRM without a security review.
Each of these actions expands the organization’s external footprint without updating the asset inventory. Your security team cannot protect what it does not know exists. The people who provisioned those resources were solving for speed, not permanence, and security was not part of the decision.
Shadow IT is a structural consequence of procurement speed. If it takes six weeks to get a cloud instance through the approved process and six minutes to spin one up on a personal AWS account, the business will choose six minutes. Your security program has to account for that gap.
Certificate Transparency Exposure
Certificate transparency logs are a double-edged tool. They were created to prevent fraudulent certificate issuance, and they work well for that purpose. But they also create a publicly searchable index of every certificate your organization has ever requested from a public CA.
An attacker can query CT logs and immediately get a list of every subdomain you have ever provisioned a certificate for. That list includes the subdomains you decommissioned but forgot to remove from DNS, some of which now point at cloud resources you no longer control and are candidates for subdomain takeover. It includes internal names that leak information about your infrastructure architecture. It includes the dev and staging servers that were supposed to be internal-only but got a public certificate because someone needed HTTPS for a demo.
CT log reconnaissance takes less than a minute. Most modern external reconnaissance workflows start here.
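A concrete version of that first step, added here as an example and not code from the original article: the script below parses a constructed sample in the shape of crt.sh's JSON output (one object per log entry, with the certificate's names newline-separated in name_value), normalizes the names, drops lookalikes that merely contain your domain, records wildcard entries separately, and diffs the result against a CMDB export. The hostnames, dates and inventory are invented. It serves the CT bullet in the discovery-methods list above as well as this section.

```python
"""Certificate transparency records -> external-asset gap list.

Added example, not the article's own code. SAMPLE_CT_JSON is a constructed
sample in the shape of crt.sh's JSON output (https://crt.sh/?q=%25.example.com&output=json);
the hostnames, dates and inventory below are invented for illustration.
"""
import json
from datetime import datetime

SAMPLE_CT_JSON = r"""[
  {"id": 1, "common_name": "www.example.com",
   "name_value": "www.example.com\nexample.com",
   "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T00:00:00"},
  {"id": 2, "common_name": "staging.example.com",
   "name_value": "staging.example.com",
   "not_before": "2021-03-01T00:00:00", "not_after": "2022-03-01T00:00:00"},
  {"id": 3, "common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\ndev.example.com",
   "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
  {"id": 4, "common_name": "demo-2022.example.com",
   "name_value": "DEMO-2022.Example.com.\ndemo-2022.example.com",
   "not_before": "2022-02-01T00:00:00", "not_after": "2022-05-01T00:00:00"},
  {"id": 5, "common_name": "example.com.evil.test",
   "name_value": "example.com.evil.test",
   "not_before": "2024-01-01T00:00:00", "not_after": "2025-01-01T00:00:00"}
]"""

# Constructed stand-in for a CMDB export: the only hosts the IT team tracks.
INVENTORY = ["www.example.com", "example.com"]


def hostnames_from_ct(records, domain):
    """Map each in-scope hostname to the latest certificate expiry seen for it.

    Names are lower-cased and stripped of trailing dots. Only ``domain`` itself and
    names ending in ``.domain`` are kept, so ``example.com.evil.test`` is dropped.
    Wildcards are returned separately: ``*.dev.example.com`` proves a ``dev`` zone
    exists but hides every host beneath it, so those zones need DNS brute-forcing.
    """
    domain = domain.lower().rstrip(".")
    hosts, wildcard_zones = {}, set()
    for rec in records:
        expiry = datetime.fromisoformat(rec["not_after"])
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            is_wildcard = name.startswith("*.")
            if is_wildcard:
                name = name[2:]
            if name != domain and not name.endswith("." + domain):
                continue
            if is_wildcard:
                wildcard_zones.add(name)
            elif name not in hosts or expiry > hosts[name]:
                hosts[name] = expiry
    return hosts, wildcard_zones


def inventory_gap(hosts, inventory, now):
    """CT-visible names absent from the inventory, oldest certificate first.

    ``expired`` flags names whose newest certificate has lapsed: a strong hint of
    abandonment, not proof. The DNS record may still resolve and the service may
    still answer on a stale or self-signed certificate, so each one needs a look.
    """
    known = {h.lower().rstrip(".") for h in inventory}
    gap = [
        {"host": name, "latest_not_after": expiry.date().isoformat(), "expired": expiry < now}
        for name, expiry in hosts.items()
        if name not in known
    ]
    return sorted(gap, key=lambda g: g["latest_not_after"])


def run(now=datetime(2024, 9, 1)):
    """Parse the sample, compute the gap, and return everything for inspection."""
    hosts, wildcard_zones = hostnames_from_ct(json.loads(SAMPLE_CT_JSON), "example.com")
    return {"hosts": hosts, "wildcard_zones": wildcard_zones,
            "gap": inventory_gap(hosts, INVENTORY, now)}


if __name__ == "__main__":
    result = run()
    for g in result["gap"]:
        print(f"{g['host']:28} newest cert expires {g['latest_not_after']}  expired={g['expired']}")
    print("wildcard zones to enumerate:", sorted(result["wildcard_zones"]))
```

On the sample, three names fall outside the inventory: two with long-expired certificates (the staging server and the 2022 demo site) and the dev zone, which is only known through a wildcard and still has to be expanded with DNS brute-forcing before you know what is actually under it.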
Why Traditional Vulnerability Management Falls Short
Traditional vulnerability management is a critical program. But it has a blind spot that EASM addresses.
The traditional model assumes you know what you own. The process looks like this:
- Maintain an asset inventory (the CMDB).
- Deploy scanners that authenticate against those assets.
- Identify vulnerabilities on known assets.
- Prioritize and patch based on severity and business criticality.
- Report compliance metrics.
This works for the assets in the inventory. The problem is that the inventory is incomplete. New assets get created faster than the CMDB gets updated. Old assets stay in the CMDB long after they are decommissioned, and assets that were never in the CMDB to begin with are invisible to the entire process.
EASM does not replace vulnerability management. It feeds it. The output of an EASM program is a continuously updated list of external assets that the vulnerability management program can then scan, prioritize, and remediate. Without EASM, the vulnerability management program operates on an incomplete picture. With it, the picture gets closer to complete.
Building an EASM Program That Works
EASM is a program, not a tool purchase. It has four operational components.
Continuous Discovery
One-time discovery is better than no discovery. But attack surfaces change fast. New subdomains get created, new cloud instances spin up, new SaaS integrations go live. A point-in-time scan becomes stale within days.
Continuous discovery means running external reconnaissance on a schedule, daily or weekly at minimum, and comparing each scan to the previous one. New assets get flagged for triage. Assets that disappear get investigated (they may have been moved, not removed). Changes in exposed services or software versions get routed to the vulnerability management team.
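The comparison step is where most of the value lives, so here is what it looks like in code. This is an added example, not tooling from the original article: two constructed discovery snapshots (host, IP, port, product, version) are diffed, and each change is tagged with the queue it should land in, so that new hosts go to ownership assignment, new or changed services go to vulnerability management, and anything that vanished or moved gets investigated rather than assumed gone.

```python
"""Diff two external discovery snapshots and route each change to a queue.

Added example, not tooling from the original article. YESTERDAY and TODAY are
constructed observations (host, ip, port, product, version); a real run would
load consecutive scan outputs in whatever format your scanner emits.
"""
from collections import defaultdict

YESTERDAY = [
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.26.1"},
    {"host": "api.example.com", "ip": "203.0.113.11", "port": 443, "product": "nginx", "version": "1.26.1"},
    {"host": "staging.example.com", "ip": "203.0.113.20", "port": 443, "product": "Apache httpd", "version": "2.4.41"},
    {"host": "staging.example.com", "ip": "203.0.113.20", "port": 22, "product": "OpenSSH", "version": "8.2p1"},
]
TODAY = [
    {"host": "www.example.com", "ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.26.1"},
    {"host": "api.example.com", "ip": "198.51.100.5", "port": 443, "product": "nginx", "version": "1.27.0"},
    {"host": "staging.example.com", "ip": "203.0.113.20", "port": 443, "product": "Apache httpd", "version": "2.4.41"},
    {"host": "staging.example.com", "ip": "203.0.113.20", "port": 8080, "product": "Jetty", "version": "9.4.30"},
    {"host": "demo-2022.example.com", "ip": "203.0.113.30", "port": 80, "product": "Apache httpd", "version": "2.4.29"},
]


def index(snapshot):
    """Group observations per host: {"ips": set, "services": {port: (product, version)}}."""
    hosts = defaultdict(lambda: {"ips": set(), "services": {}})
    for obs in snapshot:
        entry = hosts[obs["host"].lower().rstrip(".")]
        entry["ips"].add(obs["ip"])
        entry["services"][obs["port"]] = (obs["product"], obs["version"])
    return hosts


def diff_snapshots(previous, current):
    """Return triage events; ``queue`` says which team or workflow gets each one."""
    before, after = index(previous), index(current)
    events = []
    for host in sorted(set(before) | set(after)):
        if host not in before:
            events.append({"host": host, "kind": "new_asset", "queue": "itsm:ownership",
                           "detail": sorted(after[host]["services"].items())})
            continue
        if host not in after:
            # Gone from the scan is not the same as decommissioned: it may have moved
            # to a range or provider you are not yet scanning.
            events.append({"host": host, "kind": "disappeared", "queue": "investigate",
                           "detail": "no longer observed; confirm decommission vs. move"})
            continue
        b, a = before[host], after[host]
        if a["ips"] != b["ips"]:
            events.append({"host": host, "kind": "moved", "queue": "investigate",
                           "detail": f"{sorted(b['ips'])} -> {sorted(a['ips'])}"})
        for port, svc in sorted(a["services"].items()):
            if port not in b["services"]:
                events.append({"host": host, "kind": "new_service", "queue": "vulnmgmt",
                               "detail": f"{port}/tcp {svc[0]} {svc[1]}"})
            elif svc != b["services"][port]:
                events.append({"host": host, "kind": "version_change", "queue": "vulnmgmt",
                               "detail": f"{port}/tcp {b['services'][port][1]} -> {svc[1]}"})
        for port in sorted(b["services"].keys() - a["services"].keys()):
            events.append({"host": host, "kind": "service_gone", "queue": "investigate",
                           "detail": f"{port}/tcp no longer answers"})
    return events


if __name__ == "__main__":
    for e in diff_snapshots(YESTERDAY, TODAY):
        print(f"[{e['queue']:14}] {e['kind']:15} {e['host']}: {e['detail']}")
```

On the sample, the API host moved to a new address and changed version, staging lost SSH but grew an exposed Jetty on 8080, and a 2022 demo site appeared that nobody had recorded. The unchanged marketing site generates nothing, which is the point: the diff keeps the queue small enough that a human will actually read it.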
Ownership Assignment
Most EASM programs fail here. Discovery is straightforward. Assignment requires political will.
Every external-facing asset needs a human name next to it. A specific person accountable for patching, monitoring, and decommissioning that asset when it is no longer needed.
An asset with no owner does not get patched. An asset that does not get patched does not get monitored. And an unmonitored asset is how the penetration tester finds it in 11 minutes.
Ownership assignment also forces a decision: is this asset still needed? Many organizations discover through EASM that 20 to 30 percent of their external assets can simply be removed. The cheapest way to secure an asset is to eliminate it.
Risk Scoring and Prioritization
Not every exposed asset carries the same risk. A static marketing page running on a current version of Nginx behind Cloudflare is low risk. A forgotten Jenkins server running a 2019 release with default credentials and no WAF is critical.
Risk scoring should account for:
- Software age and known vulnerabilities. Is the software version associated with any published CVEs?
- Authentication state. Does the service require credentials, or is it open?
- Data sensitivity. Could this asset provide access to PII, financial records, or intellectual property?
- Network position. Does this asset have connectivity to internal systems, or is it isolated?
- Exposure duration. How long has this asset been in its current state without a security review?
Automated risk scoring from EASM tools gives you a starting priority. Human review adds the business context that automation cannot.
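To make the five factors concrete, here is a scoring function that applies them to the two assets contrasted above plus a third in between. This is an added example, not the article's own model or any vendor's: the weights, thresholds, and the three constructed asset records are illustrative assumptions to be tuned to your environment. It also shows the one thing a weighted sum alone gets wrong, which is that a single condition such as default credentials should floor an asset at critical no matter how the other factors add up.

```python
"""Score exposed assets from the five risk factors listed above.

Added example, not the article's own model. The weights, thresholds and the three
sample assets are illustrative assumptions; tune them to your environment.
"""
from datetime import date

TODAY = date(2025, 1, 15)  # fixed so the example is reproducible

# Constructed asset records. ``max_cvss`` and ``cve_count`` would normally come
# from matching the fingerprinted version against a vulnerability feed.
ASSETS = [
    {"name": "marketing-site", "product": "nginx 1.26.1", "released": date(2024, 5, 29),
     "cve_count": 0, "max_cvss": 0.0, "auth": "static", "data": "public",
     "internal_reach": False, "last_review": date(2024, 11, 15), "waf": True},
    {"name": "jenkins-old", "product": "Jenkins (2019 release)", "released": date(2019, 6, 1),
     "cve_count": 12, "max_cvss": 9.8, "auth": "default_creds", "data": "ip",
     "internal_reach": True, "last_review": date(2021, 2, 1), "waf": False},
    {"name": "partner-api", "product": "custom API", "released": date(2023, 1, 10),
     "cve_count": 1, "max_cvss": 7.5, "auth": "creds", "data": "pii",
     "internal_reach": True, "last_review": date(2024, 6, 1), "waf": False},
]

AUTH_WEIGHT = {"static": 0, "creds": 0, "sso": 0, "none": 15, "default_creds": 25}
DATA_WEIGHT = {"public": 0, "internal": 5, "pii": 15, "financial": 20, "ip": 20}


def score_asset(asset, today=TODAY):
    """Return a 0-100 score, a tier and the reasons, one block per factor."""
    score, reasons = 0.0, []

    # 1. Software age and known vulnerabilities
    if asset["cve_count"]:
        pts = min(30.0, asset["max_cvss"] * 3)
        score += pts
        reasons.append(f"{asset['cve_count']} known CVE(s), worst CVSS {asset['max_cvss']} (+{pts:.0f})")
    age_years = (today - asset["released"]).days / 365.25
    if age_years > 3:
        score += 10
        reasons.append(f"release is {age_years:.1f} years old (+10)")

    # 2. Authentication state
    pts = AUTH_WEIGHT[asset["auth"]]
    if pts:
        score += pts
        reasons.append(f"auth={asset['auth']} (+{pts})")

    # 3. Data sensitivity
    pts = DATA_WEIGHT[asset["data"]]
    if pts:
        score += pts
        reasons.append(f"data={asset['data']} (+{pts})")

    # 4. Network position
    if asset["internal_reach"]:
        score += 15
        reasons.append("reaches internal network (+15)")

    # 5. Exposure duration since last security review
    stale_days = (today - asset["last_review"]).days
    if stale_days > 365:
        score += 10
        reasons.append(f"{stale_days} days since review (+10)")
    elif stale_days > 90:
        score += 5
        reasons.append(f"{stale_days} days since review (+5)")

    # Mitigation credit, then clamp to the 0-100 range
    if asset["waf"]:
        score -= 10
        reasons.append("behind WAF (-10)")
    score = max(0.0, min(100.0, score))

    # Hard floor: default credentials on an exposed service are critical regardless
    # of everything else. A weighted sum alone would let other factors dilute it.
    if asset["auth"] == "default_creds":
        score = max(score, 90.0)
        reasons.append("default credentials: critical floor applied")

    tier = "critical" if score >= 70 else "high" if score >= 40 else "medium" if score >= 20 else "low"
    return {"name": asset["name"], "score": round(score), "tier": tier, "reasons": reasons}


def prioritize(assets, today=TODAY):
    """Highest score first: the order the human review queue should take."""
    return sorted((score_asset(a, today) for a in assets), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in prioritize(ASSETS):
        print(f"{r['score']:3d} {r['tier']:8} {r['name']}")
        for why in r["reasons"]:
            print("     -", why)
```

The reasons list is as important as the number: when the human reviewer disagrees with a score, the factor that drove it is right there to argue with, which is where the business context the automation lacks gets added.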
Integration With Existing Security Operations
EASM findings should flow into the tools your security team already uses. That means:
- New asset discoveries create tickets in your ITSM platform for ownership assignment.
- Newly identified vulnerabilities on external assets feed into your vulnerability management workflow alongside internal scan results.
- High-risk findings generate alerts in your SIEM or SOAR platform for immediate investigation.
- Decommission decisions go through your change management process to ensure assets are properly removed, not just powered off.
EASM operating in isolation becomes another dashboard your team ignores. Integrated into existing workflows, it becomes part of the operational rhythm.
The Real Cost of an Unmanaged Attack Surface
IBM’s 2024 Cost of a Data Breach report puts the average breach cost at $4.88 million. Breaches involving shadow IT or unmanaged assets land at the higher end of that range because they take longer to detect (the asset is not monitored) and longer to contain (the team has to figure out what the asset is before they can respond to it).
The operational drag is measurable too. Security teams that spend their cycles chasing unknown assets are not spending those cycles on the threats they already know about. Incident response for an asset no one owns takes longer to detect, longer to triage, longer to contain, and longer to remediate.
Compliance frameworks from PCI DSS to HIPAA to the SEC’s cybersecurity disclosure rules assume that organizations know what they own. “We did not know that server existed” is an explanation. Regulators and courts do not treat it as a defense.
How Grab The Axe Approaches External Attack Surface Management
At Grab The Axe, EASM is a standard component of our cybersecurity assessments. We do not start with your asset inventory. We start with what the internet sees.
Our process maps your external footprint, identifies unowned and unmanaged assets, and delivers a prioritized finding set with clear ownership recommendations. We pair EASM discovery with penetration testing to show you what is exposed and what an attacker can do with what they find.
The deliverable is a closed loop: discover, assign, remediate, verify.
Start With What the Internet Already Knows
Your organization’s external attack surface exists whether you manage it or not. Subdomains, cloud instances, SaaS integrations, forgotten test servers: all of it is visible to anyone running the same tools your adversaries use. Your security team should see it first.
Take our free Human Attack Surface Score assessment to get a baseline measure of your organization’s exposure, or schedule a conversation with Grab The Axe to start mapping your external footprint with the same tools and techniques the threat actors are already using against you.
When your organization last ran an external asset discovery, who owned the list of what was found?
Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.