Attack Surface
The total set of points where an unauthorized user can try to enter or extract data from an environment.
What is Attack Surface?
An attack surface is the complete set of points where an attacker could try to enter, extract data from, or disrupt a system. It includes every exposed port, service, application, API, domain, certificate, credential, and configuration that is reachable by an adversary. The larger and less-understood the attack surface, the more opportunities exist for compromise. In practice, the term is split into the external attack surface (anything reachable from the public internet) and the internal attack surface (assets reachable only after an attacker is already inside the network).
Why it matters
You cannot defend what you do not know exists. Most breaches start with an asset the security team forgot about or never inventoried: a staging server with default credentials, a subdomain pointing at a deprovisioned SaaS account, an expired certificate, or a database left open to the internet. Attack surface grows continuously as teams ship new services, spin up cloud resources, and register domains, while old assets are rarely decommissioned cleanly. Reducing and continuously monitoring the attack surface is the foundation of external attack surface management (EASM).
How it works
An attack surface is the sum of many distinct exposure categories. Common ones include:
- Network exposure — open ports and the services behind them, such as an internet-facing database or cache.
- DNS and email — missing DNSSEC, weak DMARC/SPF policies, and dangling records vulnerable to subdomain takeover.
- Certificates and transport — expired or expiring TLS certs, weak ciphers, and protocol downgrades.
- Web layer — missing HTTP security headers, exposed sensitive files like .env, and known CVEs.
- Cloud and brand — public storage buckets and typosquat domains impersonating your brand.
Each item is reachable, fingerprintable, and ranked by impact — severity comes from what happens on compromise, not how easy the issue was to find.
A concrete example
A company runs api.example.com on a cloud VM. Over time the team opens port 6379 for a Redis cache "temporarily," lets the WHOIS-visible staging subdomain keep pointing at a retired Heroku app, and ships an admin panel without a Content-Security-Policy header. None of these were intended to be public, yet all three are now part of the external attack surface — an unauthenticated cache, a one-click subdomain takeover, and a clickjacking-friendly admin page. Individually small, together they form a realistic breach path.
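The three exposures in this scenario, turned into a small inventory triage that ranks findings by impact rather than by how easy they were to spot. This is an added example, not FortWatch code; the internal-only port list, the takeover-prone hosting suffixes, the header severities and the inventory itself are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Services that should never be internet-facing (assumption: a defender's starting
# list, not exhaustive). 6379 is the Redis cache opened "temporarily" above.
INTERNAL_ONLY_PORTS = {6379: "redis", 27017: "mongodb", 11211: "memcached"}
# Hosting targets where a CNAME to a deprovisioned app can be re-registered.
TAKEOVER_PRONE_SUFFIXES = (".herokuapp.com", ".github.io")
# Severity of each missing header (assumption; a missing CSP matters most here).
REQUIRED_HEADERS = {"content-security-policy": "medium",
                    "strict-transport-security": "medium", "x-frame-options": "low"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Asset:
    host: str
    open_ports: List[int] = field(default_factory=list)
    cname: Optional[str] = None               # CNAME target if the record is an alias
    headers: Optional[Dict[str, str]] = None  # HTTP response headers; None = no HTTP

def triage(assets: List[Asset], live_cnames: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, host, description) findings ranked by impact.
    live_cnames stands in for a DNS lookup: targets that still resolve are not dangling."""
    findings = []
    for a in assets:
        for port in a.open_ports:
            if port in INTERNAL_ONLY_PORTS:  # unauthenticated data store: critical
                findings.append(("critical", a.host,
                                 f"{INTERNAL_ONLY_PORTS[port]} on port {port} is internet-facing"))
        if a.cname and a.cname.endswith(TAKEOVER_PRONE_SUFFIXES) and a.cname not in live_cnames:
            findings.append(("high", a.host, f"dangling CNAME to {a.cname} (subdomain takeover)"))
        if a.headers is not None:
            present = {k.lower() for k in a.headers}
            for hdr, sev in REQUIRED_HEADERS.items():
                if hdr not in present:
                    findings.append((sev, a.host, f"missing {hdr} header"))
    # sorted() is stable, so discovery order is kept within a severity tier
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])

# Constructed inventory mirroring the scenario above.
INVENTORY = [
    Asset("api.example.com", open_ports=[443, 6379],
          headers={"Content-Security-Policy": "default-src 'self'",
                   "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY"}),
    Asset("staging.example.com", cname="retired-app.herokuapp.com"),
    Asset("admin.example.com", open_ports=[443],
          headers={"Strict-Transport-Security": "max-age=31536000"}),
]
LIVE_CNAMES: Set[str] = set()  # constructed: the retired Heroku app no longer resolves
```

Calling `triage(INVENTORY, LIVE_CNAMES)` yields the open Redis port first, then the dangling staging CNAME, then the admin panel's missing headers; if the Heroku target were still live the takeover finding would drop out while the others stay.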
How FortWatch maps your external attack surface
FortWatch discovers your public-facing assets and runs 11 automated scanners across them — port monitoring, CVE detection, SSL/TLS, DNS hygiene, HTTP headers, exposed sensitive files, subdomain takeover, cloud buckets, and brand monitoring. Each finding gets a severity (critical, high, medium, low) and AI-generated remediation, so the work is prioritized by impact rather than volume. Because the surface changes constantly, FortWatch scans continuously instead of relying on point-in-time checks — see continuous scanning vs. annual pentests.