FortWatch

Attack Surface Management (ASM)

The continuous process of discovering, analyzing, and reducing an organization's external attack surface.


What is Attack Surface Management (ASM)?

Attack Surface Management (ASM) is the continuous process of discovering, inventorying, and assessing every internet-facing asset an organization exposes — domains, subdomains, IPs, open ports, certificates, DNS records, cloud storage, and the services running on them — so that security gaps can be found and fixed before an attacker exploits them. External ASM (EASM) focuses specifically on what is reachable from the public internet, mapping your perimeter the same way an outside adversary would.

Why it matters

Most organizations cannot confidently list every asset they expose. Shadow IT, forgotten staging servers, expired certificates, misconfigured cloud buckets, and decommissioned subdomains accumulate over time. Attackers don't target what you think you own — they target what you've forgotten. ASM closes that visibility gap by treating discovery as a recurring activity rather than a one-time audit, which is why continuous scanning beats annual pentests for catching changes between assessments.

How it works

A typical ASM workflow runs in repeating stages:

  1. Discovery — enumerate assets from seed domains using DNS, certificate transparency logs, and reverse lookups. See subdomain enumeration via CT logs.
  2. Inventory — catalog each asset's services, ports, and technologies.
  3. Assessment — scan for misconfigurations, weak TLS, missing headers, exposed files, and known CVEs.
  4. Prioritization — rank issues by real impact, not raw volume. See how to prioritize vulnerabilities.
  5. Remediation and monitoring — fix, then re-scan continuously to catch new exposure.

A concrete example

A team spins up staging.example.com on a cloud host, opens port 6379 for a Redis cache, and skips authentication because it's "just staging." Months later the project is shelved but the host stays online. An ASM scan flags the subdomain via CT logs, detects the open Redis port, and confirms it answers unauthenticated commands — an exposure that can lead to full server compromise. Without ongoing discovery, that asset would never have appeared on a manually maintained inventory.
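The gap in that scenario, reconciling discovered assets against a manually maintained inventory and ranking what is missing by impact, can be sketched as follows. This is an added example, not FortWatch code: the CT entries, observed ports, inventory, impact weights, and function names are all constructed or assumed for illustration.

```python
SEED = "example.com"  # hypothetical seed domain

# Constructed certificate transparency entries: names taken from issued certificates.
CT_ENTRIES = [
    {"names": ["www.example.com", "example.com"]},
    {"names": ["*.example.com", "API.example.com."]},
    {"names": ["staging.example.com"]},
    {"names": ["old.example.com"]},
    {"names": ["cdn.example.net"]},  # different domain, out of scope
]
# Manually maintained inventory: what the team believes it exposes.
KNOWN_INVENTORY = {"example.com", "www.example.com", "api.example.com"}
# Constructed inventory-stage results: host -> open ports observed.
OBSERVED_PORTS = {"www.example.com": [443], "api.example.com": [443],
                  "old.example.com": [443], "staging.example.com": [22, 6379]}
# Assumed impact weights (not from the page): exposed data stores rank highest.
PORT_IMPACT = {6379: 9, 22: 5, 443: 1}

def discover(entries, seed):
    """Stage 1: normalize CT names, keep only hosts under the seed domain."""
    hosts = set()
    for entry in entries:
        for name in entry["names"]:
            host = name.lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]  # a wildcard only proves the parent name exists
            if host == seed or host.endswith("." + seed):
                hosts.add(host)
    return hosts

def unmanaged_assets(discovered, inventory):
    """Hosts found by discovery that the manual inventory does not list."""
    return discovered - inventory

def prioritize(hosts, observed, impact):
    """Stage 4: rank by the highest-impact exposed port, not by finding count."""
    scored = []
    for host in hosts:
        ports = sorted(observed.get(host, []))
        score = max((impact.get(p, 2) for p in ports), default=0)
        scored.append((score, host, ports))
    return sorted(scored, key=lambda item: (-item[0], item[1]))

if __name__ == "__main__":
    gaps = unmanaged_assets(discover(CT_ENTRIES, SEED), KNOWN_INVENTORY)
    for score, host, ports in prioritize(gaps, OBSERVED_PORTS, PORT_IMPACT):
        print(f"unmanaged {host}: ports={ports} impact={score}")
```

Run on a schedule, the same comparison surfaces hosts that appear between reviews; the suffix match on "." + seed keeps look-alike names such as notexample.com out of scope.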

What ASM looks at on your external surface

ASM spans many categories that each carry their own risk: open ports and exposed services, certificate and TLS posture, DNS hygiene (SPF, DKIM, DMARC, DNSSEC, dangling records), HTTP security headers, sensitive files like exposed .env secrets, subdomain takeover from dangling DNS, and public cloud buckets. No single category is the headline — they sit on the same severity scale, judged by impact if compromised.

How FortWatch helps

FortWatch is an external ASM platform that runs 11 automated scanners against your public-facing assets — covering port exposure, CVEs, SSL/TLS, DNS hygiene, HTTP headers, sensitive files, subdomain takeover, cloud buckets, and brand monitoring. Each finding gets a severity rating and AI-assisted remediation guidance, and scans repeat continuously so newly introduced exposure surfaces quickly rather than at the next manual review.
