
External Attack Surface Management (EASM): A Practitioner's Guide

Sources: Gartner Market Guide for External Attack Surface Management 2025 | Mandiant Attack Surface Management Research | Censys Internet-Wide Scanning Research 2025 | Palo Alto Networks Cortex Xpanse Documentation | CISA Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESAR)
67% of breaches in 2025 began with exploitation of an asset the organization did not know was exposed.

30% of internet-facing assets in large enterprises are unknown to the security team.

15 minutes: average time before a newly exposed service is discovered and probed by automated scanners.

Your perimeter is larger than you think. Shadow IT, cloud sprawl, forgotten staging servers, developer-exposed services, and acquired company infrastructure all contribute to an external attack surface that grows faster than manual asset inventories can track. External Attack Surface Management (EASM) continuously scans the internet from an attacker's perspective, discovering every asset associated with your organization and assessing each for exposures before attackers find them first.

What EASM Discovers

EASM platforms use the same techniques as attackers to discover assets: DNS enumeration, certificate transparency log analysis, autonomous system (AS) number lookups, WHOIS data, and internet-wide scanning. From your organization's known seeds (primary domain, IP ranges, company name), the platform discovers:

Subdomains and hostnames

Enumeration of all subdomains associated with your domains using DNS brute force, certificate transparency logs (crt.sh), and passive DNS data. Discovers forgotten subdomains pointing to decommissioned infrastructure, development environments, and shadow IT.

IP addresses and ranges

All IP address ranges registered to your AS numbers and associated with your organization through WHOIS and ARIN/RIPE records. Includes cloud-allocated IP addresses that may not be in your internal IPAM.

Open ports and services

Port scanning of all discovered IPs to identify what services are exposed: web servers, databases, remote access services (RDP, SSH), management interfaces, and application-specific ports.

Technologies and versions

Fingerprinting of software versions running on discovered services, enabling correlation with known CVEs. A web server running an outdated version of Nginx is a specific, actionable finding.

TLS certificates

Certificate enumeration revealing new domains, expired certificates, certificates with weak signing algorithms, and certificates issued by unexpected certificate authorities.

Exposed credentials and secrets

Scanning of public code repositories, paste sites, and data breach databases for credentials associated with your domains. This surfaces API keys, passwords, and tokens that have been exposed publicly.

Acquired and subsidiary assets

Assets from previously acquired companies that were never integrated into your security program. EASM discovers these through brand and company name correlation.
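As an added example (not code from this guide or from any platform it names), here is the certificate transparency step from the subdomain and TLS items above, run against a constructed sample shaped like crt.sh's JSON output; the field names are an assumption about that API and every hostname, issuer and date is invented. It expands a seed domain into in-scope hostnames while rejecting look-alike names outside the seed, and flags the expired and unexpectedly-issued certificates the TLS item describes.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output (the field names are an
# assumption about that API; every hostname, issuer and date here is invented).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com", "not_after": "2026-03-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com\nStaging.Example.com", "not_after": "2024-01-15T00:00:00"},
    {"issuer_name": "C=GB, O=Unknown CA Ltd, CN=Unknown CA",
     "name_value": "old-vpn.example.com\nexample.com.evil.net", "not_after": "2027-06-30T00:00:00"},
])

def in_scope(host, seeds):
    """The seed itself or a true subdomain; example.com.evil.net must not match example.com."""
    return any(host == s or host.endswith("." + s) for s in seeds)

def normalise(name):
    """Lower-case and strip a leading wildcard label (*.dev.x -> dev.x)."""
    name = name.strip().lower()
    return name[2:] if name.startswith("*.") else name

def records_in_scope(ct_json, seeds):
    """Yield (hostname, record) for every in-scope name in the log data."""
    for rec in json.loads(ct_json):
        for raw in rec["name_value"].split("\n"):
            host = normalise(raw)
            if host and in_scope(host, seeds):
                yield host, rec

def extract_hostnames(ct_json, seeds):
    """Distinct in-scope hostnames: the seed expansion an EASM platform performs."""
    return sorted({h for h, _ in records_in_scope(ct_json, seeds)})

def expired_hosts(ct_json, seeds, now_iso):
    """Hosts whose newest logged certificate has lapsed (a newer valid cert clears the flag)."""
    now, newest = datetime.fromisoformat(now_iso), {}
    for host, rec in records_in_scope(ct_json, seeds):
        exp = datetime.fromisoformat(rec["not_after"])
        newest[host] = max(newest.get(host, exp), exp)
    return sorted(h for h, exp in newest.items() if exp < now)

def unexpected_issuers(ct_json, seeds, allowed_orgs):
    """Hosts holding a certificate from a CA not on the organisation's approved list."""
    flagged = {host for host, rec in records_in_scope(ct_json, seeds)
               if not any(f"O={org}" in rec["issuer_name"] for org in allowed_orgs)}
    return sorted(flagged)
```

A real run would replace SAMPLE_CT_JSON with the log data for each seed domain and feed the three result lists into the asset inventory and the certificate findings queue.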

EASM vs. Vulnerability Scanning

Traditional vulnerability scanners (Nessus, Qualys) scan assets you already know about using authenticated access. EASM discovers assets you did not know existed and assesses them from an unauthenticated, external perspective. These are complementary, not redundant: EASM finds the unknown assets and unknown exposures; vulnerability scanning provides deep authenticated assessment of known assets. A mature exposure management program uses EASM for discovery and external exposure assessment, and authenticated scanners for internal vulnerability depth.


Platform Landscape

The EASM market has consolidated rapidly through acquisition:

Palo Alto Cortex Xpanse

Enterprise market leader following the acquisition of Expanse. Continuous internet scanning with broad asset coverage, change detection, and integration with Prisma Cloud and Cortex XDR. Strong for large enterprises wanting EASM integrated with their existing Palo Alto security stack.

Microsoft Defender EASM

Microsoft's entry into EASM following the acquisition of RiskIQ. Broad internet data coverage, deep integration with Microsoft Sentinel and Defender XDR. Strong for Microsoft-centric organizations. Relatively accessible pricing compared to enterprise-only alternatives.

Censys ASM

Built on Censys's internet-wide scanning infrastructure (one of the two largest internet scanners alongside Shodan). High data freshness and accuracy. Good for organizations that want to leverage raw scanning data quality alongside managed discovery workflows.

CrowdStrike Falcon Surface

EASM integrated with CrowdStrike's Falcon platform and threat intelligence. Asset discovery combined with threat actor campaign data showing which actors are actively targeting specific exposure types in your industry.

Detectify

Developer-friendly EASM with strong web application focus. Crowdsourced security researcher contributions for discovering novel exposure types. Better for organizations with large web application portfolios than for broad network infrastructure discovery.

Operationalizing EASM Findings

EASM generates a continuous stream of findings that must integrate with your existing security operations. Common workflow patterns:

New asset alerts

When EASM discovers a new internet-facing asset not in your inventory, generate an alert for the asset owner to confirm whether it is authorized, properly configured, and should remain exposed. Unauthorized assets should be immediately investigated.

Exposure change detection

When an existing known asset changes state (a new port opens, a service version changes, a certificate expires), generate a change alert. Unexpected changes may indicate unauthorized modification or compromise.

CVE correlation

When a new CVE is published for software detected on your external assets, generate an immediate prioritized finding. This is significantly faster than waiting for your authenticated scanner to run its next scheduled cycle.

SIEM integration

Feed EASM findings into your SIEM for correlation with internal telemetry. An EASM finding that a specific server is running vulnerable software, combined with an EDR alert showing unusual activity on that server, is a high-priority incident.
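As an added example (not code from this guide or from any EASM vendor), the new-asset, exposure-change and CVE-correlation workflows above implemented as a diff between two constructed inventory snapshots; every host, IP-free record, version and date is invented, the high-risk port list comes from this guide's FAQ, and the advisory table is a placeholder standing in for a real CVE/CPE feed.

```python
from datetime import datetime

# Two constructed snapshots of one external inventory (consecutive scans of
# the same seeds); every host, version and date below is invented.
PREVIOUS = {
    "www.example.com": {"cert_not_after": "2026-03-01", "ports": {443: ("nginx", "1.24.0")}},
    "vpn.example.com": {"cert_not_after": "2025-01-10", "ports": {443: ("openvpn-as", "2.11")}},
    "legacy.example.com": {"cert_not_after": "2025-12-01", "ports": {80: ("apache", "2.4.41")}},
}
LATEST = {
    "www.example.com": {"cert_not_after": "2026-03-01", "ports": {443: ("nginx", "1.18.0"), 22: ("openssh", "9.6")}},
    "vpn.example.com": {"cert_not_after": "2025-01-10", "ports": {443: ("openvpn-as", "2.11")}},
    "staging.example.com": {"cert_not_after": "2026-09-01", "ports": {3389: ("rdp", None)}},
}
# Ports this guide lists among the most common high-risk exposures.
HIGH_RISK_PORTS = {3389: "rdp", 27017: "mongodb", 6379: "redis"}
# Placeholder advisory table; a real program keys this on a CVE/CPE feed.
ADVISORIES = {("nginx", "1.18.0"): "ADVISORY-ID-PLACEHOLDER"}

def diff_inventory(previous, current, now_iso):
    """Produce new-asset, exposure-change and certificate alerts from two scans."""
    now, alerts = datetime.fromisoformat(now_iso), []
    for host, cur in current.items():
        prev = previous.get(host)
        if prev is None:  # asset not in the last scan: confirm ownership and intent
            sev = "high" if set(cur["ports"]) & set(HIGH_RISK_PORTS) else "medium"
            alerts.append((sev, "new_asset", host, sorted(cur["ports"])))
            continue
        for port in sorted(set(cur["ports"]) - set(prev["ports"])):
            sev = "high" if port in HIGH_RISK_PORTS else "medium"
            alerts.append((sev, "port_opened", host, port))
        for port in sorted(set(prev["ports"]) - set(cur["ports"])):
            alerts.append(("info", "port_closed", host, port))
        for port in sorted(set(cur["ports"]) & set(prev["ports"])):
            if cur["ports"][port] != prev["ports"][port]:  # product or version changed
                alerts.append(("medium", "service_changed", host, port,
                               prev["ports"][port], cur["ports"][port]))
        if datetime.fromisoformat(cur["cert_not_after"]) < now:
            alerts.append(("medium", "cert_expired", host, cur["cert_not_after"]))
    for host in sorted(set(previous) - set(current)):
        alerts.append(("info", "asset_gone", host))
    return alerts

def correlate_advisories(current, advisories):
    """Match fingerprinted (product, version) pairs against the advisory table."""
    return [("high", "advisory", host, port, adv_id)
            for host, asset in sorted(current.items())
            for port, (product, version) in sorted(asset["ports"].items())
            if (adv_id := advisories.get((product, version)))]
```

Each tuple is one finding for the SIEM or ticketing integration; re-running correlate_advisories whenever the advisory table changes is what gives the same-day CVE correlation described above.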

Reducing Your Attack Surface

EASM's highest value is not just detection but driving actual attack surface reduction. Findings should feed a formal remediation backlog: assets requiring decommissioning, services that should not be internet-facing, certificates requiring renewal, software requiring patching, and credentials requiring rotation. Track attack surface reduction as a metric: the total count of internet-facing assets, the count of assets with known critical exposures, and the mean time to remediate external exposures. Organizations that treat EASM as a monitoring tool without a remediation program see findings accumulate without security improvement.

The bottom line

Your external attack surface is what attackers see first. EASM gives you that view continuously, finding assets and exposures your internal tools miss. The value is not in the dashboard: it is in the remediation workflows you build to act on what EASM finds before attackers do.

Frequently asked questions

How is EASM different from Shodan?

Shodan is a search engine for internet-connected devices that anyone can query. EASM platforms use the same underlying scanning techniques as Shodan but layer organization-specific asset discovery, continuous monitoring, change detection, and workflow integration on top. An EASM platform automatically discovers assets belonging to your organization, tracks them over time, and alerts you to changes. Shodan requires manual queries and provides point-in-time snapshots without automated organization correlation or workflow integration.

How long does initial EASM asset discovery take?

Initial discovery from seed inputs (primary domain, known IP ranges) typically completes within 24 to 72 hours for most organizations. Large enterprises with complex subsidiary structures and many IP ranges may take a week for comprehensive initial discovery. The first scan almost always reveals assets the security team did not know about: expect between 10 and 40 percent more internet-facing assets than your internal inventory shows.

What are the most common high-risk EASM findings?

The most commonly discovered high-risk exposures are: exposed RDP (port 3389) on internet-facing servers, administrative interfaces (routers, firewalls, NAS devices) with default or no credentials, expired TLS certificates that browsers will warn users about, subdomains pointing to decommissioned cloud resources (subdomain takeover risk), development and staging environments with weaker security controls than production, and exposed database ports (MongoDB on 27017, Redis on 6379) without authentication.

What is subdomain takeover and how does EASM help detect it?

Subdomain takeover occurs when a DNS record for a subdomain (e.g., staging.company.com) points to a cloud service (Heroku, GitHub Pages, AWS S3) that has been decommissioned without removing the DNS record. An attacker can claim the abandoned cloud resource and serve content from your subdomain, enabling phishing or credential theft under your brand. EASM detects this by identifying subdomains where the DNS record points to an unclaimed cloud resource, which is a specific fingerprint these platforms look for during scanning.

How does EASM handle cloud and SaaS assets?

Modern EASM platforms discover cloud assets through multiple methods: DNS enumeration finds cloud-hosted subdomains, certificate transparency logs reveal assets using your domains on cloud infrastructure, and integrations with cloud provider APIs (with appropriate permissions) discover assets directly. SaaS application discovery is less mature in most EASM platforms: SaaS apps that do not expose custom subdomains may not be discovered by internet scanning. CASB platforms better address SaaS asset discovery, while EASM covers infrastructure and web asset discovery.

Should we fix every EASM finding?

No. Risk-based prioritization applies: critical exposures (unauthenticated databases, exposed management interfaces, actively exploited CVEs on internet-facing services) require immediate remediation. Informational findings (exposed version banners, open ports for legitimate services) require acknowledgment and documentation but not necessarily remediation. Define acceptance criteria for different finding types, require documented risk acceptance for medium and low findings left unremediated, and focus remediation capacity on the highest-impact exposures first.


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
