Attack Surface Management
Discover and reduce attack surface.
Discover
The biggest gap in most security programs is not vulnerability management; it is asset inventory. Teams patch the vulnerabilities they know about on the systems they know exist, and the breach comes through a system nobody remembered was on the internet. Attack surface management starts with the discovery problem: finding out what is actually exposed.
What discovery actually involves:
- External-facing assets: Domain names, subdomains, IP addresses, cloud resources with public endpoints, third-party SaaS that authenticates against your IdP, GitHub repositories, S3 buckets, container registries. Anything an outsider can reach without your help.
- Often more than expected: The first time a team runs ASM tooling against its own environment, it typically finds 30 to 80% more assets than it had documented. Old test environments still running. Forgotten staging deployments. Acquired company infrastructure nobody migrated. Shadow IT signups by individual teams. The map of "what we have" is almost always incomplete.
- Tools auto-discover: Modern ASM platforms (Detectify, Bishop Fox, Microsoft Defender External Attack Surface Management, Palo Alto Cortex Xpanse) crawl from a seed (your domain, your cloud account) and find every connected asset. They use the same discovery techniques attackers use, applied defensively.
- Continuous, not annual: Discovery is a continuous practice. New assets appear constantly: a developer spins up a test environment, an acquired company's infrastructure connects, a third-party integration adds a callback URL. The ASM tooling reruns discovery on a weekly or daily cadence to catch additions.
- Internal discovery matters too: The external attack surface is the priority, but internal discovery (lateral movement paths, internal services with weak authentication, credentials with broader access than necessary) is the next layer. Once external is clean, internal becomes the next investment.
You cannot defend what you do not know about. The first move in any serious security program is finishing the inventory.
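The reconciliation step that the discovery bullets describe (merge what several sources observed, normalize the names, compare against the documented inventory, and diff successive runs) is shown below as an added example; it is not code from the page or from any ASM product. All hostnames, sources and the documented list are constructed for illustration, and the percentage it reports is the "more than expected" gap between discovered and documented assets.

```python
"""Reconcile externally discovered assets against a documented inventory (added example)."""

# Constructed sample: what three discovery sources observed for example.com.
# Raw names are deliberately inconsistent (case, trailing dot, wildcard).
DNS_ZONE = ["www.example.com.", "API.example.com", "mail.example.com",
            "docs.example.com", "staging-old.example.com", "*.dev.example.com"]
CLOUD_PUBLIC = ["api.example.com", "lb-7f3a.example.com", "acq-corp-portal.example.com"]
CERT_LOGS = ["www.example.com", "vpn.example.com", "legacy-test.example.com"]
SOURCES = {"dns": DNS_ZONE, "cloud": CLOUD_PUBLIC, "ct": CERT_LOGS}

# Constructed: the assets the team believed it had.
DOCUMENTED = {"www.example.com", "api.example.com", "vpn.example.com",
              "mail.example.com", "docs.example.com", "old-cdn.example.com"}


def normalize_host(name):
    """Canonical form so the same host seen by different sources dedupes."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):          # a wildcard record exposes the parent label
        name = name[2:]
    return name


def discover(sources):
    """Union of normalized hostnames, recording which sources observed each."""
    seen = {}
    for source_name, names in sources.items():
        for raw in names:
            seen.setdefault(normalize_host(raw), set()).add(source_name)
    return seen


def reconcile(discovered, documented):
    """Split the picture into undocumented (new exposure) and stale (documented, not observed)."""
    undocumented = sorted(h for h in discovered if h not in documented)
    stale = sorted(h for h in documented if h not in discovered)
    growth_pct = round(100 * len(undocumented) / len(documented), 1) if documented else None
    return {"undocumented": undocumented, "stale": stale, "growth_pct": growth_pct}


def new_since(previous_run, current_run):
    """Continuous discovery: hosts that appeared since the last run."""
    return sorted(set(current_run) - set(previous_run))


def run_example():
    found = discover(SOURCES)
    return found, reconcile(found, DOCUMENTED)


if __name__ == "__main__":
    found, report = run_example()
    print(f"{len(found)} hosts discovered, {len(DOCUMENTED)} documented")
    print("undocumented:", report["undocumented"])
    print("stale:", report["stale"])
    print(f"inventory gap: +{report['growth_pct']}%")
```

The "stale" list is worth acting on as well: a documented asset that no source can see any more is either decommissioned (close the inventory entry) or sitting somewhere the discovery seeds do not reach (extend the seeds). On the next cycle, `new_since` is run against the previous run's host set rather than against the static inventory, which is what turns a one-off audit into the continuous practice the section describes.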
Classify
Once you know what assets exist, the next move is classifying them by criticality. Treating every asset as equally important means you over-invest in defending things nobody cares about and under-invest in the ones an attacker would target.
- By criticality: Production data plane, customer-facing APIs, payment systems, identity providers, source control, build infrastructure. These are the high-value targets. Internal admin tools, dev environments, marketing sites are lower-value. The classification reflects what an attacker would actually want.
- Test exposure of each: For each asset, run an active assessment. What ports are open? What services respond? Are the services patched? What authentication do they require? The output is a per-asset risk score combining criticality and current exposure.
- Prioritize remediation by score: The output is a ranked list. The asset with high criticality and high current exposure goes to the top of the remediation queue. The asset with low criticality and low exposure can wait. The list changes weekly as new assets are discovered and existing ones are remediated.
- Track over time: The total attack surface score is a metric. The trajectory matters: a team that is closing assets faster than it is creating them is improving. A team where the score grows quarter over quarter is accumulating risk. The number goes on the security team's dashboard.
- Decisions documented: When an asset is left exposed deliberately (a public-facing API that is supposed to be public), the decision is documented. The next ASM scan does not flag it as new; it sees the documented exception. This prevents the team from re-investigating the same asset every cycle.
Classification turns the inventory from a list into a prioritized remediation queue. Without it, the team is firefighting whatever the latest scan flagged, regardless of whether it matters.
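The scoring, ranking, documented-exception and trend-tracking steps above are carried through below as one added example; it is not code from the page or from any ASM platform. The criticality weights, port weights, authentication penalties and every asset are constructed assumptions so that the arithmetic can be followed end to end; a real program tunes the weights to its own threat model.

```python
"""Per-asset risk score, ranked remediation queue and surface trajectory (added example)."""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed criticality weights by asset class (what an attacker would want).
CRITICALITY = {
    "payments": 5, "identity": 5, "customer-api": 4, "source-control": 4,
    "build": 4, "admin-tool": 2, "dev": 1, "marketing": 1,
}
# Constructed: ports that should rarely be internet-reachable weigh double.
MANAGEMENT_PORTS = {21, 22, 23, 3389, 5900, 3306, 5432, 6379}
# Constructed penalty for the authentication on an exposed management interface.
MGMT_AUTH_PENALTY = {None: 0, "mfa": 0, "password": 2, "none": 4}


@dataclass
class Asset:
    host: str
    kind: str
    open_ports: Set[int]
    unpatched: bool
    mgmt_auth: Optional[str]   # None when no management interface is exposed


@dataclass
class AcceptedExposure:
    """A documented decision to leave specific ports public on purpose."""
    host: str
    reason: str
    ports: Set[int]


def exposure_score(asset, accepted=None):
    """Current exposure after subtracting the deliberately accepted ports."""
    ports = asset.open_ports - (accepted.ports if accepted else set())
    score = sum(2 if p in MANAGEMENT_PORTS else 1 for p in ports)
    score += 3 if asset.unpatched else 0
    score += MGMT_AUTH_PENALTY[asset.mgmt_auth]
    return score


def risk_score(asset, accepted=None):
    return CRITICALITY[asset.kind] * exposure_score(asset, accepted)


def remediation_queue(assets, exceptions):
    """Ranked (host, score) list; fully documented exposures score 0 and drop out."""
    by_host = {e.host: e for e in exceptions}
    scored = [(a.host, risk_score(a, by_host.get(a.host))) for a in assets]
    return sorted(((h, s) for h, s in scored if s > 0), key=lambda hs: (-hs[1], hs[0]))


def surface_score(assets, exceptions):
    """The single dashboard number: sum of the remaining risk."""
    return sum(s for _, s in remediation_queue(assets, exceptions))


def trajectory(history):
    """Is the weekly surface score trending down (improving) or up (accumulating)?"""
    if len(history) < 2 or history[-1] == history[0]:
        return "flat"
    return "improving" if history[-1] < history[0] else "accumulating"


# Constructed inventory for one scan cycle.
ASSETS = [
    Asset("pay.example.com", "payments", {443}, False, None),
    Asset("api.example.com", "customer-api", {443, 8443}, False, None),
    Asset("staging-old.example.com", "dev", {22, 80, 443}, True, "password"),
    Asset("sso.example.com", "identity", {443, 3389}, True, "mfa"),
    Asset("www.example.com", "marketing", {80, 443}, False, None),
]
EXCEPTIONS = [
    AcceptedExposure("api.example.com", "public customer API by design", {443, 8443}),
    AcceptedExposure("www.example.com", "public marketing site", {80, 443}),
]

if __name__ == "__main__":
    for host, score in remediation_queue(ASSETS, EXCEPTIONS):
        print(f"{score:3d}  {host}")
    print("surface score:", surface_score(ASSETS, EXCEPTIONS))
    print("trend:", trajectory([61, 58, 52, surface_score(ASSETS, EXCEPTIONS)]))
```

Two things the ranking makes visible that a flat finding list does not: the unpatched identity provider with RDP reachable outranks the forgotten dev box by more than 3 to 1 even though the dev box has more findings, and the public API and marketing site never enter the queue because their exposure is covered by a documented exception rather than being re-investigated each cycle. Keep the exception records under version control with an owner and a review date; an exception that nobody owns is just an unreviewed exposure.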
Reduce
The endgame of attack surface management is reducing the surface. Every asset that does not need to exist should not exist; every asset that does exist should be hardened. Less surface means fewer paths for attackers and less work for defenders.
- Retire unused assets: The lowest-hanging fruit is killing assets nobody is using. The forgotten test environment, the abandoned third-party integration, the deprecated subdomain that is still resolving. Each retirement removes a potential attack path with zero functional cost.
- Harden the remainder: For assets that need to exist, apply standard hardening: HTTPS-only, short certificate lifetimes, strong cipher suites, no unnecessary headers, IP allowlisting where possible, MFA on any management interface. Each hardening step reduces the asset's exploitability.
- Less surface equals less risk: The math is direct: an attacker probes the surface, and smaller surfaces have fewer probable entry points. A team that has reduced its externally reachable services from 200 to 60 has cut its probable breach surface by a similar magnitude.
- Continuous reduction: Surface reduction is not a one-time project. New services launch, new integrations land, new vendors get adopted. The discipline is to apply the discovery and reduction loop continuously: discover the new things, classify them, retire what should not exist, harden what should.
- Cost-effective security: Surface reduction is one of the highest-leverage security investments because it does not require defending against unknown attacks. It simply removes the possibility of those attacks. The work is straightforward; the protection is durable.
Attack surface management is the discovery, classification, and reduction discipline that turns an unknown attack surface into a managed one. Nova AI Ops integrates with ASM platforms, surfaces the per-asset risk scores into the operations dashboard, and tracks the surface trajectory so the team can see whether the practice is actually moving the surface area downward over time.