Your attack surface is constantly changing - your risk management strategy should, too.

As a cybersecurity or IT professional you’ll know that the industry’s alphabet soup is a running joke. But in truth, the ‘soup’ is necessary. The threat landscape literally changes every day, and so must the tools and techniques we use to defend against it.

According to a recent report from Accenture, 63% of high-growth companies have adopted a work-from-anywhere model. Workplace definitions are changing, while hyper-expanding risk surfaces.

Traditional data protection used to focus on a business’s perimeter and the assets (hardware and software) that operated within its “walls”. Yet today’s borderless workplaces mean the perimeter no longer exists and instead creates almost a limitless attack surface. Every asset is critical for the sensitive data it collects, stores and shares.

What is Attack Surface Management (ASM) - and how has it changed?

All IT and security teams are responsible for understanding their organization’s internal and external attack surface as part of ongoing data loss prevention strategy.

Our reliance on connected systems, cloud applications and distributed work environments has changed the way IT and security teams think about and classify digital business assets. Traditionally, IT assets included hardware like desktops, printers, routers and switches. Today, assets include all of the hardware and software a business has, and that its employees use inside and outside its walls.

As businesses add new assets, they stretch their overall attack surface, increasing cyber risk and the likelihood of a data leak or security breach. Without visibility to digital assets and sensitive data, businesses increase their risk profile.

Know the Lingo

Attack surface strategy is the process of understanding use cases that apply to your business based on the assets it uses, and the data that those assets collect, store and share.


Attack surface assessment (ASA) are tools used to help businesses identify and rank attack surface use cases and their importance based on risk scoring.


Attack surface management (ASM) uses a combination of people, processes (industry best practices) and technology to manage and mitigate cyber risk and the threats that target a business's internal and external digital assets.


What tech does Attack Surface Management Use?

The marketplace is full of technology options that address the cybersecurity layer cake. Each technology is designed to achieve a different set of outcomes. Identifying and prioritizing which outcomes are most important to your business can help you choose technology that fits the nature of your business and the resources you have available to manage it.

When it comes to ASM, Gartner has identified three emerging technologies that support broader ASM strategy: 

(1) Cyber Asset Attack Surface Management (CAASM) for internal assets focus
(2) Digital Risk Protection Services (DRPS) for enterprise brand protection and compliance
(3) External Attack Surface Management (EASM) for external assets focus
CAASM technology proposes to fix a challenge that many businesses face: gaining and maintaining full visibility to all assets used by the business – and through a single pane of glass.

Of the three ASM pillars, CAASM provides some internal and external overlap. Depending on your business’s use cases, it could be a good place to start when considering ASM solutions as CAASM aims to establish your business’s risk benchmark and audit the assets and data your business has.

At a granular level, every asset, whether hardware, software or cloud-based is as valuable as the data it contains. And in today’s world, every asset collects, shares and stores sensitive structured and unstructured data types that elevate cyber risk.

Does Your Business Need CAASM?

Download our Buyer's Guide to CAASM and decide for yourself

Explore how Attack Surface Management (ASM) has changed and why new technologies like Cyber Asset Attack Surface Management (CAASM) are necessary for better security hygiene and a stronger security posture.

Inside you’ll find CAASM use cases, best practice principles and a technology review to help you identify whether CAASM is right for your business.