External Network Penetration Testing and Attack Surface Management (ASM) are related but distinct offensive security measures. Each one has a time and place where it’s most effective, but when the two are paired together, security teams get a proactive approach to their cybersecurity program that supports improvement over time.

What is External Network Penetration Testing?  

External Network Penetration Testing provides a point-in-time test that dives deep into a defined scope. External Network Testing means an offensive security consultant is dedicated to analyzing selected assets for a specific amount of time. Think of it as focused analysis for 40 hours a week for two weeks. That’s a lot of time to dig into findings!

This amount of research typically results in a high number of results that are vetted into prioritized actions. The outcome can strain security teams because of the need to triage remediation efforts in a short period of time. External Network testing is a thorough method of evaluating vulnerabilities and reporting on whether they’re publicly exploitable. 

A limitation with External Network Testing is that it’s only focused on what’s in scope. The scope of the test is limited to the assets a client defines, and the scope of assets a client defines is limited to what a client knows is out there. If clients misunderstand their attack surface, it can lead to gaps in the scope of an External Network Penetration Test. Ensuring a strong and holistic understanding of your attack surface allows you to get more return on your investment for penetration testing. 

In addition, External Network Penetration Testing provides thorough research, but only for a specific point in time. Unfortunately, threat actors aren’t limited by scope or timelines the way External Network Testing is, making Attack Surface Management a smart supplement to External Network Testing.

When to Use External Network Penetration Testing 

If you have proper asset mapping and a solid understanding of your attack surface, then External Network Penetration Testing is an ideal offensive security measure to test the security of your assets. 

ExPen vs. ASM


  • The ExPen is designed to report more findings to the security team
    • It will report informational findings
  • These findings need to be triaged by the internal security team to determine which to prioritize
  • The ExPen is useful for getting a baseline point-in-time view of the environment but requires more manual work on the part of the internal security team

  • ASM will report fewer findings than the ExPen
  • ASM is designed to filter out alerts and only report vulnerabilities the team has confirmed they can exploit
  • This reduces the amount of triaging work for the internal security team
  • ASM is useful for getting a continuous view of the environment and can see changes as they happen in real time

What is Attack Surface Management?  

Attack Surface Management provides continuous discovery, inventory, testing, and prioritization of known and unknown assets and exposures on global external attack surfaces. While it doesn’t go as deep as External Network Penetration Testing, it does look at attack surfaces broadly and through a continuous lens. It provides an always-on view of high-impact, high-priority findings. 

One of the most common scenarios we face with clients is finding unknown assets. This is also one of the biggest benefits of ASM. Not only can many different assets exist on an external attack surface, but also these assets change over time, making point-in-time pentesting good, but continuous analysis better.  

First and foremost, ASM is focused on discovering what’s out there so we can bring better visibility into the entire external attack surface. Once we have that visibility and know the assets that exist, we look at exposures including vulnerabilities. ASM goes deeper by showing the products and certificates that exist on those assets, if those certificates are expiring soon, the DNS records, and the open ports on those assets. 

Typical ASM platforms result in alert overload, which is why NetSPI focuses on noise reduction with our technology. We take the results from our Attack Surface Management platform a step further by adding the human component. Our ASM operations team uses automated and manual methods to discover assets, monitor exposures, and determine the level of risk they may pose. This information is relayed to a security team for remediation, and then passed along to a pentester to validate the remediated exposure. 

When to Use Attack Surface Management 

Attack Surface Management is ideal for teams who need insight into their external attack surface and want to enhance the process for mapping their attack surface on a continual basis.

Better Together: Attack Surface Management and External Network Penetration Testing  

Salt and pepper, peanut butter and jelly, ASM and External Network Testing.

Attack Surface Management shines with its always-on nature that regularly updates scan results with the latest changes. When we tie ASM to our External Network Testing, we’re more closely simulating the activity that attackers are taking throughout the year. ASM provides coverage between External Network Tests, which allows security teams to be more proactive with their approach, instead of waiting three, six or 12 months before performing a regular External Network Test.

A common scenario in which ASM and External Network Testing benefit each other is when companies make recurring changes to their attack surfaces during the holidays. For example, many retailers will stand up new infrastructure for holiday specials. When the special ends and they take down that infrastructure, does it all get commissioned and decommissioned properly? This insight can be automated with ASM. 
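The decommissioning check described above, combined with the scope-gap, certificate-expiry and open-port points made earlier, as an added example that is not NetSPI's code: it diffs two constructed inventory snapshots against a pentest scope list. The snapshot format, hostnames, dates and the `review` function are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data in a hypothetical export format, not any vendor's schema.
PENTEST_SCOPE = {"www.example.com", "vpn.example.com"}
BEFORE = {  # snapshot taken while the holiday campaign was live
    "www.example.com": {"ports": {443}, "cert_expires": date(2025, 6, 1)},
    "vpn.example.com": {"ports": {443}, "cert_expires": date(2025, 1, 20)},
    "holiday-sale.example.com": {"ports": {80, 443}, "cert_expires": date(2025, 3, 1)},
}
AFTER = {  # snapshot taken after the campaign ended
    "www.example.com": {"ports": {443, 8080}, "cert_expires": date(2025, 6, 1)},
    "vpn.example.com": {"ports": {443}, "cert_expires": date(2025, 1, 20)},
    "holiday-sale.example.com": {"ports": {80, 443}, "cert_expires": date(2025, 3, 1)},
    "staging.example.com": {"ports": {22, 443}, "cert_expires": date(2025, 9, 1)},
}
RETIRED = {"holiday-sale.example.com"}  # change record says these were taken down


def review(before, after, scope, retired, today, cert_warn_days=30):
    """Return (host, issue) findings that a continuous inventory surfaces
    between point-in-time tests."""
    findings = []
    for host in sorted(after):
        asset = after[host]
        if host not in scope:
            findings.append((host, "outside pentest scope"))
        if host not in before:
            findings.append((host, "new since last snapshot"))
        else:
            opened = asset["ports"] - before[host]["ports"]
            if opened:
                findings.append((host, f"newly open ports {sorted(opened)}"))
        if host in retired:
            findings.append((host, "still reachable after decommission"))
        days_left = (asset["cert_expires"] - today).days
        if days_left < 0:
            findings.append((host, "certificate expired"))
        elif days_left <= cert_warn_days:
            findings.append((host, f"certificate expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    for host, issue in review(BEFORE, AFTER, PENTEST_SCOPE, RETIRED, date(2025, 1, 5)):
        print(f"{host}: {issue}")
```

Assets flagged as outside scope are candidates to add to the next External Network Penetration Test.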

The best mix of these offensive security strategies is to use ASM for constant monitoring, and then use the insights to perform External Network Testing periodically, such as once per quarter. This strategy also has the potential to validate that security enhancements are resulting in continued improvements, which can help security leaders when it comes to resourcing modern security measures.