
Key Strategies for Tackling External Attack Surface Visibility
Managing today’s attack surface is both critical and complex, as the pace of change reshapes IT environments faster than most organizations can adapt. Dynamic ecosystems filled with constantly shifting assets, the rise of shadow IT, and the growing adoption of cloud and hybrid infrastructures make maintaining an accurate asset inventory daunting.
Add IoT devices, bring-your-own-device (BYOD) policies, and manual processes vulnerable to human error, and many organizations struggle to achieve the full visibility needed to defend against evolving cyber threats. Without a clear, accurate asset inventory, identifying potential vulnerabilities and keeping up with compliance requirements becomes nearly impossible.
Recognizing the weight of these challenges, we tapped into NetSPI’s Partner Network to explore how today’s security teams are approaching asset inventory management.
Meet the Contributors
This roundup includes insights from these NetSPI Partners:
- Thomas Cumberland, Tier 3 Senior Analyst at Cyber Sainik
- Michael Yates, CISO at All Lines Tech
- Sean Mahoney, Vice President at Netswitch Technology Management
- Kendra Vicars, Risk and Compliance Manager at Legato Security
1. How have you seen external attack surface management evolve in the last few years?
Security leaders say EASM has undergone a significant transformation in recent years, driven by the shift to cloud and hybrid environments, the rise of remote work, and increasingly sophisticated threats. One common thread is clear—the demand for continuous, automated solutions has skyrocketed as traditional methods, like firewalls and occasional scans, are no longer sufficient.
“More and more organizations have transitioned to cloud or hybrid environments, which has increased the demand for external attack surface management. Previously implementing a firewall and performing periodic vulnerability scans was seen as sufficient, but now that networks live in the cloud and many more workers are remote, there has been a demand for more robust solutions such as Secure Access Service Edge (SASE).”
– Thomas Cumberland, Tier 3 Senior Analyst at Cyber Sainik
“Since the beginning of 2020, the external attack surface has become the primary exposure point for all organizations. Amateur attackers are showing how simple it is to gain access to an organization’s private network or cloud solutions through remote services. As organizations pay closer attention to their remote service authentication and authorization risks, attackers are turning to the next weak point, the entire external surface. Add in the continuous rise of zero-day vulnerabilities, and continuous attack surface management is the key to reducing massive amounts of risk and exposure.”
– Michael Yates, CISO at All Lines Tech
“Netswitch has seen, over the past 2-3 years, external attack surface management evolve from a niche that few organizations focused on to a more widely accepted part of our Security and Risk Assessments. This shift is driven by cloud and hybrid environments, increased supply chain risks, more adaptive threats, and a growing need to meet regulatory pressures. Organizations are now asking for continuous, automated tools to monitor and secure their external surfaces.”
– Sean Mahoney, Vice President at Netswitch Technology Management
“What used to be a rather manual process, requiring knowing which tools to leverage and which websites to check, attack surface management has become a more automated and real-time process that allows for leveraging a multitude of tools in one single click. By having near real-time alerting, organizations are more aware of their public-facing presence, and are able to take a proactive approach rather than a reactive one.
With more and more assets moving to the cloud over the last few years, many organizations are unaware of what employees have stood up or decommissioned, and therefore potential holes in their security exist. Now, by entering a domain name and known IP addresses, ASM tools are able to identify potential assets in a matter of minutes. Not only can the solutions show you the assets identified, but they can also provide a plethora of asset information, including certificate information, vulnerabilities, open ports, weak encryption algorithms, geolocation information, and much more.”
– Kendra Vicars, Risk and Compliance Manager at Legato Security
2. Can you break down the tech stack and process your team uses for EASM today?
Dynamic ecosystems filled with constantly shifting assets make maintaining an accurate inventory challenging. Here’s what security leaders are doing today to manage their attack surface visibility:
“Our organization takes a custom approach to each client, beginning typically with a vulnerability assessment and then recommending solutions based on their needs. We typically perform a discovery scan on the entire IP space owned by the organization to determine all external assets in scope, followed by a more focused vulnerability scan, and in some cases even perform penetration testing such as exploiting vulnerabilities to determine impact.
Most assessments only require a moderate amount of remediation to secure, but sometimes more aggressive solutions are recommended, up to and including architecture or organizational changes. We also typically perform periodic follow-up assessments to ensure that the attack surface remains stable and secure.”
– Thomas Cumberland, Tier 3 Senior Analyst at Cyber Sainik
“We currently use an external attack surface management platform that allows us to look for public-facing vulnerabilities, open ports, and suggested domains. It queries registrant information to identify any outliers that we may not be aware of belonging to our customers. We configure alerting around certificate expirations/upcoming expirations, new vulnerabilities, and other pertinent information tailored to our customers’ needs.”
– Kendra Vicars, Risk and Compliance Manager at Legato Security
3. How often do your customers perform external attack surface discovery for their organizations?
Effective attack surface management hinges on foundational practices like the ones highlighted below. These strategies adapt to organizational needs, balancing resource availability, risk tolerance, and public-facing presence.
“We recommend incorporating External Attack Surface Management (EASM) into regular security assessments, with frequency determined by resources and risk tolerance.
- Discovery Frequency: Resources often drive frequency, so our smaller organizations opt for monthly scans, but this is then balanced by their resources and organizational risk tolerance.
- Dynamic Inventory: We recommend maintaining a centralized, living inventory that updates automatically with each discovery scan. This helps ID criticality to prioritize incident response and resolution, leading to improved operational efficiencies and a stronger security posture overall.
- Assessment Cadence: To maintain a proactive cyber risk posture, our SMB and nonprofit customers often conduct in-depth EASMs quarterly or after significant changes, like a new cloud deployment.”
– Sean Mahoney, Vice President at Netswitch Technology Management
“Some customers are performing this discovery twice a month, while others have daily discovery enabled, depending on the size of the public-facing presence. Known domains and IPs that are confirmed to belong to our customers are catalogued in the ASM asset inventory, with suggested domains populating in a separate section of the tool. These suggested domains are analyzed and reviewed to determine if they do belong to our customers, and if so, are added to the asset inventory within the solution.
To stay apprised of your public-facing presence, we recommend leveraging available tools to perform ongoing/near-real-time analysis.”
– Kendra Vicars, Risk and Compliance Manager at Legato Security
“Frequency of discovery and assessments varies depending on customer needs, but typically we recommend at least a monthly assessment. Some of our more at-risk customers receive weekly assessments and reports. In theory, assets are inventoried based on scan results and are tracked in a spreadsheet by hostname, IP address, device description, etc., and maintained by both us and the customer. In practice, most customers do not have enough IT resources to keep these lists up to date, so the list is maintained to the best of our ability and provided back to the customer for their reference.”
– Thomas Cumberland, Tier 3 Senior Analyst at Cyber Sainik
4. What type of findings have you helped your customers catch when focusing on EASM?
Proactive attack surface assessments reveal hidden risks like shadow IT, misconfigurations, and overlooked vulnerabilities. With tools like NetSPI EASM, organizations can uncover exposures, resolve gaps, and strengthen their security posture.
“We’ve actually helped customers find shadow IT, misconfigured clouds, exposed dev systems, and unpatched software. API vulnerabilities are another area where the speed at which we ID these is most helpful.”
– Sean Mahoney, Vice President at Netswitch Technology Management
“We have identified unusual open ports that were out of the norm for the most common ones, which the customers were not looking for or monitoring. We have identified unmanaged assets that the organizations believed to be decommissioned or brought down, but were, in fact, still up and running. And through deeper probing of identified assets, we have found critical severity vulnerabilities that were otherwise not reported on and left un-remediated for a substantial period of time.”
– Kendra Vicars, Risk and Compliance Manager at Legato Security
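Pulling together the workflow the contributors describe above (a living inventory updated by each discovery scan, suggested hosts held aside until ownership is confirmed, assets believed decommissioned but still responding, and alerting on certificate expiry, deprecated TLS versions and unexpected open ports), here is an added Python example. It is not code from NetSPI or any contributor's platform; the inventory, hostnames, IPs, ports and thresholds are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not real assets): the prior living inventory and one
# fresh discovery scan, shaped like what an EASM tool emits for a domain and IP range.
INVENTORY = {
    "www.example.test": {"ip": "203.0.113.10", "status": "active"},
    "old-app.example.test": {"ip": "203.0.113.20", "status": "decommissioned"},
}
SCAN = [
    {"host": "www.example.test", "ip": "203.0.113.10", "ports": [443],
     "tls": ["TLSv1.2", "TLSv1.3"], "cert_expires": "2025-02-01", "self_signed": False},
    {"host": "old-app.example.test", "ip": "203.0.113.20", "ports": [443, 8443],
     "tls": ["TLSv1.0", "TLSv1.2"], "cert_expires": "2024-11-01", "self_signed": True},
    {"host": "dev-api.example.test", "ip": "203.0.113.30", "ports": [22, 443],
     "tls": ["TLSv1.2"], "cert_expires": "2026-01-01", "self_signed": False},
]
EXPECTED_PORTS = {80, 443}  # assumed baseline for public web hosts
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def reconcile(inventory, scan, today, expiry_window_days=30):
    """Fold a discovery scan into the living inventory; return (host, finding) pairs."""
    today = date.fromisoformat(today)
    findings = []
    for asset in scan:
        host, entry = asset["host"], inventory.get(asset["host"])
        if entry is None:
            # Unknown host: park it as a suggestion until ownership is confirmed.
            inventory[host] = {"ip": asset["ip"], "status": "suggested"}
            findings.append((host, "suggested: confirm ownership before adding"))
        elif entry["status"] == "decommissioned":
            findings.append((host, "believed decommissioned but still responding"))
        inventory[host]["last_seen"] = today.isoformat()
        for proto in sorted(set(asset["tls"]) & DEPRECATED_TLS):
            findings.append((host, f"deprecated protocol {proto}"))
        if asset["self_signed"]:
            findings.append((host, "self-signed certificate"))
        days_left = (date.fromisoformat(asset["cert_expires"]) - today).days
        if days_left < 0:
            findings.append((host, "certificate expired"))
        elif days_left <= expiry_window_days:
            findings.append((host, f"certificate expires in {days_left} days"))
        for port in sorted(set(asset["ports"]) - EXPECTED_PORTS):
            findings.append((host, f"unexpected open port {port}"))
    return findings


if __name__ == "__main__":
    for host, finding in reconcile(INVENTORY, SCAN, date.today().isoformat()):
        print(f"{host}: {finding}")
```

Each run both updates `last_seen` on every responding asset (so hosts that stop appearing can later be flagged as stale) and returns the alerts a team would triage.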
“Most assessments do not find critical issues. Typical findings are misconfigurations involving deprecated settings such as weak encryption algorithms, old versions of TLS/SSL, or certificate issues such as self-signed or expired certificates.
We have had uncommon instances of discovering administrative pages accessible to the general internet and ports and services unintentionally left open. Most of these findings have been in the environment for months with the client unaware until we perform an assessment for them.
The more severe instances customers typically fix right away. Some of the medium-level findings take longer to remediate, as these are often symptoms of using older applications or hardware that do not (easily) support the newest security standards, and clients are often hesitant to spend money fixing an issue that is considered a “medium” severity.”
– Thomas Cumberland, Tier 3 Senior Analyst at Cyber Sainik
“We utilize our enterprise risk platform for organizations with medium to low external risk and exposure. For all others, we utilize NetSPI. We can verify our management of their known attack surface through our enterprise risk management platform. New exposures are identified regularly and addressed.”
– Michael Yates, CISO at All Lines Tech
5. How much time do your customers typically spend on these activities?
NetSPI’s Partners explain that smaller teams often spend limited time on external attack surface management, relying on MSSPs or vulnerability management services for support. Effort levels vary by an organization’s size and maturity, with more mature enterprises dedicating more resources, while smaller or less mature organizations remain reactive and depend on outside expertise.
“Our more mature customers, because they have well-defined processes, may spend 5-10 hours/week on EASM coordination. But because we work with a lot of smaller and non-profit organizations, they are not mature in their processes, so we see them being reactive, oftentimes with twice as many resources.”
– Sean Mahoney, Vice President at Netswitch Technology Management
“Most of the teams we have worked with are fairly small; typically fewer than 5 people, and often fewer than 3. As such, they do not tend to spend much time on these activities, as they are usually busy with other business activities. It is not uncommon for security staff to serve dual roles as IT staff, which consumes most of their time.
I would estimate most smaller businesses spend only a few hours a month on external attack surface management, unless they have delegated the remediation to an MSSP on their behalf.”
– Thomas Cumberland, Tier 3 Senior Analyst at Cyber Sainik
“Our mid-market to SMB customers do not spend much time on these activities as we manage them on a continuous basis. Our enterprise customers and those with higher exposures spend some time managing their attack surface, though not enough. The emergence of attack surface management solutions and services like NetSPI is an important step to reducing risk before it is realized.”
– Michael Yates, CISO at All Lines Tech
“We have worked with customers of all sizes, from small business to enterprise level. Our customers are able to offboard much of the ASM process to our vulnerability management team, who handles most of the review and analysis for them.
Some time is required by the customer to either secure a public-facing asset, remediate a vulnerability, or to confirm whether a new suggestion does belong to their organization. Otherwise, our vulnerability management team will perform most of the leg work and provide high-level monthly (or more as needed) reporting to keep the organization apprised of findings and activities.”
– Kendra Vicars, Risk and Compliance Manager at Legato Security
6. Where does external attack surface visibility fall among all the other priorities your customers face? What is the top priority this year?
External attack surface visibility ranks differently in priority across organizations, influenced mostly by size and maturity. Enterprises tend to prioritize it more because of an abundance of high exposure risks. Increasingly, companies are turning to third-party experts to support their vulnerability management.
“Because your public-facing presence is available to the entire world, we do find that external attack surface management is a high priority for many of our customers. The top priority we are seeing in the last year has been a heavy emphasis on reducing the public exposure, including assets and open ports, as well as identifying and addressing critical and high severity critical facing vulnerabilities.”
– Kendra Vicars, Risk and Compliance Manager at Legato Security
“Netswitch makes every effort to place EASM as a top-three priority for our customers, especially our customers in financial services, healthcare, and hospitality. In these orgs, external exposure directly correlates with the likelihood of a breach. However, it often competes for resources with other priorities such as insider threat detection, IP security, or meeting compliance requirements.”
– Sean Mahoney, Vice President at Netswitch Technology Management
Securing Today’s Attack Surface
Proactive attack surface management is essential to stay ahead of evolving cyber threats. The insightful contributions from NetSPI Partners highlight the critical role of expert guidance and collaboration in shaping tailored strategies for organizations.
Leveraging advanced tools, industry expertise, and adaptive approaches ensures security teams gain visibility, reduce risks, and strengthen their overall defenses. Check out the solution brief for NetSPI EASM.
This article was written in collaboration with NetSPI’s Partners. Learn more about becoming a NetSPI Partner.