CAASM and EASM: Top 12 attack surface discovery and management tools

Cyber asset attack surface management (CAASM) and external attack surface management (EASM) solutions are designed to quantify the attack surface, then minimize and harden it. The goal of CAASM tools is to give the adversary as little information about the security posture of the business as possible while still maintaining critical business services.

If you’ve ever watched a heist film, step one in executing the score of the century is casing the place: observing security measures, measuring response times, and mapping out escape routes. This process is similar to both attacking and protecting enterprise IT resources: Gain knowledge of publicly visible resources on the internet, learn what makes up the technology stack, and find vulnerabilities and weaknesses.

Basics of the attack surface management

The attack surface is the entirety of corporate resources – also known as assets – accessible from the internet in some form. This could be applications hosted on-premises with ports opened through the corporate firewall, SaaS applications hosted in the cloud, or any number of cloud-hosted resources with a public presence. The attack surface includes things like open ports and protocols, SSL and cryptographic standards being used, applications being hosted, and even the server platforms hosting the application.

The units that make up the attack surface are referred to as assets. They are the IP address or domain name, coupled with the technology stack that makes up the application or service.

Vulnerabilities are configuration deficiencies or unpatched software that leave the door open for a malicious user to compromise one or more systems.

While attack surface management is primarily focused on assets on the public-facing internet, assets within the bounds of a corporate data center or cloud network can also put a business at risk if not properly monitored and managed. Because these assets are not reachable by outside entities, monitoring them requires either a software agent or a way for the monitoring service to reach into your network.

Servers and applications often have a soft underbelly when viewed from within the corporate network. Any monitoring tool must evaluate a wider range of services and, in many cases, test the services as both an anonymous user and one that’s authenticated to the network.

CAASM and EASM tools for attack surface discovery and management

Periodic scans of the network are no longer sufficient for maintaining a hardened attack surface. Continuous monitoring for new assets and configuration drift is critical to ensuring the security of corporate resources and customer data.

New assets need to be identified and incorporated into the monitoring solution as soon as they appear, since they could be part of a brand-impersonation attack or shadow IT. Configuration drift could be benign and part of a design change, but it also has the potential to be the result of human error or the early stages of an attack. Identifying these changes early allows the cybersecurity team to react appropriately and mitigate any further damage.
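The snapshot comparison behind continuous monitoring, shown as an added example (not code from any vendor on this page): two constructed external-scan snapshots of example.com hosts are diffed to surface new assets, newly opened ports, weak TLS versions that have appeared, and certificates nearing expiry, then ordered so the drift that widens exposure is handled first.

```python
"""Flag new assets and configuration drift between two attack-surface snapshots.

Added example, not from any vendor on the page. Each snapshot maps an asset
(hostname) to what an external scan observed: open ports, TLS versions offered
and certificate expiry. The snapshots below are constructed sample data.
"""
from datetime import date

BASELINE = {  # constructed: last week's scan
    "www.example.com": {"ports": {443}, "tls": {"TLSv1.2", "TLSv1.3"}, "cert_expires": "2025-09-01"},
    "mail.example.com": {"ports": {25, 587}, "tls": {"TLSv1.2"}, "cert_expires": "2025-03-15"},
}
CURRENT = {  # constructed: today's scan
    "www.example.com": {"ports": {443, 8080}, "tls": {"TLSv1.0", "TLSv1.2", "TLSv1.3"}, "cert_expires": "2025-09-01"},
    "mail.example.com": {"ports": {25, 587}, "tls": {"TLSv1.2"}, "cert_expires": "2025-03-15"},
    "staging.example.com": {"ports": {22, 80}, "tls": set(), "cert_expires": None},  # unknown host: shadow IT?
}

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Lower number = handle first; drift that widens exposure outranks inventory bookkeeping.
SEVERITY = {"weak_tls_enabled": 1, "new_port": 2, "new_asset": 2, "cert_expiring": 3, "tls_changed": 4, "asset_gone": 5}

def diff_snapshots(baseline, current, today, cert_warn_days=30):
    """Return (kind, host, detail) findings, highest severity first."""
    findings = []
    for host in current.keys() - baseline.keys():          # an asset we did not know about appeared
        findings.append(("new_asset", host, sorted(current[host]["ports"])))
    for host in baseline.keys() - current.keys():          # asset vanished: decommissioned or DNS change
        findings.append(("asset_gone", host, None))
    for host in current.keys() & baseline.keys():          # configuration drift on known assets
        old, new = baseline[host], current[host]
        for port in sorted(new["ports"] - old["ports"]):
            findings.append(("new_port", host, port))
        for proto in sorted(new["tls"] - old["tls"]):
            kind = "weak_tls_enabled" if proto in WEAK_TLS else "tls_changed"
            findings.append((kind, host, proto))
    for host, asset in current.items():                    # expiry is a risk even with no drift at all
        if asset["cert_expires"]:
            days_left = (date.fromisoformat(asset["cert_expires"]) - today).days
            if days_left <= cert_warn_days:
                findings.append(("cert_expiring", host, days_left))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))

if __name__ == "__main__":
    for kind, host, detail in diff_snapshots(BASELINE, CURRENT, date(2025, 3, 1)):
        print(f"{kind:18} {host:22} {detail}")
```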

Here are 12 tools to help discover and manage attack surface risks.

Axonius Cyber Asset Attack Surface Management

Axonius offers a robust CAASM suite that touches all the key factors for monitoring the attack surface. It starts with an asset inventory which is updated automatically and fleshed out with context from both internal data sources and resources Axonius has access to outside a user’s network. It can also perform monitoring based on security controls from policy sets such as PCI or HIPAA, identifying configurations or vulnerabilities that equate to policy violations, allowing the user to take action to resolve the finding. Pricing on AWS marketplace for the entire Axonius cloud starts at $90,000 per year for 500 assets.

Bugcrowd EASM

Bugcrowd acquired Informer’s EASM product in May 2024 and has integrated it into its security platform. It automates asset discovery across web applications, APIs, and other aspects of the public-facing business IT stack. These assets are monitored continuously, with any risks identified being prioritized in real time. Informer offers add-on services to perform manual risk validation and even pen testing. The workflow-based response system facilitates incorporating multiple teams into incident response by integrating with existing ticketing and communication applications. Once identified threats have been mitigated, retesting can be initiated immediately to validate that the configuration change or system update has fully remediated the risk.

CrowdStrike Falcon Exposure Management

CrowdStrike has transformed Falcon Surface from a standalone EASM tool into a core part of Falcon Exposure Management, adding AI-native code to proactively identify and eliminate enterprise risk. The software goes beyond alert identification to use adversary-driven AI to deliver real risk reduction. It can correlate exposures with business context, validate exploitability, and enable direct remediation in Falcon. Enterprises can get an outside-in view of their attack surface and discover internet-connected assets using a variety of techniques, including active, passive, and API-based scans. Using a proprietary and continuously running internet mapping technology, its engine can determine location information and see real-time changes. Customers are seeing up to 98% fewer critical vulnerabilities and 75% smaller external attack surfaces. Specific pricing is not available, and this tool is not part of its enterprise software bundle. It can be purchased as a subscription license on a per managed endpoint basis, with unmanaged asset coverage included at each tier. The above link also has an interactive demo.

CyCognito Attack Surface Management

CyCognito’s CAASM product provides continuous monitoring and inventory of assets whether they reside on-premises, in the cloud, with a third party, or through a subsidiary. Business context such as ownership and relationships between assets can be added to facilitate the triage process and aid in prioritizing response to risk. This context and intelligent prioritization (evaluating things like ease of exploitation and asset classification) helps focus on the most critical risks to the network. CyCognito also tracks configuration drift on assets, enabling a view of change history and identifying new risks to the corporate infrastructure. Pricing on AWS marketplace is $30,000 per year for 250 assets.

JupiterOne Cyber Asset Attack Surface Management

JupiterOne bills its CAASM solution as a way to seamlessly aggregate cyber asset data into a unified view. Context is added automatically where appropriate, and asset relationships can be defined and optimized to enhance vulnerability analysis and incident response. Custom queries allow the cybersecurity team to answer complex questions, while asset inventory can be browsed using an interactive visual map, enabling evaluation of incident scope and prioritization of response. Your existing investments into security tools can be leveraged using integrations, turning JupiterOne into a holistic centralized view into your corporate security posture. Pricing on AWS marketplace is based on company size and starts at $24,000 per year for up to 500 employees.

Microsoft Defender External Attack Surface Management

Microsoft Defender EASM provides discovery of unmanaged assets and resources, including those deployed by shadow IT and assets residing in other cloud platforms. Once assets and resources are identified, Defender EASM probes for vulnerabilities at every layer of the technology stack, including the underlying platform, app frameworks, web applications, components, and core code. It can quickly remediate vulnerabilities in newly discovered resources by categorizing and prioritizing vulnerabilities in real time as they’re discovered. It integrates with Microsoft’s Security Copilot and Exposure Management to obtain snapshots of the attack surface. Defender EASM has enhanced and more actionable data dashboards. It is priced at a penny per month per managed asset.

Outpost24 EASM

Outpost24 acquired Belgian software company Sweepatic and has incorporated its EASM tool into its collection of threat intelligence, data leakage and pen testing modules. Its EASM software is available either directly or as a managed service and can collect data either passively, using DNS and other TCP/IP details, or through direct connections to cloud providers such as AWS and Azure along with other major software players such as ServiceNow, Slack, Axonius and Atlassian’s Jira. Pricing starts at $17,000 per year and is based on the number of assets under management and other factors such as integration with its other security modules.

Palo Alto Networks Cortex Xpanse

Xpanse is part of Palo Alto’s XSIAM product suite but can be purchased separately. There is a slightly smaller feature set on the standalone product. It came out of a 2020 acquisition, and it has been tightly integrated into the Palo Alto universe of XSOAR and other XSIAM modules, including playbook automations and remediations. It also supports integration with third-party tools such as Qualys, Jira, and ServiceNow. The product comes with an impressive array of pre-built detection rules, widgets to assist in constructing queries and discovery routines, and numerous data dashboards that can be customized for particular audiences.

Rapid7 Surface Command

Surface Command is just one of numerous modules offered by Rapid7 that include vulnerability and incident management and cloud-native security. It unifies threat exposure, detection, and response, and is designed to provide a continuous bird’s-eye view of vulnerabilities from endpoint to cloud to close security gaps and prevent attacks. It is designed to eliminate blind spots and to help accelerate response and remediation. It also includes agentic AI features that are designed for security operations staff to guide threat response. It is priced on a complex calculator based on the average number of monitored assets, and free trials are available.

RiskProfiler.io EASM

RiskProfiler uses a single platform that manages all external threats, including the dark web, digital monitoring, tracking emerging hacking campaigns, vulnerabilities and supply chain attacks. These threats are tied together with agentic AI tools to provide a unified threat corpus. The product has 13,000 rules pre-installed that bridge both open source and its own proprietary algorithms. One module analyzes vendor third-party risk assessments as part of its threat intelligence. It comes with a customizable management dashboard to show various views. Pricing is based on the number of assets under management, which modules are deployed (such as choosing continuous assessments versus discrete scheduled ones) and whether it is purchased directly or through a managed services partner.

SOCRadar AttackMapper

SOCRadar is a general-purpose threat intelligence tool that attempts to give users an attacker’s-eye view of assets through AttackMapper. It uses agentic-based threat intel to set up smart workflows, and it also performs dynamic monitoring of assets in real time, identifying new or changed assets and analyzing those changes for potential vulnerabilities. SOCRadar correlates its findings with known vulnerabilities and attack methods to bring context to the decision-making and triage process. AttackMapper does more than monitor endpoints and software vulnerabilities: SSL weaknesses and certificate expiration, and even DNS records and configuration, are fair game. Even website defacement can be identified by AttackMapper to protect brand reputation, and there are other modules for dark web and blockchain monitoring, data leak protection and domain takedowns. There is a free edition, and paid versions start at $8,000/year and are based on the size of the digital footprint.

Tenable ASM

Tenable’s ASM tool is part of its integrated One exposure management platform that can collect data to help visualize attack paths, evaluate vulnerabilities, and understand the larger threat landscape. Tenable’s unified approach provides security teams with an up-to-date inventory and exposure context needed to confidently identify, prioritize and eliminate risk. It can easily categorize assets using 200 fields of metadata, severity ranking and comprehensive filtering to make informed decisions. It can monitor infrastructure changes to gain an up-to-date view of your assets as your attack surface changes.

Questions to ask potential vendors

“The days of imagining your attack surface as static and easily tracked are gone. The state of your attack surface changes in sometimes imperceptible ways,” wrote Palo Alto Networks’ Unit42 in a 2023 threat report. This means potential ASM buyers need to understand how these changes happen and how they can neutralize them. Here are some questions to ask your team and the vendors about their ASM offerings:

Do we need a cyber or external-based ASM tool? It depends on whether you are looking for the enemy within or without, and on the proportion of your infrastructure that is on-premises.

How much automation is used and how effective is it? Does the ASM tool discover all your vulnerable assets, including digital certificates, exposed user credentials, and other internet-facing servers and services? What metadata and other details, such as open TCP/IP ports and network shares, are part of this discovery?

Once vulnerabilities are found, how are they remediated? Are they automatically fixed or is some human action required?

Does the ASM tool perform continuous monitoring, and how are these changes reported?

What vulnerabilities are shared and how are they shared or integrated with other SOC tools?

Are there different dashboards for management and other consumers of ASM results to make the tool more actionable and useful to these different audiences, such as the cloud security team and security auditors?

Finally, make sure you understand the vendor’s pricing. Most have complex usage-based pricing that is more of a custom quote and very few offer public and transparent pricing.
