What Is External Attack Surface Management?
External attack surface management explained for UK IT and security teams. Covers how EASM works, what it finds, and how to evaluate tools.
What is external attack surface management?
An organisation’s external attack surface is the sum of every digital asset reachable from the public internet. This includes websites, APIs, mail servers, DNS records, cloud services, SaaS integrations, and any other system that accepts inbound connections or is resolvable via DNS.
The challenge is that most organisations do not have a complete inventory of these assets. Teams create subdomains for staging environments, spin up cloud instances for testing, deploy third-party tools with default configurations, and integrate SaaS platforms that create DNS records — all without informing the security team. According to ESG Research, 2024, 69% of organisations have experienced a cyberattack that began with an unknown, unmanaged, or poorly managed internet-facing asset.
EASM addresses this visibility gap. Rather than relying on an internal asset register, it scans from the outside — the same perspective an attacker has — and builds a live inventory of everything that is exposed.
How does external attack surface management work?
The EASM process follows a continuous cycle of four stages:
1. Discovery. The platform starts with one or more root domains and discovers associated assets through multiple techniques:
- DNS enumeration — brute-forcing and passive collection of subdomains (staging.example.com, api.example.com, old-blog.example.com)
- Certificate transparency log analysis — querying public CT logs for every SSL/TLS certificate ever issued for the domain
- WHOIS and registration data — identifying related domains and IP ranges
- Passive DNS aggregation — collecting historical DNS resolution data from threat intelligence feeds
2. Fingerprinting. Each discovered asset is probed to determine what software it runs, what services it exposes, and how it is configured. This includes:
- Port scanning to identify open TCP/UDP services
- HTTP header analysis to detect web server software and frameworks
- TLS configuration inspection for certificate validity, cipher strength, and protocol versions
- Login page fingerprinting to identify admin panels and management interfaces
3. Risk assessment. Discovered assets are evaluated against multiple risk categories. Findings are classified by severity and mapped to remediation guidance.
4. Continuous monitoring. The cycle repeats automatically — typically daily or weekly — to detect new assets, track changes, and identify newly disclosed vulnerabilities affecting known software.
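The discovery and continuous-monitoring stages above, as an added illustration (example code, not SurfaceLoop's own): the script extracts in-scope hostnames for a root domain from constructed certificate-transparency records modelled on crt.sh's JSON output (field names assumed), skips wildcard entries and look-alike domains, then diffs the result against the previous scan's inventory to surface new assets.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (field names assumed);
# not real certificate-transparency data. Entry 3 contains a look-alike domain.
CT_ENTRIES_JSON = """[
  {"issuer_name": "O=Let's Encrypt", "name_value": "staging.example.com\\napi.example.com"},
  {"issuer_name": "O=DigiCert",      "name_value": "*.example.com\\nexample.com"},
  {"issuer_name": "O=Let's Encrypt", "name_value": "old-blog.example.com\\nexample.com.attacker.net"}
]"""


def in_scope(name: str, root: str) -> bool:
    """True only when name is root or a subdomain of root. A look-alike such as
    example.com.attacker.net contains 'example.com' but is not in scope."""
    name = name.lower().rstrip(".")
    return name == root or name.endswith("." + root)


def hosts_from_ct(entries_json: str, root: str) -> set[str]:
    """Discovery stage: collect every concrete hostname for root named in CT records.
    name_value may hold several SAN entries separated by newlines."""
    found = set()
    for entry in json.loads(entries_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if not name or name.startswith("*."):   # wildcards name no concrete host
                continue
            if in_scope(name, root):
                found.add(name)
    return found


def diff_inventory(previous: set[str], current: set[str]) -> dict[str, set[str]]:
    """Continuous-monitoring stage: hosts that appeared or vanished since the last scan."""
    return {"new": current - previous, "gone": previous - current}


if __name__ == "__main__":
    known = {"example.com", "api.example.com"}        # constructed prior inventory
    current = hosts_from_ct(CT_ENTRIES_JSON, "example.com")
    print(diff_inventory(known, current))
```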
How SurfaceLoop handles this
SurfaceLoop runs this full cycle continuously across your root domains. Discovery starts within minutes of entering your domain, and initial results are typically available within two to four hours. No agents, network changes, or firewall rules are required — SurfaceLoop scans entirely from the outside.
What does EASM detect?
The specific risk categories vary between platforms, but most EASM tools cover the following:
| Risk Category | What It Covers | Example Findings |
|---|---|---|
| Open ports and services | TCP/UDP ports accepting connections | SSH on port 22, database on 3306, RDP on 3389 |
| Exposed web panels | Admin interfaces reachable from the internet | phpMyAdmin, Jenkins, cPanel, Grafana dashboards |
| TLS certificate issues | Certificate validity and configuration | Expired certificates, weak ciphers, self-signed certs |
| Security headers | HTTP response header configuration | Missing CSP, HSTS, X-Frame-Options |
| Known CVEs | Vulnerabilities in detected software versions | Outdated Apache, unpatched WordPress plugins |
| DNS and email security | SPF, DKIM, DMARC, and DNS configuration | Missing DMARC policy, permissive SPF records |
| Subdomain discovery | Forgotten, shadow, and takeover-vulnerable subdomains | Dangling CNAME records, development environments |
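The risk-assessment stage for the DNS/email and security-header categories in the table, as an added example (not SurfaceLoop's code): constructed SPF, DMARC and HTTP header data for example.com is classified by severity. The header set, severity levels and message strings are assumptions for this example.

```python
# Constructed sample data for example.com (not real DNS answers or HTTP responses).
SPF_RECORD = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 +all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
RESPONSE_HEADERS = {"Server": "Apache", "Content-Type": "text/html", "X-Frame-Options": "DENY"}

# Header set and severities are assumptions for this example, not a platform's policy.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "high",
    "Content-Security-Policy": "medium",
    "X-Frame-Options": "low",
}
SEVERITY_ORDER = ["high", "medium", "low"]


def assess_spf(record: str) -> list[tuple[str, str]]:
    """Empty string means no SPF TXT record. The last 'all' term decides what
    happens to mail from senders not matched earlier in the record."""
    if not record.lower().startswith("v=spf1"):
        return [("high", "no SPF record")]
    all_terms = [t.lower() for t in record.split() if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        return [("medium", "SPF has no 'all' mechanism; unlisted senders are neutral")]
    if all_terms[-1] in ("+all", "all"):
        return [("high", "SPF '+all' permits any sender")]
    if all_terms[-1] == "?all":
        return [("medium", "SPF '?all' is neutral; spoofed mail is not rejected")]
    return []


def assess_dmarc(record: str) -> list[tuple[str, str]]:
    """Empty string means no _dmarc TXT record. p=none only reports; it blocks nothing."""
    if not record.upper().startswith("V=DMARC1"):
        return [("high", "no DMARC record")]
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    policy = tags.get("p", "")
    if policy == "none":
        return [("medium", "DMARC p=none only monitors; spoofed mail is delivered")]
    if policy not in ("quarantine", "reject"):
        return [("high", "DMARC record has no valid p= policy")]
    return []


def assess_headers(headers: dict[str, str]) -> list[tuple[str, str]]:
    present = {k.lower() for k in headers}             # header names are case-insensitive
    return [(sev, f"missing {name}") for name, sev in REQUIRED_HEADERS.items()
            if name.lower() not in present]


def assess_asset(spf: str, dmarc: str, headers: dict[str, str]) -> list[tuple[str, str]]:
    """Risk-assessment stage: merge the category checks and order by severity."""
    findings = assess_spf(spf) + assess_dmarc(dmarc) + assess_headers(headers)
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))
```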
According to Mandiant’s M-Trends 2025 report, the initial access vector in 38% of intrusions they investigated involved exploiting internet-facing applications — exactly the exposure categories EASM is designed to detect.
What is the difference between EASM and vulnerability scanning?
The distinction is fundamental. Vulnerability scanners answer: “Are our known assets patched and configured correctly?” EASM answers: “What assets do we actually have exposed, and are any of them risky?”
| Dimension | Vulnerability Scanning | EASM |
|---|---|---|
| Perspective | Inside the network (authenticated) | Outside the network (unauthenticated) |
| Input | Known asset inventory | Root domain only |
| Discovery | No — scans only listed targets | Yes — finds unknown assets |
| Depth | Deep — checks patches, configs, compliance | Broad — checks exposure and accessibility |
| Agents | Usually requires agents or credentials | No agents or network access needed |
| Frequency | Scheduled (weekly/monthly) | Continuous |
| Best for | Patch management and compliance | Shadow IT discovery and exposure reduction |
Organisations need both. A vulnerability scanner cannot find assets it does not know about. An EASM platform cannot perform the deep, authenticated checks a vulnerability scanner does. They close each other’s blind spots.
What is the difference between EASM and penetration testing?
Penetration testing and EASM serve different purposes at different cadences:
| Dimension | Penetration Testing | EASM |
|---|---|---|
| Nature | Manual, human-led | Automated, continuous |
| Cadence | Annual or quarterly | Daily or weekly |
| Scope | Targeted systems or applications | Entire external surface |
| Output | Exploitation proof and attack narratives | Asset inventory and risk classification |
| Goal | Prove impact, test defences | Maintain visibility, reduce exposure |
| Cost | High (per engagement) | Lower (subscription) |
| Best for | Validating security controls | Ongoing attack surface hygiene |
A common pattern is to use EASM continuously for broad visibility and supplement it with annual or quarterly penetration tests for depth. EASM often provides the reconnaissance data that makes penetration tests more efficient — testers start with a complete asset inventory rather than spending engagement time on discovery.
Which organisations need EASM?
EASM is relevant across sectors and sizes, but certain characteristics make it particularly valuable:
- Multi-cloud and hybrid environments — assets spread across AWS, Azure, GCP, and on-premises infrastructure are difficult to inventory manually
- Organisations with multiple business units — each unit may manage its own domains, subdomains, and cloud accounts independently
- Companies with M&A activity — acquired companies bring unknown infrastructure that may not be integrated into the parent’s security programme
- Regulated industries — financial services, healthcare, and critical infrastructure organisations face compliance requirements that mandate asset visibility
- Managed service providers — MSPs managing infrastructure for multiple clients need visibility across all client attack surfaces
- Any business with a web presence — according to Reposify’s 2024 External Attack Surface Report, organisations with 50 to 200 employees had an average of 140 internet-facing assets, most of which were not documented in formal asset inventories
The question is rarely “do we need EASM?” but rather “how many unknown assets are we currently exposing?” The answer is almost always more than expected.
How do you evaluate EASM tools?
When comparing EASM platforms, consider these evaluation criteria:
Discovery methods. How does the platform find assets? Look for multiple complementary techniques: DNS enumeration, certificate transparency analysis, port scanning, passive DNS, WHOIS correlation, and web crawling. No single technique finds everything.
Risk category coverage. Which categories does the platform assess? Confirm it covers the seven core areas: open ports, web panels, TLS, security headers, CVEs, DNS/email, and subdomains. Some platforms focus narrowly on one or two categories.
Scan frequency and freshness. How often does the platform re-scan? Daily scanning catches changes before attackers do. Weekly is acceptable for most organisations. Monthly is insufficient for dynamic environments.
Accuracy and noise. Does the platform produce actionable findings or drown you in false positives? Ask vendors for false positive rates and how findings are validated.
Integration. Can the platform feed findings into your existing workflow — SIEM, ticketing systems (Jira, ServiceNow), Slack, email alerts? Integration reduces the friction between discovery and remediation.
Time to value. How quickly can you go from signing up to receiving actionable results? Platforms that require lengthy onboarding or complex configuration delay the security benefit.
Pricing transparency. Is pricing based on domains, assets, users, or scan volume? Understand how costs scale as your attack surface grows.
According to Gartner, 2025, by 2027 organisations that deploy EASM as part of their exposure management programme will be three times less likely to suffer a breach from an unknown internet-facing asset than those that rely solely on traditional vulnerability management.
How does EASM fit into a broader security programme?
EASM does not replace existing security tools — it makes them more effective:
- Asset discovery feeds vulnerability management. EASM discovers assets that should be added to vulnerability scanner target lists. Without this feed, unknown assets remain unscanned and unpatched.
- Exposure data informs penetration testing. Penetration testers receive a current, comprehensive asset inventory rather than an outdated spreadsheet. This maximises the value of engagement time.
- Monitoring complements SOC operations. New assets, changed configurations, and newly exposed services are potential indicators of compromise or misconfiguration. EASM findings can be routed to the SOC for investigation.
- Compliance evidence for auditors. EASM provides continuous evidence that the organisation knows its external assets and is monitoring them — a requirement under frameworks like ISO 27001, Cyber Essentials Plus, and SOC 2.
The most effective approach is to integrate EASM into existing workflows rather than treating it as a standalone tool. When EASM findings flow into the same ticketing, alerting, and reporting systems that security teams already use, remediation happens faster and nothing falls through the cracks.
Frequently asked questions
- What is external attack surface management?
- External attack surface management (EASM) is the continuous discovery, monitoring, and assessment of all internet-facing assets an organisation owns. It works from the attacker's perspective, scanning from outside the network perimeter to find exposed services, misconfigurations, and vulnerabilities.
- How does EASM differ from vulnerability scanning?
- Traditional vulnerability scanners run inside the network against known assets. EASM works from the outside, discovering assets the organisation may not know about — shadow IT, forgotten subdomains, development servers — and assessing their exposure before attackers find them.
- What does an EASM tool detect?
- EASM tools typically scan for open ports, exposed admin panels, TLS certificate issues, missing security headers, known CVEs, DNS and email misconfiguration, and forgotten or shadow subdomains.
- How long does EASM take to deploy?
- Most EASM platforms deploy in under 24 hours. They require only a root domain to begin scanning, with no agents, network changes, or firewall rules needed. Initial results are typically available within hours.
- Do small businesses need EASM?
- Any organisation with internet-facing assets benefits from EASM. Small businesses often have proportionally more unmonitored assets because they lack dedicated security teams. EASM automates the discovery process that would otherwise require manual reconnaissance.
- What is the difference between EASM and ASM?
- ASM (attack surface management) is the broader category. EASM specifically focuses on the external attack surface — assets visible from the public internet. Internal ASM covers assets behind the firewall. Most commercial ASM tools focus on the external surface.
- How much does EASM cost?
- EASM tools range from free tiers for basic scanning to enterprise plans at several thousand pounds per month. Pricing typically scales by number of monitored domains, scan frequency, and feature set.