Kriativ-tech Volume 1, Issue 11, Edition No. 11 – 14-12-2025

Authors

Ivo Ricardo Dias Rosa, Invited Assistant Professor, ISTEC Lisboa - Instituto Superior de Tecnologias Avançadas Lisboa, Portugal

To cite this article

Ivo Ricardo Dias Rosa, "Attack surface management (ASM): Strategic pillar of modern cybersecurity operations"

Abstract

In an increasingly dynamic digital landscape, the expansion of the attack surface has become one of the foremost challenges for modern cybersecurity. Traditional perimeter-based defense models are no longer sufficient in the face of distributed digital assets, widespread cloud adoption, and the proliferation of connected devices. In this context, Attack Surface Management (ASM) emerges as a strategic pillar, enabling organizations to adopt a proactive stance in identifying, monitoring, and mitigating cyber risks. This article explores the core principles of ASM, outlining key categories of the attack surface and addressing both EASM (External Attack Surface Management) and CAASM (Cyber Asset Attack Surface Management) approaches. Strategic benefits—such as continuous visibility, integration with Security Operations Centers (SOCs), and risk-based prioritization—are discussed, along with technical and operational challenges tied to ASM implementation. Practical use cases and performance indicators are presented to support effective exposure management. Ultimately, ASM is positioned as a cybersecurity maturity accelerator, essential for building a resilient and adaptive security posture aligned with regulatory demands and business continuity imperatives in an ever-evolving digital ecosystem.

Keywords

Attack Surface Management (ASM), External Attack Surface Management (EASM), Shadow IT, Threat Intelligence, Risk-Based Prioritization, Cybersecurity Maturity, CI/CD Security, Security Operations Center (SOC), Exposure Management, Regulatory Compliance.
