book

Attack Surface Management

by Ron Eddings, MJ Kaufmann

May 2025

Intermediate to advanced

300 pages

9h 37m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhat You Need to KnowWhy We Wrote This BookWhat You’ll LearnNavigating This BookHow to Use This BookConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgmentsRon EddingsMJ Kaufmann
I. Foundations of ASM
1. Laying the Groundwork: An Overview of Attack Surface Management
Attack Surface Management: What It Is and Why It MattersWhat Do We Mean by Attack Surface?Attack Vectors Versus Attack SurfacesWhat Is Attack Surface Management?The Components of ASMIdentificationClassificationPrioritizationRemediationAdaptingMonitoringThe Strategic Role of ASM in CybersecurityAdopting the Attacker’s PerspectiveChanging Your Point of ViewProactive Strategy: Playing AttackerASM Use Cases and Security ChallengesVisibility ChallengesAsset ManagementAsset IntelligenceShadow ITManaging RiskIncident Response and PrioritizationPolicy EnforcementCompliance and Regulatory PressuresSummary
2. Types of Attack Surfaces
The Ever-Expanding Organizational Attack SurfaceTraditional IT ComponentsLegacy VirtualizationModern IT ComponentsModern VirtualizationIoTWebsitesCertificatesCloudCloud ProvidersCloud WorkloadsContainersCloud-Based ApplicationsDataConfiguration ManagementSaaSSaaS ManagementIdentityUsersData Access Across PlatformsIdentity and Access Management ChallengesSupply ChainSoftware DevelopmentApplicationsCertificatesBYOD and MobileArtificial IntelligenceAI Models and Neural Network ArchitectureAI Pipelines and InfrastructureAI User Interfaces and APIsSummary
3. How the Attack Surface Relates to Risk
Measuring RiskQualitative RiskExamplesBenefitsChallengesQuantitative RiskExamplesWalkthrough: Practical Application of Quantifying RiskBenefitsChallengesDetermining the Right FitData and Complexity ConsiderationsResource and Capability ConsiderationsPurpose and Stakeholder ConsiderationsShould I Use a Mix?Example: Choosing the Right MethodRisk FrameworksNISTISOITIL v4COSO ERMOCTAVECommunicating Risk to Your Business TeamKnow Your AudienceTechnical Jargon Confuses Business TeamsHow to Translate Technical Risk to Business LanguageManaging Excuses for Poor CommunicationSummary
II. Identification and Classification
4. Identification and Classification of Assets
IdentificationAsset InventoryWhy Maintaining Inventory Is Foundational in ASMIdentifying Asset Inventory SolutionsDiscovery of AssetsClassification for Asset EnrichmentAsset Type DetailsConfiguration DataData ClassificationUsage InformationLocation and Environmental DataInterdependenciesSecurity PostureLife Cycle StatusIntegrating Asset Enrichment with Business StrategyBetter PrioritizationAccurate InventorySoftware Licensing TrackingCompliance Audit EvidenceSummary
5. Automating Asset Discovery
Importance of Automating Asset DiscoveryBreadth of EnterprisesCloud ComplicationsTypes of Automated Asset DiscoveryNetwork ScanningCloud AnalysisAPI IdentificationData DiscoveryChallenges in Automated DiscoveryFeatures That Deliver High ROISearch CapabilitiesData PresentationAnalytics and ReportingAdvanced FeaturesSummary
III. Prioritization and Remediation
6. Prioritization and Crown Jewel Analysis
Understanding PrioritizationComparisons to Other Strategic ProcessesImportance of PrioritizationPrioritization CriteriaValue to the OrganizationOperational ImpactData Sensitivity and ClassificationObtaining Business ContextMapping Business FunctionsTools and Techniques for MappingImpact AssessmentDetermining Actual PrioritizationDetermining Crown JewelsPeriodic Review and Update of Crown JewelsIdentifying Other High-Value AssetsRanking Everything ElseSummary

7. Measuring Attack Surface
Attack Surface AnalysisHow Does ASA Work?How ASA Enhances Security PostureInternal and External Attack SurfacesInternal Attack Surface AnalysisExternal Attack Surface AnalysisAreas of OverlapTools for Assessing Attack SurfacesThreat ModelingThreat Modeling Informs Risk ManagementThreat Modeling MethodologiesWhich to Use?Integrating Threat Modeling with Attack Surface MappingHow Threat Modeling Improves Attack Surface ManagementHow ASM Complements Threat ModelingSummary
8. Remediation
Assessing the Remediation NeedIdentifying the Severity of VulnerabilitiesAssessing Potential ImpactCost-Benefit Analysis of RemediationPrioritization of FindingsEase of ExploitationDiscoverabilityAttacker PriorityRemediation ComplexityRemediation StrategiesValidation of Remediation EffortsFeedback Loop with StakeholdersMonitoring for Unexpected Issues or Collateral DamageDocumentation and ReportingSummary
IV. Adapting and Monitoring
9. Minimizing Attack Surfaces
How to Minimize Attack SurfacesStrategic MethodsTactical TechniquesSummary
10. Continuous Monitoring and Management
The Dynamic Nature of Digital EcosystemsTechnological Shifts and New IntegrationsImpact of Organizational Changes on the EcosystemSetting Alert ThresholdsDifferentiating Between False Positives and Legitimate ThreatsCalibrating and Fine-Tuning ThresholdsIncorporating Contextual Awareness in AlertsIntegrating with Incident ResponseCoordinating Monitoring with Incident Response TeamsSimulating Breach ScenariosRapid Response and Mitigation StrategiesPeriodic Reviews and AuditsScheduling Regular Vulnerability ScansReevaluating Remediation Efforts and EfficacyReassessing Asset PrioritiesFeedback Loops and Continuous ImprovementEncouraging Cross-Team CollaborationLeveraging Lessons Learned from Past IncidentsAdapting Monitoring Strategies Based on FeedbackAutomation and AI in Continuous MonitoringBenefits of Automated Monitoring ToolsRole of AI in Threat Detection and AnalysisBalancing Automation with Manual OversightSummary
11. The Future of Attack Surface Management
Emerging Trends in Attack Surface ManagementAI and Machine Learning in ASMQuantum ComputingEdge Computing ChallengesEvolving Challenges in CybersecurityStaying Ahead in ASM Practices and TechnologiesContinuous Learning and Skill DevelopmentStay Hungry, Never Give Up
Index
About the Authors

Content preview from Attack Surface Management

Preface

Cybersecurity is a never-ending race—one where the finish line keeps moving. Every time we think we’ve secured our systems, attackers find new ways in. Every innovation, convenience, cloud service, or connected device we adopt opens up new opportunities—not just for businesses but also for adversaries. This is where attack surface management (ASM) comes in.

ASM isn’t just another security buzzword; it’s a fundamental shift in how organizations approach cybersecurity. In a world where digital transformation is happening at breakneck speed, the old ways of securing networks and endpoints are no longer enough. Our attack surfaces have evolved from a handful of well-defined servers and firewalls to a sprawling, interconnected ecosystem of cloud environments, third-party SaaS applications, APIs, IoT devices, remote workforces, and supply chain dependencies. The modern attack surface is vast, fragmented, and constantly changing. Everything that it encompasses is a prime target for cybercriminals looking for gaps in our defenses.

But the challenge isn’t just about scale—it’s about visibility. Security teams are drowning in alerts and vulnerabilities, trying to protect assets that in some cases they don’t even know exist. ASM provides the strategic framework to cut through the noise, helping organizations discover, analyze, and manage their exposure before attackers can exploit it.

By understanding and actively managing your attack surface, you’re not just reacting to threats ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098165079Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Attack Surface Management

by Ron Eddings, MJ Kaufmann

Preface

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.