Back to All Blogs

Timothy Stephan


Attack Surface Management

The Case For Attack Surface Management

May 27, 2021

Why Vulnerability Management and Penetration Testing Are No Longer Enough

Building On Themes In The SW Labs Overview of Attack Surface Management

Note that throughout this article we will be building on some of the concepts introduced by Adrian Sanabria in the report, SW Labs | Overview: Attack Surface Management, SC Media, April 22, 2021.

A Big Thank-you To Adrian Sanabria And SC Media

First of all, I want to give a big shout out to Adrian Sanabria, @sawaba and SC Media, @SCMagazine,from each of us at Intrigue. Excellent job on the recent in-depth analysis of the Attack Surface Management space and hands-on reviews of the Intrigue platform and other solution vendors.  It is not an easy task to define and describe a field that is evolving and growing as rapidly as Attack Surface Management, so we all definitely appreciate your tenacity and solid work.  

A Quick Plug For Their Review Of Intrigue, And Then A Focus On Attack Surface Management

There is a lot of great information in their review of Intrigue that speaks to the value our solution provides, and I would encourage each of you to read the report.  But I’ll limit the shameless Intrigue self-promotion to a single quote that I think captures our intent quite well:  

    While some Attack Surface Management products left us wondering where the details were and other products buried us in discovered assets with no prioritization, Intrigue strikes a solid balance between the two. If you want details, down to the raw data used to discover an issue, Intrigue has that. If you have three minutes before your next board meeting and need to know where your orgs stand, this tool has your back there as well.

    Because, what I found really interesting and perhaps more beneficial for those who are just starting to research Attack Surface Management, was how SW Labs defines Attack Surface Management itself - how it evolved and what problems it solves. Their analysis does an excellent job speaking to the value it provides, and how it differs from, and yet compliments, existing security solutions.  I can build on that to provide some context on the Intrigue approach, to make the case for why we would be an ideal long-term security partner. 

Attack Surface Management Defined

The author, Adrian Sanabria, defines Attack Surface Management, by stating that, “At its core, Attack Surface Management is asset discovery and management for exposed assets.”

     At Intrigue, we have seen this practice of relentlessly mapping and monitoring all Internet-facing assets throughout an organization’s entire network rapidly become a top enterprise priority. A primary driver is the move to dynamic, distributed IT, as massive adoption of cloud, SaaS and mobile across a distributed workforce means more exposed assets - and an expanding and evolving attack surface subject to an increasing number of sophisticated threats. The challenge isn’t new, but it is becoming both more important and more difficult to solve.  We see organizations of every type struggling to find a way to understand the size and composition of their attack surface, let alone to try to identify and remediate any exposure. 

Attack Surface Management Evolved To Fill A Gap In Existing Security Solutions

When exploring why Attack Surface Management evolved as a standalone practice, Sanabria states that it “was born out of a need to fill a gap between Vulnerability Management tools and Penetration Testing”.   Given the recent and rapid changes in how IT is configured and consumed, these solutions could no longer enable an organization to adequately identify risk and protect itself from attack. 

The author goes on to provide some specific points of differentiation:

Vulnerability Management tools are the most closely related products to ASM and require precise input to give comprehensive output. If we forget to include a website, network segment, API or mobile application – they won’t get scanned. If we’re not aware of Shadow IT or abandoned cloud projects, they won’t be included. Penetration Tests will discover some of these gaps, but also have a few shortcomings. First, that penetration tests are periodic in nature: most organizations only have one or two pen tests performed per year. Second, that they are scope and time-limited. Performed on a ‘best effort’ basis, penetration tests will also potentially miss vulnerable assets.

    Vulnerability Management may have been sufficient to calculate risk in an era where you knew what all your assets were - back when you had a limited set of assets, used by a small number of employees, all on-premises, working on a secure network.  And in that environment, semi-annual Penetration Testing may have been enough to ensure that your security programs were properly designed and implemented.  But today, in an era of distributed, dynamic IT  - with the explosion in use of Cloud, SaaS, containers, microservices, IoT and mobile, across a remote workforce on whatever network is available - Vulnerability Management and Penetration testing are not enough.  

    Perhaps then, we could view Attack Surface Management as the bigger brother to Vulnerability Management.  Both are unique, but related solutions.  Instead of having to maintain an inventory, ASM will discover assets you know and *don't know*.  ASM will also continually monitor all assets to identify exposure to known threats.  Vulnerability Management can utilize this intelligence for remediation of threats.  Attack Surface Management does not replace Vulnerability Management or remove the need for Pentesting.   Each of these processes plays a critical role, and can be found in the toolkit of security-focused organizations.

The Intrigue Solution

    Intrigue’s platform for Attack Surface Management was purpose built to support this exact situation.  Its core use case is to discover and analyze all assets, of any type, both known and unknown, across the entire environment.  Intrigue will then continually monitor those assets for any vulnerabilities, and provide actionable intelligence on any found exposure.   Intrigue has the flexibility and scale to support the largest and most complex enterprises as they quickly adopt new technologies within dynamic environments, and it leverages a broad ecosystem of over 250 third-party data sources and security tools to enrich its understanding of the environment.   And Intrigue takes very little to get started.  Just give us a few seeds of information and we’ll go out and discover the rest.

Contact Us For A Comprehensive Analysis Of Your Environment 

You can tell we’re excited about our solution and feel that we have a product that can add a lot of value to a lot of people.  We’d love the opportunity to speak with you to discuss your specific requirements.

  • For a free trial of Intrigue, which includes a complete mapping and analysis of your network, please sign up.  
  • If you’d like more information, visit and download our whitepaper
  • And as always, please feel free to reach out with any questions or for any help on getting started.