Attack Surface Management (ASM): Finding the Invisible Risks

Summary: ASM (Attack Surface Management) is the discipline of continuously mapping every internet-exposed asset of an organization (domains, subdomains, IPs, ports, services, cloud accounts, SaaS accounts) and prioritizing the risks. The "we don't know what we have" problem is widespread in SMEs: a test server set up 5 years ago and forgotten, a Cloudflare subdomain spun up by a former developer, a SaaS subscription a department signed up for without IT — each of these is an attack vector. ASM makes those unknowns visible.
In an SME, the asset attackers love most is the one you do not know about. The IT team patches the servers it knows about, the website, the mail server; but dev-old.firma.com.tr, which a developer opened for tests in 2019, is still alive and still runs an unpatched, internet-exposed WordPress. An attacker running routine subdomain enumeration finds that host before you do, and it becomes the ideal entry point into the organization.
In this article we cover the ASM concept, how to map your external attack surface at SME scale, and how to manage the "shadow IT" problem. The audience is IT leads, security managers, and decision-makers who want to challenge the assumption "we know what we have."
What Is the Attack Surface, and What Does It Cover?
The attack surface is the sum of every point an attacker could potentially use to enter an organization.
Components of the External Attack Surface
| Category | Example |
|---|---|
| Domain names | firma.com.tr, blog.firma.com.tr |
| Subdomains | api., dev., staging., admin., vpn. |
| IP addresses | Static internet IPs |
| Open ports | 22 (SSH), 80/443 (web), 3389 (RDP), 1433 (SQL) |
| Web applications | WordPress, corporate website, customer portal |
| API endpoints | REST/GraphQL endpoints |
| Cloud accounts | AWS, Azure, GCP, Cloudflare |
| SaaS subscriptions | M365, Google, Salesforce, etc. |
| Certificates | TLS certificate history |
| Code leaks | Credentials accidentally pushed to GitHub |
| DNS records | MX, TXT (SPF, DKIM, DMARC), CNAMEs pointing at third-party services |
| Email addresses | Shared info@, contact@ mailboxes: weakly monitored, often the recovery address for SaaS accounts |
| Third-party integrations | Connected OAuth apps |
Visible vs. Invisible Attack Surface
- Visible: Assets IT knows about and that are documented
- Invisible (Shadow IT): Unauthorized, forgotten, or legacy assets — the attacker's favorite
The big value of ASM is making the invisible part visible.
Why Do Invisible Assets Pile Up?
In a modern SME, this accumulation happens for several reasons:
1. Historical Additions
- A test server set up in 2018 is still running in 2024
- A temporary subdomain a former developer created
- A staging environment that was forgotten
2. Departmental Independence
- Marketing: a separate domain for their blog
- Sales: an unauthorized Salesforce subscription
- HR: signed up for Workday on their own
- Engineering: a GitHub organization
IT is unaware, and three months later the question "what do we actually have?" cannot be answered.
3. Cloud Experimentation
- A developer opened an AWS account "just to try something"
- A forgotten RDS database sits on it
- Customer data ends up in a public S3 bucket
4. M&A and Acquisitions
- The company merged with another; new domains and assets came in
- The acquired company's assets never made it into the inventory
5. SaaS Sprawl
- 30 different SaaS subscriptions
- IT knows about half; the other half are paid on employees' personal or departmental cards and never appear in any inventory
The ASM Process — Five Stages
A mature ASM strategy operates in five stages.
1. Discovery
Surface every asset, known and unknown:
- DNS scanning (subdomain enumeration)
- Scanning IP CIDR ranges
- Subdomain discovery from Certificate Transparency (CT) logs
- Cloud account inventory
- SaaS and OAuth connection review (which third-party apps are connected to the M365/Google tenant)
- GitHub/GitLab code-leak scanning
2. Identification
For every asset discovered:
- What service is running? (HTTP, SSH, etc.)
- Who owns it? (department, person)
- What is it used for? (still in use?)
- How long has it existed?
3. Risk Assessment
The risk each asset carries:
- Patched? Which version?
- Any known vulnerabilities (CVEs)?
- Is it reachable without authentication?
- Is sensitive data exposed?
- Is it exposed to brute force (no rate limiting or lockout) or to DoS?
4. Prioritization
Convert into actions with a risk × value matrix:
- High risk + high value = act now
- High risk + low value = find the owner, confirm nothing depends on it, then shut it down
- Low risk = keep on the watch list
5. Remediation
- Patching
- Shutting down (if unused)
- Hardening (strict configuration)
- Reducing exposure (moving it behind a VPN or a firewall allowlist)
This loop runs continuously — ASM is not a one-off project but ongoing operations.
The ASM Solution Market
Tools to evaluate at SME scale:
| Solution | Type | SME Fit |
|---|---|---|
| Censys ASM | Commercial ASM | Mid-to-large SME |
| Microsoft Defender EASM | Cloud ASM | Integrated if M365 + Azure |
| Palo Alto Cortex Xpanse | Enterprise ASM | Upper-end SME |
| Detectify | Web-focused ASM | Web-heavy SMEs |
| Intrigue Core / ProjectDiscovery (subfinder, httpx, nuclei) | Open source | Where there is a technical team |
| Recon-ng / Amass / Subfinder / assetfinder | Command-line tools | DIY, free |
| Shodan / BinaryEdge | Scanning / research | Low cost, manual |
| Snallygaster | Web config leakage | Open source |
Two paths for SMEs: (1) a commercial ASM subscription (low install/maintenance, monthly cost USD 200-2,000), (2) periodic manual scans with open-source tools.
DIY ASM — A Low-Cost Path for SMEs
If a full ASM investment is not yet justified, you can start with free/low-cost steps.
Subdomain Enumeration
```bash
amass enum -d firma.com.tr
subfinder -d firma.com.tr
assetfinder firma.com.tr
```
subfinder and assetfinder work passively: they query public sources (CT logs, search engines, public DNS datasets) and never touch your servers. amass enum additionally resolves the names it collects and can brute-force candidates (its -brute flag) when you want active discovery; use -passive if you only want source lookups. Run all three and merge the results, since each source misses names the others find.
Certificate Transparency (CT Logs)
Services like crt.sh list every certificate that public CAs have logged for a domain (browsers have required CT logging since 2018, so in practice that is every publicly trusted certificate ever issued). Expired certificates stay in the logs, which is exactly what surfaces hidden and forgotten subdomains.
```bash
curl "https://crt.sh/?q=%.firma.com.tr&output=json"
```
Shodan Query
Shodan continuously scans the internet and indexes service banners and certificates. Querying it for your hostnames or your certificate subject shows what is already visible to anyone, without you sending a single packet.
```text
hostname:firma.com.tr
ssl:"Firma A.S."
```
Port Scanning
An Nmap scan of the IP CIDR you own:
```bash
nmap -sV -sC -p- -T4 X.X.X.X/24
```
This tells you which ports are open and which services and versions answer on them. Run it from outside your own network, because the attacker's view is the one that matters, and save the output (-oX or -oA) so that next month's scan can be diffed against this one.
GitHub/GitLab Leak Scanning
Scan company repositories (and, where they hold company code, the personal GitHub accounts of current and former developers) with TruffleHog, gitleaks or similar tools to find passwords and API keys committed to history. Rotate anything found: deleting the commit does not un-leak a secret that was public for even an hour.
Repeat These Steps Monthly
The cardinal rule of DIY ASM: a one-off scan is not enough. Automate it monthly or quarterly so new assets are caught early.
Shrinking the Attack Surface — Hygiene Tips
What do you do once ASM has done discovery? Typical actions to shrink the attack surface:
1. Shut Down Unused Assets
- An old test server? Shut it down.
- An old staging environment? Shut it down or put it behind a VPN.
- An old blog running an out-of-date stack? Delete or modernize.
2. Close Default / General Open Ports
- 22 (SSH) should not be exposed directly to the internet — put it behind a VPN
- 3389 (RDP) should never be on the internet
- 1433/3306/5432 (DB ports) should never be on the internet
- Management interfaces (e.g., 8080/admin, 10000/Webmin) should be behind a VPN or allowlisted
3. Close Trivial Information Leaks
- Strip technology and version banners from HTTP headers (Server, X-Powered-By)
- Check robots.txt: a Disallow line for /admin advertises the panel instead of hiding it
- Disable stack traces and debug output on error pages
4. Certificate Management
- Are expiring certificates renewed on time, and have expired ones been checked against hosts that may simply be forgotten?
- Is wildcard certificate use controlled? One wildcard key copied onto many hosts widens the blast radius of a single compromise
- Which hostnames does the CT log expose for your domain, and do any of them reveal internal or forgotten systems?
5. Cloud Account Hygiene
- Any public S3 buckets?
- Open security-group rules (0.0.0.0/0)?
- Are the IAM users and access keys of departed staff, and keys nobody has used in months, disabled?
- Are access logs being captured?
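Two of the cloud-hygiene questions above can be answered from the provider's own API output rather than by clicking through consoles, so here is an added example for AWS (not code from the original article or from AWS). It checks security groups for rules open to the whole internet on ports from the port policy above, and an IAM credential report for users whose password and access key have both been idle for 90 days. The SG_JSON and CRED_REPORT samples mirror the shapes of `aws ec2 describe-security-groups --output json` and the decoded `aws iam get-credential-report` CSV (trimmed to the columns used), but both are constructed, as are the account ID, user names and the fixed NOW date.

```python
"""Two cloud-hygiene checks from the article's list: world-open security-group
rules on sensitive ports, and IAM users idle for 90 days.

Added example, not code from the original article or from AWS. Inputs mirror
`aws ec2 describe-security-groups --output json` and the decoded CSV of
`aws iam get-credential-report`; both samples below are constructed.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

SG_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0deadbee", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0f00ba44", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})

# Constructed credential report, trimmed to the columns this check reads.
CRED_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-08-20T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A
ayse,arn:aws:iam::123456789012:user/ayse,2021-03-01T00:00:00+00:00,true,2024-08-28T07:15:00+00:00,2024-06-01T00:00:00+00:00,N/A,true,true,2024-06-01T00:00:00+00:00,2024-08-29T11:02:00+00:00
eski-dev,arn:aws:iam::123456789012:user/eski-dev,2019-05-10T00:00:00+00:00,true,2022-11-03T13:40:00+00:00,2019-05-10T00:00:00+00:00,N/A,false,true,2019-05-10T00:00:00+00:00,2023-01-15T08:00:00+00:00
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2023-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-02-01T00:00:00+00:00,2024-08-30T22:10:00+00:00
"""

NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)  # fixed "as of" time (constructed)

# Same port policy as the hygiene list: these must never be world-reachable.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 10000: "Webmin"}
WORLD = {"0.0.0.0/0", "::/0"}


def world_open_rules(sg_json):
    """Return (group_id, group_name, what_is_exposed) for rules open to the whole internet."""
    hits = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = ({r["CidrIp"] for r in perm.get("IpRanges", [])}
                     | {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])})
            if not cidrs & WORLD:
                continue
            if perm.get("IpProtocol") == "-1":  # "all traffic" rules carry no port range
                hits.append((sg["GroupId"], sg["GroupName"], "all protocols/ports"))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [f"{SENSITIVE_PORTS[p]} ({p})" for p in SENSITIVE_PORTS if lo <= p <= hi]
            if exposed:
                hits.append((sg["GroupId"], sg["GroupName"], ", ".join(exposed)))
    return hits


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'never'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def stale_iam_users(report_csv, now=NOW, max_idle_days=90):
    """(user, last_seen) for users whose password and first access key were idle for max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root cannot be 'closed'; it is locked down separately
        seen = [t for t in (_parse_ts(row["password_last_used"]),
                            _parse_ts(row["access_key_1_last_used_date"])) if t]
        if not seen or max(seen) < cutoff:
            stale.append((row["user"], max(seen).date().isoformat() if seen else "never"))
    return stale


if __name__ == "__main__":
    for gid, name, what in world_open_rules(SG_JSON):
        print(f"[SG] {gid} ({name}): {what} open to the internet")
    for user, last in stale_iam_users(CRED_REPORT):
        print(f"[IAM] {user}: last activity {last}, disable or remove")
```

The 443 rule on the web group is left alone on purpose: a public HTTPS listener is expected, and the check only objects to the database, RDP, SSH and management ports the article names. Real reports also carry access_key_2_* columns and certificate columns; extend the `seen` list with those before relying on the idle verdict.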
Managing Shadow IT
Shadow IT — technology used without IT's knowledge — is the hardest part of ASM.
Ways to Detect It
- Corporate card statements (SaaS subscriptions)
- DNS log analysis (which SaaS domains the endpoints are resolving)
- CASB (Cloud Access Security Broker) solutions
- Regular employee surveys
- Microsoft Cloud App Discovery (if you have M365)
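DNS logs are the cheapest of those signals, because every SaaS session starts with a name lookup your resolver already sees. The following added example (not code from the original article) runs that detection over resolver log lines: it reduces each queried name to its registrable domain, matches it against a small map of SaaS domains, and reports services in use that are not in the IT-approved catalog, ranked by how many distinct clients use them. The DNS_LOG lines, the generic log format (timestamp, client IP, name, record type), the SAAS_SIGNATURES map and the APPROVED catalog are all constructed; adapt the line parser to your own resolver's export.

```python
"""Shadow-SaaS discovery from DNS resolver logs.

Added example, not code from the original article. One query per line in a
generic "timestamp client qname qtype" layout (constructed); the signature
map and approved catalog are constructed too and should come from your own
SaaS inventory in practice.
"""
from collections import defaultdict

DNS_LOG = """\
2024-08-30T09:12:01Z 10.1.2.33 login.salesforce.com A
2024-08-30T09:12:05Z 10.1.2.33 firma-a-s.my.salesforce.com A
2024-08-30T09:13:40Z 10.1.2.51 outlook.office365.com A
2024-08-30T09:14:02Z 10.1.2.70 app.hubspot.com A
2024-08-30T09:14:03Z 10.1.2.71 api.hubspot.com A
2024-08-30T09:15:11Z 10.1.2.90 ssl.gstatic.com A
2024-08-30T09:16:00Z 10.1.3.12 impl.workday.com A
2024-08-30T09:16:30Z 10.1.2.70 www.hubspot.com A
2024-08-30T09:17:45Z 10.1.2.12 api.github.com A
2024-08-30T09:18:00Z 10.1.2.13 github.com A
2024-08-30T09:19:00Z 10.1.2.14 firma.com.tr MX
"""

# registrable domain -> service name (constructed; grow it from your own findings)
SAAS_SIGNATURES = {
    "salesforce.com": "Salesforce", "office365.com": "Microsoft 365",
    "hubspot.com": "HubSpot", "workday.com": "Workday", "github.com": "GitHub",
}
APPROVED = {"Microsoft 365", "GitHub"}  # the IT-approved SaaS catalog (constructed)

# Second-level labels under two-letter ccTLDs (firma.com.tr, example.co.uk).
SECOND_LEVEL = {"com", "net", "org", "gov", "edu", "co"}


def registrable_domain(name):
    """Heuristic cut-down of the Public Suffix List: last two labels, or last three
    under a ccTLD with a second-level suffix. Use tldextract for production data."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def saas_usage(log_text):
    """Return {service: {"clients": set of IPs, "queries": count}} for names matching a signature."""
    usage = defaultdict(lambda: {"clients": set(), "queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        _ts, client, qname, _qtype = parts[:4]
        service = SAAS_SIGNATURES.get(registrable_domain(qname))
        if service:
            usage[service]["clients"].add(client)
            usage[service]["queries"] += 1
    return dict(usage)


def shadow_saas(log_text, approved=APPROVED):
    """(service, distinct_clients, queries) for services in use but not in the catalog,
    most widely used first: spread across clients matters more than query volume."""
    return sorted(((svc, len(u["clients"]), u["queries"])
                   for svc, u in saas_usage(log_text).items() if svc not in approved),
                  key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for service, clients, queries in shadow_saas(DNS_LOG):
        print(f"{service:<14} {clients} client(s), {queries} lookups, not in approved catalog")
```

This only sees lookups that pass through your resolver: clients using DNS over HTTPS straight to a public provider, or SaaS fronted by a shared CDN domain, do not show up, which is why the card statements and a CASB are listed alongside it rather than instead of it.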
Management Strategy
- "Guidance" over "bans": clarify which tools employees can pick
- An approved SaaS catalog and a quick approval process
- A flow that lets employees subscribe to safe SaaS without going through IT every time
- Periodic audits — are all SaaS accounts on the map?
What Yamanlar Bilişim Offers
Our SME-scale ASM support areas:
- Discovery report of your current external attack surface
- Subdomain enumeration and sensitive-service detection
- Cloud account inventory and hygiene audit
- SaaS subscription map
- ASM solution selection consulting (commercial vs DIY)
- Periodic (monthly/quarterly) ASM reporting
- Shadow IT management policy design
- Annual attack-surface audit
Conclusion
Attack Surface Management is the measurable answer to the SME question "do we know what we have?" The invisible assets that typically surface in the first scan may already have been found by an attacker setting up an upcoming attack; ASM ensures that the defender finds them first. Even without investing in a full commercial ASM, DIY open-source tooling running monthly is a realistic and effective starting point at SME scale.
At Yamanlar Bilişim, we deliver ASM as a one-off or as ongoing services sized to your environment — drawing the "invisible risk" into view and putting the map of the battlefield on the defender's side.
Frequently Asked Questions
Does an SME really have invisible assets?
Yes, almost every SME does. Typical examples: a test subdomain set up 3-5 years ago and forgotten, a Cloudflare account created by a former employee, a cloud account opened for a quick trial and never closed. SMEs doing ASM for the first time typically find 5-15 unknown assets, and 1-3 of them carry serious risk.
Are tools like subfinder and amass legally legitimate?
Passive discovery (DNS queries, CT log scanning) is legitimate for your own domain — it is public data. Active discovery (brute force, port scanning) is legitimate only against your own assets; scanning someone else's infrastructure without permission can become a legal issue. Scanning your own surface is safe.
Is Microsoft Defender EASM free?
Microsoft Defender EASM requires its own subscription; it is not free. However, the Defender for Cloud subscription offers a limited External Attack Surface capability. Open-source alternatives (amass, subfinder, Project Discovery) are free; with a technical team, that path is sufficient for most SMEs.
How long until ASM shows value after deployment?
The first scan delivers value immediately: unknown assets surface right away. Monthly repeat scans get better at catching newly added assets as the discipline matures. Within 6-12 months, external attack-surface management becomes a routine discipline, and "we don't know what we have" is replaced by "we know what we have, and we are watching it."
Are ASM and pentesting the same thing?
No. ASM does continuous and broad discovery (all assets, ports, services); pentesting does periodic and deep testing (real attack simulations on specific systems). They are complementary: ASM knows what exists, pentesting actually tests those assets for vulnerabilities. ASM output is also used to scope pentests.
When I find an invisible asset, should I immediately shut it down?
No, investigate first: who opened it, for what purpose, is it still in use, what data is on it, and would shutting it down have operational impact? Some assets really are forgotten and can be shut down safely; others are legitimate but undocumented, and for those the right action is to add them to the inventory and harden them rather than shut them down.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.