The Verizon 2025 DBIR Found That Third-Party Involvement Doubled to 30% of All Breaches
That statistic alone explains why traditional asset inventories fail. Your security team cannot protect assets it does not know exist — and in 2026, a significant portion of your attack surface lives in third-party services, shadow cloud deployments, and API endpoints that never went through a security review.
External attack surface management (EASM) exists to close that gap. It discovers, classifies, and continuously monitors every asset an adversary could target from the outside — starting not from your CMDB, but from the attacker’s perspective.
What EASM Actually Does (and What It Does Not)
EASM is not asset inventory with a new label. An asset inventory records what you know you have. EASM finds what you do not know you have.
The distinction matters. A traditional CMDB tracks servers your team provisioned, applications your team deployed, domains your team registered. EASM starts from your root domains, IP ranges, and organizational identity, then discovers everything associated with them — including assets that were provisioned by a developer who left two years ago, staging environments that were never decommissioned, and SaaS integrations that expose data through misconfigured OAuth flows.
EASM feeds directly into Phase 2 (Discovery) of the CTEM framework. Without it, every downstream phase — prioritization, validation, mobilization — operates on incomplete data. You cannot prioritize an exposure you have not discovered.
External vs. Internal Attack Surface
Your external attack surface is everything an unauthenticated party on the public internet can reach, including the login pages and API gateways that sit in front of authenticated systems: domains, subdomains, IP addresses, cloud storage endpoints, publicly accessible APIs, DNS records, email infrastructure, and certificates. This is the surface threat actors probe first during reconnaissance, and it is where EASM tools focus.
Your internal attack surface is everything behind authentication or network boundaries: Active Directory, internal APIs, databases, CI/CD pipelines, workstations. Internal surface matters enormously — lateral movement after initial access depends on it — but it requires different tools and different access.
A complete attack surface management program addresses both. But EASM is the starting point, because external exposures are the ones attackers reach first and exploit without credentials.
Key external risks in 2026:
- Subdomain takeover from expired cloud resources still pointed to by CNAME records. Attackers claim the abandoned resource and inherit your subdomain’s trust.
- Exposed staging and development environments running with debug modes enabled, default credentials, or no authentication at all.
- Misconfigured cloud storage — S3 buckets, Azure Blob containers, GCS buckets — leaking sensitive data to anyone with the URL.
- Legacy applications and edge devices (VPN appliances, firewalls, gateways) running end-of-life or unpatched software with known, weaponized CVEs. Edge devices and VPNs accounted for 22% of exploitation-of-vulnerability breaches in the Verizon 2025 DBIR, up from 3% the year before.
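The first risk in the list, the dangling CNAME, is the one most easily checked from the outside. The following is an added example (not code from the original article or from VirtueThreatX) that triages CNAME records for takeover risk on two signals: the target name no longer resolves, or it resolves but the service answers with its "unclaimed" page (GitHub Pages, for instance, keeps resolving after a site is deleted, so an NXDOMAIN check alone misses it). All records, probe answers and the service list are constructed for the example; which services are actually claimable changes over time and has to be re-verified per service.

```python
"""Dangling-CNAME triage for subdomain-takeover risk (constructed example)."""

# Invented zone data for example.com: subdomain -> CNAME target.
CNAME_RECORDS = {
    "old-blog.example.com": "example-blog.azurewebsites.net",
    "docs.example.com": "example-docs.github.io",
    "api.example.com": "example-api.herokuapp.com",
    "www.example.com": "example.com",
}

# Services that hand out hostnames first-come, first-served. Illustrative subset only.
# Value: body fingerprint of the service's "unclaimed" page, or None when the
# tell-tale signal is NXDOMAIN rather than an HTTP response.
SERVICE_FINGERPRINTS = {
    ".azurewebsites.net": None,
    ".github.io": "There isn't a GitHub Pages site here",
    ".herokuapp.com": "No such app",
}

# Constructed probe results standing in for live DNS and HTTP lookups.
DNS_ANSWERS = {  # target -> resolved address, None = NXDOMAIN
    "example-blog.azurewebsites.net": None,      # App Service deleted, CNAME left behind
    "example-docs.github.io": "198.51.100.20",
    "example-api.herokuapp.com": "198.51.100.30",
    "example.com": "203.0.113.10",
}
HTTP_BODIES = {  # target -> response body of GET /
    "example-docs.github.io": "<h1>404</h1> There isn't a GitHub Pages site here.",
    "example-api.herokuapp.com": "<html>welcome</html>",
}


def service_of(target, fingerprints=SERVICE_FINGERPRINTS):
    """Return the matching service suffix; suffixes start with '.' so
    'evilgithub.io' does not match '.github.io'."""
    for suffix in fingerprints:
        if target.endswith(suffix):
            return suffix
    return None


def triage(records, dns_answers, http_bodies, fingerprints=SERVICE_FINGERPRINTS):
    """Classify each CNAME as not-third-party, ok, dangling-nxdomain or dangling-unclaimed."""
    findings = {}
    for host, target in records.items():
        target = target.lower().rstrip(".")
        suffix = service_of(target, fingerprints)
        if suffix is None:
            findings[host] = "not-third-party"
        elif dns_answers.get(target) is None:
            findings[host] = "dangling-nxdomain"
        elif fingerprints[suffix] and fingerprints[suffix] in http_bodies.get(target, ""):
            findings[host] = "dangling-unclaimed"
        else:
            findings[host] = "ok"
    return findings


if __name__ == "__main__":
    for host, verdict in triage(CNAME_RECORDS, DNS_ANSWERS, HTTP_BODIES).items():
        print(f"{host:24} -> {verdict}")
```

In a live tool the two dictionaries of probe results are replaced by a DNS resolver and an HTTP client; the classification logic stays the same. A "dangling" verdict is a finding to fix (delete the record or re-claim the resource yourself), not a confirmation that the name has already been taken.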
The API Attack Surface
APIs now carry 71% of all web traffic according to Imperva’s 2024 State of API Security report. They are the primary interface for modern applications — and the primary target for modern attackers. Salt Security’s data shows 95% of API attacks come from authenticated sources, which means perimeter defenses like WAFs often miss them entirely.
API attack surface management requires specific techniques that traditional EASM does not always cover.
Shadow APIs are endpoints deployed by development teams without security review, often undocumented and running in production with excessive permissions. They are the API equivalent of shadow IT, and they are everywhere.
Deprecated API versions are endpoints that should have been decommissioned but were not. They often run older code with known vulnerabilities and weaker authentication. Attackers specifically look for /v1/ and /v2/ endpoints when the current version is /v4/.
Excessive data exposure through API responses that return more data than the client needs was a standalone entry in the 2019 list (API3:2019) and now falls under API3:2023 Broken Object Property Level Authorization in the OWASP API Security Top 10 2023. A single overly verbose endpoint can leak PII, internal identifiers, or infrastructure details that enable further attacks.
Effective EASM must discover API endpoints through documentation scraping (OpenAPI/Swagger), traffic analysis, JavaScript parsing, and active probing — then feed those endpoints into the CTEM validation workflow for security testing.
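Two of those discovery sources, JavaScript parsing and OpenAPI scraping, can be reconciled against each other to surface exactly the shadow and deprecated endpoints described above. The following is an added example (not code from the original article or from VirtueThreatX): it pulls API paths out of a front-end bundle, resolving simple `${CONST}` template pieces, joins the OpenAPI server base path to each documented path, and then reports paths the client calls that the spec does not document, plus any path whose version is older than the current documented one. The bundle fragment and the OpenAPI document are constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed front-end bundle fragment (invented for this example). Real bundles
# are minified, but the string literals that carry paths survive minification.
JS_BUNDLE = r'''
const API = "/api/v4";
fetch(`${API}/users/${id}`).then(r => r.json());
axios.get("/api/v2/users/export");
fetch("/api/v1/admin/debug", {method: "POST"});
const img = "https://cdn.example.com/logo.png";
'''

# Constructed OpenAPI 3 document (invented), as it would be served from /openapi.json.
OPENAPI_DOC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.com/api/v4"}],
    "paths": {"/users/{id}": {"get": {}}, "/users": {"get": {}, "post": {}}},
})

CONST_RE = re.compile(r'''const\s+(\w+)\s*=\s*["'`]([^"'`]+)["'`]''')
STRING_RE = re.compile(r'''["'`]([^"'`\n]*)["'`]''')
VERSION_RE = re.compile(r"/v(\d+)(?=/|$)")


def endpoints_from_js(bundle, prefix="/api/"):
    """API paths found in string literals, with simple ${CONST} references resolved."""
    consts = dict(CONST_RE.findall(bundle))
    found = set()
    for m in STRING_RE.finditer(bundle):
        s = re.sub(r"\$\{(\w+)\}", lambda g: consts.get(g.group(1), g.group(0)), m.group(1))
        if s.startswith(prefix) and s not in consts.values():  # skip the bare base-path constant
            found.add(re.sub(r"\$\{\w+\}", "{param}", s))       # unresolved ${x} is a path parameter
    return found


def endpoints_from_openapi(doc_json):
    """Documented paths, prefixed with the path part of the first server URL."""
    doc = json.loads(doc_json)
    servers = doc.get("servers") or [{"url": "/"}]
    base = urlsplit(servers[0]["url"]).path.rstrip("/")
    return {base + p for p in doc.get("paths", {})}


def normalize(path):
    """Collapse path parameters so /users/{id} and /users/{param} compare equal."""
    return re.sub(r"\{[^}]*\}", "{}", path.rstrip("/"))


def version_of(path):
    m = VERSION_RE.search(path)
    return int(m.group(1)) if m else None


def reconcile(bundle, openapi_json):
    """Shadow endpoints (called by the client, absent from the spec) and stale versions."""
    observed = {normalize(p) for p in endpoints_from_js(bundle)}
    documented = {normalize(p) for p in endpoints_from_openapi(openapi_json)}
    versions = [v for v in map(version_of, documented) if v is not None]
    current = max(versions) if versions else None
    stale = [p for p in observed | documented
             if current is not None and version_of(p) is not None and version_of(p) < current]
    return {
        "current_version": current,
        "documented": sorted(documented),
        "shadow": sorted(observed - documented),
        "deprecated_version": sorted(stale),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(JS_BUNDLE, OPENAPI_DOC), indent=2))
```

Every path in `shadow` and `deprecated_version` is a candidate for the CTEM validation step: an endpoint the client still calls but the spec no longer admits is exactly where older authentication logic tends to survive.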
Core EASM Capabilities
Certificate Transparency log monitoring. Every publicly trusted TLS certificate is logged in CT logs. Monitoring these logs gives you near real-time visibility into new certificates issued for your domains, which means early detection of new subdomains, whether they were created by your team or by an attacker who compromised your DNS or your domain registrar account. The caveat is that CT only shows names that were issued a publicly trusted certificate; hosts served over plain HTTP or behind private CAs never appear, so CT must be paired with DNS-based discovery.
Subdomain enumeration and asset discovery. Modern EASM combines DNS brute-forcing, passive DNS databases, CT log analysis, web crawling, search engine dorking, and internet-wide scan correlation (Shodan, Censys) to build an asset inventory that matches what a motivated attacker would find during reconnaissance. The benchmark is simple: if a threat actor would find it, your EASM tool must find it first.
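The CT and subdomain-discovery steps above share one processing core: take the names from certificates, keep only those under a root domain you own, and flag the ones your inventory lacks. The following is an added example (not code from the original article or from VirtueThreatX) of that core. The entries mirror the per-certificate shape that CT search front ends return (issuer, not-before, and the certificate's names joined by newlines) and are constructed for the example; they deliberately include the two classic pitfalls, wildcard names and look-alike domains that merely contain the company name, which a naive `endswith("example.com")` check gets wrong.

```python
"""Candidate assets from Certificate Transparency entries (constructed example)."""
from datetime import datetime

OWNED_ROOTS = {"example.com", "example-acquired.co"}   # invented roots, including an acquisition
KNOWN_INVENTORY = {"example.com", "www.example.com"}   # what the CMDB already lists

# Constructed CT entries, not real certificates.
CT_ENTRIES = [
    {"not_before": "2026-01-10T08:00:00", "issuer": "Let's Encrypt",
     "name_value": "example.com\nwww.example.com"},
    {"not_before": "2026-01-12T09:30:00", "issuer": "Let's Encrypt",
     "name_value": "*.staging.example.com"},
    {"not_before": "2026-01-13T11:00:00", "issuer": "DigiCert",
     "name_value": "legacy-portal.example-acquired.co"},
    {"not_before": "2026-01-14T12:00:00", "issuer": "Let's Encrypt",
     "name_value": "login.example.com.attacker-phish.net\nnotexample.com"},
]


def root_of(name, roots):
    """Return the owned root that `name` sits under, matching whole DNS labels only,
    so neither notexample.com nor example.com.attacker-phish.net matches example.com."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in roots:
            return candidate
    return None


def new_assets(entries, roots, inventory, since="1970-01-01T00:00:00"):
    """Names under an owned root, issued at or after `since`, that the inventory lacks."""
    cutoff = datetime.fromisoformat(since)
    found = {}
    for entry in entries:
        if datetime.fromisoformat(entry["not_before"]) < cutoff:
            continue
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            wildcard = name.startswith("*.")
            host = name[2:] if wildcard else name   # *.staging.example.com -> staging.example.com
            root = root_of(host, roots)
            if root is None or host in inventory:
                continue
            found[host] = {"root": root, "wildcard": wildcard,
                           "issuer": entry["issuer"], "first_seen": entry["not_before"]}
    return found


if __name__ == "__main__":
    for host, info in new_assets(CT_ENTRIES, OWNED_ROOTS, KNOWN_INVENTORY, "2026-01-01T00:00:00").items():
        print(host, info)
```

A `wildcard` hit is a cue rather than an answer: a certificate for `*.staging.example.com` proves the parent exists and that anything beneath it may, so it is the point to run DNS brute-forcing and passive-DNS lookups. The look-alike names that the root match rejects are not your assets, but they are worth routing to whoever handles brand and phishing abuse.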
Technology fingerprinting. Once assets are discovered, fingerprinting identifies the software stack, meaning web servers, application frameworks, CMS platforms, JavaScript libraries, and their versions. This turns a list of hostnames into actionable intelligence by correlating against known vulnerability databases. A subdomain running Apache 2.4.49 (the release affected by the CVE-2021-41773 path traversal) is a different risk than one running a current Nginx 1.25.
Shadow IT detection. Cloud services, SaaS applications, and developer tools deployed without IT approval often lack security controls entirely. Shadow IT detection identifies these resources through DNS analysis, cloud API enumeration, and certificate monitoring. These assets are disproportionately represented in breach data because they sit outside security team visibility.
Continuous monitoring. A point-in-time asset inventory is outdated within hours. New subdomains appear, cloud resources spin up, API endpoints go live, certificates rotate. Continuous monitoring detects these changes as they happen — not during next month’s scheduled scan. This is the difference between attack surface management and an asset list.
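Fingerprinting and continuous monitoring combine naturally: extract the stack from each scan, then diff consecutive scans so that new hosts, vanished hosts and version changes become discrete events instead of a list nobody re-reads. The following is an added example (not code from the original article or from VirtueThreatX) of that diff over two constructed snapshots, with the stack parsed from `Server` and `X-Powered-By` headers. The hosts, headers and the list of development servers are invented for the example.

```python
import re

# Two constructed scan snapshots (invented hosts and headers) taken a day apart:
# hostname -> HTTP response headers seen on its default site.
SNAPSHOT_DAY1 = {
    "www.example.com": {"Server": "nginx/1.25.3"},
    "api.example.com": {"Server": "nginx/1.25.3", "X-Powered-By": "Express"},
    "old.example.com": {"Server": "Apache/2.4.49 (Unix)"},
}
SNAPSHOT_DAY2 = {
    "www.example.com": {"Server": "nginx/1.25.3"},
    "api.example.com": {"Server": "nginx/1.26.0", "X-Powered-By": "Express"},
    "staging.example.com": {"Server": "Werkzeug/2.2.2 Python/3.11.4"},
}

# product/version tokens as they appear in Server-style headers, e.g. "Apache/2.4.49 (Unix)"
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")

# Development servers that should never answer on a public host (illustrative list).
DEV_SERVER_PRODUCTS = {"werkzeug", "webpack-dev-server"}


def fingerprint(headers):
    """Map product -> version from Server and X-Powered-By ('' when no version is disclosed)."""
    stack = {}
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if not value:
            continue
        pairs = PRODUCT_RE.findall(value)
        if pairs:
            stack.update({product.lower(): version for product, version in pairs})
        else:
            stack[value.strip().lower()] = ""
    return stack


def diff_snapshots(old, new):
    """Hosts that appeared, hosts that vanished, and hosts whose stack changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for host in set(old) & set(new):
        before, after = fingerprint(old[host]), fingerprint(new[host])
        if before != after:
            changed[host] = {"before": before, "after": after}
    return {"added": added, "removed": removed, "changed": changed}


def alerts(old, new):
    """Turn a snapshot diff into the events a security team should act on."""
    delta = diff_snapshots(old, new)
    out = []
    for host in delta["added"]:
        dev = DEV_SERVER_PRODUCTS & set(fingerprint(new[host]))
        kind = "new host running a development server: " + ", ".join(sorted(dev)) if dev else "new host"
        out.append(f"{host}: {kind}")
    for host in delta["removed"]:
        out.append(f"{host}: no longer answering (check for a dangling DNS record)")
    for host, change in delta["changed"].items():
        out.append(f"{host}: stack changed {change['before']} -> {change['after']}")
    return out


if __name__ == "__main__":
    for line in alerts(SNAPSHOT_DAY1, SNAPSHOT_DAY2):
        print(line)
```

Headers are the cheapest fingerprint and the least reliable one: they are trivially removable or spoofable, so a production tool layers in response-body and favicon hashes and JavaScript library signatures. The diff logic does not change when the fingerprint gets richer.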
Practical Best Practices
Start from root domains outward. Enumerate every domain your organization owns — including acquisitions, subsidiaries, and legacy brands — then expand discovery from each root domain. Missing a root domain means missing every subdomain beneath it.
Monitor CT logs in real time. Certificate Transparency logs are one of the highest-signal, lowest-effort monitoring sources available. A new certificate for your domain means a new asset. You should know about it before the DNS propagates.
Treat APIs as first-class attack surface. Every API endpoint deserves the same discovery, classification, and risk assessment as a web application. The days of “it’s just an internal API” ended when that API got exposed through a misconfigured load balancer.
Assign ownership to every asset. Unowned assets are the ones that get breached. Every discovered asset needs an owner and a risk classification within 48 hours of discovery. Assets that cannot be attributed to a team should be escalated — they are almost certainly shadow IT.
Integrate discovery with your CTEM pipeline. Discovery without prioritization and validation is just a bigger list. Ensure every discovered asset flows into prioritization scoring and, where warranted, BAS validation to confirm real exploitability.
VirtueThreatX automates external attack surface management with subdomain discovery, API endpoint detection, CT log monitoring, technology fingerprinting, and continuous monitoring across your full digital footprint. Every discovered asset feeds directly into the CTEM pipeline for prioritization and validation. See EASM on the platform or schedule a 30-minute walkthrough.