The Question
The enterprise has a CMDB. It has an asset inventory maintained by IT operations. It has agent-based and agentless scanning across the managed environment. The security team believes it knows what it is defending.
The question that exposes the gap: when did you last discover an externally exposed asset you didn't know existed?
For most organizations, the honest answer is "during a breach investigation" or "during a vendor-conducted external assessment," which means the discovery happens after an attacker has already found it. Attackers enumerate the external attack surface continuously and automatically. Most enterprise security teams do not. The asymmetry — attacker discovery outpacing defender discovery — is the operational problem that External Attack Surface Management (EASM) exists to close.
The CMDB tracks what IT provisioned through formal channels. It does not track the development environment a team spun up in AWS last Tuesday, the subdomain pointed at a decommissioned service, the SaaS application whose API key was exposed in a public GitHub repository, or the Citrix gateway deployed by an acquired company that has not yet been integrated into the parent organization's security program. These assets are unknown to the security team and fully visible to anyone who looks from outside with the same tools attackers use.
Attack surface management is not about knowing your assets — it is about knowing what an attacker would find when looking at your organization from outside, which is a fundamentally different question than what your IT department has catalogued.
Why This Matters Now
In February 2025, a threat intelligence report from Mandiant documented a pattern of initial access across multiple financial services and healthcare organizations that shared a consistent characteristic: the initial foothold in every incident was obtained through an asset the victim organization did not have in its formal asset inventory. In six of the nine analyzed cases, the asset was infrastructure from an acquired company. In two cases, the asset was an abandoned subdomain that had been repurposed by attackers using domain hijacking techniques. In one case, it was an API endpoint exposed through a developer's public GitHub repository.
The pattern is not new, but its frequency is increasing as enterprise attack surfaces grow through cloud adoption, SaaS proliferation, and M&A activity. Rapid7's 2024 Attack Intelligence Report found that internet-facing infrastructure — VPN appliances, remote access gateways, edge devices — accounted for the initial access vector in 36 percent of incidents where the entry point was identified. A significant portion of those appliances were not in the organization's active security monitoring scope.
The Snowflake breach campaign of mid-2024 affected hundreds of organizations through a mechanism that EASM would not have prevented directly — the attack vector was credential theft, not exposed infrastructure — but the incident pattern reinforces the broader point: the organizations most vulnerable to externally initiated attacks are those with the least visibility into what they look like from outside. Ticketmaster, Santander, and AT&T, among others, were affected through Snowflake data environments that, in several cases, lacked the multi-factor authentication controls their internal systems required — a policy gap that continuous external posture assessment would have flagged.
What the CURVE™ Data Shows
The 2026 Stackcurve CTEM CURVE™ Report evaluated eight EASM vendors on five dimensions: discovery breadth (what asset types and protocols are covered), freshness (how frequently the attack surface is re-enumerated), accuracy (false positive rate in discovered asset attribution), integration (how findings flow into downstream CTEM and SIEM tooling), and risk contextualization (how well the platform connects discovered assets to prioritized exposures).
Palo Alto Xpanse — formerly Expanse, acquired in 2020 and now integrated into the Cortex platform — leads on discovery breadth and integration. Its data sourcing from BGP routing tables, certificate transparency logs, Shodan-equivalent internet scanning, and cloud provider APIs gives it the most comprehensive external enumeration of the evaluated platforms. Integration with Cortex XSOAR and Prisma Cloud enables automated workflow on discovered exposures. The tradeoff: Xpanse is priced and architecturally positioned as an enterprise platform, with corresponding complexity and cost.
Mandiant Attack Surface Management (Google Cloud) scores highest on threat intelligence integration, connecting discovered assets to active adversary campaign data — a direct benefit of Mandiant's threat intelligence depth. Tenable ASM is the most natural extension for organizations already running Tenable for vulnerability management, enabling unified asset data across internal and external surfaces in a single platform.
CyCognito and Censys both score well on discovery accuracy and are operationally accessible for organizations that want EASM capability without full Cortex or Tenable ecosystem commitment. Runzero — originally Rumble Network Discovery — is the preferred platform for asset discovery on internal networks and is frequently deployed alongside a dedicated EASM tool for organizations that need both internal and external coverage.
The full vendor rankings are in the 2026 Stackcurve CTEM CURVE™ Report — free to download.
The Gap Most Buyers Miss
The CMDB Tracks Intent, Not Reality
Configuration management databases are built from provisioning records: servers provisioned through IT, cloud instances deployed through approved processes, applications registered through change management. They reflect the infrastructure the organization intended to create and maintain. They do not reflect the infrastructure that actually exists, because enterprise infrastructure is created through more channels than formal IT provisioning.
Shadow IT — applications and infrastructure deployed by business units without IT involvement — is the most well-known source of undiscovered assets, but it is not the largest one in most large enterprises. The largest source is M&A activity. When an organization acquires a company, it acquires all of that company's internet-facing infrastructure, including the parts that have not been maintained, the parts that run software versions no longer supported, and the parts that were secured to the acquired company's standard rather than the parent company's standard. Integration of acquired infrastructure into the parent's security monitoring program routinely takes 12–24 months. During that window, the acquired infrastructure is fully exposed to external attackers and partially invisible to the acquiring organization's security team.
Discovery Techniques Attackers Use — and Defenders Should
EASM platforms enumerate the attack surface using the same techniques attacker reconnaissance employs:
DNS enumeration discovers subdomains, mail servers, and related infrastructure through DNS zone enumeration, brute-force subdomain discovery, and passive DNS databases. This reveals services associated with a domain that the organization may not be actively monitoring — including subdomains pointed at decommissioned systems, which can be subject to subdomain takeover attacks.
Certificate transparency logs provide a continuously updated record of every TLS certificate issued. Because certificates are required for HTTPS services, CT log enumeration surfaces new web-facing infrastructure within minutes to hours of deployment, including developer environments and staging servers that may not go through formal IT provisioning.
BGP routing tables and ASN data identify the full IP address space associated with an organization, including ranges acquired through M&A, historical allocations, and cloud provider IP ranges in use. This provides the perimeter within which to conduct deeper scanning.
Cloud provider APIs — with appropriate credentials — enumerate cloud resources directly. Without credentials, organizations like Censys and Shodan conduct internet-wide scanning that identifies cloud resources by their network characteristics, providing external enumeration that does not require cloud account access.
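The certificate transparency technique above, reduced to its core defender workflow: pull hostnames out of CT log entries and reconcile them against the CMDB so that anything with a live certificate but no provisioning record surfaces as an unknown asset. This is an added example, not Stackcurve's or any vendor's code; the log entries are constructed in the JSON shape crt.sh returns, and the CMDB export is a constructed list.

```python
"""Reconcile certificate transparency (CT) log entries against a CMDB export.
Added example. CT_LOG_JSON mimics crt.sh output (subject names joined by
newlines in "name_value"); nothing here touches the network."""
import json
import re

# Constructed CT log entries in crt.sh-style JSON; not real certificates.
CT_LOG_JSON = """[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\\nexample.com",
  "not_before": "2025-01-10T08:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com",
  "not_before": "2025-01-11T09:30:00"},
 {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
  "name_value": "dev-payments.example.com\\nstaging.example.com", "not_before": "2025-02-03T14:12:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "VPN.ACQUIREDCO.example.com",
  "not_before": "2025-02-04T01:45:00"}
]"""

# Constructed CMDB export: the hostnames IT formally provisioned.
CMDB_HOSTS = ["www.example.com", "example.com", "staging.example.com"]

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def ct_hostnames(ct_json: str) -> dict:
    """Map each concrete hostname in the CT entries to its earliest not_before.
    Wildcard names are skipped: they prove a cert exists, not that a host does."""
    first_seen = {}
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*.") or not HOSTNAME_RE.match(name):
                continue
            issued = entry["not_before"]
            if name not in first_seen or issued < first_seen[name]:
                first_seen[name] = issued
    return first_seen


def unknown_assets(ct_json: str, cmdb_hosts) -> list:
    """(hostname, first_seen) pairs with a certificate but no CMDB record, oldest first."""
    known = {h.lower() for h in cmdb_hosts}
    seen = ct_hostnames(ct_json)
    ranked = sorted((ts, h) for h, ts in seen.items() if h not in known)
    return [(h, ts) for ts, h in ranked]


if __name__ == "__main__":
    for host, ts in unknown_assets(CT_LOG_JSON, CMDB_HOSTS):
        print(f"unknown external asset: {host} (certificate issued {ts})")
```

Run against a daily crt.sh pull for each registered domain, the same diff turns into the "new exposure" alert stream the freshness question below asks about.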
What EASM Discovers That VM Scanners Miss by Design
Internal vulnerability scanners are designed to scan the managed environment. They require network access to the target host, authentication credentials or network adjacency, and knowledge of the target's IP address. By design, they do not discover assets they are not pointed at.
EASM discovers assets from outside without prior knowledge of their existence. The practical discovery categories: abandoned subdomains with live services behind them, forgotten S3 buckets with public access policies, development and staging environments exposed to the internet, API endpoints with authentication controls weaker than the main application, acquired company infrastructure not yet in the parent's scan scope, and SaaS application instances where credentials or API keys have been publicly exposed.
Questions Your Buying Team Should Be Asking
1. When was the last time your organization conducted a structured external attack surface enumeration from the perspective of an external attacker with no prior knowledge of your infrastructure?
This is not asking about external vulnerability scanning — it is asking whether anyone has looked at the organization from outside using discovery techniques rather than scanning known targets. If the answer is "our penetration testers do this annually," the organization has a point-in-time snapshot, not continuous visibility. If the answer is "never," the organization's attack surface inventory reflects only what it already knew.
2. How does your security team discover internet-facing assets deployed by acquired companies before they are formally integrated into your asset inventory?
M&A activity is the most consistent source of unknown external exposure in large enterprises. The question tests whether there is a defined process — not a plan to have a process — for bringing acquired infrastructure into external monitoring scope immediately upon close, rather than waiting for the 12–24 month integration timeline.
3. What is your organization's process for identifying and remediating subdomain takeover vulnerabilities?
Subdomain takeover — where a subdomain's DNS record points to a decommissioned third-party service that an attacker can claim — is a well-documented, frequently exploited technique. The HackerOne bug bounty program consistently ranks subdomain takeover among the most commonly reported valid vulnerabilities. A mature EASM program has a continuous check for dangling DNS records. Most organizations do not.
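The continuous dangling-record check described above, as an added example that is not part of the original brief or any EASM product: walk the organization's own zone export, and flag every CNAME whose target no longer resolves (NXDOMAIN), which is the condition that leaves a subdomain pointing at a service nobody owns. The zone and the resolver answers are constructed; `socket_resolver` is the only function that would touch the network and is not called in the demo.

```python
"""Dangling-CNAME check over a DNS zone export. Added example; the zone and
the canned resolver answers are constructed, not real records."""
import socket
from typing import Callable, Optional

# Constructed zone export as (owner, type, target); not a real zone.
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("shop.example.com", "CNAME", "shop-prod.hosting.example.net"),
    ("old-blog.example.com", "CNAME", "old-blog.legacy-platform.example.net"),
    ("status.example.com", "CNAME", "example-status.statuspage.example.net"),
]

# Constructed resolver answers: None stands for NXDOMAIN.
FAKE_ANSWERS = {
    "shop-prod.hosting.example.net": ["198.51.100.20"],
    "old-blog.legacy-platform.example.net": None,
    "example-status.statuspage.example.net": ["198.51.100.30"],
}

Resolver = Callable[[str], Optional[list]]


def fake_resolver(name: str) -> Optional[list]:
    """Offline stand-in for DNS resolution, driven by FAKE_ANSWERS."""
    return FAKE_ANSWERS.get(name)


def socket_resolver(name: str) -> Optional[list]:
    """Live lookup through the system resolver; None when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return None


def dangling_cnames(zone, resolve: Resolver) -> list:
    """Return (owner, target) for every CNAME whose target yields no address."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue  # only aliases can dangle; A records are checked elsewhere
        if not resolve(target):  # None (NXDOMAIN) or an empty answer set
            findings.append((owner, target))
    return findings


if __name__ == "__main__":
    for owner, target in dangling_cnames(ZONE, fake_resolver):
        print(f"dangling CNAME: {owner} -> {target} (target does not resolve)")
```

A non-resolving target is the trigger for review, not proof that the name can be claimed by someone else; either way the remediation is the same, remove or re-point the record rather than waiting to find out.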
4. How quickly would your security team be notified if a developer accidentally exposed an internal API endpoint to the public internet?
This tests the freshness and alerting capability of the EASM program. An EASM platform that re-enumerates continuously and triggers alerts on new external exposure would notify within hours. A program that relies on quarterly external scans would not detect this for up to 90 days. The answer defines the organization's exposure window for accidentally published assets.
5. Does your EASM tooling integrate with your vulnerability management and SIEM platforms, and are discovered external exposures automatically enriched with vulnerability data?
EASM that runs in isolation produces a list of external assets. EASM integrated with Tenable or Qualys produces a list of external assets with their associated vulnerabilities, enabling prioritization of the external attack surface by exploitability rather than just visibility. EASM integrated with a SIEM enables alerting on new external exposure events. Integration determines whether EASM output is actionable or informational.
The Stackcurve Take
External attack surface management is not an advanced capability that only the most mature security organizations need — it is the foundational visibility layer without which every other CTEM capability is operating on an incomplete picture. You cannot prioritize exposures on assets you don't know exist. You cannot validate attack paths that begin at infrastructure outside your inventory. You cannot close the loop on remediation for findings that your tooling cannot attribute to your organization.
The practical entry point for organizations that have not yet deployed EASM is not necessarily a full enterprise EASM platform. For organizations primarily concerned about external exposure of known assets, Tenable ASM or Qualys EASM as add-ons to existing platform deployments provide meaningful coverage with low operational overhead. For organizations with significant M&A activity or cloud footprint, Palo Alto Xpanse or CyCognito deliver the discovery breadth that justifies the additional investment.
The non-negotiable requirement regardless of platform: EASM must run continuously, not periodically. An attack surface that is enumerated quarterly provides quarterly visibility. An attack surface that is enumerated daily provides visibility that is operationally useful. The attacker's reconnaissance cadence is continuous; the defender's should match it.
The 2026 Stackcurve CTEM CURVE™ Report covers the full EASM vendor landscape including detailed capability scoring, integration architecture guidance, and deployment patterns by organization size and industry vertical. Download it free →
Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.