The Question
Every enterprise security program begins with an asset inventory. The CMDB, the network scanner, the cloud account registry — these are the official record of what the organization owns and operates. Security teams patch the assets in the inventory, monitor the assets in the inventory, and respond to incidents on the assets in the inventory.
The problem is the assets that are not in the inventory.
Cloud adoption has accelerated provisioning velocity to the point where engineering teams spin up infrastructure in minutes — and decommission it months later, sometimes never. Mergers and acquisitions bring entire technology stacks into the corporate network without a corresponding security review. Developers expose APIs and backend services to the internet to solve an immediate problem, with the intention of locking them down later. Employees create cloud accounts on company credit cards and build workflows outside IT visibility. SaaS proliferation means thousands of third-party applications hold company data, each with API integrations that create their own exposure surface.
The result is an external attack surface that grows faster than any inventory process can track — and an asymmetry that favors attackers, who have no obligation to use the inventory.
External attack surface management answers the question "what does an attacker see when they look at our organization from the internet?" — and for most enterprises, the answer includes assets the security team has never inventoried.
Why This Matters Now
The pattern repeated itself throughout 2024 and into 2025 with enough consistency to qualify as a finding in its own right: organizations were breached through infrastructure they did not know they had.
The operational technology incidents at water utilities and manufacturing facilities in 2024 frequently traced back to internet-facing remote access systems installed during the COVID-19 remote work transition and never decommissioned — systems absent from asset inventories, unpatched, and in some cases still running default credentials. The healthcare sector saw multiple incidents traced to acquired company infrastructure that had never been integrated into the acquiring organization's security program. The target in each case was not the well-defended enterprise — it was the inherited, forgotten, or shadow infrastructure attached to it.
Palo Alto Networks' Xpanse platform, in public reporting on its enterprise engagements, consistently identifies 30 to 40 percent more externally exposed assets than the organization's CMDB contains. In large enterprises with active M&A programs, the gap is wider. The finding is not specific to any vertical — it appears in financial services, healthcare, manufacturing, and technology alike.
This gap exists because the mechanisms that create external exposure have structurally outpaced the mechanisms that track it. Cloud provisioning is instantaneous. CMDB updates are manual. Developer velocity has increased. Procurement processes have not. M&A timelines compress security review windows. These are not temporary conditions — they are features of how modern enterprises operate, which means the inventory gap is permanent without tooling specifically designed to address it.
The attack surface management question is therefore not "how do we improve our inventory process" but "how do we continuously discover what is exposed to the internet regardless of whether it is in the inventory."
What the CURVE™ Data Shows
The 2026 Stackcurve CTEM CURVE™ Report evaluated the external attack surface management (EASM) market across five capability dimensions: continuous discovery breadth, attribution accuracy, integration with downstream CTEM workflows, cloud asset coverage, and acquired-entity discovery speed.
The market stratifies clearly. Palo Alto Xpanse leads on discovery breadth and cloud coverage, with the deepest integration into the broader Cortex CTEM workflow — enterprises already in the Palo Alto ecosystem gain the most from the integration. Mandiant Attack Surface Management (now part of Google Security Operations) differentiates on threat intelligence correlation: discovered assets are immediately cross-referenced against active threat actor targeting, adding prioritization context that pure EASM tools lack.
Tenable ASM extends naturally for organizations that have standardized on Tenable for vulnerability management, providing a unified asset view from external discovery through internal scan. CyCognito stands out for M&A use cases — its autonomous discovery engine requires no configuration or seed data, making it effective at discovering acquired infrastructure without prior knowledge of what was acquired. Censys occupies a strong position at the discovery layer, with the broadest internet scan coverage and strong API access for teams that want to build custom workflows. Runzero covers the gap that pure EASM tools miss: internal network discovery alongside external exposure, important for organizations whose perimeter is less meaningful than their internal segmentation. Shodan is the attacker's reconnaissance tool, available to defenders — useful for understanding exactly what adversaries see, though it requires interpretation rather than workflow integration.
The full vendor rankings are in the 2026 Stackcurve CTEM CURVE™ Report — free to download.
The Gap Most Buyers Miss
Organizations evaluating EASM platforms typically focus on discovery coverage — which platform finds the most assets. This is a reasonable starting point, but it misses the more consequential capability gaps that determine whether an EASM deployment actually reduces exposure.
The attribution problem is harder than the discovery problem. Finding an IP address or domain is the easy part. Correctly attributing it to your organization — distinguishing assets you own from assets that merely reference your domain or share infrastructure with former tenants — is where EASM platforms diverge significantly. False positives consume remediation capacity; false negatives leave real exposure unaddressed. Evaluate attribution accuracy specifically against your M&A history and cloud footprint, not against a standard benchmark environment.
Discovery without classification is noise. An EASM platform that returns 50,000 discovered assets without classifying them by exposure severity, technology stack, and business context creates a different kind of inventory problem. The platforms that integrate business context — which assets are associated with which business units, which discovered services are running end-of-life software, which exposed ports represent genuine risk versus expected architecture — drive materially different remediation outcomes than those that deliver raw discovery data.
The CMDB reconciliation workflow matters more than discovery coverage. The goal of EASM is not to replace the CMDB but to continuously surface what is missing from it. The platforms that integrate directly with ServiceNow, Jira, and enterprise CMDB systems — creating tickets for discovered-but-not-inventoried assets and closing them when assets are inventoried or decommissioned — are the ones that produce lasting inventory improvement. Platforms that require manual export and import workflows see significantly lower CMDB improvement rates in practice.
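The attribution and reconciliation points above reduce to one loop the platform (or a script sitting between its API and the CMDB) has to run on every rescan: decide whether each discovered asset is actually ours, then diff the attributed, still-exposed set against the inventory and open or close tickets accordingly. The following is an added example in Python, not code from any vendor in the report; the evidence class names, the record fields, the reserved-domain sample data and the set of "expected" ports are all constructed assumptions standing in for a real platform export and CMDB schema. It treats reference-only evidence (a page that links to our domain, an IP a former tenant of ours once used) as a review item rather than a ticket, which is exactly the false-positive class that burns remediation capacity.

```python
"""Reconcile an EASM discovery export against a CMDB export.

Added illustration; not code from any EASM platform or the CURVE report.
Inputs are constructed inline and every field name is an assumption.
"""
from dataclasses import dataclass

# Evidence classes (assumed). Ownership evidence ties the asset to the
# organization; reference evidence only shows the asset mentions us or
# once shared infrastructure with us, which is not ownership.
OWNERSHIP_EVIDENCE = {"whois_org", "tls_cert_san", "dns_in_owned_zone", "cloud_account_tag"}
REFERENCE_EVIDENCE = {"html_link_to_domain", "shared_ip_former_tenant"}

# Ports whose exposure is expected architecture for a web-facing host (assumed).
EXPECTED_PORTS = {80, 443}


@dataclass
class Discovered:
    asset: str          # hostname or IP as the platform reports it
    evidence: set       # evidence classes supporting attribution
    ports: set          # open ports seen on the last scan
    exposed: bool = True  # still answering from the internet on the last scan?


@dataclass
class CmdbRecord:
    asset: str
    status: str         # "active" or "decommissioned"


def attribution(d: Discovered) -> str:
    """Classify how confidently the asset belongs to the organization."""
    if d.evidence & OWNERSHIP_EVIDENCE:
        return "owned"
    if d.evidence & REFERENCE_EVIDENCE:
        return "review"
    return "unattributed"


def severity(d: Discovered) -> str:
    """Anything beyond the expected web ports is flagged for triage."""
    return "high" if d.ports - EXPECTED_PORTS else "expected"


def reconcile(discovered, cmdb, open_tickets):
    """Return a list of (action, asset, reason) tuples.

    open_tickets is the set of assets that already have an open
    discovered-but-not-inventoried ticket from a previous run.
    """
    records = {r.asset: r for r in cmdb}
    actions = []
    still_exposed = set()
    for d in discovered:
        attr = attribution(d)
        if attr == "review":
            actions.append(("review", d.asset, "reference-only evidence; confirm ownership before ticketing"))
            continue
        if attr == "unattributed" or not d.exposed:
            continue
        still_exposed.add(d.asset)
        rec = records.get(d.asset)
        if rec is None:
            reason = f"discovered but not in CMDB; ports {sorted(d.ports)}; severity {severity(d)}"
        elif rec.status == "decommissioned":
            reason = "marked decommissioned in CMDB but still answering"
        else:
            continue  # known active asset: nothing to reconcile
        if d.asset not in open_tickets:
            actions.append(("open", d.asset, reason))
    # Close the loop: a ticket closes only when the rescan confirms the
    # asset is gone, or the CMDB now carries it as an active record.
    for asset in sorted(open_tickets):
        rec = records.get(asset)
        if asset not in still_exposed:
            actions.append(("close", asset, "no longer exposed on rescan"))
        elif rec is not None and rec.status == "active":
            actions.append(("close", asset, "now inventoried as active"))
    return actions


# Constructed sample data using reserved documentation names only.
DISCOVERY = [
    Discovered("vpn-legacy.example.com", {"dns_in_owned_zone", "tls_cert_san"}, {443, 3389}),
    Discovered("www.example.com", {"dns_in_owned_zone"}, {80, 443}),
    Discovered("jenkins.acquired.example", {"whois_org"}, {8080}),
    Discovered("blog.example.org", {"html_link_to_domain"}, {443}),
    Discovered("203.0.113.9", {"shared_ip_former_tenant"}, {22}),
    Discovered("dev-api.example.com", {"dns_in_owned_zone"}, {443}, exposed=False),
    Discovered("staging.example.com", {"cloud_account_tag"}, {443}),
]
CMDB = [
    CmdbRecord("www.example.com", "active"),
    CmdbRecord("jenkins.acquired.example", "decommissioned"),
    CmdbRecord("staging.example.com", "active"),
]
OPEN_TICKETS = {"dev-api.example.com", "staging.example.com"}


def run_example():
    return reconcile(DISCOVERY, CMDB, OPEN_TICKETS)


if __name__ == "__main__":
    for action, asset, reason in run_example():
        print(f"{action:6} {asset:28} {reason}")
```

On the sample data the pass opens a ticket for the forgotten VPN host (RDP exposed alongside 443) and for the acquired-company Jenkins box the CMDB believes is decommissioned, queues the two reference-only hits for human review instead of ticketing them, and closes the two existing tickets only because the rescan confirms one asset is gone and the CMDB now lists the other as active. Swapping the inline lists for the platform's export and a ServiceNow or Jira client is the integration the paragraph above describes.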
Acquired entity coverage requires configuration-free discovery. Standard EASM platforms require seed data — known domains, IP ranges, ASNs — to begin discovery. For acquired entities, that seed data may not exist or may be incomplete. The platforms that perform autonomous discovery from minimal seeds (company name, primary domain) and expand outward to find affiliated infrastructure are specifically suited for M&A-heavy organizations. This capability varies significantly across vendors and is underweighted in standard evaluation criteria.
Shadow IT and SaaS discovery are separate from infrastructure discovery. EASM platforms are primarily designed to discover internet-facing infrastructure. Shadow IT cloud accounts (AWS, GCP, Azure accounts created outside IT) and unauthorized SaaS applications require different discovery mechanisms — CASB tools and SaaS security posture management (SSPM) platforms. Enterprises that treat EASM as their complete shadow IT solution will have gaps in their SaaS and cloud account coverage that infrastructure-focused EASM cannot address.
Questions Your Buying Team Should Be Asking
1. What is the platform's discovery methodology, and how frequently does it rescan the full internet surface? The internet is not static — new assets appear, old ones disappear, configurations change. Understand whether the platform performs continuous scanning or periodic sweeps, what the rescan frequency is for different asset types, and how quickly newly provisioned infrastructure appears in the discovery results. For cloud assets in particular, the gap between provisioning and discovery should be measured in hours, not days. Ask for specific SLA data on discovery latency.
2. How does the platform handle attribution of assets from acquired companies with no prior relationship to our primary domain? This is the M&A test case. Provide the vendor with a real example: a company your organization acquired in the last two years with infrastructure your security team is still mapping. Ask the vendor to demonstrate discovery of that company's infrastructure using only the acquired entity's primary domain as seed data, without providing IP ranges or ASN information. The quality of the result will tell you more about M&A discovery capability than any feature comparison.
3. What is the false positive rate, and how is it measured? Every EASM platform will claim high discovery accuracy. Ask for specific data on false positive rates — assets attributed to your organization that do not belong to you — and ask how the platform handles corrections. A platform with a 15 percent false positive rate on a 50,000-asset discovery result creates 7,500 assets that require human review to dismiss. Understand the operational load that false positives create before selecting a platform.
4. How does the platform integrate with our vulnerability management and CTEM workflows? EASM discovery is an input to CTEM prioritization, not an end state. Ask how discovered assets are fed into vulnerability management platforms (Tenable, Qualys, Rapid7), CTEM orchestration tools, and ticketing systems. Understand whether the integration is bidirectional — not just "EASM discovers asset and creates ticket" but "vulnerability scanner confirms remediation and EASM verifies asset is no longer exposed." The platforms that close the loop on remediation verification provide substantially more value than those that only generate findings.
5. Can the platform show us what an attacker sees from our organization's internet presence today, with no configuration beyond our primary domain? This is the readiness test. Before committing to a platform, ask for a proof-of-concept assessment of your organization's external attack surface using only public information: no credentials, no network access, no seed data beyond your primary domain. The quality of the PoC result, and how it compares to your current CMDB, is the most direct indicator of the platform's value to your specific environment.
The Stackcurve Take
External attack surface management is not a luxury capability for mature security programs — it is a prerequisite for any accurate understanding of your organization's exposure. The CTEM framework explicitly places discovery as Stage 1 for a reason: you cannot scope, prioritize, validate, or mobilize remediation for exposures you have not found. Every subsequent stage of CTEM is limited by the completeness of the discovery stage.
The inventory gap is structural. Cloud velocity, M&A activity, developer autonomy, and SaaS proliferation will not slow down to match security's discovery pace. The only adequate response is discovery tooling that operates at the same speed and scope as the processes creating exposure — continuous, autonomous, and independent of the CMDB.
The specific attackers most relevant to this gap are not sophisticated nation-state actors. They are the commodity initial access brokers who sell network access to ransomware groups, and who rely on exactly the exposures EASM finds: internet-facing RDP without MFA, misconfigured cloud storage, forgotten development environments with production credentials. It is these exposures, far more than zero-day exploits, that generate ransomware incidents. The organizations that close the EASM gap are the ones that eliminate the commodity initial access pathways that account for the majority of enterprise ransomware compromises.
The 2026 Stackcurve CTEM CURVE™ Report covers the full EASM vendor landscape, including detailed capability assessments for Palo Alto Xpanse, Mandiant ASM, CyCognito, Censys, Tenable ASM, Runzero, and emerging platforms. Download it free →
Stackcurve Advisory Briefs are independent research. No vendor pays for placement, tier assignment, or editorial influence. The CURVE™ methodology is disclosed in full at stackcurve.net/research/methodology.