Attack Surface Management · 34 Questions Answered

Attack Surface Management: Frequently Asked Questions

Everything security teams ask about discovering, monitoring, and reducing their attack surface, answered directly with no marketing detours.

Quick Answers

  • ASM continuously discovers every internet-facing and cloud asset you own: domains, subdomains, IPs, ports, services, certificates, and APIs.
  • It finds shadow IT and unknown assets the moment they appear, then deduplicates and validates to remove noise.
  • Exposures are scored on CVSS plus EPSS and business context, then fed to agentic pentesting for PoC-backed validation.
  • Continuous monitoring shrinks time-to-discovery from quarterly audits to near real time, and re-scans confirm fixes.
Section 1 · 6 Questions

1. Attack Surface Management Basics

1.1 What is Attack Surface Management (ASM)?

Attack Surface Management is the continuous discovery, inventory, classification, and monitoring of every internet-facing and internal asset your organization owns: domains, subdomains, IPs, open ports, services, certificates, cloud resources, and APIs. The goal is to see your environment the way an attacker sees it, find the unknown and unmanaged assets first, and keep that picture current as the surface changes.

Strobes runs this as an always-on loop and feeds discovered exposures straight into prioritization, validation, and remediation on the same platform, so discovery does not end at a list. See the Attack Surface Management solution page for the full picture.

1.2 How is ASM different from a vulnerability scanner?

A vulnerability scanner checks assets you already know about for known weaknesses. ASM answers the prior question: what assets do you even have? ASM continuously discovers the unknown and forgotten parts of your estate (shadow IT, expired certificates, abandoned subdomains, exposed admin panels) and then scans and classifies them.

The two are complementary, not competing. Scanning without discovery only secures the assets you remembered to point it at, which is exactly the set of assets attackers do not bother with.

1.3 What is the difference between EASM and CAASM?

Two views of the same surface, built from opposite directions:

  • EASM (External Attack Surface Management): maps your internet-facing footprint from the outside in, the way an attacker would: domains, subdomains, IPs, ports, certificates, and exposed services discovered with no prior knowledge.

  • CAASM (Cyber Asset Attack Surface Management): builds a unified asset inventory from the inside out, by pulling from your existing tools (cloud accounts, EDR, CMDB, scanners) through their APIs.

EASM finds what you did not know was exposed; CAASM correlates and deduplicates what your tools already see. Strobes covers both views and reconciles them into one inventory.

1.4 Why do organizations need Attack Surface Management?

Because the modern attack surface changes faster than any spreadsheet can track. Cloud resources spin up and down, teams register domains, vendors get connected, and shadow IT appears without security review. Attackers scan the entire internet continuously, so an asset you forgot is an asset they will find.

ASM closes the gap between what you think you run and what is actually exposed. That gap is where most breaches start, which is why discovery is the foundation of any CTEM program.

1.5 What is shadow IT and how does ASM find it?

Shadow IT is any asset running without the security team knowing about it: a marketing microsite, a forgotten staging server, a SaaS app a team signed up for, or a subdomain pointed at a decommissioned service. None of it shows up in your CMDB, and all of it is still exposed.

ASM finds it from the outside through certificate transparency logs, DNS enumeration, passive reconnaissance, and cloud resource discovery. Strobes flags these unknown and unmanaged assets the moment they appear, so they get reviewed instead of forgotten.

1.6 What assets does Strobes ASM discover?

Strobes ASM enumerates the full external and cloud footprint:

  1. Domains & subdomains: enumerated from seed domains, certificate transparency, and DNS records
  2. IPs, ports & services: IP ranges, open ports, running services, and version fingerprints
  3. Certificates: TLS/SSL certificates, expiry tracking, and weak-configuration detection
  4. Web apps & CMS: application and CMS detection, with sensitive assets like admin panels tagged
  5. APIs: exposed API endpoints, tagged as sensitive and ready for validation
  6. Cloud resources: assets across AWS, GCP, and Azure and the public endpoints they expose


Section 2 · 5 Questions

2. Discovery & Coverage

2.1 Does ASM discover cloud assets across multiple providers?

Yes. Strobes ASM discovers cloud resources across AWS, GCP, and Azure, including storage buckets, compute instances, load balancers, and the public endpoints they expose. Because cloud inventory changes constantly, continuous discovery catches resources the moment they spin up.

That timing matters: a temporary bucket left public for an afternoon should not become a permanent blind spot. Continuous re-discovery is what keeps a fast-moving cloud estate from drifting out of view.

2.2 How does ASM handle assets I do not know I own?

That is the core job of external discovery. Starting from a seed (a domain or organization name), Strobes ASM pivots through certificate transparency logs, DNS records, WHOIS data, and passive reconnaissance to find related assets you never inventoried: acquired-company domains, forgotten subdomains, and orphaned cloud endpoints.

Each newly discovered asset is attributed back to your organization and flagged as unmanaged, so your team can decide to claim, decommission, or secure it instead of leaving it exposed.

2.3 How does ASM detect subdomain takeover risk?

Strobes ASM continuously enumerates subdomains and checks their DNS records against the services they point to. When a subdomain still references a decommissioned cloud resource, an expired SaaS account, or a dangling CNAME, it is flagged as a takeover candidate, because an attacker could claim that resource and serve content from your domain.

Catching dangling DNS early closes one of the most common and avoidable external exposures, and continuous monitoring means new dangling records get caught as soon as a service is retired.
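The dangling-record check described above, as an added example that is not Strobes' code: it walks each subdomain's CNAME chain over a constructed snapshot of your own zone (the CNAMES map) and a constructed resolver view (the RESOLVABLE set), and flags any chain that ends at a name that no longer resolves, as well as loops and over-long chains. All names, the hop limit, and the two data structures are assumptions; in a real loop the records would come from the enumerator's DNS collection.

```python
"""Dangling-CNAME detection over a constructed DNS snapshot (added example, not Strobes code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed zone view: subdomain -> CNAME target, all names hypothetical.
CNAMES: Dict[str, str] = {
    "blog.example.com": "sites.hosting-provider.example",      # target still live
    "old-shop.example.com": "shop-1234.retired-saas.example",  # target gone (NXDOMAIN)
    "cdn.example.com": "edge.example.com",                     # two-hop chain
    "edge.example.com": "pop.cdn-provider.example",
    "loop-a.example.com": "loop-b.example.com",                # misconfigured loop
    "loop-b.example.com": "loop-a.example.com",
}

# Constructed resolver view: names that currently answer with an A/AAAA record.
RESOLVABLE: Set[str] = {"sites.hosting-provider.example", "pop.cdn-provider.example"}


@dataclass
class Finding:
    name: str         # the subdomain under your control
    chain: List[str]  # CNAME hops that were followed
    reason: str


def follow_cnames(name: str, cnames: Dict[str, str],
                  max_hops: int = 8) -> Tuple[List[str], Optional[str]]:
    """Follow the CNAME chain from name; return (hops, error), error None on a clean chain."""
    chain, seen, cur = [name], {name}, name
    while cur in cnames:
        cur = cnames[cur]
        if cur in seen:
            return chain, "cname-loop"
        chain.append(cur)
        seen.add(cur)
        if len(chain) > max_hops:
            return chain, "chain-too-long"
    return chain, None


def find_takeover_candidates(cnames: Dict[str, str], resolvable: Set[str]) -> List[Finding]:
    """Flag subdomains whose chain ends at a non-resolving name, plus broken chains."""
    findings: List[Finding] = []
    for name in cnames:
        chain, err = follow_cnames(name, cnames)
        if err is not None:
            findings.append(Finding(name, chain, err))
        elif chain[-1] not in resolvable:
            findings.append(Finding(name, chain, "dangling-cname: target does not resolve"))
    return findings


if __name__ == "__main__":
    for f in find_takeover_candidates(CNAMES, RESOLVABLE):
        print(f"{f.name}: {f.reason} via {' -> '.join(f.chain)}")
```

Run against the constructed data, old-shop.example.com is reported as dangling and the two loop records as misconfigured, while the two-hop cdn chain passes; the intended remediation for a dangling record is to delete it or re-point it before anyone else can register the target.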

2.4 Does ASM monitor SSL and TLS certificates?

Yes. Certificate discovery is part of every scan. Strobes ASM tracks the certificates serving your assets, flags expired and soon-to-expire certificates, weak ciphers, and misconfigurations, and uses certificate transparency logs as a discovery source for new and forgotten subdomains.

A lapsed certificate is both an availability problem and a discovery signal, and ASM treats it as both: it tells you something is misconfigured and it points you at an asset you may have lost track of.

2.5 How comprehensive is ASM asset discovery?

Discovery spans the full external footprint and the cloud estate: subdomains, IPs, ports, services, certificates, web apps, APIs, and cloud resources. Passive techniques (certificate transparency, DNS, passive recon) find assets without touching them, and active scanning (port scanning, service fingerprinting, banner grabbing) confirms what is live.

The combination keeps coverage broad without generating noise, and continuous re-discovery means the inventory does not go stale between snapshots the way a once-a-quarter scan does.


Section 3 · 6 Questions

3. How It Works & Monitoring

3.1 How does Strobes ASM actually work?

Strobes ASM runs a seven-stage loop:

  1. Asset discovery: enumerate subdomains, IPs, cloud resources, and APIs, including certificate transparency scanning
  2. Passive & active scanning: port scanning, service fingerprinting, banner grabbing, and version analysis
  3. Exposure classification: categorize by app, network, DNS, SSL, and CMS, and tag sensitive assets
  4. Correlation & noise reduction: deduplicate across scanners and apply AI validation to remove false positives
  5. Risk prioritization: CVSS plus EPSS plus business context, with exploitability-weighted ranking
  6. Attack path insight: map lateral movement paths and highlight crown-jewel access routes
  7. Continuous monitoring: 24/7 change detection, new asset alerts, drift monitoring, and SLA tracking

The loop never stops, so the inventory and its risk scores stay current as your environment changes.

3.2 How often does ASM scan my attack surface?

Continuously, not on a quarterly schedule. Strobes ASM monitors your attack surface 24/7, re-discovering assets and re-scanning exposures as the environment changes. New assets trigger alerts the moment they appear, and drift in existing assets (a newly opened port, a changed service version, an expired certificate) is detected near introduction rather than at the next audit.

3.3 What is change detection in ASM?

Change detection is the continuous comparison of your current attack surface against its last known state. When a new subdomain appears, a port opens, a service version changes, a certificate lapses, or a cloud resource goes public, Strobes ASM flags the delta and alerts the right owner.

Most exposures are introduced by a change nobody reviewed, so watching for change is how you shrink the window between exposure and detection.
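The comparison against the last known state, together with the certificate expiry tracking from 2.4, as an added example that is not Strobes' code: two constructed inventory snapshots (PREVIOUS and CURRENT) are diffed to produce the events the text lists (new asset, opened port, changed service version, resource gone public, lapsed or soon-to-lapse certificate). The snapshot shape, the 30-day warning window, and the hostnames are assumptions.

```python
"""Inventory change detection over two constructed snapshots (added example, not Strobes code)."""
from datetime import date
from typing import Any, Dict, List, Tuple

# Constructed snapshots: asset -> open ports, service fingerprint per port,
# TLS certificate expiry (None if no TLS) and whether it is publicly reachable.
PREVIOUS: Dict[str, Dict[str, Any]] = {
    "www.example.com": {"ports": {443}, "services": {443: "nginx/1.24"},
                        "cert_expiry": date(2026, 3, 1), "public": True},
    "api.example.com": {"ports": {443}, "services": {443: "envoy/1.29"},
                        "cert_expiry": date(2025, 1, 10), "public": True},
    "reports-bucket":  {"ports": set(), "services": {}, "cert_expiry": None, "public": False},
}
CURRENT: Dict[str, Dict[str, Any]] = {
    "www.example.com": {"ports": {443, 8080}, "services": {443: "nginx/1.24", 8080: "jenkins/2.4"},
                        "cert_expiry": date(2026, 3, 1), "public": True},
    "api.example.com": {"ports": {443}, "services": {443: "envoy/1.30"},
                        "cert_expiry": date(2025, 1, 10), "public": True},
    "reports-bucket":  {"ports": set(), "services": {}, "cert_expiry": None, "public": True},
    "staging.example.com": {"ports": {22, 443}, "services": {22: "openssh/9.6", 443: "nginx/1.24"},
                            "cert_expiry": date(2025, 2, 1), "public": True},
}

Event = Tuple[str, str, Any]  # (kind, asset, detail)


def diff_snapshots(prev: Dict[str, Dict[str, Any]], cur: Dict[str, Dict[str, Any]],
                   today: date, expiry_warn_days: int = 30) -> List[Event]:
    """Return the deltas between two inventory snapshots plus certificate expiry events."""
    events: List[Event] = []
    for name in sorted(cur.keys() - prev.keys()):
        events.append(("new_asset", name, None))
    for name in sorted(prev.keys() - cur.keys()):
        events.append(("removed_asset", name, None))
    for name in sorted(cur.keys() & prev.keys()):
        p, c = prev[name], cur[name]
        for port in sorted(c["ports"] - p["ports"]):
            events.append(("port_opened", name, port))
        for port in sorted(p["ports"] - c["ports"]):
            events.append(("port_closed", name, port))
        for port in sorted(c["ports"] & p["ports"]):
            if c["services"].get(port) != p["services"].get(port):
                events.append(("service_changed", name,
                               (port, p["services"].get(port), c["services"].get(port))))
        if not p["public"] and c["public"]:
            events.append(("went_public", name, None))
    # Certificate checks run on the current snapshot regardless of the prior state,
    # because a certificate lapses by the calendar, not by a configuration change.
    for name, asset in sorted(cur.items()):
        expiry = asset["cert_expiry"]
        if expiry is None:
            continue
        days_left = (expiry - today).days
        if days_left < 0:
            events.append(("cert_expired", name, days_left))
        elif days_left <= expiry_warn_days:
            events.append(("cert_expiring", name, days_left))
    return events


if __name__ == "__main__":
    for kind, asset, detail in diff_snapshots(PREVIOUS, CURRENT, date(2025, 1, 20)):
        print(f"{kind:16} {asset:24} {detail if detail is not None else ''}")
```

Each event carries the asset name so it can be routed to that asset's owner; in practice the previous snapshot is whatever the last completed discovery run stored, and the diff runs on every new run.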

3.4 How quickly does ASM reduce time-to-discovery?

Because monitoring is continuous, time-to-discovery drops from the length of your audit cycle to near real time. A new internet-facing asset that might have gone unnoticed until the next quarterly review is surfaced as soon as it appears.

Shrinking time-to-discovery directly shrinks the exposure window, which is the metric attackers exploit: every day an asset is exposed and unknown is a day it can be hit.

3.5 How does ASM reduce noise and false positives?

Raw discovery is noisy: the same asset shows up across multiple scanners, and not every flagged item is a real exposure. Strobes ASM deduplicates findings across sources, correlates exposures to the business assets they belong to, and applies AI validation to eliminate false positives before anything reaches your queue.

The result is a deduplicated, validated inventory rather than a pile of overlapping alerts, so your team triages real exposures instead of filtering duplicates.
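The cross-source deduplication step, as an added example that is not Strobes' code: three constructed scanners report the same weakness with inconsistent host casing, trailing dots, and port types, and a normalized key collapses them into one finding that remembers every source that saw it. The raw-finding format and the CVE identifiers (placeholders of the form CVE-0000-000N) are constructed for the example.

```python
"""Cross-scanner finding deduplication (added example, not Strobes code)."""
from collections import OrderedDict
from typing import Any, Dict, List, Tuple

# Constructed raw findings. CVE ids are placeholders, not real identifiers.
RAW: List[Dict[str, Any]] = [
    {"source": "scanner-a", "host": "WWW.Example.com.", "port": "443", "cve": "CVE-0000-0001", "severity": 7.5},
    {"source": "scanner-b", "host": "www.example.com",  "port": 443,   "cve": "cve-0000-0001", "severity": 7.5},
    {"source": "asm",       "host": "www.example.com",  "port": 443,   "cve": "CVE-0000-0001", "severity": 7.8},
    {"source": "scanner-a", "host": "api.example.com",  "port": "443", "cve": "CVE-0000-0002", "severity": 5.3},
    {"source": "scanner-b", "host": "api.example.com",  "port": 8443,  "cve": "CVE-0000-0002", "severity": 5.3},
]

Key = Tuple[str, int, str]


def normalize(f: Dict[str, Any]) -> Key:
    """Canonical identity of a finding: lower-cased FQDN without trailing dot, int port, upper-cased CVE."""
    host = f["host"].strip().lower().rstrip(".")
    port = int(f["port"])
    cve = f["cve"].strip().upper()
    return (host, port, cve)


def dedupe(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Merge findings with the same normalized key; keep every source and the highest severity seen."""
    merged: "OrderedDict[Key, Dict[str, Any]]" = OrderedDict()
    for f in findings:
        host, port, cve = normalize(f)
        entry = merged.setdefault((host, port, cve), {
            "host": host, "port": port, "cve": cve, "sources": [], "severity": f["severity"],
        })
        if f["source"] not in entry["sources"]:
            entry["sources"].append(f["source"])
        entry["severity"] = max(entry["severity"], f["severity"])
    return list(merged.values())


if __name__ == "__main__":
    for entry in dedupe(RAW):
        print(f"{entry['host']}:{entry['port']} {entry['cve']} "
              f"sev={entry['severity']} seen_by={entry['sources']}")
```

The api.example.com rows stay separate because they are on different ports, which is the right outcome: a weakness on 443 and the same weakness on 8443 are two exposures, not one duplicate.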

3.6 Does ASM map attack paths across assets?

Yes. Beyond listing isolated exposures, Strobes ASM maps lateral movement paths, identifies chained vulnerabilities, and highlights the routes that lead to crown-jewel access. Seeing how an externally exposed asset connects to sensitive systems is what turns a flat asset list into a prioritized picture of real risk.

See your own attack surface.

The fastest way to evaluate ASM is to run it. Book a demo and review your first attack surface map the same day.


Section 4 · 6 Questions

4. Risk Prioritization & Validation

4.1 How does ASM prioritize which exposures to fix first?

Strobes ASM scores every exposure using CVSS plus real-world signals: EPSS exploit probability, threat intelligence enrichment, and business context such as how sensitive the affected asset is. Exploitability-weighted ranking pushes the exposures an attacker is most likely to use to the top of the queue.

Remediation effort then goes to real risk instead of raw severity counts, so a critical CVE on an isolated test box does not outrank a medium issue on an internet-facing crown jewel.
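An exploitability-weighted ranking of the kind described above, as an added example that is not Strobes' scoring model: CVSS sets the ceiling, EPSS (and a KEV flag) scale how likely the weakness is to be used, and asset criticality plus internet exposure scale how much it matters. The weights, the 1-to-5 criticality scale, and the four constructed exposures are assumptions chosen to show the critical-CVE-on-a-test-box case the text describes.

```python
"""Exploitability-weighted exposure ranking (added example, not Strobes code)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Exposure:
    asset: str
    title: str
    cvss: float             # CVSS base score, 0-10
    epss: float             # EPSS probability of exploitation, 0-1
    internet_facing: bool
    asset_criticality: int  # hypothetical scale: 1 = isolated test box, 5 = crown jewel
    in_kev: bool = False    # listed in CISA KEV


def risk_score(e: Exposure) -> float:
    """Hypothetical weighting: severity x likelihood x business context, rounded to 2 places."""
    likelihood = 0.2 + 0.8 * e.epss   # floor at 0.2: not exploited today is not the same as safe
    if e.in_kev:
        likelihood = 1.0              # known exploited in the wild overrides the probability model
    context = e.asset_criticality / 5.0
    if not e.internet_facing:
        context *= 0.5                # reachable only after a foothold; still counts, but less
    return round(e.cvss * likelihood * context, 2)


def rank(exposures: List[Exposure]) -> List[Exposure]:
    """Highest risk first."""
    return sorted(exposures, key=risk_score, reverse=True)


# Constructed exposures, all hostnames and values hypothetical.
CONSTRUCTED: List[Exposure] = [
    Exposure("test-box-17", "critical RCE in build agent", 9.8, 0.03, False, 1),
    Exposure("payments.example.com", "medium auth bypass on admin endpoint", 6.5, 0.62, True, 5),
    Exposure("www.example.com", "deprecated TLS version offered", 5.3, 0.01, True, 3),
    Exposure("vpn.example.com", "high pre-auth bug, in KEV", 8.8, 0.40, True, 4, in_kev=True),
]


if __name__ == "__main__":
    for e in rank(CONSTRUCTED):
        print(f"{risk_score(e):5.2f}  {e.asset:22} {e.title}")
```

With these weights the 9.8 on the isolated test box lands at the bottom (0.22) and the 6.5 on the internet-facing crown jewel sits well above it (4.52); a real deployment would tune the weights and feed criticality from the asset inventory rather than hard-code it.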

4.2 How does ASM connect to vulnerability prioritization?

Discovered exposures do not stop at a list. Strobes ASM feeds findings into the same risk-based vulnerability management engine that handles your scanner and cloud data, so external exposures are prioritized alongside everything else using EPSS, CISA KEV, exploit availability, and business context.

One unified queue means you are not triaging ASM findings in a silo, and the same SLA-tracked remediation workflows apply to discovered exposures as to any other finding.

4.3 How does ASM feed pentesting and validation?

Discovery tells you what is exposed; validation tells you what is actually exploitable. Strobes ASM hands its newly discovered assets and exposures to agentic pentesting, where autonomous agents attempt the exploit and confirm reachability with a working proof-of-concept.

An exposure that ASM flags and pentesting validates is proven risk, not predicted risk. That sharpens prioritization and removes guesswork from remediation, because you are fixing confirmed attack paths first. For the deeper dive, see the agentic pentesting FAQs.

4.4 What is the difference between continuous ASM and periodic scans?

Periodic scans give you a snapshot on one day; everything after is assumption. Continuous ASM re-discovers and re-scans as the environment changes.

Continuous ASM vs periodic scanning

  Capability                                Continuous ASM    Periodic scans
  New assets caught at introduction
  Inventory stays current between cycles
  Shadow IT and unknown asset discovery                       Partial
  Change and drift detection
  Fix verification by re-scan                                 Rare
  Exposure window measured in               hours             months

The practical effect: exposure windows shrink from the length of your audit cycle to hours, and risk data stays current instead of decaying between cycles.

4.5 Does ASM verify that exposures are actually remediated?

Yes. When an exposure is marked fixed, Strobes re-scans the asset to confirm the change actually closed it, and continuous monitoring catches silent regressions in later changes. Exposures close on evidence, not on a status update.

Drift monitoring and SLA tracking keep remediation on a clock with an owner, so a fix that quietly regresses in a later deployment gets caught instead of resurfacing in next year's audit.

4.6 How does ASM fit into a CTEM program?

CTEM runs a five-stage loop: scoping, discovery, prioritization, validation, and mobilization. ASM owns the discovery stage, continuously mapping the attack surface that scoping defines, and feeds the prioritization and validation stages with current, attributed exposure data.

Because Strobes runs ASM, prioritization, validation, and remediation on one platform, the CTEM loop closes without exporting data between tools, and each stage works from the same live picture instead of a stale handoff.


Section 5 · 6 Questions

5. Cloud, Shadow IT & Third Party

5.1 Does ASM cover third-party and supply-chain exposure?

Discovery surfaces the third-party dependencies and connected services that extend your attack surface beyond assets you directly own: vendor-hosted subdomains, third-party scripts, and externally connected endpoints. Mapping these dependencies shows where your exposure depends on someone else.

That seam, between your assets and the third parties they trust, is exactly what attackers probe in supply-chain attacks, so seeing it explicitly matters.

5.2 How does ASM handle assets from mergers and acquisitions?

Acquisitions inherit an attack surface nobody on the security team mapped. Starting from the acquired organization's domains, Strobes ASM enumerates their subdomains, IPs, certificates, and cloud assets and attributes them back to your now-larger estate.

That gives you a fast inventory of inherited exposure during due diligence or integration, instead of discovering it the hard way after an incident.

5.3 Can ASM discover exposed APIs?

Yes. API endpoints are discovered as part of the asset inventory and tagged as sensitive. From there, exposed APIs can be handed to validation, where agentic pentesting tests them for authentication flaws, broken object-level authorization, and other API-specific weaknesses.

Discovering an API is the first step; confirming whether it leaks data or accepts unauthorized requests is the next, and the two run on the same platform.

5.4 How does ASM relate to application security posture management?

ASM works from the outside in, discovering exposed applications and assets across your whole footprint. Application security posture management works from the code and pipeline out, governing the security of applications you build.

They meet in the middle: ASM finds an exposed application and ASPM explains its posture across the SDLC. On the Strobes platform, both feed the same prioritized view of risk.

5.5 Does ASM cover both internet-facing and internal assets?

The primary focus of ASM is the external, internet-facing attack surface, where attackers start. Strobes pairs that external view with a CAASM-style internal inventory built from your connected tools, so you see both the outside-in exposure and the inside-out asset picture and can correlate the two.

Real attack paths cross that boundary: an external foothold plus an internal path to sensitive systems is the breach scenario worth seeing, and covering both sides gives you that connected view.

5.6 How is Strobes ASM different from a standalone EASM tool?

A standalone EASM tool discovers exposures and stops at a report, leaving prioritization, validation, and remediation to whatever you bolt on. Strobes ASM discovers and then acts on the same platform:

Strobes ASM vs standalone EASM tools

  Capability                                       Strobes ASM    Standalone EASM
  Continuous external asset discovery
  CAASM-style unified inventory                                   Partial
  EPSS + business-context risk scoring                            Rare
  Agentic, PoC-backed validation of exposures
  Built-in remediation workflows + SLAs
  Part of a full CTEM platform

You get discovery through verified closure in one place, rather than a discovery silo that hands a CSV to the next tool.


Section 6 · 5 Questions

6. Getting Started

6.1 Does ASM integrate with the rest of my security stack?

Yes. Strobes connects to over 100 integrations across scanners, cloud providers, ticketing systems, and SIEMs, so ASM findings flow into the tools your team already uses. Discovered exposures sync to Jira, Azure DevOps, and GitHub with context.

The unified inventory reconciles data from your existing scanners and cloud accounts rather than adding another silo, which is the difference between a CAASM view and yet another dashboard.

6.2 How quickly can ASM be deployed?

Quickly. Strobes ASM is SaaS, so external discovery needs nothing installed: provide a seed domain or organization name and discovery begins immediately. There is no scan infrastructure to rack and no agents to deploy across a fleet for the external view.

The first attack surface map can be ready the same day you start, which is usually when teams find the first asset they did not know was exposed.

6.3 What does Strobes ASM cost?

ASM is part of the Strobes CTEM platform rather than a separate point tool, so you get continuous discovery, prioritization, validation, and remediation under one platform subscription instead of buying and stitching together several products.

See pricing for current plans, and book a demo to scope your environment.

6.4 Is Strobes ASM secure and compliant?

Strobes is ISO 27001 and SOC 2 certified and CREST accredited. Discovery data and findings stay within your tenant, and external reconnaissance uses passive and non-intrusive techniques where possible to map exposure without disrupting assets.

The accreditations and the validated-findings model mean the exposure picture you act on is both trustworthy and auditable. For the full security model, see Trust & Security.

6.5 How do I get started with Strobes ASM?

Book a demo, provide a seed domain or organization, and review your first attack surface map. The Strobes team helps you scope discovery, attribute newly found assets, and connect ASM to prioritization, validation, and remediation so exposures move from discovered to closed. Most teams see a meaningful inventory the same day they start.


See Your Full Attack Surface

Book a demo, provide a seed domain, and review your first attack surface map the same day. No setup fees, no agents to deploy for the external view.
