What Is Attack Surface Management? (And How to Do It for Free)
Enterprise ASM tools cost $30,000+/year and are built for security teams with 10 people. But the underlying concept (continuously knowing what you expose and whether it's secure) is something any small team can implement for close to nothing.
What attack surface management actually means
Your attack surface is everything an attacker can see and interact with from the outside: your websites, APIs, subdomains, email configuration, open ports, SSL certificates, and any exposed admin panels or cloud storage. Attack surface management (ASM) is the practice of continuously discovering, monitoring, and reducing this exposure.
The key word is continuously. A one-time penetration test is a point-in-time snapshot. Your attack surface changes every time you add a subdomain, renew an SSL certificate, change a DNS record, or deploy a new service. ASM is about staying current: knowing what you have and whether it's configured securely.
What your attack surface includes
Why small teams ignore it (and why that's a mistake)
Most small teams do a one-time security audit when something goes wrong, then go months or years without checking. In that time:
- SSL certificates expire and browsers show security warnings to customers
- Staging subdomains get deployed and forgotten, often with weaker security config
- A developer opens a port for testing and forgets to close it
- SPF records get corrupted when adding a new marketing platform
- DMARC policy gets weakened after a misconfigured email tool raises false positives
None of these show up until an attacker finds them, or until a customer complains that their browser is showing a certificate error. The cost of monitoring is near zero. The cost of a breach is not.
The free ASM stack for small teams
1. External scan: SSL, headers, DNS, ports
The EdgeIQ Dashboard runs a free scan against your domain that checks SSL grade and expiry, all major HTTP security headers, SPF/DMARC/MX records, and exposed ports. It's free and takes 30 seconds. Run it monthly at minimum, or set up automated weekly monitoring with Pulse.
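To make the header and certificate part of that scan concrete, here is an added example (not EdgeIQ's code) that grades a set of response headers and the remaining lifetime of a certificate. The header values, the certificate date, and the scan time are constructed for the example; the only external piece is the standard library's `ssl.cert_time_to_seconds`, which parses the `notAfter` string that `ssl.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Constructed response headers for a hypothetical site (not from any real scan).
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}

# The same hypothetical site after hardening (also constructed).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

MIN_HSTS_MAX_AGE = 15_552_000           # 180 days; shorter values are widely treated as weak
SCAN_TIME = datetime(2024, 4, 1, tzinfo=timezone.utc)   # constructed scan time
SAMPLE_NOT_AFTER = "Apr 19 23:59:59 2024 GMT"           # constructed certificate expiry


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of an HSTS header; 0 if absent or malformed."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            digits = d[len("max-age="):].strip('"')
            return int(digits) if digits.isdigit() else 0
    return 0


def check_security_headers(headers: dict) -> list:
    """One finding per missing or weak security header; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age={hsts_max_age(hsts)} is too short")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive (DENY or SAMEORIGIN expected)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days left on a certificate; not_after is in ssl.getpeercert()['notAfter'] format."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return int((expiry - now.timestamp()) // 86400)


def check_certificate(not_after: str, now: datetime, warn_days: int = 30) -> list:
    """Findings for an expired or soon-to-expire certificate."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return [f"certificate expired {-days} day(s) ago"]
    if days < warn_days:
        return [f"certificate expires in {days} days; renew now"]
    return []


if __name__ == "__main__":
    for finding in check_security_headers(WEAK_HEADERS):
        print("header:", finding)
    for finding in check_certificate(SAMPLE_NOT_AFTER, SCAN_TIME):
        print("cert:", finding)
```

Point the same two functions at a real site's headers and certificate on a weekly schedule and you have the "continuously" part of ASM for those two checks; the constructed weak set produces five findings and the hardened set none.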
2. Subdomain discovery
Most teams don't know all their subdomains. Certificate Transparency logs record every SSL certificate ever issued for your domain; searching them via crt.sh gives you a near-complete list of subdomains that have ever had a certificate. Do this quarterly.
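Here is an added example (not part of the original article, and not crt.sh's code) of turning a crt.sh JSON result into a subdomain inventory. The field names (`name_value`, `not_after`, `issuer_name`) are the ones crt.sh returns for a query like `https://crt.sh/?q=%25.example.com&output=json`; the entries themselves are constructed. Beyond listing names, it flags hosts whose newest certificate has already expired, which is exactly the "deployed and forgotten staging subdomain" case described above.

```python
import json
from datetime import datetime

# Constructed sample in the shape of a crt.sh JSON response (values are made up).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "staging.example.com",
     "name_value": "staging.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2022-08-30T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "API.Example.com",
     "name_value": "API.Example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.mirror-host.net",
     "name_value": "example.com.mirror-host.net",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])

AS_OF = datetime(2024, 4, 1)   # constructed review date


def _in_scope_names(entry: dict, base: str):
    """Yield the hostnames under `base` that one log entry covers, lowercased."""
    for raw in entry.get("name_value", "").split("\n"):   # one cert can list many names
        name = raw.strip().lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]            # a wildcard cert is evidence of its parent name
        if name == base or name.endswith("." + base):
            yield name                 # anything else belongs to another zone, not ours


def subdomain_inventory(crtsh_json: str, base_domain: str) -> dict:
    """Map each discovered hostname to the latest not_after date seen in the log."""
    base = base_domain.lower().strip(".")
    latest = {}
    for entry in json.loads(crtsh_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        for name in _in_scope_names(entry, base):
            if name not in latest or not_after > latest[name]:
                latest[name] = not_after
    return latest


def stale_hosts(inventory: dict, as_of: datetime) -> list:
    """Hostnames whose newest logged certificate has already expired: likely forgotten
    services, or DNS names that should be removed."""
    return sorted(name for name, expiry in inventory.items() if expiry < as_of)


if __name__ == "__main__":
    inv = subdomain_inventory(SAMPLE_CRTSH_JSON, "example.com")
    for name in sorted(inv):
        print(f"{name:24} newest cert expires {inv[name]:%Y-%m-%d}")
    print("possibly abandoned:", stale_hosts(inv, AS_OF))
```

Two design points worth noting: names ending in a different zone are dropped rather than trusted (a loose crt.sh query can match unrelated domains), and the wildcard entry is collapsed to its parent so the inventory lists hosts, not certificate patterns. Every name this produces should then be resolved and scanned; a name that still resolves but has no current certificate is the one to look at first.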
3. Email authentication
Check your SPF, DKIM, and DMARC records with Inbox Shield. A grade from A to F on each component tells you instantly whether your email domain is spoofable. This is a 2-minute check that most teams have never done.
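The example below is added here and is not Inbox Shield's grading logic; it shows the kind of reasoning behind an A-to-F grade for SPF and DMARC, using the rules from RFC 7208 (SPF) and RFC 7489 (DMARC). The TXT records are constructed, and the grade thresholds are this example's own choices. DKIM is left out because grading it requires knowing which selectors the domain publishes.

```python
# Constructed TXT records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "spf":   "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "dmarc": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def grade_spf(record):
    """Grade an SPF record A-F and explain why. None means the domain has no record."""
    findings = []
    if not record:
        return "F", ["no SPF record: any host can send mail as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "F", ["record does not begin with v=spf1"]
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier, body = "+", term.lower()            # an unqualified term means "+"
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        mech = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append("ptr mechanism is deprecated and slow; replace it with ip4/ip6")
        if mech == "all":
            all_qualifier = qualifier
    grade = {"-": "A", "~": "B", "?": "D", "+": "F", None: "D"}[all_qualifier]
    if all_qualifier == "+":
        findings.append("+all authorises every sender: the record protects nothing")
    elif all_qualifier == "?":
        findings.append("?all is neutral: unlisted senders neither pass nor fail")
    elif all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
        grade = max(grade, "C")      # letters sort A<B<C, so this caps the grade at C
    return grade, findings


def grade_dmarc(record):
    """Grade a _dmarc TXT record A-F and explain why. None means no record."""
    if not record:
        return "F", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "F", ["record does not begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    grade = {"reject": "A", "quarantine": "B", "none": "D"}.get(policy)
    if grade is None:
        return "F", [f"missing or invalid p= tag ({policy!r})"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
        grade = chr(ord(grade) + 1)   # one letter worse
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    return grade, findings


def audit_email_auth(records: dict) -> dict:
    """Grade SPF and DMARC for one domain from its TXT records."""
    return {"spf": grade_spf(records.get("spf")),
            "dmarc": grade_dmarc(records.get("dmarc"))}


if __name__ == "__main__":
    for component, (grade, findings) in audit_email_auth(SAMPLE_RECORDS).items():
        print(f"{component.upper():6} {grade}  {'; '.join(findings) or 'ok'}")
```

Run against the constructed records, SPF comes out B (softfail `~all` is fine but `-all` is stronger) and DMARC drops from B to C because `pct=25` leaves three quarters of spoofed mail unpoliced. The lookup-count check is the one that catches the "SPF broke when we added a marketing platform" failure from the list above: the eleventh `include:` silently turns every SPF evaluation into a permerror.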
4. Brand monitoring
Your external attack surface also includes what attackers build about you. Lookalike domains (typosquatted or homoglyph registrations of your domain) are used to phish your customers while looking like they come from you. BrandGuard monitors for these daily.
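As an added illustration (not BrandGuard's code), the example below takes a feed of newly observed domain names, such as new certificate issuances or a newly-registered-domain list, and flags the ones that read like the protected brand. The feed entries, the brand `example.com`, and the category names are constructed for this example; the homoglyph and confusable tables are deliberately small, and the registrable-label logic assumes a plain `name.tld` brand with no public-suffix handling.

```python
import unicodedata

BRAND = "example.com"   # the domain being protected (constructed)

# Constructed feed of newly observed names (not real registrations).
PUNYCODE_SAMPLE = "ex\u0430mple.com".encode("idna").decode("ascii")   # Cyrillic 'а' in place of 'a'
SAMPLE_FEED = [
    "www.example.com",                  # our own subdomain: must be ignored
    "exarnple.com",                     # 'rn' renders like 'm'
    "examp1e.com",                      # digit one in place of 'l'
    "exmple.com",                       # one character dropped
    "example-login.com",                # brand plus a lure word
    "example.com.account-verify.net",   # brand used as a subdomain of another zone
    PUNYCODE_SAMPLE,                    # xn-- form of a homoglyph name, as a feed would show it
    "sample.com",                       # unrelated: must not be flagged
]

# ASCII sequences that look like another letter, and Cyrillic letters identical to Latin ones.
ASCII_LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i"}


def normalize_label(label: str) -> str:
    """Fold one DNS label to the Latin letters a human would read it as."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")   # punycode back to Unicode
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label)            # split accents off base letters
    label = "".join(CONFUSABLES.get(c, c) for c in label if not unicodedata.combining(c))
    label = label.lower()
    for seq, letter in ASCII_LOOKALIKES.items():
        label = label.replace(seq, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand_domain: str = BRAND):
    """Lookalike category for `candidate`, or None if it does not resemble the brand."""
    brand_label = brand_domain.split(".")[0]
    host = candidate.lower().rstrip(".")
    if host == brand_domain or host.endswith("." + brand_domain):
        return None                                  # our own names
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if registrable == brand_label:
        return "other-tld"                           # example.net, example.co, ...
    norm = normalize_label(registrable)
    if norm == brand_label:
        return "homoglyph"                           # reads as the brand but is not it
    if edit_distance(norm, brand_label) == 1:
        return "typo"
    if brand_label in norm:
        return "combosquat"                          # brand plus extra words
    if any(normalize_label(lbl) == brand_label for lbl in labels[:-2]):
        return "subdomain-impersonation"             # brand.com.something-else.net
    return None


def scan_feed(feed, brand_domain: str = BRAND) -> dict:
    """Return {domain: category} for every flagged entry in the feed."""
    flagged = {}
    for domain in feed:
        category = classify(domain, brand_domain)
        if category:
            flagged[domain] = category
    return flagged


if __name__ == "__main__":
    for domain, category in scan_feed(SAMPLE_FEED).items():
        print(f"{category:24} {domain}")
```

The useful property of this approach for a small team is that it only ever looks at names that already exist in a feed, so the daily job is a filter over new data rather than a generator of guesses; a hit is a takedown request or a customer warning, not a registration to chase. The tables would need to grow (Unicode's confusables list is the usual source) before relying on this for a real brand.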
5. Compliance posture
If you're targeting SOC 2, HIPAA, or PCI compliance, the Compliance dashboard maps your external scan results to the relevant control framework, so you know which findings are compliance-relevant and which to prioritise.
What enterprise ASM tools give you that free tools don't
Enterprise tools like Censys, runZero, and Axonius give you deeper internal network visibility, asset inventory for thousands of IPs, integration with SIEM/SOAR platforms, and dedicated analysts. If you have a SOC and more than a few hundred externally facing assets, they're worth it.
For a team of under 50 people with a handful of domains and a standard SaaS stack, a free external scan tool + weekly automated monitoring covers 80% of what matters at 2% of the cost.
Run a free attack surface scan right now
The EdgeIQ Dashboard scans your domain for SSL issues, security header gaps, DNS misconfigurations, and open ports in under 30 seconds. Free, no account required.