What Is an Attack Surface?

Scott Lester
13 December 2023
3 min Read
Scott Lester
Create free account

The current challenge

The IT infrastructure of any online company is quickly becoming more complex, distributed, sprawling and fluid – even for small companies. For large companies, keeping on top of what they have online can become an unmanageable task. As a consequence, too many cyber security incidents are caused by shadow IT, forgotten servers and neglected websites.

A typical company’s infrastructure is progressively spreading out from on-premise and subsidiary networks to the cloud. The increase in home working and remote access requirements also adds complexity. On top of this is the fact that infrastructure is always changing; whether through new resources, new or changed services, or more widespread changes due to company mergers and organisational changes.


The sum total of everything an organisation has online is its attack surface.

We could call it their defence surface, but the convention is to see it from an adversary’s perspective. A company’s online attack surface includes everything online that hosts or processes their data, or forms a part of that hosting or processing, that could be targeted by an attacker. This can include server and desktop computers, cloud assets, websites and certificates, domain records, email configuration, and much more.

A company’s attack surface may also technically include some elements owned and managed by vendors or by third-parties, which are outside their control but still form a part of their infrastructure. With the use of SaaS products and Content Delivery Networks (CDNs), the defence of your infrastructure is now a global challenge.

You cannot secure what you don’t know about, and therefore the unknown or unmanaged assets are likely to be a vector of choice for an attacker as they are likely to be easy targets.

Unknown data and assets

It is not uncommon for a company’s infrastructure to include unknown and unmanaged online assets. There may be legacy systems that have not been retired, shadow IT setup to circumnavigate controls, or simply something you meant to get around to updating last year but never actually got updated. To anyone unfamiliar with modern IT this might seem like an unforgivable oversight, but it’s very easy for omissions and mistakes to creep in. This is especially true for medium-size and large organisations, with multiple offices, services and IT teams involved.

Why should I care?

With a targeted attack, sophisticated attackers might explore some or all of an organisation’s attack surface as they try to find a way in. As common these days are indiscriminate attacks; when a new vulnerability is discovered some particularly aggressive attackers will automate the whole process of finding and exploiting vulnerable targets. This is one reason why the old argument of “but why would anyone try to hack us” doesn’t really stand up. If it’s part of your attack surface, it can be attacked.

Either way, the answer is the same: understand your online attack surface, and keep on top of it. More on how to manage your attack surface in our next blog “What Is Attack Surface Management?”

About Scott Lester
Scott is a technical Cyber Security professional with over fifteen years' experience across a broad range of roles within the public and private sectors. With a deep understanding of cyber security, he has in his career focussed on applied cryptography, network technologies, digital forensics and security research. At Red Maple he leads the delivery of all of our cyber security services.
Scott Lester


What our customers think