Attack surface terms, explained.
Clear, practical definitions for the language of external attack surface management — and how each concept maps to the way Legba Recon discovers, validates, and reports real exposures.
Program & Strategy.
Continuous attack surface monitoring is the practice of running asset discovery, exposure detection, and re-validation on an ongoing loop instead of as a one-time audit, so a newly exposed cloud bucket, subdomain, or service is caught hours after it appears rather than at the next quarterly scan. It exists because your internet-facing footprint changes every day, and a point-in-time snapshot is stale the moment a single deploy ships.
External Attack Surface Management (EASM)
External Attack Surface Management (EASM) is the continuous, outside-in discovery, inventory, and risk assessment of an organization's internet-facing assets so security teams can find and fix exposures the same way an attacker would find them. It answers a single, urgent question: what of ours is reachable from the public internet right now, and which of those things are dangerous?
Vulnerability Scanning vs Attack Surface Management
Vulnerability scanning checks assets you already know about for known flaws like missing patches and weak configurations, while attack surface management (ASM) first discovers every internet-facing asset you own so nothing gets left unscanned. They are complementary: ASM answers "what do we have exposed?" and vulnerability scanning answers "what is wrong with it?"
Discovery.
Asset discovery is the process of finding every internet-facing thing an organization owns or operates - domains, subdomains, IP addresses, hosts, open services, and cloud resources - so that nothing exposed to attackers stays invisible to defenders. It is the first and most decisive phase of external attack surface management, because you cannot protect, patch, or monitor an asset you do not know exists.
Port Scanning
Port scanning is the act of sending crafted packets to a host's TCP and UDP ports to learn which ports are open, closed, or filtered, and then identifying the services and versions listening behind the open ones. It is the foundational discovery step that turns an unknown IP address into a concrete inventory of reachable, attackable services.
Subdomain Enumeration
Subdomain enumeration is the process of finding every hostname that lives under a domain (like staging.example.com or vpn.example.com) so you can see your full internet-facing footprint before an attacker maps it for you.
Validation.
Exposure validation is the step of confirming that a discovered exposure is actually reachable and exploitable from an attacker's vantage point, producing concrete evidence rather than a theoretical scanner score. It answers the only question that matters before you wake someone up at 2 a.m.: can this really be used against us right now?
False Positives in Security Scanning
A false positive in security scanning is a finding a scanner reports as a vulnerability that, on inspection, is not actually exploitable or present, so it produces work without reducing real risk. Cutting false positives lets a team trust its findings and spend remediation time only on issues that an attacker could genuinely use.
Methodology.
Attack path mapping is the practice of stitching individually validated exposures into the step-by-step route an attacker would actually walk to reach a high-value asset, so a defender knows not just that a weakness exists but where it leads. It turns a flat list of findings into a prioritized story of how a breach unfolds.
Passive vs Active Reconnaissance
Passive reconnaissance collects intelligence about a target without ever sending it a packet, by mining third-party data such as certificate transparency logs, passive DNS, WHOIS, and public OSINT, so the target sees nothing. Active reconnaissance probes the target directly with traffic it can attribute to you, for example port scans or live endpoint requests, trading stealth for fresher, ground-truth data.
Reconnaissance
Reconnaissance is the information-gathering phase of an attack or assessment in which an adversary or tester collects intelligence about a target's organization, infrastructure, and people to plan everything that follows. It is the first tactic in the MITRE ATT&CK Enterprise matrix (TA0043) and splits into passive techniques that never touch the target and active techniques that probe it directly.
Exposure Concepts.
An attack surface is the complete set of points on the boundary of a system where an attacker can try to enter it, cause an effect on it, or extract data from it. In practice it is the running tally of every internet-facing host, service, API, credential, and forgotten asset an adversary could reach to get a foothold.
Digital Footprint
An organization's digital footprint is the complete set of internet-discoverable traces it leaves behind: registered domains and subdomains, internet-facing services and IPs, cloud assets, source-code repositories, leaked credentials, and the OSINT trail of its employees. It is precisely what an attacker enumerates first, because everything they can find without touching your network is free intelligence for planning the breach.
Shadow IT
Shadow IT is any device, software, cloud service, or internet-facing asset that runs without the knowledge or approval of central IT and security teams, which means it never lands in the official inventory and never gets patched, monitored, or decommissioned. The job teams actually want done is simple: see every asset an attacker can see, including the ones nobody told you about.
