What is Continuous Attack Surface Monitoring?
Also: CASM · continuous ASM · ongoing attack surface monitoring · always-on attack surface monitoring
Definition
Continuous attack surface monitoring is the practice of running asset discovery, exposure detection, and re-validation on an ongoing loop instead of as a one-time audit, so a newly exposed cloud bucket, subdomain, or service is caught hours after it appears rather than at the next quarterly scan. It exists because your internet-facing footprint changes every day, and a point-in-time snapshot is stale the moment a single deploy ships.
In depth
Continuous attack surface monitoring (often shortened to CASM, and sometimes called continuous ASM) is the operational discipline of keeping your inventory of internet-facing exposures live. It is not a tool category so much as a tempo: the same discovery-and-validation work that a traditional assessment does once, run on a recurring schedule short enough that the gap between scans is smaller than the time it takes an attacker to find and weaponize a new exposure. NIST formalizes the underlying idea in SP 800-137 as Information Security Continuous Monitoring (ISCM): 'maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions,' where 'continuous' means assessing controls and risks at a frequency sufficient to support risk-based decisions, not literally every second.
The case for it is a direct consequence of how modern infrastructure is built. Cloud and SaaS environments are mutable by design: an engineer spins up a load balancer, a CI pipeline publishes a new container, a marketing team points a CNAME at a third-party host, an acquisition drags in a portfolio of unknown domains. Each of these changes the boundary an attacker can reach. OWASP's Attack Surface Analysis guidance captures this drift directly, noting that 'normally, an application's Attack Surface will increase over time as you add more interfaces and user types and integrate with other systems,' and that changes to authentication, session management, and new internet-reachable APIs or upload endpoints each carry a different risk profile that must be re-reviewed. A monitoring program is simply the mechanism that performs that re-review automatically and constantly.
This is where point-in-time assessment fails, and the failure mode is specific. A penetration test or quarterly external scan produces an accurate picture of one moment. But cloud and SaaS drift means that picture decays continuously: a storage bucket made public during a Friday deploy, a staging subdomain whose backing service was decommissioned (leaving it open to subdomain takeover), an expired TLS certificate, a dangling DNS record left behind by an offboarded vendor. None of these existed during the test, so none appear in the report, yet each is live and reachable the moment it is created. The dangerous interval is the window between when an exposure appears and when your next scheduled assessment happens to notice it, and in a quarterly cadence that window can be ninety days during which the asset is defended by nothing but luck.
It is worth differentiating continuous attack surface monitoring from the categories it overlaps with. External Attack Surface Management (EASM) is the engine and market category that performs outside-in discovery; continuous monitoring is the cadence at which you run an EASM (or CAASM, or vulnerability management) program so it never goes stale. CISA describes Cyber Asset Attack Surface Management (CAASM) as enabling teams to 'continuously monitor and analyze detected vulnerabilities' across internal and external assets pulled from existing tools, which is the same continuous principle applied to consolidated internal data. And Gartner's Continuous Threat Exposure Management (CTEM) framework wraps the whole thing into a five-stage loop (scoping, discovery, prioritization, validation, and mobilization) that repeats indefinitely. In every case the word doing the work is the same one: continuous. The monitoring discipline is what turns a static report into a living risk register.
A second, frequently missed point is re-validation. Continuous monitoring is not only about finding newly appeared assets; it is also about re-checking ones you already know about, because their exposure state changes independently of whether the asset itself is new. A Redis instance that was firewalled last week can become reachable after a security-group edit. A certificate that was valid yesterday expires today. A login page that was internal becomes internet-exposed when someone moves it behind a public load balancer. Re-validation closes this gap by re-testing known assets on the same loop as discovery, so the inventory reflects current reality rather than the state at first sighting. Without it, even a complete asset list silently rots into a list of assertions that used to be true.
Practically, a continuous program is defined by three properties: cadence (how often the loop runs, ideally near-real-time for the highest-velocity layers like DNS and cloud), coverage (discovery wide enough to catch unknown and shadow-IT assets, not just the ones on the CMDB), and re-validation (confirming that previously seen exposures are still or newly real). The payoff is a measurable reduction in mean time to detect exposure, which compresses the window an attacker has to exploit a misconfiguration before a defender even knows it exists.
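The diff step that the three properties above describe, together with the re-validation point from the previous paragraphs, as an added example in Python. It is not Legba Recon's code: the snapshot layout, the exposure tag names (`tcp/6379-open`, `bucket-public`, `dangling-cname`), the asset names and the timestamps are all constructed for illustration, and a real scanner would fill the snapshots from its own probes.

```python
"""Added example (not Legba Recon's code): the diff step of a continuous loop.

Every pass of the loop yields a snapshot: each asset attributed to the
organisation, with the exposure conditions observed on it from the outside.
Comparing consecutive snapshots gives the three things the text asks for:
newly discovered assets, state changes on assets already known (re-validation),
and an upper bound on how long a condition could have been live unnoticed,
which is simply the gap between the two passes (the cadence).
All snapshot data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List

# Exposure tags are free-form strings; the ones used here are assumptions
# about how a scanner might label what it observes.
Exposures = FrozenSet[str]


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    assets: Dict[str, Exposures]      # asset identifier -> exposures observed


@dataclass(frozen=True)
class Finding:
    asset: str
    change: str          # new-asset | exposure-opened | exposure-closed | asset-gone
    tags: Exposures      # the exposures this finding is about
    detected_at: datetime
    max_age: timedelta   # longest the condition could have existed unnoticed


def diff_snapshots(prev: Snapshot, cur: Snapshot) -> List[Finding]:
    """Compare two consecutive passes and emit only what changed."""
    gap = cur.taken_at - prev.taken_at
    out: List[Finding] = []
    for asset, now in cur.assets.items():
        before = prev.assets.get(asset)
        if before is None:
            # Discovery: first time this asset is attributed to us.
            out.append(Finding(asset, "new-asset", now, cur.taken_at, gap))
            continue
        # Re-validation: a known asset whose exposure state moved.
        opened, closed = now - before, before - now
        if opened:
            out.append(Finding(asset, "exposure-opened", opened, cur.taken_at, gap))
        if closed:
            out.append(Finding(asset, "exposure-closed", closed, cur.taken_at, gap))
    for asset, before in prev.assets.items():
        if asset not in cur.assets:
            # Seen last pass, not this one: re-check for a dangling record.
            out.append(Finding(asset, "asset-gone", before, cur.taken_at, gap))
    return out


def actionable(findings: List[Finding]) -> List[Finding]:
    """Queue only changes that widen the reachable surface. Exposures that
    were already known and are still present produce nothing, so the loop
    does not re-report the same noise every cycle."""
    return [f for f in findings
            if f.change in ("new-asset", "exposure-opened") and f.tags]


T0 = datetime(2024, 6, 7, 9, 0, tzinfo=timezone.utc)

# Constructed snapshots: a Friday-morning pass and the one six hours later.
PASS_MORNING = Snapshot(T0, {
    "www.example.com":     frozenset({"tcp/443-open"}),
    "cache.example.com":   frozenset(),                   # Redis still firewalled
    "assets-prod":         frozenset(),                   # bucket private
    "staging.example.com": frozenset({"tcp/443-open"}),   # CNAME to a live PaaS host
})

PASS_AFTERNOON = Snapshot(T0 + timedelta(hours=6), {
    "www.example.com":     frozenset({"tcp/443-open"}),   # unchanged: no finding
    "cache.example.com":   frozenset({"tcp/6379-open"}),  # security-group edit
    "assets-prod":         frozenset({"bucket-public"}),  # flipped during a deploy
    "staging.example.com": frozenset({"dangling-cname"}), # backing service decommissioned
    "api-canary.example.com": frozenset({"tcp/8080-open"}),  # brand-new subdomain
})


if __name__ == "__main__":
    for f in actionable(diff_snapshots(PASS_MORNING, PASS_AFTERNOON)):
        print(f"{f.detected_at:%Y-%m-%d %H:%M} {f.change:16} {f.asset:26} "
              f"{sorted(f.tags)}  exposed for at most {f.max_age}")
```

Run as a script, the afternoon pass yields four actionable findings (the reopened Redis port, the public bucket, the dangling staging CNAME and the new canary host) and nothing for `www.example.com`, whose state did not move. The cadence shows up directly as `max_age`: with a six-hour loop every new exposure is bounded at six hours, whereas the same morning snapshot compared against a quarterly scan would carry a ninety-day bound, which is the window the earlier section describes.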
Why it matters
The exposures that cause breaches are rarely the ones present during your last assessment; they are the ones that appeared the day after. Attackers scan the entire public internet continuously, so the practical question is not whether a new misconfiguration will be found but who finds it first, and a quarterly or even monthly cadence hands them a window of weeks during which a public storage bucket, an exposed database, or a dangling DNS record sits undefended and undetected. CISA maintains its Known Exploited Vulnerabilities catalog precisely because exposures get weaponized fast, and the only defensive answer to that velocity is matching velocity: monitoring at a tempo faster than the attacker's. Skipping continuous monitoring means accepting that your security picture is accurate only on the day of the test and degrades every day after, which is the same as defending a perimeter whose shape you stopped tracking months ago. The cost of not doing this is not abstract; it is the time-stamped gap between when you became exposed and when you found out, and that gap is exactly where breaches live.
How Legba Recon uses it
Legba Recon is built around the monitoring loop rather than the one-off scan. It re-runs outside-in discovery on a continuous cadence so a subdomain, certificate, cloud endpoint, or newly exposed service is attributed to you and surfaced within hours of appearing, not at the next audit. Just as importantly, Recon re-validates assets it has already seen on every pass, so an exposure that changes state (a port reopened by a security-group edit, a certificate that lapsed overnight, a bucket flipped to public during a deploy) is caught when it changes rather than when it was first observed. Because Recon validates each finding before reporting it, the continuous loop does not flood your queue with the same recycled noise every cycle; it tells you what is newly and genuinely reachable. The result is a living, attacker-prioritized inventory that shrinks the window between exposure and detection from quarters to hours, so your team is reacting to current reality instead of a snapshot that expired the moment the last deploy shipped.
Methodology
Each finding-type guide is built from Legba Recon's real detection and validation logic, reviewed by a named security contributor, and cited against primary sources such as OWASP, CISA, NIST, and MITRE. We update pages when the underlying guidance changes. See our contributors and company.
References.
- 01 SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. NIST Computer Security Resource Center.
- 02 Attack Surface Analysis Cheat Sheet. OWASP Cheat Sheet Series.
- 03 Cyber Asset Attack Surface Management (CAASM). Cybersecurity and Infrastructure Security Agency (CISA).
- 04 Known Exploited Vulnerabilities Catalog. Cybersecurity and Infrastructure Security Agency (CISA).
