What is External Attack Surface Management (EASM)?

EASM is an emerging market category that Gartner introduced in 2021 to describe products that identify risks coming from internet-facing assets and systems an organization may be unaware of. The defining trait is the vantage point: EASM looks at you the way an external attacker does, with no agents, no API keys into your tooling, and no prior knowledge of your inventory. It starts from a seed (a domain, a brand name, a known IP block) and recursively expands outward to map everything connected to you.

A complete EASM workflow has three stages that run on a loop rather than once a quarter. First, discovery: continuously finding public-facing assets as soon as they surface on the internet, including domains, subdomains, IP addresses, TLS certificates, exposed services, and cloud endpoints. Second, inventory and attribution: deduplicating those findings and attributing each asset to your organization so you have a real-time, owned-asset register rather than a pile of unattributed hits. Third, risk assessment: evaluating whether each discovered asset is risky or behaving anomalously, then prioritizing remediation. The UK's NCSC frames the same loop as identifying, monitoring, and reducing vulnerabilities within assets that are accessible from the internet.

The category exists because the modern attack surface is not a curated list anyone maintains by hand. Marketing teams stand up landing pages, engineers spin up cloud buckets and staging environments, acquisitions bring in unknown domains, and contractors register subdomains that point at services nobody tracks. These become shadow IT: assets that are exposed but absent from the CMDB. EASM's job is to surface exactly this unknown-unknown layer, because an attacker only needs one forgotten asset, while a defender has to know about all of them.

It is important to differentiate EASM from two adjacent disciplines it is constantly confused with. CAASM (Cyber Asset Attack Surface Management) sees all assets, internal and external, but does so primarily through API integrations with existing tools such as CMDBs, EDR agents, vulnerability scanners, and cloud platforms; it consolidates data you already have rather than discovering things from the outside. CAASM is therefore only as complete as the tools it ingests from, which means it cannot see shadow IT that no internal tool has recorded. Vulnerability management, by contrast, assumes the asset list is already known and goes deep on enumerating CVEs against those known hosts; it answers 'which vulnerabilities exist on assets we manage,' not 'which internet-facing assets do we even have.' EASM is the discovery and outside-in lens that feeds both: it finds the asset CAASM and vuln scanners did not know to ask about, then hands it off for deeper internal correlation and patching.

EASM also sits inside the larger arc Gartner now describes as Continuous Threat Exposure Management (CTEM), where EASM is the scoping-and-discovery engine and validation tools confirm whether discovered exposures are actually reachable and exploitable. In practice, mature programs do not pick EASM versus CAASM versus vulnerability management. They run EASM for outside-in discovery, CAASM for internal consolidation, and vulnerability management for depth, then unify the output so the same exposed Redis instance or dangling DNS record is seen, attributed, validated, and remediated once.