
"Attack Surface Management (ASM) tools promise reduced risk. What they usually deliver is more information. Security teams deploy ASM, asset inventories grow, alerts start flowing, and dashboards fill up. There is visible activity and measurable output. But when leadership asks a simple question, "Is this reducing incidents?" the answer is often unclear. This gap between effort and outcome is the core ROI problem in attack surface management, especially when ROI is measured primarily through asset counts instead of risk reduction."
"ASM tends to optimize for coverage because coverage is easy to measure: more assets discovered, more changes detected, and more alerts generated. Each of those feels like progress. But they mostly measure inputs, not outcomes. In practice, teams experience: alert fatigue; long backlogs of "known but unresolved" assets; repeated ownership confusion; exposure that lingers for months. The work is real. The risk reduction is harder to see."
ASM programs increase visibility by discovering domains, subdomains, IPs, cloud resources, third-party infrastructure, and transient assets. Asset inventories grow, alerts multiply, and dashboards show upward trends. Those metrics measure inputs such as coverage and activity, not outcomes like incident reduction. Teams often face alert fatigue, long backlogs of known but unresolved assets, repeated ownership confusion, and lingering exposures. Leadership frequently cannot determine whether incidents are actually reduced. More meaningful metrics track how quickly risky assets are owned, how long dangerous exposures persist, and whether attack paths shrink over time. Asset inventory remains the foundation for ASM.
Read at The Hacker News