What is an Attack Surface?
Your attack surface is every door, window, and side entrance a hacker could try on your business — and most companies have far more of them than they realize.
Count every way in.
Picture your business as a building. A burglar casing it doesn't care about the solid walls — they look for the doors, windows, loading dock, and that side gate someone left unlocked. Your attack surface is the digital version of all those entry points added together: every website, server, login page, cloud app, email account, remote-access tool, and internet-connected device an attacker could try to get through.
The principle is simple: the larger and more exposed your attack surface, the more chances an attacker has to find one weak spot. And here's the catch most businesses miss — your attack surface grows on its own. Every new SaaS tool, every cloud server spun up "just for a test," every employee account is another potential way in. Plenty of breaches start at a system the company had completely forgotten it even had online.
It's bigger than your website.
Security people usually split the attack surface into a few categories. All of them count.
Digital / external
Everything reachable from the internet — your website, customer portal, VPN, email servers, and any cloud service. This is what attackers scan first, and it's the part you most often lose track of.
Physical
The laptops, phones, servers, and office network gear someone could steal, plug into, or tamper with in person. A misplaced laptop is part of your attack surface too.
Human
Your people. Every employee who can be tricked by phishing or social engineering is a potential entry point — often the easiest one.
Supply chain
The vendors and software you rely on. If a tool you use is compromised, the attacker may reach you through it — extending your attack surface beyond your own walls.
They map you before they touch you.
Before a serious attacker does anything noisy, they quietly build a map of your attack surface — the same exercise a penetration tester does. Using public tools, they catalog your domains, find which servers are exposed, fingerprint the software you run, and note who works there. Then they look for the weakest point on that map and aim there.
The defender's job is to see their own attack surface at least as clearly as the attacker does — ideally better, and before the attacker gets there. That's the whole idea behind attack surface management: continuously discovering what you expose (including the forgotten stuff) and watching it for new risk.
Less exposure, fewer break-ins.
- Inventory everything exposed. List every domain, server, cloud account, and tool reachable from outside. You can't protect what you don't know you have.
- Turn off what you don't use. Retire old servers, close unused ports and services, and delete dormant accounts. Every one you remove is one less door to defend.
- Lock the doors you keep. Put multi-factor authentication on every login and limit access to only what each person needs.
- Watch it continuously. Your attack surface changes weekly. Re-scan regularly so a new exposure doesn't sit unnoticed.
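The inventory and watch steps above as a small defender-side check, added here as an example (not Red Hound's tooling or code from this page): it diffs two external-scan snapshots and compares the latest one against an approved inventory, so anything new or forgotten is surfaced for review. Host names, ports and the approved list are all constructed.

```python
# Attack-surface snapshot diff: finds exposures that appeared since the last
# scan and exposures nobody signed off on. Added example; all data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str


# Constructed scan results (what an external port scan might list), one per line:
# host port service
LAST_WEEK = """\
www.example.com 443 https
vpn.example.com 443 https
mail.example.com 25 smtp
"""
THIS_WEEK = """\
www.example.com 443 https
vpn.example.com 443 https
mail.example.com 25 smtp
test-db.example.com 5432 postgres
old-intranet.example.com 80 http
"""
# What the business believes it exposes (the inventory step). Constructed.
APPROVED = {("www.example.com", 443), ("vpn.example.com", 443), ("mail.example.com", 25)}


def parse_snapshot(text: str) -> set[Exposure]:
    """Parse 'host port service' lines into a set of Exposure records."""
    out = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, port, service = line.split()
        out.add(Exposure(host, int(port), service))
    return out


def review(old: set[Exposure], new: set[Exposure], approved: set[tuple[str, int]]) -> dict:
    """Report what changed since the last scan and what is exposed without approval."""
    key = lambda e: (e.host, e.port)
    return {
        "new": sorted(new - old, key=key),            # appeared since the last scan
        "gone": sorted(old - new, key=key),           # retired or now offline
        "unapproved": sorted((e for e in new if key(e) not in approved), key=key),
    }


if __name__ == "__main__":
    report = review(parse_snapshot(LAST_WEEK), parse_snapshot(THIS_WEEK), APPROVED)
    for kind, items in report.items():
        for e in items:
            print(f"{kind:10} {e.host}:{e.port} ({e.service})")
```

Anything in the "unapproved" bucket is either a forgotten system to retire or a legitimate one to add to the inventory; either way it no longer sits unnoticed.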
A Red Hound penetration test starts by mapping your full attack surface — often surfacing exposed systems you didn't know were online — then shows you exactly which ones an attacker would target first.
Attack surface, answered.
What is an attack surface?
Your attack surface is the sum of every point where an attacker could try to get into your systems or data — every website, server, login page, cloud app, employee account, and connected device. The bigger your attack surface, the more ways in a hacker has.
What's the difference between an attack surface and a vulnerability?
Your attack surface is all the possible entry points an attacker could reach. A vulnerability is a specific weakness at one of those points that can actually be exploited. Shrinking the attack surface reduces how many places a vulnerability could even exist.
How can a business reduce its attack surface?
Take inventory of everything exposed, then remove or lock down what you don't need: shut off unused services, retire forgotten servers, limit who can access what, and require strong authentication. Less exposure means fewer ways in.
What is attack surface management?
Attack surface management is the ongoing practice of continuously discovering everything your organization exposes to the internet — including things you forgot about — and monitoring it for new risks, the same way an attacker would scan you from the outside.
Related topics
- What is Penetration Testing? — testing the weak points on your attack surface.
- What is Vulnerability Management? — finding the flaws within that surface.
- What is Zero Trust? — a model that limits how far any one entry point reaches.
- What is Cloud Security? — the fastest-growing part of most attack surfaces.
- From the blog: A hidden attack surface in Active Directory Certificate Services.
Book a Red Hound penetration test.
We map your full attack surface and show you which doors an attacker would try first.