Attack Surface Management

Attack surface management (ASM) is the continuous practice of discovering, cataloguing, and monitoring every internet-facing asset your organisation owns or is associated with, including domains, subdomains, IP addresses, cloud infrastructure, third-party-hosted assets, and shadow IT created without IT knowledge. The goal is to maintain a live, accurate inventory of your external footprint and to identify new vulnerabilities or exposures as they appear, rather than waiting for an annual penetration test to find them. External Attack Surface Management (EASM) focuses specifically on the externally visible attack surface: the portion attackers can reach without internal access. Unlike periodic vulnerability scanning, which only covers known assets on a fixed schedule, ASM runs continuously and discovers unknown assets as they appear. Most mid-market organisations discover between 15 and 35 previously unknown assets within the first 72 hours of onboarding.

Vulnerability scanning and attack surface management solve different problems. Internal vulnerability scanners only scan what you configure them to. ASM discovers assets you do not know exist (shadow IT, forgotten subdomains, marketing microsites, developer test environments). Scanners run on fixed schedules (weekly, monthly). ASM monitors continuously and alerts when new exposures appear within hours. Scanners do not discover assets created by third parties on your behalf (agencies, contractors, SaaS providers). Cloud infrastructure changes constantly. Scanners cannot keep pace with dynamic environments. Certificate transparency log monitoring for subdomain takeover risk is not available in traditional scanners. ASM is not a replacement for vulnerability scanning. It ensures you are scanning everything that matters, including assets you did not know existed.

Attack surface management (ASM) pricing typically ranges from £1,500 to £6,000 or more per month depending on scope and monitoring requirements. Standard ASM for small organisations (single brand, under 100 assets) averages £1,500 to £2,500 per month including continuous discovery, vulnerability detection, and real-time alerts. Mid-sized organisations (multiple brands, 100 to 500 assets) typically pay £2,500 to £4,000 per month. Enterprise ASM (multiple subsidiaries, 500 or more assets, cloud and on-premise) typically costs £4,000 to £6,000 or more per month. Pricing includes 24/7 monitoring, CREST-accredited analyst validation of critical findings, Slack/Teams/email alerting, and monthly reporting. Annual contracts typically receive a 15 to 20 percent discount. We provide fixed monthly pricing after initial asset discovery.

Self-service ASM platforms such as Censys, CrowdStrike Falcon Surface, or Microsoft Defender EASM require dedicated security staff to manage daily alert triage, tune false positives, and prioritise findings in context. For organisations without a dedicated ASM analyst (which is most mid-market teams) the tool generates more noise than signal. A managed EASM service from Precursor means CREST-accredited analysts handle discovery, triage, and validation on your behalf. You receive a prioritised list of real, confirmed exposures, not a raw feed of hundreds of automated findings. For most mid-market organisations, the total cost of a managed service is comparable to or lower than a SaaS platform licence plus the analyst headcount required to operate it effectively.

ISO 27001 Annex A.8.1 requires organisations to maintain an inventory of assets and ensure they are managed appropriately throughout their lifecycle. Continuous ASM directly evidences this control by maintaining a live, automatically updated inventory of all internet-facing assets. Monthly ASM reports provide auditable documentation showing what was discovered, when, and what action was taken. This is exactly the evidence auditors ask for. For PCI DSS, ASM supports Requirement 11.2 (identifying and monitoring all assets in scope) and Requirement 6.3 (managing vulnerabilities as they appear). For NIS2 and DORA, continuous monitoring of the digital perimeter is an explicit obligation. Monthly ASM reporting provides the documented evidence required during supervisory review. If your audit has flagged continuous asset management as a gap, talk to an analyst about your specific compliance requirements.

Yes. Our managed EASM service monitors cloud infrastructure across AWS, Azure, and GCP using an outside-in discovery approach that is fundamentally different from Cloud Security Posture Management (CSPM) tools. CSPM tools monitor assets within managed accounts. They miss infrastructure created outside your account structure, provisioned via a personal cloud account using a company subdomain, or deployed by a third-party agency. Our service discovers cloud assets the same way an attacker does: from the outside, via DNS, certificate transparency logs, passive DNS, and internet-wide scan data. This means we find EC2 instances, Azure App Services, GCP buckets, and exposed cloud APIs regardless of whether they appear in your internal asset registry. We also identify public-facing storage buckets, unmanaged cloud instances, and dangling DNS records that CSPM tools cannot see. Cloud asset coverage is included in all service tiers.

No. A penetration test is a deep-dive, time-bounded assessment conducted by human analysts, typically once or twice per year. ASM is a continuous, automated service that monitors your external perimeter 365 days a year. It does not go as deep as a skilled penetration tester, but it covers every known and unknown asset continuously, catching new exposures within hours rather than waiting for an annual test window. The two services are complementary: ASM ensures you know what you have, and penetration testing tells you how deeply it can be exploited. For continuous human-led security testing integrated with your development pipeline, see our Continuous Security Testing service.

Yes. You can provide the domains of critical suppliers to include their external posture in your monitoring scope. This helps manage supply chain risk by detecting when a key vendor's systems are exposed in ways that could affect your organisation, such as an exposed portal you authenticate against, or a subdomain of a supplier that resolves to your IP space.

New assets such as a freshly registered subdomain or newly deployed cloud service are typically detected within 24 to 48 hours of going live. Critical vulnerability checks against known assets run continuously. In practice, most clients receive their first confirmed findings within 72 hours of providing their seed domains at onboarding.