76% of organisations have suffered an attack through an asset they did not know they had. External Attack Surface Management (EASM) is the answer: it discovers what your scanners cannot see, in real time, from an attacker's perspective. In 2026, Gartner integrates this discipline into Unified Exposure Management Platforms (UEMP), combining Preemptive Exposure Assessment (PEA) with vulnerability validation — which is exactly what Patrowl delivers in a single platform.
This guide explains why your asset inventory is inevitably incomplete, how EASM discovery works in 4 steps, and what 5 real incidents (SolarWinds, Exchange ProxyLogon, Twitch, Volkswagen, Log4Shell) have in common. You will also see how EASM fits into a CTEM strategy and what it changes in practice for your team.
Patrowl Security Team · Updated April 2025 · 15 min read
You cannot protect what you cannot see.
Ask your team for a complete list of every asset exposed on the internet. What you will get is a list of what you have declared — not what actually exists.
Development environments never decommissioned, cloud storage buckets created by a data team outside IT processes, subdomains inherited from an acquisition three years ago, test APIs forgotten since 2022: these assets are exposed on the internet, reachable from anywhere, and nobody on your security team is monitoring them.
Gartner estimates that 80 to 95% of an organisation's assets change every year.[1] No inventory — even an automated one — covers the full exposed perimeter.
Attackers can scan the entire public IPv4 address space in under 45 minutes and exploit a CVE within 15 minutes of publication.
An attacker does not start from your declared inventory. They scan the entire public IPv4 address space, enumerate SSL/TLS certificates, query certificate transparency databases and search engines for exposed services. They find what you have forgotten, before you do.
76% of organisations have suffered an attack originating from an unknown or unmanaged asset (Enterprise Strategy Group, 2024)
35% additional assets discovered on average after deploying an EASM tool (Security Magazine, 2023)
15 min median time between CVE publication and first automated exploitation scans (CISA / incident reports, 2021)
In under 45 minutes, an attacker can traverse the entire public IPv4 address space, query certificate transparency logs and DNS records, and find your forgotten staging environment before your team has opened a single ticket.
What is External Attack Surface Management (EASM)?
External Attack Surface Management (EASM) is the continuous process of discovering, mapping, monitoring and reducing all internet-facing assets of an organisation — including those it does not know about.
The key distinction is the starting point: EASM does not start from your asset register (CMDB, Configuration Management Database). It starts from your domain name and reconstructs everything that flows from it, exactly as an attacker does during reconnaissance — without being limited to your declared inventory.
Gartner formalised the category in its Hype Cycle for Security Operations 2022 and again in 2025. It is now a core component of Continuous Threat Exposure Management (CTEM), the framework for managing exposure on a continuous basis.
Gartner definition
EASM refers to the processes, technology and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures which include misconfigured public cloud service infrastructure, for the purpose of prioritising and addressing potential risks. [Gartner Peer Insights]
What EASM covers in practice:
Domains, subdomains and associated SSL/TLS certificates
IP ranges and exposed services (ports, banners, protocols)
Exposed network and security equipment (VPNs, firewalls, routers)
Assets linked to subsidiaries and acquired entities
Exposure through third-party suppliers
Shadow IT and forgotten environments
CERT-EU — Threat Landscape Report 2025
The exploitation of internet-facing systems continued to be the most impactful initial access vector, and threat actors increasingly targeted partners and service providers as indirect pathways to their final targets.
Vulnerability scanner vs EASM
A scanner tests what you declare. EASM finds what you have not declared.
A scanner is a good tool. The problem is upstream: if you do not declare an asset, it will not be tested. EASM generates the scope. The scanner then tests it in depth. These are two distinct steps, not competing tools.
Known vs unknown assets — what the scanner misses, EASM finds

| Capability | Vulnerability scanner | EASM |
| --- | --- | --- |
| Discovery of unknown assets (outside-in) | — | ✓ |
| Continuous monitoring | Periodic | ✓ Continuous |
| Attacker perspective (outside-in) | — | ✓ |
| Threat intel enrichment (CVE, EPSS) | Partial | ✓ |
| Unknown vulnerability / 0-day detection | — | Partial |
| Declared scope required | Mandatory | Not required |
| Known vulnerability testing (CVE) | ✓ | ✓ |
Key takeaway
A scanner must be configured and scheduled against a declared scope; EASM manages that scope for you. A scanner primarily checks whether known patches have been applied; EASM discovers and maps what the scanner was never configured to test. The two tools complement each other.
5 documented incidents, 1 pattern
Five security incidents, all publicly documented and widely covered in the press. In each case: an asset exposed on the internet, absent from any security inventory, with attackers getting there before detection.
01 · SolarWinds — supply chain attack
2020 · supply chain attack · over 30,000 US government agencies impacted
APT29 (a group linked to Russia) gained access to an internet-connected development server whose authentication relied on a trivial password with no MFA, and which appeared in no security inventory. After months of reconnaissance and analysis of developer habits, they inserted malicious code into SolarWinds Orion updates by mimicking internal coding styles. The code, distributed with the next update, exfiltrated sensitive data from victims including over 30,000 US government agencies.
What EASM would have changed: the development server would have been detected as an unmanaged exposed asset as soon as it went online — before APT29 found it during reconnaissance.
02 · Microsoft Exchange — ProxyLogon
March 2021 · CVE-2021-26855 · over 250,000 servers compromised in 48h · HAFNIUM (linked to China per Microsoft)
CVE published on 2 March 2021. Within 48 hours, HAFNIUM had compromised 250,000 Exchange servers. The real problem: thousands of organisations did not know their servers were accessible from the internet. Without visibility over these assets, no response was possible.
What EASM would have changed: as soon as the CVE was published, EASM would have cross-referenced exposed assets with threat intelligence (CISA KEV, EPSS). Affected Exchange servers would have been surfaced immediately as critical priority.
03 · Twitch — server misconfiguration exposing internal repositories
October 2021 · 125 GB of data exfiltrated · source code exposed
A server configuration error at Twitch allowed an unauthorised third party to access internal Git repositories. Platform source code, internal security tools, and streamer payout data — 125 GB in total — were exfiltrated and published on 4chan. The access resulted from a misconfiguration, not a sophisticated attack.
What EASM would have changed: subdomain enumeration would have surfaced the misconfigured server as soon as it became reachable — without any human team needing to know it existed beforehand.
04 · Volkswagen / Cariad — S3 bucket left open for months
2024 · 800,000 records exposed · EV geolocation data
A cloud storage bucket belonging to Cariad, the Volkswagen Group's software entity, remained publicly accessible for several months. It contained geolocation data from 800,000 electric vehicles, including those of political figures and German military officers. The asset was monitored by no one after deployment.
What EASM would have changed: manually tracking every cloud service deployed across an international group is structurally impossible. Continuous monitoring of cloud storage configurations is a core EASM capability.
05 · Log4Shell — a forgotten library embedded in thousands of exposed services
December 2021 · CVE-2021-44228 · CVSS 10.0 · mass exploitation within 72h
When CVE-2021-44228 (Log4Shell) was published, security teams discovered that Log4j was embedded in hundreds of internal applications, often without anyone knowing. Internet-facing services were using the library without anyone's knowledge, some inherited from old projects that had never been decommissioned. Mass exploitation began less than 72 hours after publication.
What EASM would have changed: EASM maintains a continuous map of the technologies running on each exposed asset. As soon as the CVE was published, assets running Log4j would have been identified and surfaced as critical priority, reducing the exposure window from several weeks to a few hours.
The pattern
Asset exposed, absent from any security inventory, access to sensitive data. Attackers exploit blind spots, not just CVEs.
The 4-step cycle
Unlike a scheduled scanner, EASM runs continuously with no maintenance window. Every new asset, every newly published CVE, every configuration change automatically triggers a map update and, where relevant, an alert.
Unlike a pentest, EASM never stops — every new asset and every new exploit is detected as it appears
Discovery
Starting point: a domain name and associated brand names. EASM reconstructs the full exposed map from these inputs — subdomains via SSL/TLS certificates and DNS records, IP ranges, ASN numbers, cloud identifiers. The goal is to map what an attacker would identify during reconnaissance.
Enrichment
For each asset, metadata is collected to identify the technologies in use and their versions. These are cross-referenced with Threat Intelligence (CTI): CVEs enriched via NVD, EUVD and GCVE, EPSS scores, exploitation indicators from the CISA KEV catalogue and dedicated monitoring tools.
Prioritisation
Cross-referencing the CVSS score, EPSS, CISA KEV presence and business criticality separates real risk from theoretical score. An internet-facing asset with an actively exploited CVE takes priority over a critical vulnerability on an isolated internal service.
Monitoring
The inventory is updated in real time. New assets are identified as they appear. Exposures are retested after remediation. Changes are logged for compliance audits.
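A worked version of the prioritisation step, as an added example that is not Patrowl's code or from the page: constructed findings are assigned a tier and a score from CVSS, EPSS, CISA KEV presence, internet exposure and business criticality, so an actively exploited CVE on a forgotten internet-facing host outranks a higher CVSS on an isolated internal server. The thresholds, weights, hostnames and CVE identifiers are assumptions.

```python
# Added example (not Patrowl's code): rank findings the way the prioritisation
# step describes, combining CVSS, EPSS, CISA KEV presence, internet exposure and
# business criticality into one ordering. Thresholds and weights are assumptions;
# every record in SAMPLE is constructed data, not a real asset or CVE.
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str             # hostname of the asset carrying the exposure
    cve: str               # constructed placeholder identifier, not a real CVE
    cvss: float            # base severity, 0.0 to 10.0
    epss: float            # probability of exploitation in the next 30 days, 0.0 to 1.0
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalogue
    internet_facing: bool  # reachable from the public internet (EASM discovery result)
    criticality: int       # business criticality, 1 (low) to 3 (high)

def priority_tier(f: Finding) -> str:
    """Map one finding to a tier. Internet-facing plus evidence of active
    exploitation is always critical; an isolated internal host never exceeds
    'high', whatever its CVSS score."""
    if f.internet_facing and (f.in_kev or f.epss >= 0.5):
        return "critical"
    if f.internet_facing and f.cvss >= 7.0:
        return "high"
    if not f.internet_facing and f.cvss >= 9.0:
        return "high"
    if f.cvss >= 4.0:
        return "medium"
    return "low"

def priority_score(f: Finding) -> float:
    """Numeric score used to order findings inside a tier (assumed weights)."""
    score = f.cvss * (1.0 + f.epss)        # likelihood-weighted severity
    if f.in_kev:
        score += 10.0                      # confirmed exploitation dominates
    if f.internet_facing:
        score *= 1.5                       # reachable from anywhere
    return score * f.criticality

def rank(findings):
    """Return findings ordered by tier, then by descending score within a tier."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[priority_tier(f)], -priority_score(f)))

SAMPLE = [  # constructed sample data
    Finding("intranet-db.example.test", "CVE-0000-0001", 9.8, 0.02, False, False, 3),
    Finding("old-staging.example.test", "CVE-0000-0002", 7.5, 0.92, True, True, 1),
    Finding("www.example.test", "CVE-0000-0003", 5.3, 0.10, False, True, 3),
]
```

Running `rank(SAMPLE)` places the forgotten staging host first despite its lower CVSS, because it is both internet-facing and in the KEV catalogue.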
Patrowl
Patrowl combines EASM and PTaaS in a unified platform. Continuous discovery feeds directly into PTaaS and automated hybrid pentest programmes — tests are always run against the current scope, not a stale declared list. Colas, MGEN and PMU use this approach to maintain real-time visibility of their external exposure.
EASM within CTEM
CTEM (Continuous Threat Exposure Management) is the Gartner framework for managing exposure on a continuous basis. Audits and penetration tests, whether annual or twice-yearly, are no longer sufficient: infrastructure changes too fast between cycles.
CTEM breaks down into 5 phases: scoping, discovery, prioritisation, validation, mobilisation. EASM covers the first two. It defines the real perimeter and surfaces exposures that other tools miss.
Gartner, 2023
EASM moved from "essential new technology" in 2021 to a component of CTEM in 2023. The market is converging towards integrated platforms combining VM, CTI and EASM. [Gartner Peer Insights, 2023]
On average, organisations discover 35% more internet-exposed assets after deploying an EASM tool. [Security Magazine, 2023] A third of your real attack surface is invisible to your current tools — that is not a minor blind spot.
Who needs EASM?
As soon as you have several dozen exposed services, multiple cloud environments, or suppliers connected to your infrastructure — you need EASM. It is not reserved for large enterprises.
Concrete use cases:
Post-acquisition: map the exposed surface of an acquired entity before integration into the group's infrastructure
Incident response: understand what surface was exposed at the time of a compromise
Compliance: demonstrate continuous monitoring of the external surface for NIS2 and ISO 27001
Pentest scope: test the assets that are actually exposed with a PTaaS or automated hybrid pentest, rather than a declared list that may be incomplete
Third-party risk: monitor the exposure of suppliers connected to your environment
In summary
Before EASM, you protect what you know. After, you protect what actually exists. The 35% of missing assets — attackers had already found them.
Frequently asked questions
What is the difference between EASM and a vulnerability scanner?
A scanner tests the assets you declare to it. EASM discovers unknown assets from an attacker's perspective, then cross-references them with threat intelligence. A scanner must be configured and scheduled against a declared scope; EASM manages that scope automatically. The two tools complement each other: EASM generates the scope, the scanner tests it in depth.
How many unknown assets does EASM discover on average?
35% more internet-exposed assets compared to the initial declared inventory, according to multiple industry studies (Security Magazine, Enterprise Strategy Group). These assets have never been assessed — and attackers have already found them.
Does EASM replace penetration testing?
No. EASM runs continuously and identifies what is exposed. A penetration test validates whether it is exploitable under real conditions. Most mature security teams use EASM results to define the scope of their PTaaS engagements or automated hybrid pentests.
How quickly do attackers exploit a newly published CVE?
15 minutes between CVE publication and the first automated exploitation scans (CISA, incident reports 2021–2022). Your average patch management cycle: several days. That is the window EASM reduces.
What is CTEM and what role does EASM play within it?
CTEM (Continuous Threat Exposure Management) is the Gartner framework for managing exposure on a continuous basis rather than through audit cycles. It has 5 phases: scoping, discovery, prioritisation, validation, mobilisation. EASM covers the first two — it defines the real perimeter before everything else.
Does NIS2 mention EASM?
Not explicitly. However, Article 21 of NIS2 requires risk management, asset mapping and continuous monitoring. For essential and important entities, EASM is a direct technical response to these requirements.