The Attack Surface Management (ASM) market has emerged in the past few years, with antecedents in asset management, vulnerability management, penetration testing, red teaming, cyber test ranges, and, to a lesser degree, breach and attack simulation (BAS). ASM combines many of these techniques, and in many cases automates them, to deliver a more frequent and cost-effective set of related security capabilities. Vendor solutions in the ASM market are maturing, and a wide array of possible features is available in the products and services on the market today. At present, most vendor solutions are focused on external ASM, or EASM: what can be tested and assessed from outside customer organizations’ infrastructure. The market definition for this research reflects a broader view of ASM, in which ASM solutions are defined as those designed to address cyber threats stemming from organizations’ ever-growing attack surface. The overall attack surface for organizations is made up of two distinct parts:

Digital Attack Surface: operating systems, applications, websites, APIs, virtual machines (VMs), containers, cloud-hosted services, code, shadow IT, etc.

Physical Attack Surface: workstations, laptops, servers, mobile phones, hard and USB drives, IoT devices, operational technology (OT) and industrial control systems (ICS) components, etc.

We believe that the ASM market will move toward this more complete definition, including coverage of internal and physical assets, as in the CAASM market. This would require the availability of on-premises components, such as appliances (physical or virtual) or installable agents for endpoints. Enterprise buyers of ASM products and services are not likely to tolerate the split between EASM and CAASM functionality indefinitely.

The ASM market today is already quite large and diverse, with large and small vendors, both established and startup, present. We expect this market to continue to evolve, mature, and grow.

ASM, therefore, can benefit many types of organizations. However, because the feature sets in the offerings currently examined are primarily aimed at external ASM, organizations with extensive web estates and customer-facing infrastructure will see the most value. Each solution evaluated has different strengths that will appeal to different organizations, depending on their particular requirements.