Glossary

What Is an Attack Surface?

An attack surface is the complete set of points — domains, subdomains, IP addresses, exposed services, third-party integrations — where an unauthorized actor could probe, interact with, or attempt to enter an organization's systems.

Three Layers of Attack Surface

Digital Attack Surface

Internet-exposed assets: domains, subdomains, web applications, APIs, mail servers, VPNs, exposed databases, cloud storage buckets, third-party SaaS, and any IP-reachable service. This is the layer most external attackers target first.

Physical Attack Surface

Devices, premises, and people: laptops, IoT, badge readers, social-engineering targets, USB drops. This layer is less relevant to most internet-borne attacks but critical for high-value targets.

Social Attack Surface

Email addresses, profiles, and public information that enable phishing, business-email compromise, and pretexting. This layer expands every time an employee posts on LinkedIn.

Why Attack Surfaces Keep Growing

Modern organizations spin up infrastructure faster than they retire it. Marketing campaigns register new domains; engineering teams launch new services; product launches add subdomains; acquisitions inherit unfamiliar IP ranges. A typical mid-sized company doesn't have a complete inventory of its own external footprint — and what it can't see, it can't defend.

Attack Surface Discovery

Discovering an organization's external footprint requires correlating data from multiple sources:

  • WHOIS: domains registered to the organization or its known email contacts.
  • DNS: subdomains, mail servers, and other records under owned zones.
  • BGP / IP allocation: IP prefixes routed by the organization's ASN or assigned by RIRs.
  • Certificate transparency: TLS certificates issued for hostnames the organization owns.
  • Hosting and cloud metadata: services running on those IPs.

Joining all of these is exactly the kind of multi-hop graph problem infrastructure intelligence is built for.
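The join described above, as an added example for inventorying your own footprint (not code from Whisper or from this page): WHOIS, DNS, certificate-transparency and BGP records become edges in one graph, and a breadth-first walk from a seed returns every connected asset with its hop count and the source that revealed it. All records are constructed sample data, and the helper names are hypothetical.

```python
import ipaddress
from collections import deque

# Constructed sample data: reserved example domains, documentation IP ranges, private-use ASNs.
WHOIS = [("Example Corp", "example.com"), ("Example Corp", "example-promo.net"),
         ("Unrelated Ltd", "example.org")]
HOSTNAMES = {  # hostname -> (source that revealed it, resolved IP or None)
    "www.example.com": ("dns", "192.0.2.10"),
    "mail.example.com": ("dns", "192.0.2.25"),
    "staging.example.com": ("ct", "198.51.100.7"),
    "www.example-promo.net": ("ct", None),
    "www.example.org": ("dns", "203.0.113.5"),
}
BGP = [("AS64500", "192.0.2.0/24"), ("AS64501", "203.0.113.0/24")]

def registered_domain(hostname):
    # Simplification: last two labels; real code needs the Public Suffix List.
    return ".".join(hostname.split(".")[-2:])

def build_graph():
    graph = {}
    def link(a, b, source):
        graph.setdefault(a, {})[b] = source
        graph.setdefault(b, {})[a] = source
    for org, domain in WHOIS:
        link("org:" + org, domain, "whois")
    for host, (source, ip) in HOSTNAMES.items():
        link(registered_domain(host), host, source)
        if ip:
            link(host, ip, "dns")
            for asn, prefix in BGP:  # join IP -> covering routed prefix -> ASN
                if ipaddress.ip_address(ip) in ipaddress.ip_network(prefix):
                    link(ip, prefix, "bgp")
                    link(prefix, asn, "bgp")
    return graph

def discover(seed, max_hops=4):
    """Breadth-first walk from a seed; returns {asset: (hops, source of the edge that found it)}."""
    graph, found, queue = build_graph(), {seed: (0, "seed")}, deque([seed])
    while queue:
        node = queue.popleft()
        hops = found[node][0]
        if hops == max_hops:
            continue
        for neighbour, source in graph.get(node, {}).items():
            if neighbour not in found:
                found[neighbour] = (hops + 1, source)
                queue.append(neighbour)
    return found
```

In this sample, `staging.example.com` surfaces only through certificate transparency and resolves outside the organization's routed prefix, the kind of asset a single-source inventory misses. The hop cap matters because prefixes and ASNs can be shared, so walking through them without a limit pulls in assets the organization does not own.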

Reducing the Attack Surface

  • Inventory continuously — discovery is not a one-time exercise.
  • Retire what you don't need — every retired host removes a target.
  • Apply DNSSEC, SPF, DMARC, MTA-STS — close common authentication gaps.
  • Patch the surface, not just the perimeter — public CVEs become exploits within days.
  • Monitor third parties — your dependencies' attack surface is part of yours.

Whisper for Attack Surface

Whisper joins WHOIS, DNS, BGP, hosting, and threat feeds into one queryable graph. Starting from any seed (a domain, an ASN, an organization name) analysts can traverse to every connected asset and prioritize by exposure, risk, and threat-feed presence.