“I shouldn’t be able to even reach that from here”
This is the first in a series of articles detailing the goals, objectives, and approach to Attack Surface Management (ASM) and ASM as-a-service (ASMaaS).
A few caveats:
- BLS provides ASM as a service (ASMaaS) and almost all of the content in these articles is derived from interactions with our customers.
- BBOT is our FOSS tool that makes our ASMaaS possible. BBOT Pro and BBOT Enterprise are currently being developed. These articles will ONLY discuss the FOSS version.
- This is not Gospel. This is not necessarily even canon. These are more or less tales from the trenches that enabled us to design and develop ASMaaS and BBOT to drive down customer risk.
- There is competing terminology that BLS did not create or define. An attempt will be made to disambiguate where possible, but this is by no means the final word.
… and we’re off.
ASM Goals and Objectives
“If someone can interact with it, you need to know about it.”
In the simplest of terms, the primary goal for ASM is to continuously minimize the risk associated with internet-facing applications, services, and systems. (For the remainder of this article these will be collectively referred to as “assets”.)
Supporting Objectives Include:
- Continuous Discovery and Enumeration of:
  - IPs
  - Ports
  - Deployed Technologies
  - Subdomains
  - Email Addresses
  - Vulnerabilities
  - Misconfigurations
- Threat Intelligence Gathering and Analysis based on Business and Attacker profiles
- Continuous Risk Assessment and Asset Prioritization
- Triage and Remediation for Vulnerable Assets based on Priority and Risk
- Verification Testing and Risk Reduction
Reading through the Goals and Objectives above, it should be clear that ASM draws from multiple security controls and categories. The ASMaaS BLS provides today includes elements of or touchpoints with:
- Asset Management
- Vulnerability and Patch Management
- Risk Management
- Threat Intelligence Gathering and Analysis
- Continuous Penetration Testing
- Incident Response
There are also relatively new services and capabilities being offered that overlap with what has previously been defined as ASM. These include (but are not limited to):
- Breach and Attack Simulation (BAS)
- Adversarial Exposure Validation (AEV)
- Automated Penetration Testing
- Continuous Automated Red Teaming (CART)
A detailed analysis of Gartner categories is beyond the scope of this article. However, the overlap with the Goals and Objectives of ASM seems unavoidable. For example:
“BAS and, to a greater extent, AEV provide a strategic, proactive approach to strengthening cybersecurity defenses. Unlike sporadic audits or single-point penetration tests, these platforms deliver continuous, automated validation of your security posture, pinpointing strengths, exposing weaknesses, and guiding remediation.” [1]
At the risk of oversimplifying things, each category of security controls “serves at the pleasure” of Risk Management; everything is (and should be) driven by the choices the Business makes with regard to risk. Policies, security controls, applications, and utilities are selected and deployed based on the Risk Management Strategy and Objectives of the Business. In an industry where new categories, terminology, and acronyms appear every week, this is where we are choosing to plant our flag. Basically, “I don’t care what you call it, if it doesn’t fit into our overall Risk Management Strategy and satisfy these requirements, we don’t need it”.
The Business Case for ASM: The CISO Needs Answers … like now
“Wait, so how did they get in again?”
The CISOs we work with are well read and hyper-aware. They answer to the board, and when they need answers they let you know in no uncertain terms. More often than not, Executive Leadership will have read about an attack or breach on the front page of the Wall Street Journal, or received a panicked call from a CISO colleague, or seen something on the news, or all of the above. The immediate ask to their Cybersecurity Leadership Team is, “Do we need to worry about this?”
If statistics and reporting can be believed, then there is a good chance that whatever awfulness has occurred began its life as an attack against one or more public-facing assets. To illustrate this point:
“One in four attacks (26%) against critical infrastructure exploited vulnerabilities in common public-facing or internet accessible applications. This percentage is even higher (30%) for all incidents that X-Force responded to in 2024.” [2]
“VPN and edge devices accounted for 22% of exploitation of vulnerabilities vectors in breaches, which is almost eight times the 3% found in the prior year’s report.” [3]
If this is the case, then this is where ASM really shines. If we have a basic understanding of the initial attack vector, including the vulnerability and primary targets, then ASM enables our team to quickly answer the following questions and effectively communicate back to the CISO:
- Does the targeted software or technology exist anywhere in our Business?
- If so, what Business workflows are attached to the assets running the targeted software or technology?
- Of those managed assets, which are vulnerable to the most recent attack?
- What are the potential impacts of a successful attack?
- How do we remediate in the near-, mid-, and long-term based on the risk?
- What’s the timeline for the fix and when can we tell the Board “all is well”?
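The first three questions above are, at bottom, a query against the asset inventory that continuous discovery has already built: which exposed assets run the targeted product, which of those sit in the affected version range, and which business workflows hang off them. The following is an added example of that query, not BLS or BBOT code. The inventory, the impact weights and the “advisory” it is run against (a fictional `acme-vpn` product with a fix in version 2.4.0) are constructed for illustration and correspond to no real vendor or CVE.

```python
"""Triage helper for a newly reported exploit against a public-facing product.

Added example, not BLS or BBOT code. The inventory, the impact weights and the
advisory below are constructed; product names and versions are fictional.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    port: int
    product: str        # normalised technology name, as a discovery tool would report it
    version: str        # dotted version string, e.g. "2.3.1"
    workflows: tuple = ()  # business workflows that depend on this asset


# Constructed inventory: what continuous discovery has found exposed to the internet.
INVENTORY = [
    Asset("vpn-east.example.com", "203.0.113.10", 443, "acme-vpn", "2.3.1", ("remote-access", "vendor-portal")),
    Asset("vpn-west.example.com", "203.0.113.11", 443, "acme-vpn", "2.5.0", ("remote-access",)),
    Asset("www.example.com", "203.0.113.20", 443, "nginx", "1.24.0", ("ecommerce",)),
    Asset("legacy.example.com", "198.51.100.5", 8443, "acme-vpn", "1.9.7", ()),
    Asset("mail.example.com", "198.51.100.9", 25, "postfix", "3.8.1", ("email",)),
]

# Constructed: how badly the business hurts if a workflow is compromised (higher = worse).
WORKFLOW_IMPACT = {"ecommerce": 10, "remote-access": 8, "email": 6, "vendor-portal": 4}


def parse_version(v: str) -> tuple:
    """'2.4.0-rc1' -> (2, 4, 0). Each dotted piece contributes its leading integer;
    parsing stops at the first piece with no leading digits."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(asset: Asset, product: str, fixed_in: str, introduced_in: str = "0") -> bool:
    """True if the asset runs `product` at a version in [introduced_in, fixed_in)."""
    if asset.product != product:
        return False
    v = parse_version(asset.version)
    return parse_version(introduced_in) <= v < parse_version(fixed_in)


def impact_score(asset: Asset) -> int:
    """Sum of the impact of every workflow attached to the asset. An exposed asset
    with no known workflow still scores 1: unknown ownership is a risk, not a zero."""
    return sum(WORKFLOW_IMPACT.get(w, 0) for w in asset.workflows) or 1


def triage(inventory, product, fixed_in, introduced_in="0"):
    """Answer the CISO's first three questions in one pass.

    Returns (present, affected): `present` is every asset running the product at all
    (does it exist anywhere?), `affected` is the vulnerable subset sorted most
    business-critical first (which are vulnerable, and what is attached to them?).
    """
    present = [a for a in inventory if a.product == product]
    affected = [a for a in present if is_affected(a, product, fixed_in, introduced_in)]
    affected.sort(key=impact_score, reverse=True)
    return present, affected


if __name__ == "__main__":
    # Constructed advisory: acme-vpn, all versions before 2.4.0 exploitable.
    present, affected = triage(INVENTORY, "acme-vpn", fixed_in="2.4.0")
    print(f"{len(present)} exposed acme-vpn instances, {len(affected)} in the affected range")
    for a in affected:
        print(f"  {a.host} ({a.ip}:{a.port}) v{a.version} "
              f"workflows={list(a.workflows) or 'UNKNOWN'} impact={impact_score(a)}")
```

The ordering is what turns a scanner result into an answer for the CISO: the VPN with two business workflows attached is fixed first, the orphaned legacy host is fixed next and gets an owner assigned, and the patched instance is reported as already safe. Questions four and five (impact and remediation timeline) follow from the same records once someone has decided how bad losing each workflow really is.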
These scenarios are consistent with BLS Operations across its customer base as an ASMaaS provider. ASM Analysts are constantly gathering data on new and emerging threats as well as the most prominent vectors of attack. For the current calendar year BLS has executed 17 “Halting Actions” for a single ASMaaS customer alone. “Halting Actions” (HAs) are initiated when a vulnerability or misconfiguration is discovered in an internet-facing asset that constitutes an urgent and significant risk to the Business (life, limb, or property). When a halting action is called, all ASM services and activities are stopped for the vulnerable class of assets until the vulnerability is remediated and the fix is verified and validated. With the global average cost of a data breach at roughly 4 million USD in 2025, the negative impacts to the Business would have been significant if one or more of these vulnerabilities had resulted in a breach (17 HAs @ ~4 million USD per HA = 68 million USD). That figure is a ceiling rather than an expected loss: it assumes every halting action would otherwise have become a full breach, and the average cost is the cost of a breach, not of an exposed vulnerability.
A large part of the value proposition of ASM is that it is done continuously; the team is always prepared, engaged, and driving down risk regardless of whether that call ever comes from the CISO. The team is always working the ASM methodology asking:
- What do we own and expose to the internet?
- Do all of these things have legitimate Business requirements that justify the exposure?
- Is any of it vulnerable?
- How would it be attacked?
- What would happen if an attacker got hold of it and is it bad enough that we have to fix it right now?
- How do we make sure this doesn’t happen again?
Hopefully this short introduction has provided a high-level overview of ASM and highlighted the potential value it can bring to a Business. In the next article we’ll define ASM metrics and Key Performance Indicators (KPIs). More specifically, it will address:
1. What data and metrics are gathered and reported?
2. Based on the data and metrics gathered, what are the ASM KPIs?
3. How do the KPIs translate to positive impacts on the business? (i.e., why should our CISO give a sh*t ?)
Follow-on articles will detail the ASM methodology outlined above and include detailed technical walkthroughs for deploying and using BBOT for ASM.
[1] https://scythe.io/library/top-10-breach-and-attack-simulation-bas-tools
[2] https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/2025-threat-intelligence-index
[3] https://www.verizon.com/business/resources/reports/dbir/