Definition
External Attack Surface Management (EASM) is the practice of continuously discovering and assessing the assets an organisation exposes to the public internet — and the misconfigurations and vulnerabilities on them — from an outside-in perspective. Where older security tooling assumes you already know what you are protecting, EASM starts by answering “what does the internet actually see when it looks at us?”
The attack surface includes far more than the main website: every subdomain, TLS certificate, DNS record, mail-authentication policy (SPF, DKIM, DMARC), open port, exposed admin panel, content-management system and its plugins, and any forgotten or shadow asset still answering on the internet. EASM enumerates these, evaluates their exposure, and tracks how that exposure changes over time.
EASM is the external subset of the broader category Attack Surface Management (ASM). It overlaps with vulnerability scanning and with Cyber Asset Attack Surface Management (CAASM), but its defining feature is outside-in, no-credential discovery: it sees what an attacker sees, with no agent or inside access.
Core components
- Asset discovery. Enumerate internet-facing assets — domains, subdomains, hosts, and the services answering on them — including forgotten and shadow assets.
- Email authentication posture. SPF, DKIM, and DMARC presence and enforcement — whether the domain can be spoofed for phishing. Presence alone is not enough: a DMARC record with p=none only reports spoofing, and only p=quarantine or p=reject (at pct=100) actually blocks it.
- Encryption & certificates. TLS version support and certificate validity, issuer, and expiry across hosts.
- DNS hygiene. DNSSEC, CAA, and registration controls (transfer lock, WHOIS privacy) that prevent hijacking and unauthorized certificate issuance.
- Web configuration. Security headers, cookie flags, WAF presence, and exposed admin interfaces.
- Open ports & services. Reachable ports with service and version identification, flagging things that should not be public.
- Software & CVE exposure. CMS, plugin, and library fingerprinting with matching against known vulnerabilities.
- Reputation & change monitoring. Blacklist/phishing reputation, and content-change/defacement detection over time.
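The components above are individually simple checks; what makes them an EASM pass is running them against what a resolver, a TLS handshake and a port scan return for a domain and turning the answers into findings. The following is an added example of that evaluation step, not Lavawall or Scout code. It works on a snapshot dictionary that a scanner would normally fill from live lookups; here the snapshot is constructed inline (labelled as such) so it runs offline, and the domain, record values and port list are assumptions for illustration.

```python
"""Outside-in posture checks of the kind an EASM pass performs (added example)."""

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Services that normally have no business answering from the public internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 1433: "MSSQL", 3306: "MySQL",
               3389: "RDP", 5900: "VNC", 6379: "Redis", 27017: "MongoDB"}


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:a@b' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Classify the domain's SPF record from its apex TXT answers."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("spf", "missing", "no v=spf1 TXT record")
    if len(spf) > 1:
        return ("spf", "invalid", "multiple SPF records (receivers return permerror)")
    # The 'all' mechanism decides unlisted senders; an omitted qualifier means '+'.
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or all_term[0] not in "-~":
        return ("spf", "weak", f"SPF does not fail unlisted senders ({all_term or 'no all term'})")
    return ("spf", "ok", f"SPF ends with {all_term}")


def check_dmarc(txt_records):
    """Classify DMARC from the TXT answers for _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ("dmarc", "missing", "no DMARC record; SPF/DKIM results are not enforced")
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("dmarc", "invalid", "DMARC record has no valid p= tag")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return ("dmarc", "monitor-only", "p=none: spoofed mail is reported but still delivered")
    if pct < 100:
        return ("dmarc", "partial", f"p={policy} applied to only {pct}% of mail")
    return ("dmarc", "enforced", f"p={policy}")


def check_caa(caa_records):
    """caa_records look like '0 issue "letsencrypt.org"'."""
    if not caa_records:
        return ("caa", "missing", "no CAA record: any public CA may issue certificates")
    issuers = set()
    for rec in caa_records:
        _flags, tag, value = rec.split(maxsplit=2)
        if tag.lower() in ("issue", "issuewild"):
            issuers.add(value.strip('"'))
    if not issuers:  # e.g. only an iodef tag, which restricts nothing
        return ("caa", "weak", "CAA present but has no issue/issuewild tag")
    return ("caa", "ok", "issuance restricted to " + ", ".join(sorted(issuers)))


def check_tls(offered_versions, cert_days_left):
    """Flag legacy protocol versions and certificates that are expired or close to it."""
    findings = []
    legacy = sorted(set(offered_versions) & LEGACY_TLS)
    if legacy:
        findings.append(("tls", "weak", "legacy protocols offered: " + ", ".join(legacy)))
    if cert_days_left < 0:
        findings.append(("cert", "expired", f"certificate expired {-cert_days_left} days ago"))
    elif cert_days_left < 30:
        findings.append(("cert", "expiring", f"certificate expires in {cert_days_left} days"))
    return findings


def check_ports(open_ports):
    return [("port", "exposed", f"{p}/tcp ({RISKY_PORTS[p]}) answers from the internet")
            for p in sorted(open_ports) if p in RISKY_PORTS]


def assess(snapshot):
    """Run every check over one domain's snapshot and return (area, status, detail) tuples."""
    findings = [check_spf(snapshot["txt"]), check_dmarc(snapshot["dmarc_txt"]),
                check_caa(snapshot["caa"])]
    findings += check_tls(snapshot["tls_versions"], snapshot["cert_days_left"])
    findings += check_ports(snapshot["open_ports"])
    if not snapshot["dnssec"]:
        findings.append(("dnssec", "missing", "zone is not DNSSEC-signed"))
    return findings


# Constructed sample snapshot (assumed values, not real scan data).
SNAPSHOT = {
    "domain": "example.com",
    "txt": ["v=spf1 include:_spf.example.net ~all", "google-site-verification=abc123"],
    "dmarc_txt": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "caa": [],
    "dnssec": False,
    "tls_versions": ["TLSv1", "TLSv1.2", "TLSv1.3"],
    "cert_days_left": 12,
    "open_ports": [22, 80, 443, 3306],
}

if __name__ == "__main__":
    for area, status, detail in assess(SNAPSHOT):
        print(f"{SNAPSHOT['domain']:<14} {area:<7} {status:<13} {detail}")
```

Each check is deliberately lenient about what it accepts and strict about what it calls enforced: SPF with `?all` or no `all` term, DMARC with `p=none` or `pct` below 100, and a CAA set that carries only an `iodef` tag all look "present" to a presence-only check but are reported here as weak, because presence is not what stops a spoofed message or a mis-issued certificate. Feeding the same snapshot on a schedule and diffing the findings list is the change-tracking side of EASM.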
Why it matters
Many breaches begin with something exposed to the internet that the defender had lost track of or never assessed: a domain with no DMARC that gets spoofed, an admin panel left open, a plugin years out of date, a backup file in the web root, a certificate that expired. None of these require inside access to discover — they are visible from the outside, which means EASM can find them before an attacker does.
For MSPs and lean IT teams, external posture is also a scale problem: you cannot manually audit dozens or hundreds of client domains. Automated, continuous EASM keeps an always-current view of every client's exposure and surfaces what changed since the last scan.
Cyber-insurance questionnaires and frameworks such as CMMC 2.0, NIST CSF, and the CIS Controls increasingly expect organisations to maintain an inventory of internet-facing assets and to monitor their exposure. EASM is the practice that produces that inventory and that evidence.
How Lavawall® helps with EASM
Lavawall® Scout is an external scanner that performs the EASM assessment in a single pass: email authentication (SPF/DKIM/DMARC), TLS and certificates, DNS hygiene (DNSSEC/CAA), security headers and WAF detection, open ports and exposed admin panels, CMS and plugin fingerprinting with NVD-backed CVE matching, exposed-file and backup discovery, blacklist reputation via commercial-safe feeds, and content-change/defacement monitoring — on any domain, with nothing installed on the target.
Inside the Lavawall® platform it runs continuously and multi-tenant: scheduled scans across every client domain, trend history so you can show posture improving over time, native email reports with charts, and a white-label option to embed Scout on your own marketing site. Scout is deliberately quiet — WordPress-specific probes only run on WordPress sites and back off the moment a firewall pushes back.
EASM is the external view; the broader Lavawall® platform pairs it with the inside view — patching, M365 / Entra / Azure breach detection, configuration backup, and GRC — so discovery leads directly to remediation.
Frequently asked
- Is EASM the same as a vulnerability scanner?
- Related, but EASM starts a step earlier — discovering which internet-facing assets exist at all (including forgotten ones) and assessing exposure from the outside, including configuration issues like missing DMARC, weak TLS, or an exposed admin panel that a pure CVE scanner may not flag.
- Is EASM the same as ASM?
- EASM is the external subset of ASM. ASM can also cover internal and cloud assets discovered with credentials or agents; EASM specifically covers what is reachable from the public internet with no inside access.
- How is EASM different from a penetration test?
- A penetration test is a point-in-time, usually manual exercise that goes deep, including actual exploitation. EASM is continuous, automated discovery and assessment of exposure that observes but does not exploit. They complement each other: EASM keeps the asset inventory current between tests and helps scope the next one.
- Does EASM require installing software?
- No. EASM is external by definition — it observes assets over the public internet, so it needs no agent or server access, and can assess assets you have lost track of or do not control.