Cybersecurity Terms

Attack surface

An attack surface is the total set of points where an attacker can try to enter, extract data from, or cause damage to your systems. It includes every internet-facing application, API endpoint, cloud resource, user account, open port, third-party integration, and piece of infrastructure that is exposed to potential threats. The larger your attack surface, the more opportunities an attacker has to find a way in.

What is an attack surface?

NIST defines an attack surface as "the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from." In practical terms, it's everything about your technology stack that's exposed to the outside world, or that could be reached by someone who gets inside.

Your attack surface includes:

  • Web applications and APIs. Every endpoint your application exposes, including APIs that mobile apps, integrations, and internal services call.
  • Cloud infrastructure. Compute instances, storage buckets, databases, serverless functions, load balancers, and their configurations.
  • Domains and DNS. Your registered domains, subdomains, DNS records, SSL certificates, and email configuration (SPF, DKIM, DMARC).
  • Third-party integrations. Every SaaS tool, webhook, OAuth connection, and vendor with access to your systems.
  • User accounts and credentials. Employee accounts, service accounts, API keys, and any authentication surface (login pages, SSO endpoints, password reset flows).
  • Code repositories. Public and private repos, CI/CD pipelines, and any secrets or configuration that may be exposed in version history.

Why attack surface matters for startups

  1. Cloud-native means a larger attack surface by default. Traditional on-premises infrastructure had a relatively contained perimeter: a firewall, a handful of servers, and a limited number of entry points. Cloud-native startups operate differently. Every new SaaS tool, every API integration, every cloud service you provision expands your attack surface. Gartner has noted that nonpatchable attack surfaces (cloud services, SaaS, APIs) are growing faster than traditional infrastructure and will represent more than half of enterprise exposure.
  2. You have assets you don't know about. Forgotten staging environments, test subdomains, old marketing landing pages, development servers with public IP addresses, S3 buckets with permissive access policies. These are the assets that show up in breach postmortems. You can't secure what you don't know exists, and most startups have blind spots in their asset inventory.
  3. APIs are the fastest-growing attack surface. Gartner predicted that API abuses would become the most frequent attack vector for web applications, and that trend has materialized. Modern startups are API-first: your mobile app, your integrations, your webhooks all expose API endpoints. Each endpoint is a potential entry point that needs authentication, authorization, rate limiting, and input validation.
  4. Attack surface changes constantly. Every deploy, every new integration, every infrastructure change modifies your attack surface. A startup deploying multiple times per day has an attack surface that looks different by the end of the week than it did at the beginning. Static, point-in-time assessments miss changes that happen between reviews.

Types of attack surface

There are three categories to think about:

  1. Digital attack surface. All the software, network, and cloud assets that are reachable from the internet or from within your network. This is the category most people mean when they say "attack surface": web apps, APIs, cloud infrastructure, domains, and their configurations.
  2. Physical attack surface. Laptops, phones, office network equipment, and physical access points. For remote-first startups, this primarily means employee devices and whatever endpoint security controls you have in place.
  3. Human attack surface. Your people. Phishing targets, social engineering opportunities, and the risk of credential compromise through weak passwords or missing MFA. Every person with access to your systems is part of your attack surface.

Reducing your attack surface

You can't eliminate your attack surface, but you can manage it:

  • Know what you have. Maintain a continuously updated inventory of your assets: domains, subdomains, cloud resources, SaaS tools, API endpoints, and user accounts. Automated discovery is essential because manual inventories go stale immediately.
  • Eliminate what you don't need. Shut down unused services, remove old subdomains, close unnecessary ports, delete test environments that outlived their purpose, and revoke access for former employees and contractors. The simplest way to reduce your attack surface is to remove things from it.
  • Minimize exposure on what remains. Apply least privilege to every account and service. Put services behind authentication. Use network segmentation to limit what's reachable. Configure cloud resources with restrictive defaults rather than permissive ones.
  • Monitor for changes. Your attack surface changes every time you deploy code, add an integration, or provision infrastructure. Continuous monitoring catches new exposures as they appear rather than waiting for the next quarterly review or annual pen test.

How Fencer helps with attack surface management

Fencer continuously discovers and maps your attack surface across code repositories, cloud environments, and external-facing assets. Rather than maintaining static spreadsheets or running one-off scans, Fencer provides a live view of your infrastructure, domains, and integrations. When your attack surface changes (a new subdomain, a misconfigured cloud resource, an exposed service), Fencer detects it and surfaces it alongside the rest of your security findings.

Frequently asked questions

What's the difference between an attack surface and an attack vector?

An attack surface is the total set of potential entry points into your systems. An attack vector is the specific method an attacker uses to exploit one of those entry points. Think of the attack surface as every door and window on a building, and an attack vector as the technique used to get through one of them (picking a lock, breaking a window, social engineering someone into opening the door). Reducing your attack surface means having fewer doors and windows. Defending against attack vectors means securing the ones that remain.


How do I find assets I don't know about?

Start with your cloud provider's built-in inventory tools (AWS Config, GCP Asset Inventory, Azure Resource Graph) to see what's actually running in your accounts. Scan your DNS records and certificate transparency logs to find subdomains you may have forgotten. Review your OAuth connections and API integrations to identify third-party services with access to your systems. For a comprehensive view, external attack surface management (EASM) tools scan from the outside in, discovering what an attacker would find if they were looking at your organization.
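As an added example (not the page's or Fencer's own code), this Python script ties together the "Know what you have" step above and this answer's advice on DNS records and certificate transparency logs: it parses a constructed crt.sh-style JSON export and a constructed BIND-style zone dump, normalizes the names, and reports every host under the domain that the documented inventory does not list. The hostnames, the inventory set and the `name_value` field layout are constructed assumptions for the demonstration.

```python
import json

# Constructed sample shaped like a crt.sh JSON export: each entry's
# name_value holds newline-separated SAN names, sometimes wildcards.
CT_EXPORT = json.dumps([
    {"issuer_name": "O=Let's Encrypt", "name_value": "app.example.com\nwww.example.com"},
    {"issuer_name": "O=Let's Encrypt", "name_value": "*.example.com"},
    {"issuer_name": "O=DigiCert", "name_value": "staging-old.example.com\napi.example.com\nexample-com.cdn-vendor.net"},
])
# Constructed BIND-style zone dump; test-2019 is the forgotten host.
DNS_ZONE = """\
app.example.com.        300 IN A  203.0.113.10
api.example.com.        300 IN A  203.0.113.11
test-2019.example.com.  300 IN A  203.0.113.99
mail.example.com.       300 IN MX 10 mx.example.com.
"""
# What the team believes it owns: the inventory the page says goes stale.
KNOWN_INVENTORY = {"example.com", "app.example.com", "www.example.com",
                   "api.example.com", "mail.example.com"}

def normalize(name: str) -> str:
    """Lowercase, drop the trailing dot, and record a wildcard as the name it covers."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def names_from_ct(ct_json: str, domain: str) -> set[str]:
    """Hostnames under `domain` that appear in certificates logged for it."""
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            n = normalize(raw)
            if n == domain or n.endswith("." + domain):  # ignore out-of-scope SANs
                found.add(n)
    return found

def names_from_zone(zone: str, domain: str) -> set[str]:
    """Owner names of address-bearing records (A/AAAA/CNAME) in a zone dump."""
    found = set()
    for line in zone.splitlines():
        f = line.split()
        if len(f) >= 4 and f[3] in {"A", "AAAA", "CNAME"} and normalize(f[0]).endswith("." + domain):
            found.add(normalize(f[0]))
    return found

def discover(domain: str = "example.com") -> dict[str, set[str]]:
    """Merge outside-in sources and flag what the inventory does not list."""
    seen = names_from_ct(CT_EXPORT, domain) | names_from_zone(DNS_ZONE, domain)
    return {"discovered": seen, "unknown": seen - KNOWN_INVENTORY}

if __name__ == "__main__":
    for host in sorted(discover()["unknown"]):
        print("not in inventory:", host)
```

Feeding real crt.sh output and a real zone export into the same two functions turns this into a first-pass unknown-asset report; the hosts it flags are the staging and test environments the page says show up in breach postmortems.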


How often should I review my attack surface?

Continuously, if possible. Point-in-time assessments (quarterly scans, annual pen tests) miss changes that happen between reviews, and for a startup deploying daily, that's a lot of changes. The ideal approach is automated, continuous discovery that runs alongside your existing development and deployment processes. At minimum, review your attack surface whenever you add new infrastructure, integrate new services, or make significant architectural changes.
