One of the things you’ll hear repeatedly in cybersecurity circles is that you can’t protect what you can’t see. It sounds obvious, and yet TrendAI Africa’s threat detection data for EMEA in the second half of 2025 found that the top risks it detected were not sophisticated intrusions or novel malware, but risky cloud app access, stale or dormant identities, and multifactor authentication (MFA) that hadn’t been switched on in cloud environments.
TrendAI said these oversights aren’t difficult to address, but no one in the business knew they were there. Every cloud account, SaaS application, API integration and third-party tool an organisation has ever provisioned is a potential entry point and the average organisation has far more of them than anyone has documented. “Everyone’s watching the firewall,” says Christo Coetzer, CEO of BlueVision. “Organisations tend to manage what they’ve deliberately built, but the attack surface includes everything else too.”
Attack surface management (ASM) is a security discipline built around this visibility problem. It involves discovering, classifying and monitoring every asset an attacker could reach, and closing the gaps. But ask any ASM practitioner where the real exposure is and the answer is the same: not where anyone is looking. “The biggest gaps exist where visibility ends and complexity begins,” says Ian Oelofse, a pre-sales solution architect at CASA Software. “These are often found in unmanaged subdomains, forgotten cloud storage buckets and third-party integrations that operate outside the view of central security teams. Because organisations are constantly evolving, these dark corners of the business are rarely managed effectively. Malicious actors only need to find one open, overlooked asset to compromise the environment.”
Coetzer says identity is where the real exposure hides, particularly service accounts and non-human identities that accumulate privileges quietly over time. It’s the kind of thing IT teams fail to remove because nobody remembers adding it in the first place.
“The attack surface is no longer just endpoints and email. It’s every cloud account, SaaS application, API integration, OT sensor and AI workload your organisation has ever provisioned, whether IT knows about it or not,” says Zaheer Ebrahim, solutions architect at TrendAI Africa. “A developer can spin up a cloud environment, build something with AI assistance, connect it to production data and abandon it, all within a week,” says Coetzer. “The exposure isn’t just growing. It’s constantly shifting shape. That fundamentally changes how you have to think about discovery and monitoring.”
The risk also doesn’t stop at abandoned resources. Shadow IT, for one, has always existed, but there is now self-service cloud infrastructure and AI-generated code to contend with. “The attack surface is much more fluid and harder to track,” says Oelofse, explaining that AI also adds a new layer of risk through direct data leakage into public models and structural vulnerabilities where AI agents can be manipulated to execute code and expose sensitive information. “Employees are feeding sensitive data into AI tools, developers are building AI-powered applications on cloud infrastructure, and organisations are deploying large language models without adequate security oversight,” says Ebrahim. “The question has changed. It’s no longer, ‘Are we defended?’ but, ‘Do we even know what we’re defending?’”
“You need to see your organisation the way an attacker sees it, not the way your CMDB describes it,” says Coetzer, referring to the configuration management database that most organisations use to track their assets, and which rarely reflects reality. An internet-facing server with read-only access to a test database is a nuisance. The same server with administrative access to production data is a different conversation – the impact depends on what sits behind it.
ASM seeks to anticipate threats before they can be exploited, says Oelofse, but this requires a shift from reactive discovery to proactive threat modelling and continuous asset discovery. “By using automated tools to map your digital footprint from an attacker’s perspective, you can identify high-value targets and misconfigurations before they are discovered by malicious actors.” Oelofse’s advice is to integrate threat intelligence, which will allow security teams to understand which specific vulnerabilities are currently being weaponised in the wild, enabling you to close the door on a threat before it transitions from a theoretical risk to an active exploit. Attack path modelling maps the routes an attacker would take through an environment, tracing exposed assets, misconfigurations and vulnerabilities to show not just what is exposed, but what is within reach of the attacker. Individual findings that appear low severity in isolation can turn critical when a misconfiguration, an exploitable vulnerability and a path to sensitive data converge on the same asset. “That gives you a window, sometimes a narrow one, to act first,” says Oelofse.
A proactive ASM programme rests on four factors that must be cycled through continuously: discover, assess, prioritise and remediate. Discovery means finding not just the assets IT knows about, but the forgotten and unmanaged ones, including OT devices that cannot run agents. By combining cloud API-based discovery from the inside with external scanning from the outside, organisations close the gaps that neither approach catches alone. Assessment prioritises context over cataloguing: vulnerabilities, misconfigurations and exposed credentials are combined into a risk picture that reflects what is actually exploitable. Modern ASM tools also integrate directly with SIEM, SOAR, ticketing systems and developer tools, as well as APIs and prebuilt connectors, so that findings are sent automatically to the right team rather than sitting in a dashboard nobody outside the security team ever opens.
Teams may also struggle to prioritise their work. With thousands of vulnerabilities and a finite security team, the question is never what is wrong, but what to fix first. “And it starts with the assumption that your known asset inventory is incomplete, because it always is,” says Coetzer. “From there, continuous automated discovery from an outside-in perspective is non-negotiable. The goal isn’t a cleaner spreadsheet. It’s a smaller, better-understood attack surface.”
ASM tools deliver the adversary’s view, an outside-in picture of exposed assets, while cloud-native application protection platforms (CNAPPs) go further by embedding ASM within a wider framework that also covers posture management, vulnerability management, identity security and runtime protection. For organisations running across multiple cloud providers, the two are increasingly complementary. What none of this changes is the fundamental arithmetic – attackers need to find one thing. Defenders need to find everything, and ASM gives security teams the best chance of seeing the whole board before someone else does. “Remediation without accountability closes nothing,” says Ebrahim. “When leadership asks whether things are improving, that data provides a direct answer rather than a slide full of activity metrics.”
How AI really changes ASM
The difference between seeing an issue and understanding its real impact is what AI brings to ASM. AI-powered platforms ingest data from DNS records, TLS certificates, cloud APIs, WHOIS data and threat intelligence feeds simultaneously, correlating signals to surface assets that belong to an organisation even when nobody registered them in an inventory tool. A subdomain stood up this morning can appear in the asset inventory within hours.
Risk scoring becomes contextual rather than categorical, with AI models assessing whether an asset is internet-facing, whether a known exploit exists in the wild, how critical the asset is to the business and whether it has a path to something more sensitive, producing a prioritised list of what actually matters rather than a catalogue of everything that is technically wrong.
Shadow APIs, endpoints created for internal use that accidentally end up internet-facing, are among the most common and least-monitored exposures in modern environments. AI-driven platforms scan for open ports, identify API endpoints, analyse response patterns and flag high-risk behaviour such as unauthenticated access or endpoints returning personal data, without anyone having to know the API existed in the first place.
“Employees find creative ways to solve work problems with AI, even when blocked,” says Ben Fourie, senior software developer at Dariel. “Proprietary company secrets are being shared with AI. Free-tier AI uses user interaction to train models, so company data becomes part of a public model that others can query.”
An open storage bucket with a DNS entry pointing to it, sitting on an instance with identity roles that reach production databases and an IP address that threat intelligence has already flagged as actively probed, is not just a finding but a crisis. AI connects those dots automatically in ways that most security teams, stretched thin and drowning in alerts, cannot do fast enough on their own.
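As an added illustration (not code from TrendAI, CASA Software or BlueVision) of the discover-assess-prioritise cycle and the contextual risk scoring described above: it reconciles a constructed CMDB against inside-out (cloud API) and outside-in (external scan) discovery feeds, lists the assets the CMDB never knew about, and scores each asset so that low findings converging on one exposed, reachable asset outrank a long list of isolated ones. The asset names, feed contents and weights are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    exploit_in_wild: bool = False          # threat intel: weakness is being weaponised
    business_critical: bool = False
    path_to_sensitive_data: bool = False   # an attack path reaches production data
    misconfigs: list = field(default_factory=list)  # e.g. "mfa_disabled", "open_bucket"
    sources: set = field(default_factory=set)       # which discovery feeds saw it

# Constructed sample data: what the CMDB says versus what two discovery feeds found.
CMDB = {"web-01", "db-prod"}
CLOUD_API = {
    "web-01": dict(internet_facing=True, business_critical=True, misconfigs=["mfa_disabled"]),
    "db-prod": dict(business_critical=True, path_to_sensitive_data=True),
    "svc-etl-sa": dict(path_to_sensitive_data=True, misconfigs=["dormant_identity"]),
}
EXTERNAL_SCAN = {
    "web-01": dict(internet_facing=True),
    "test-api.example.com": dict(internet_facing=True, exploit_in_wild=True,
                                 path_to_sensitive_data=True, misconfigs=["unauthenticated"]),
    "backup.example.com": dict(internet_facing=True, misconfigs=["open_bucket"]),
}

def reconcile(cmdb, *feeds):
    """Merge (label, feed) pairs into one inventory; boolean attributes OR together.
    Returns the inventory and the names the CMDB does not know about."""
    inventory = {}
    for label, feed in feeds:
        for name, attrs in feed.items():
            a = inventory.setdefault(name, Asset(name))
            a.sources.add(label)
            for key, value in attrs.items():
                if key == "misconfigs":
                    a.misconfigs.extend(m for m in value if m not in a.misconfigs)
                else:
                    setattr(a, key, getattr(a, key) or value)
    unknown = sorted(n for n in inventory if n not in cmdb)
    return inventory, unknown

def score(a: Asset) -> int:
    """Contextual score: each signal adds a little; convergence into an attack path doubles it."""
    s = 3 * a.internet_facing + 3 * a.exploit_in_wild
    s += 2 * a.business_critical + 2 * a.path_to_sensitive_data + len(a.misconfigs)
    if a.internet_facing and a.path_to_sensitive_data and (a.exploit_in_wild or a.misconfigs):
        s *= 2  # exposed, exploitable and reaching sensitive data: treat as a crisis, not a finding
    return s

def prioritise(inventory):
    """Highest-scoring assets first: the 'what to fix first' list rather than 'what is wrong'."""
    return sorted(inventory.values(), key=score, reverse=True)
```

Running `reconcile(CMDB, ("cloud_api", CLOUD_API), ("external_scan", EXTERNAL_SCAN))` and then `prioritise` puts the unauthenticated, internet-facing test API with a path to production at the top, well above the known web server with MFA disabled.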
* Article first published on www.itweb.co.za

