Skip to Content
Concepts and Fundamentals

What is an attack surface?

An attack surface is the set of all the points where an attacker can try to enter, cause harm, or extract data from a company. Every device, account, application, cloud service, and person is a possible entry point. The larger the surface, the more paths the attacker has, and the harder it is to defend.

Zamak TechnologiesUpdated on July 11, 2026

How to reduce your attack surface

You cannot protect what you cannot see. Reducing the attack surface is a continuous cycle of three steps:

1

Map everything that is exposed

List the devices, accounts, cloud systems, remote access, and internet-facing services. Much of a company's surface is what it does not even know is turned on.

2

Remove what does not need to exist

Turn off unused services, remove old accounts, close open remote access, and cut permissions no one uses. Every point removed is one less door.

3

Monitor what remains

Whatever must stay exposed has to be watched and kept patched. The surface changes every week, with each new device, account, or application.

Source: the NIST glossary (CSRC) definition of attack surface and the practice of attack surface management (ASM).

What makes the attack surface grow

  • Remote work and the cloud: data and access left the office and spread to homes, phones, and online services.
  • Personal devices (BYOD) and the Internet of Things: every connected device is a new entry point.
  • Shadow IT: software and services signed up without IT's knowledge, that no one protects because no one knows they exist.
  • Vendors and integrations: every partner connected to your systems extends your surface beyond your walls.
  • Exposed credentials and data: leaked passwords and public information that give the attacker the first foot in.

The three attack surfaces

  • Digital Everything reachable over the network: websites, applications, servers, APIs, cloud services, open ports, and remote access. It is the fastest-growing surface.
  • Physical The equipment someone can touch: computers, servers, USB sticks, lost or stolen devices, and unauthorized access to the premises.
  • Human People, the target of social engineering. It is the surface exploited by phishing, voice scams, and fraud, and the one no technical tool covers on its own.

Why this matters for the business

22%
of vulnerability-based intrusions exploit exposed edge devices and remote access (Verizon, 2025)
3
the surfaces to cover: digital, physical, and human
$ 4.44M
average global cost of a data breach (IBM, 2025) that a smaller surface helps avoid

Every company wants to grow, and growing increases the attack surface: more people, more devices, more cloud, more integrations. The problem is when it grows with no one keeping track. Exploitation of exposed edge devices and remote access jumped to 22% of vulnerability-based intrusions (Verizon, 2025), precisely the points companies forget to count. Every forgotten point is a door the attacker finds before you do. Reducing and watching the surface is what keeps a data breach, costing an average of $ 4.44 million worldwide (IBM, 2025), on the outside. It is the difference between defending a territory you know and one you did not even know you had.

How to start controlling the attack surface

You cannot reduce what was never measured. Control starts with seeing, and evolves into watching:

  1. Inventory what is exposedTake stock of the devices, accounts, and services reachable from outside. An exposure assessment already reveals points no one remembered existed.
  2. Cut the excessTurn off what is unused, remove old accounts, and close open remote access. It is the fastest, cheapest reduction of the surface.
  3. Apply least privilegeReduce what each account can reach. Even if a point is breached, the surface it exposes stays small.
  4. Keep watchingThe surface changes constantly. Treat the inventory as something living, reviewed and monitored, not a photo taken once.

In practice

Ask your team: how many devices, accounts, and services are reachable from the internet right now? If no one knows the exact number, that uncertainty is the size of your unwatched attack surface.

How Zamak reduces your attack surface

Zamak Technologies helps your company see and shrink the attack surface: it maps what is exposed, cuts the excess, applies least privilege, and keeps continuous watch as part of managed cybersecurity in the Zamak Method, always alongside your internal IT team. A good starting point is a reading of your current exposure with the AI exposure check and the cybersecurity self-assessment.

Frequently asked questions about attack surface

What is the difference between an attack surface and an attack vector?
The attack surface is the set of all possible entry points. The attack vector is the specific path the attacker uses through one of those points (a phishing email, a stolen password, an unpatched flaw). The surface is the map; the vector is the chosen route.
How do you shrink the attack surface?
By reducing the number of exposed points: turning off unused services, removing old accounts, closing open remote access, applying least privilege, and keeping patches up to date. Every point eliminated is one less door for the attacker.
Does remote work increase the attack surface?
Yes. With people, devices, and data outside the office, the surface no longer stops at the company walls and now includes homes, phones, and cloud services. It is one of the biggest drivers of surface growth today.
What is attack surface management (ASM)?
It is the practice of continuously discovering, cataloging, and monitoring everything that is exposed, especially what can be seen from outside the company. It exists to find the forgotten points before an attacker does.
Does a small business have a large attack surface?
It can. All it takes is cloud, remote work, personal devices, and a few unmanaged online services. The size of the surface depends on how many points are exposed and unwatched, not on the size of the company.