Security Fundamentals
What is an Attack Surface?
Every system exposes points where an attacker can attempt to enter, extract data, or cause harm. Understanding and reducing your attack surface is the foundation of every effective security program — and the starting point for everything Dexfense does.
Entry Points
All pathways into your system — APIs, web forms, ports, third-party integrations
Assets
Sensitive data, credentials, keys, configuration files, and privileged processes that attackers target
Trust Levels
The access rights granted to different actors — from anonymous users to authenticated admins and backend services
Defining the attack surface
An attack surface is the sum of all the different points — called attack vectors — where an unauthorised user can try to enter data to or extract data from an environment. The larger the attack surface, the greater the opportunity for an adversary to find and exploit a weakness.
The OWASP Attack Surface Analysis Cheat Sheet groups attack surface components into the three dimensions shown above (entry points, assets, and trust levels). The entry points are the dimension that grows fastest, and they break down as follows.
Common Entry Points
Web & API Layer
HTTP/HTTPS endpoints, REST & GraphQL APIs, OAuth flows, web forms, file uploads, cookies, HTTP headers
Network & Infrastructure
Open ports, load balancers, VPNs, DNS, FTP/SFTP, remote desktop, cloud storage endpoints
Authentication Interfaces
Login forms, password reset flows, MFA prompts, SSO providers, API keys, JWTs
Third-party Integrations
Webhooks, OAuth providers, payment processors, cloud services (AWS/Azure/GCP), CDNs, SaaS tools
Internal Services
Message queues, internal APIs, admin consoles, CI/CD pipelines, secrets managers, monitoring agents
Human Factors
Employee email (phishing), helpdesk social engineering, insider threat, contractor access, shared credentials
Why attack surfaces grow — and become unmanageable
Modern software architectures are inherently expansive. A typical enterprise today operates across hybrid cloud environments, dozens of SaaS products, mobile applications, APIs shared with partners, and remote workforces — each layer adding new exposure.
The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector grew by 180% year-on-year — driven largely by attackers scanning for unpatched edge devices and internet-facing systems that organisations had failed to account for in their surface inventory.
Common failure modes include:
- Shadow IT — services deployed without security team visibility
- API sprawl — undocumented or deprecated endpoints left exposed
- Third-party risk — supplier integrations inheriting trusted access without review
- Cloud misconfiguration — overly permissive IAM roles, public S3 buckets, open security groups
- Legacy components — older systems retained in production long after end-of-support
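The three cloud misconfigurations in the last item (overly permissive IAM roles, public buckets, open security groups) are mechanical enough to catch automatically, which is why they appear so often in surface inventories. The following Python is an added example, not code from this page or from Dexfense: it applies the three checks to constructed inputs. The bucket and role policies follow the AWS IAM JSON shape, but every Sid, bucket name and ARN is invented (the account ID is the AWS documentation placeholder), and the security-group rules use a simplified format with explicit from_port/to_port fields rather than the AWS API's own.

```python
"""Three attack-surface checks for cloud configuration (added example, not Dexfense code).
All policy documents and security-group rules below are constructed sample data."""
from __future__ import annotations
import ipaddress

# Ports where ingress from the whole internet is rarely intentional (constructed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def _as_list(v):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal) -> bool:
    """'*' or {'AWS': '*'} means any principal, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_bucket_statements(policy: dict) -> list[str]:
    """Sids of Allow statements that grant access to everyone with no Condition.
    A Condition can still be ineffective; conditioned statements are left for manual review."""
    return [
        st.get("Sid", "<no sid>")
        for st in _as_list(policy.get("Statement"))
        if st.get("Effect") == "Allow"
        and _principal_is_public(st.get("Principal"))
        and "Condition" not in st
    ]


def wildcard_iam_statements(policy: dict) -> list[str]:
    """Sids of Allow statements combining '*' or 'service:*' actions with a '*' resource."""
    flagged = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            flagged.append(st.get("Sid", "<no sid>"))
    return flagged


def world_open_ports(rules: list[dict]) -> dict[int, str]:
    """Sensitive ports reachable from any IPv4 or IPv6 address, mapped to service name."""
    found = {}
    for r in rules:
        net = ipaddress.ip_network(r["cidr"], strict=False)
        if net.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 mean "the whole internet"
            continue
        for port, service in SENSITIVE_PORTS.items():
            if r["from_port"] <= port <= r["to_port"]:
                found[port] = service
    return found


# Constructed bucket policy: one anonymous read grant, one VPC-endpoint-conditioned grant, one Deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "VpcRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed role policy: one scoped statement and two wildcard ones.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadQueue", "Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:aws:sqs:eu-west-1:123456789012:orders"},
        {"Sid": "DoEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed security-group ingress rules (simplified shape, not the AWS API format).
SECURITY_GROUP = [
    {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"from_port": 3306, "to_port": 3400, "cidr": "::/0"},
    {"from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/8"},
]

if __name__ == "__main__":
    print("public bucket statements:", public_bucket_statements(BUCKET_POLICY))
    print("wildcard IAM statements:", wildcard_iam_statements(ROLE_POLICY))
    print("sensitive ports open to the world:", world_open_ports(SECURITY_GROUP))
```

Each check returns the identifiers that need attention rather than a pass/fail, so the output can be fed straight into an inventory or ticket. The port range rule on `::/0` shows why ranges must be expanded: a rule that never names port 3389 still exposes RDP.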
Attack surface reduction — the goal of every defense plan
OWASP describes attack surface reduction as systematically eliminating or hardening entry points so that an attacker has fewer ways to compromise a system. The Protect (PR) function of NIST CSF 2.0 groups the controls that implement this principle.
Disable what you don't need
Remove debug endpoints, disable unused services and ports, retire legacy components with no active use.
Maintain a living inventory
Attack surface analysis is not a one-time activity. Every architecture change potentially adds new vectors.
Apply least privilege
Limit what each user, service, and integration can access. Over-privileged accounts are prime attacker targets.
Segment and isolate
Network segmentation limits lateral movement. Isolate sensitive systems from general-purpose networks.
Validate all inputs
Treat every entry point as potentially adversarial. Validate each input against what the application expects (type, length, format, range) and reject anything that does not match; sanitisation is a fallback, not the primary control.
Monitor the surface continuously
Use threat intelligence and anomaly detection to identify novel attack paths as they emerge.
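Three of the practices above (disable what you don't need, maintain a living inventory, apply least privilege) can be mechanised once the surface is written down in the three dimensions from the start of this page. The following Python is an added example, not code from this page or from Dexfense: it models an inventory of entry points, each with the lowest trust level that can reach it and the sensitive assets behind it, then reports idle entry points, entry points that expose an asset to a lower trust level than the asset requires, and the difference between two snapshots. The inventory, the asset-to-trust policy, the dates and the 90-day idle threshold are all constructed.

```python
"""Living attack-surface inventory (added example, not Dexfense code).
The entry points, the asset policy and the dates below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Trust levels from least to most trusted, mirroring the Trust Levels dimension above.
TRUST_ORDER = ["anonymous", "authenticated", "admin", "backend"]

# Lowest trust level that should be able to reach each asset (constructed policy;
# assets not listed default to "admin").
ASSET_MIN_TRUST = {"customer-pii": "authenticated", "config": "admin", "signing-keys": "backend"}

TODAY = date(2024, 6, 1)  # constructed "now" for the idle check


@dataclass(frozen=True)
class EntryPoint:
    name: str
    kind: str                  # http, port, integration, ...
    trust: str                 # lowest trust level that can reach this entry point
    assets: frozenset          # sensitive assets reachable through it
    last_used: Optional[date]  # last time it appeared in access logs; None = never seen


def _rank(level: str) -> int:
    return TRUST_ORDER.index(level)


def over_exposed(surface: list[EntryPoint]) -> list[tuple[str, str, str, str]]:
    """Least-privilege gaps: (entry point, asset, trust that reaches it, trust required)."""
    gaps = []
    for ep in surface:
        for asset in sorted(ep.assets):
            required = ASSET_MIN_TRUST.get(asset, "admin")
            if _rank(ep.trust) < _rank(required):
                gaps.append((ep.name, asset, ep.trust, required))
    return gaps


def stale(surface: list[EntryPoint], today: date = TODAY, max_idle_days: int = 90) -> list[str]:
    """Entry points with no traffic within max_idle_days (or never): candidates to disable."""
    return sorted(ep.name for ep in surface
                  if ep.last_used is None or (today - ep.last_used).days > max_idle_days)


def _shape(ep: EntryPoint):
    """What counts as a change to the surface: kind, trust and assets, not traffic dates."""
    return (ep.kind, ep.trust, ep.assets)


def diff_surface(baseline: list[EntryPoint], current: list[EntryPoint]):
    """Names of entry points added, removed and changed between two snapshots."""
    b = {ep.name: ep for ep in baseline}
    c = {ep.name: ep for ep in current}
    added = sorted(c.keys() - b.keys())
    removed = sorted(b.keys() - c.keys())
    changed = sorted(n for n in b.keys() & c.keys() if _shape(b[n]) != _shape(c[n]))
    return added, removed, changed


# Constructed snapshots: BASELINE is last quarter's inventory, CURRENT is today's.
BASELINE = [
    EntryPoint("api-login", "http", "anonymous", frozenset(), date(2024, 5, 31)),
    EntryPoint("api-orders", "http", "authenticated", frozenset({"customer-pii"}), date(2024, 5, 31)),
    EntryPoint("admin-console", "http", "admin", frozenset({"config"}), date(2024, 5, 20)),
    EntryPoint("ftp-legacy", "port", "authenticated", frozenset({"customer-pii"}), None),
    EntryPoint("debug-metrics", "http", "anonymous", frozenset({"config"}), date(2024, 1, 10)),
]
CURRENT = [
    EntryPoint("api-login", "http", "anonymous", frozenset(), date(2024, 6, 1)),
    EntryPoint("api-orders", "http", "authenticated", frozenset({"customer-pii"}), date(2024, 6, 1)),
    # A change request relaxed the console from admin-only to any logged-in user.
    EntryPoint("admin-console", "http", "authenticated", frozenset({"config"}), date(2024, 6, 1)),
    EntryPoint("debug-metrics", "http", "anonymous", frozenset({"config"}), date(2024, 1, 10)),
    # A new partner webhook wired straight to the signing service.
    EntryPoint("webhook-payments", "integration", "anonymous", frozenset({"signing-keys"}), date(2024, 6, 1)),
]

if __name__ == "__main__":
    added, removed, changed = diff_surface(BASELINE, CURRENT)
    print("new vectors:", added, "retired:", removed, "changed:", changed)
    print("disable candidates:", stale(CURRENT))
    for name, asset, have, need in over_exposed(CURRENT):
        print(f"least-privilege gap: {name} exposes {asset} to {have}; policy requires {need}")
```

Running the snapshot diff on every architecture change is what turns the inventory into a living one: the webhook shows up as a new vector and the console relaxation as a changed one before either reaches production, and both are caught again by the trust check because the policy is stated per asset rather than per endpoint.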
How Dexfense maps your attack surface to real threats
Most attack surface tools give you a list of exposed assets. Dexfense goes further: it maps every component in your architecture to the MITRE ATT&CK® techniques that adversaries actually use to exploit it.
You select the components that describe your environment — web application, cloud infrastructure, authentication providers, endpoints, databases, third-party integrations. Dexfense then surfaces the ATT&CK techniques most relevant to that specific stack, across all 14 tactics: from Initial Access and Credential Access through Lateral Movement to Exfiltration.
The result is a prioritised, architecture-aware defense plan — not a generic checklist, but a focused view of which controls matter most given the specific attack vectors your environment exposes. Exportable as PDF, aligned to NIST CSF 2.0.
What Dexfense gives you
70+ components covering web, cloud, network, endpoint, IAM, and more
200+ MITRE ATT&CK® techniques mapped to component-level exposure
NIST CSF 2.0 gap analysis across all 6 functions (GV, ID, PR, DE, RS, RC)
Exportable PDF defense plan tailored to your architecture
Interactive planner — add or remove components and see threats update in real time
Educational annotations so analysts build intuition alongside their plan
How our team of professionals can help
Dexfense is a powerful starting point — but some environments require more than a self-service tool. Our team of certified cybersecurity professionals works directly with organisations to deliver hands-on attack surface analysis and defense planning services.
Architecture-level attack surface review
Our team conducts a structured review of your architecture, identifying entry points, assets, and trust boundaries that automated tools miss — including business logic flaws and contextual risk.
Threat modelling workshops
Facilitated sessions with your engineering and security teams to systematically enumerate threats using STRIDE, ATT&CK, and OWASP methodologies against your specific design.
NIST CSF 2.0 gap assessment
A formal evaluation of your current controls against NIST CSF 2.0, producing a prioritised roadmap that maps directly to your actual risk exposure — not a generic maturity benchmark.
Defense plan validation & advisory
We review and validate the defense plan Dexfense generates for your environment, adding expert interpretation and feasibility assessment for control implementation.
Incident response readiness
Map your current detection and response capabilities against the techniques most likely to target your environment, and identify critical coverage gaps before an attacker finds them.
Ongoing security advisory
Retain access to our specialists for architecture reviews as your system evolves — ensuring your attack surface stays mapped and your defenses stay current.
Our professionals hold industry certifications including OSCP, CISSP, CEH, and CISM, and have experience across financial services, healthcare, SaaS, and critical infrastructure sectors.
Map your attack surface now
Select your architecture components in the planner and get a prioritised, MITRE ATT&CK® mapped defense plan — free. Or contact our team for a professional assessment.