Insights into the Team Cymru State of Attack Surface Management Survey

8 reasons to reassess your ASM strategy

In our The State of Attack Surface Management report, published in May, we surveyed 440 security practitioners in the US and Europe who work on their company’s security team. Each organization surveyed had to use an attack surface management (ASM) platform, and these professionals were able to provide first-hand knowledge about the benefits and drawbacks of ASM tools today.

This survey is vital reading if you are new to ASM or looking to compare your current experience to see how you measure against other organizations.

It’s critical for organizations to have effective solutions that enable security teams to protect their organization from cyber-attack. But are the tools and methods being used appropriate for modern security teams, or are technology gaps leaving organizations vulnerable?

We’ve condensed the contents of our survey to eight key takeaways.

These high-level insights provide a flavor of what you can find in the complete report and will enable you to assess and potentially evolve your current approach to ASM.

Insight No. 1.

Shadow IT

While freedom and control over their own IT environments may help users across the organization do their jobs more efficiently, it opens unchecked entry points for cybercriminals and is a potential disaster for the company. A growing organization continuously adds elements to its infrastructure without following policies or best practices, and often the security team is the last to know about it.

This is why 20% of respondents say their organization implemented ASM to increase their visibility of shadow IT in the enterprise; other surveys have sometimes found this figure to be over 50%. According to 23.4% of respondents, identifying rogue or unclassified events is the most valuable capability that ASM has provided their organization.

Pro Tip: your ASM tool must have both continuous and autonomous discovery of unknown or new assets and be able to automatically scan for vulnerabilities to expose shadow IT risks.

Insight No. 2.

Cloud Migration

16.3% of our respondents say that errors associated with moving more data and assets to the cloud are the primary reason their attack surface is expanding.

Illustrating the effect of expanding attack surfaces in the cloud, Verizon’s 2022 Data Breach Investigations Report (DBIR) states that misconfigured cloud storage accounts for 13% of breaches.

Pro Tip: your ASM tool must have insights into the Application Layer and Technology Stack across any cloud environment, in addition to mapping the underlying infrastructure, to fully reveal the extent of dependencies and risks of approved and unapproved cloud apps.

Insight No. 3.

Lack of Integration

14.5% cite the main limitation of existing ASM platforms as their lack of integration with automation platforms. For security teams to gain even more advantages over static reports, they need more integrations. However, legacy ASM tools can be challenging and expensive to update and maintain. As ASM 2.0 tools mature, the industry will undoubtedly benefit from the additional time-saving integrations they can provide.

Pro Tip: the more capabilities your ASM tool has, the less complex integration becomes, saving time, money, and effort on stitching together multiple technologies, workflows, and processes. Look for ASM platforms that, as a minimum, integrate Asset Management, Vulnerabilities Management, and Cloud Infrastructure Management in addition to Threat Intelligence – it is more efficient to integrate a single platform than several.

Insight No. 4.

Required Training

When security solutions need an inordinate amount of time dedicated to training before users can effectively do their jobs, they burden already struggling security teams. This is why a plurality of 21.5% indicates that the training needed for analysts to use the platform is their primary challenge with their current ASM platform.

Pro Tip: your ASM tool needs to be more than fully featured; it must have many of the labor-intensive and repetitive tasks automated and running continuously – this means more emphasis on using the platform, not learning the methods. Another key point is the User Experience. Evaluate how seamlessly the ASM integrates multiple competencies and assess how easily tasks can be done. If anything looks complex or time-consuming, move on.

Insight No. 5.

Time to Deploy

Of our respondents involved in deploying their current ASM solution, 23.2% said it took 6 to 9 months to get them up and running. For 18.5%, it took over a year — a long time to leave their organization vulnerable to unmanaged risks.

The time it takes to deploy and implement a new security solution is consequential because it expresses the amount of time the organization continues to go without the protection provided by the improved processes. The frustration created by a new implementation is also a challenge for security teams looking to get up and running quickly and smoothly.

Pro Tip: your ASM needs to hit the ground running. Assess how many of the features are automated and don’t require time or training to achieve value, in addition to functions that can easily be controlled, such as Asset Discovery and Vulnerabilities Scanning. If you aren’t getting a frictionless experience during Evaluation or Proof of Concept, chances are your ASM will take months to integrate into your environment.

Insight No. 6.

Security Concerns

Integrating a new platform or giving an untested solution broad access across the enterprise will keep a CISO up at night. This is especially worrisome considering that 29.7% of our respondents said their top concerns were about the security aspects of data integration and how much access their current ASM platform had across the enterprise.

Pro Tip: ASM is currently a buoyant market for investors, but that also brings risks for Procurement. Your ASM provider should pass your standard third-party assessments and especially be compliant with ISO27001 to give assurances they take your data, security, and integrity seriously. As part of that assessment, case studies, provenance, and financial assessments provide insights to separate the target acquisition start-ups from less risky, more stable and better-established organizations.

Insight No. 7.


Legacy ASM solutions fail to deliver an adequate ROI for modern cloud-based enterprises. Many ASM users also did not fully realize the initial benefits promised when they acquired their solution.

21.1% of the respondents felt they overpaid for their current ASM solution. Of those who plan to stop working with their ASM vendor in the next 12 months, 21% cite the cost of operation and maintenance.

Pro Tip: as an ASM buyer, automation is the key to lowering operational costs. Premium services will have a higher initial purchase price, but the returns will start almost immediately because they offer wider functionality, high levels of automation, and accuracy. Make a point of ensuring that humans are also involved on the vendor side. This is hugely beneficial, as the data will be more accurate and therefore less time is wasted on budget- and resource-draining false positives.

Insight No. 8.

Future Plans

Most businesses see enough value in their legacy ASM solution to justify using it, but many enterprises recognize they need a better solution. While 51% have no plans to stop working with their ASM vendor in the next 12 months, 27.9% say they plan to terminate their current ASM vendor with no intentions of replacing them.

Pro Tip: it’s clear that legacy ASM has failed to meet the minimum expectations of buyers and users. As a buyer, you need to be aware that the next generation of ASM platforms has already emerged, referred to as ASM 2.0. These new-gen platforms resolve many of the challenges customers face, so it is vital to assess a new or existing ASM platform on the basis


Our survey results show a widespread and immediate need for change. ASM must help, not hinder, organizations in managing digital asset risks across the entire attack surface. Still, many organizations are so frustrated with their current ASM that they’re considering abandoning it altogether.

Our survey reveals legacy ASM tools are challenging to use, expensive to operationalize, and need further integrations to gain fractional advantages over a static report. But abandoning an ASM altogether will send organizations backward, not forward. The positive news is that the future of ASM is already available in the form of ASM 2.0.

ASM 2.0 seamlessly blends asset discovery, vulnerability management, cloud application management, threat intelligence, and business risk management – gone are single-function low-value platforms.

SOCs gain real-time verified and validated alerts to risks and threats affecting their assets. With ASM 2.0, patching external assets in order of priority can be in lockstep with organizational goals. Additionally, shadow IT challenges are quickly discovered, assessed for impact, and risks addressed with a complete inventory of cloud-based web applications, including the IP addresses they reside on, providing laser focus for any cloud security team.

To avoid falling into legacy ASM traps triggered by your peers and to gain deeper insights into how an ASM 2.0 solution can address the deficiencies of your current ASM, download the full report here.
