New SANS Survey Finds Attack Surface Management Is Evolving from Severity Scores to Business-Aligned Risk Operations
Posted: Monday, Jun 22

A new research report, sponsored by Qualys, a leading provider of cloud-based IT, security and compliance solutions, and authored by SANS Principal Instructor Chris Dale, explores how organisations are operationalising Attack Surface Management (ASM) to eliminate blind spots and quantify risk in business terms.

The SANS Survey on Attack Surface Management (ASM) for 2025, based on insights from over 200 cybersecurity professionals, highlights a clear shift away from reactive, fragmented and alert-driven approaches toward proactive, unified, automated and business-aligned risk management. As attack surfaces expand across cloud, SaaS, endpoints and third parties, respondents are increasingly demanding ASM programs that integrate into day-to-day operations – connecting discovery, prioritisation and remediation into a measurable risk workflow.

“Continuous visibility, business-contextual prioritisation, and intelligent agentic AI-powered autonomous response are becoming essential for managing modern attack surfaces at scale. The findings reinforce the growing need for operational models like the AI-native Risk Operations Center (ROC), which help organisations continuously identify, prioritise, and autonomously reduce the risks that matter most by providing a unified overview of the entire attack surface,” said Kunal Modasiya, senior vice president – Product, GTM and Growth at Qualys.

Key findings from the SANS Survey on ASM for 2025

There are three defining signals changing what organisations expect from ASM:

  1. Unified visibility across internal and external assets is no longer optional

Organisations are increasingly frustrated with siloed tools and disconnected workflows—and want a single, consistent view of risk across the full attack surface.

  • 55% of organisations expect ASM platforms to protect both internal and external assets simultaneously
  • 37% want ASM platforms to improve visibility into external exposures
  • Only 28% say that their ASM platform effectively identifies sensitive files across the environment

Traditionally, internal networks and external perimeters were managed separately, creating persistent visibility gaps and slower incident response. With cloud adoption and third-party reliance accelerating, the external attack surface is expanding dynamically — making unified visibility across the entire attack surface essential for preventing exposure from lingering long enough to be exploited.

  2. Automation is now essential for modern risk operations

Security teams can no longer rely on periodic scans and manual handoffs if they want to reduce exposure at the pace at which attackers operate. Respondents are looking for ASM platforms that operationalise action, not just detection.

  • 59% of organisations require daily scanning of their environments
  • 67% expect their ASM platforms to provide mitigation recommendations for exploitable vulnerabilities
  • 58% prefer a hybrid model combining manual and automated operations

The survey signals that security leaders are moving away from platforms that simply identify vulnerabilities and misconfigurations. What is gaining traction are platforms that automate asset discovery, connect prioritisation to real exposure, and accelerate remediation through guided, integrated workflows.

  3. Business context matters more than CVSS alone

Organisations want risk quantification that leaders can understand, and that teams can use to prioritise what will reduce business impact most.

  • 89% of surveyed organisations expect their ASM platforms to provide measurable risk quantification
  • 30% want their ASM tools to prevent exploitation of exfiltrated data
  • 35% want their ASM platforms to provide current information on vulnerabilities across their environment

Traditional vulnerability management focused on technical severity scores is no longer enough. Organisations are not investing in security platforms just to generate alerts. They expect measurable business outcomes, clearer remediation direction, and risk reporting that supports executive and board decision-making and justifies security investment based on impact rather than noise.

To read the full report, download it here or read the blog post here
