On 27 May 2023, the Cl0p ransomware crew started mass-exploiting a zero-day (CVE-2023-34362) in Progress Software's MOVEit Transfer. Six weeks later, more than 2,600 organisations had been breached. Shell. British Airways. The BBC. The US Department of Energy. The State of Maine, where 1.3 million residents' data walked out in one go. CISA wrote it up as AA23-158A.

The common thread in the victim list wasn't sophistication. It was MOVEit instances sitting on the internet that nobody owned properly. A file transfer box stood up in 2019 for a single customer project, then forgotten. An instance the managed services provider never told the business about. A CNAME pointing somewhere nobody had logged into for three years.

This is what external attack surface management is for. Not a Gartner quadrant. Not a platform. A list of everything on the internet that smells like your business, and a read on which of it is broken.

The thing nobody calls it

The industry calls it EASM. External Attack Surface Management. The name made sense to the analysts who invented it and to absolutely nobody else. What it is in practice: a scanner that goes out and enumerates every domain, subdomain, IP, open port, TLS cert, and web tech stack that points back at you, then tells you which of it is dangerous.

I spent years at SilentGrid running pentests where the hardest part wasn't the pentest. It was getting the client to admit what they owned. The scope meeting would end with someone from finance saying "oh, I forgot about that." The thing they forgot is almost always the thing the attacker finds first. This is a solved problem with tooling. It's not solved with meetings.

Why SMBs need this more than anyone

Enterprise buys ASM because the CISO wants a dashboard. Small businesses need it because nobody's looking at all. The attackers don't care about your revenue. They run subfinder and nuclei against whole netblocks, find the thing bleeding, and go after it. Being small is not camouflage.

Three patterns show up on almost every SMB scan I run. A staging site from the last website refresh, still pointing at Heroku, still accepting traffic, still showing customer data from the migration someone forgot to finish. A plugin on the production site that shipped a critical CVE in 2024 and still hasn't been patched because the developer who built the site moved on. A DMARC policy set to p=none because someone read a forum post in 2020 and never came back. Every single one of these takes under sixty seconds to find from outside.

How to start if you're not buying anything

You do not need a tool to begin. You need a spreadsheet. Write down every domain your business owns. Then every subdomain you can remember. Then look at crt.sh for certificates issued on those domains and add the subdomains you forgot. You will find some. Everyone finds some.

Once the list exists, visit each one in a browser. Note what's running, who owns the DNS, and whether you still use it. This is already more attack surface discipline than most mid-sized businesses have.

When the list gets past 40 assets, scanning by hand stops being realistic. That's where the free check is useful as a first pass, and where a scheduled scan starts earning its keep. Attack surfaces change. Marketing spins up a landing page on Thursday and you don't know until it breaks.
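The crt.sh step and the spreadsheet step above, as an added example that is not the post's own tooling: it flattens a crt.sh JSON response into a de-duplicated, in-scope hostname list and emits the inventory skeleton to fill in by hand. The crt.sh query URL and `output=json` format are real; the sample response, `fetch_crtsh`, `hostnames_from_crtsh` and `inventory_csv` are assumptions constructed here.

```python
"""Seed an asset inventory from crt.sh (hypothetical helper, not the post's tooling).
crt.sh answers https://crt.sh/?q=%25.<domain>&output=json with a JSON array whose
"name_value" fields hold newline-separated certificate names."""
import csv
import io
import json
import urllib.request
from urllib.parse import quote
# Constructed sample of a crt.sh response, so the script runs offline.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "staging.example.com"},       # the forgotten staging box
    {"name_value": "*.example.com"},             # wildcard: not a host to visit
    {"name_value": "Old-Project.Example.com"},   # CT keeps the CSR's casing
    {"name_value": "www.example.com"},           # renewals repeat names
    {"name_value": "example.com.evil.test"},     # not under the domain
])

def fetch_crtsh(domain: str) -> str:
    """Live query (needs network); `domain` is an apex you own."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()

def hostnames_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Flatten crt.sh entries into sorted, de-duplicated, in-scope hostnames.
    Wildcards are dropped, names lower-cased, and names outside `domain`
    skipped so a multi-SAN cert cannot drag someone else's hosts into scope."""
    domain = domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)

def inventory_csv(hostnames: list[str]) -> str:
    """Spreadsheet skeleton: one row per host, blank columns to fill by hand."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["hostname", "what_runs_here", "dns_owner", "still_used"])
    for host in hostnames:
        writer.writerow([host, "", "", ""])
    return buf.getvalue()

if __name__ == "__main__":
    print(inventory_csv(hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")))
```

Swap the sample for `fetch_crtsh("yourdomain")` to run it live; the rows it prints are the starting spreadsheet, and the blank columns are the part no tool fills in for you.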

MOVEit will rhyme. Next year's zero-day will be in something else. The constant is the forgotten asset. The scan takes a minute. The work is the phone call to the person who stood the thing up and moved on.

Run your own external scan.

AttackEdge continuously scans what your business exposes to the internet, then translates the findings into plain English. See what attackers see, without hiring a security team.

