
Why Mid-Market Companies Are the Easiest Targets on the Internet (And What to Do About It)

Tags: EASM, attack-surface, mid-market, cybersecurity, ThreatScope

By Jeremy Wilson | VISO Group

Here's something I learned the hard way during my years in information security: the companies that think they're too small to be targeted are usually the ones already compromised.

I'm not talking about Fortune 500 breaches that make headlines. I'm talking about the 4,000-employee manufacturer in Texas with a forgotten staging server running an unpatched version of Exchange. The regional healthcare network with three acquisitions' worth of shadow IT nobody's inventoried. The financial services firm whose marketing team spun up a subdomain on AWS two years ago and never told IT.

These are mid-market companies. And right now, they're sitting on attack surfaces they can't see.

What Is an External Attack Surface, Anyway?

Your external attack surface is everything about your organization that's visible from the internet. Every IP address, every subdomain, every open port, every cloud instance, every TLS certificate, every login page — anything an attacker can discover without having credentials or insider access.

Think of it this way: if your network is a building, your external attack surface is every door, window, vent, and crack in the foundation that someone could use to get in. External attack surface management (EASM) is the discipline of continuously finding, cataloging, and monitoring all of those entry points.

The key word is continuously. This isn't a once-a-year penetration test. Your attack surface changes every time someone spins up a cloud resource, registers a subdomain, or opens a port for a vendor integration. If you're only checking quarterly, you're flying blind for 89 days out of 90.

The Mid-Market Blind Spot

Enterprise companies have dedicated teams and seven-figure budgets for this. They run continuous red team exercises and maintain asset inventories with full-time staff. Small businesses, frankly, have a footprint small enough that one administrator can keep the whole thing in their head.

Mid-market companies — roughly $50 million to $500 million in revenue, 500 to 5,000 employees — get the worst of both worlds. They have enterprise-level complexity with small-business-level security resources.

Here's what I see over and over again:

The acquisition problem. A mid-market company acquires a smaller firm. They integrate the financials, merge the sales teams, maybe consolidate the CRM. But nobody does a full inventory of the acquired company's internet-facing assets. Six months later, that company's old dev server — still running, still internet-facing, still using the default admin password — becomes the entry point for a ransomware attack.

The cloud sprawl problem. Your infrastructure team manages the production environment in AWS. But marketing has a WordPress instance in a separate account. Engineering has test environments in Azure. Someone in finance set up a data-sharing portal with a vendor. None of these show up in your CMDB. All of them are part of your attack surface.

The "it was temporary" problem. A developer opens port 3389 (RDP) for remote desktop access during a weekend migration. The migration finishes. The port stays open. Three months later, a bot scanning the entire IPv4 space finds it and starts brute-forcing credentials. This happens constantly. It happened to a company I worked with — they had no idea that port had been open for over a year.

Why Attackers Love the Mid-Market

Attackers aren't just targeting the biggest companies anymore. Sophisticated threat actors and ransomware gangs have figured out that mid-market companies are the sweet spot:

  • Big enough to pay. A $200 million company can afford a significant ransom payment. Their cyber insurance likely covers it. The business disruption cost makes paying look rational.
  • Small enough to have gaps. Limited security staff means slower detection and response. Fewer tools mean less visibility. Tighter budgets mean older systems stay in production longer.
  • Connected enough to be valuable. Mid-market companies are often part of larger supply chains. Compromising a mid-market vendor can be the stepping stone to a much bigger target.

The numbers back this up. According to multiple industry reports, the average cost of a data breach for companies under 500 employees crossed $3 million in recent years. For companies in the 500-5,000 range, it's significantly higher. And the majority of those breaches involved external-facing assets that the company didn't know were exposed.

What External Attack Surface Management Actually Does

EASM isn't magic. It's methodical. Here's what a good EASM program gives you:

1. Discovery — Finding What You Don't Know About

This is the part most companies skip. You can't protect what you don't know exists. EASM tools crawl DNS records, certificate transparency logs, WHOIS data, cloud provider APIs, and more to build a complete picture of your internet-facing footprint. The first time most companies run a comprehensive discovery, they find 30-40% more assets than they knew about.

2. Inventory — Keeping Track of What's Out There

Once you've discovered your assets, you need to maintain that inventory continuously. New subdomains get created. Cloud instances spin up and down. Certificates expire. An EASM program keeps this inventory current so you always know what's exposed.

3. Risk Assessment — Understanding What's Actually Dangerous

Not every exposed asset is a critical risk. An informational web page with no login form is very different from an internet-facing admin panel running outdated software. Good EASM prioritizes findings by actual risk — what's exploitable, what's sensitive, what's most likely to be targeted.

4. Monitoring — Catching Changes Before Attackers Do

Your attack surface changes constantly. EASM monitoring alerts you when new assets appear, when configurations change, when certificates are about to expire, or when a known vulnerability affects one of your exposed services. The goal is to know about changes before an attacker's automated scanner does.
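To make the four steps concrete, here is an added example that is not code from the original post or from any VISO Group product: one short script that runs discovery over certificate-transparency records, diffs the result against a CMDB inventory, scores each exposed host, and diffs the snapshot against the previous run. Every hostname, record, port, path and date in it is constructed for the example; the record shape mirrors what json.load() of a crt.sh export yields, but nothing is fetched from the network, and the weights in the scoring are an illustrative choice, not an industry standard.

```python
"""Minimal external-attack-surface pipeline over constructed data: discovery
from certificate-transparency records, inventory diff against a CMDB, per-host
risk assessment, and change monitoring between two snapshots.  Every hostname,
port, date and record below is invented for this example."""
from datetime import date, datetime, timedelta

APEX = "example.com"

# Constructed CT-log records.  The shape (a name_value field holding
# newline-separated SANs, plus not_after) is what json.load() of a crt.sh
# export yields, but these entries are made up.
CT_RECORDS = [
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-09-01T00:00:00"},
    {"name_value": "*.example.com", "not_after": "2026-01-15T00:00:00"},
    {"name_value": "staging-old.example.com", "not_after": "2025-02-01T00:00:00"},
    {"name_value": "vendor-portal.example.com", "not_after": "2025-12-20T00:00:00"},
    {"name_value": "WWW.Example.com.", "not_after": "2026-09-01T00:00:00"},  # case + trailing dot
]

# Constructed: what the CMDB lists, what a port/HTTP probe of each host saw,
# and the discovery snapshot stored from the previous run.
CMDB_KNOWN = {"www.example.com", "example.com"}
OBSERVED = {
    "www.example.com":           {"ports": {443}, "paths": ["/"]},
    "example.com":               {"ports": {443}, "paths": ["/"]},
    "staging-old.example.com":   {"ports": {22, 3389}, "paths": ["/admin"]},
    "vendor-portal.example.com": {"ports": {443}, "paths": ["/login"]},
}
PREVIOUS_SNAPSHOT = {
    "www.example.com": date(2026, 9, 1),
    "example.com": date(2026, 9, 1),
}
HIGH_RISK_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}
TODAY = date(2025, 12, 1)  # pinned so the run is deterministic


def normalize(name):
    """Lower-case and strip whitespace and the trailing dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")


def discover(ct_records, apex):
    """Step 1, discovery: map each concrete hostname under `apex` to the latest
    certificate expiry seen for it in CT."""
    expiry = {}
    for rec in ct_records:
        not_after = datetime.fromisoformat(rec["not_after"]).date()
        for raw in rec["name_value"].split("\n"):
            host = normalize(raw)
            if host.startswith("*."):
                continue  # a wildcard proves the zone is in use but names no host to probe
            if host == apex or host.endswith("." + apex):
                expiry[host] = max(expiry.get(host, not_after), not_after)
    return expiry


def unknown_assets(discovered, known):
    """Step 2, inventory: hosts discovery found that the CMDB does not list."""
    return set(discovered) - {normalize(h) for h in known}


def assess(obs, in_inventory, cert_expiry, today):
    """Step 3, risk assessment: weighted findings rolled up to a severity.
    Weights are illustrative: an exposed remote-access service or admin panel
    alone is critical; being unowned or having an expired cert adds to it."""
    findings = []  # (weight, reason)
    for port in sorted(obs["ports"]):
        if port in HIGH_RISK_PORTS:
            findings.append((3, f"{HIGH_RISK_PORTS[port]} ({port}) reachable from the internet"))
    if any(p.startswith("/admin") for p in obs["paths"]):
        findings.append((3, "admin panel exposed"))
    if not in_inventory:
        findings.append((1, "not in inventory, so nobody is patching it"))
    if cert_expiry < today:
        findings.append((1, f"certificate expired {cert_expiry.isoformat()}"))
    total = sum(w for w, _ in findings)
    severity = "critical" if total >= 3 else "medium" if total else "info"
    return severity, [reason for _, reason in findings]


def monitor(previous, current, today, warn_days=30):
    """Step 4, monitoring: diff two discovery snapshots and warn on certificates
    expiring within `warn_days`."""
    events = [("new_asset", h) for h in sorted(set(current) - set(previous))]
    events += [("asset_gone", h) for h in sorted(set(previous) - set(current))]
    for host, exp in sorted(current.items()):
        if today <= exp <= today + timedelta(days=warn_days):
            events.append(("cert_expiring", host))
    return events


def run():
    """Full pass: returns (discovered, unknown, report, change events)."""
    discovered = discover(CT_RECORDS, APEX)
    unknown = unknown_assets(discovered, CMDB_KNOWN)
    report = {
        host: assess(OBSERVED.get(host, {"ports": set(), "paths": []}),
                     host in CMDB_KNOWN, exp, TODAY)
        for host, exp in discovered.items()
    }
    return discovered, unknown, report, monitor(PREVIOUS_SNAPSHOT, discovered, TODAY)


if __name__ == "__main__":
    discovered, unknown, report, events = run()
    print(f"discovered {len(discovered)} hosts; {len(unknown)} missing from CMDB: {sorted(unknown)}")
    order = {"critical": 0, "medium": 1, "info": 2}
    for host, (sev, reasons) in sorted(report.items(), key=lambda kv: order[kv[1][0]]):
        print(f"[{sev:8}] {host}: {'; '.join(reasons) or 'no findings'}")
    for kind, host in events:
        print(f"change: {kind} {host}")
```

On the constructed data the run flags staging-old.example.com as critical (RDP and an admin panel exposed on a host the CMDB has never heard of, with an expired certificate), vendor-portal.example.com as medium for being unowned plus a certificate-expiring warning, and the two known hosts as informational. Note the normalization step: without it the mixed-case, trailing-dot SAN would have counted as a fifth host, which is exactly the kind of noise the section warns about. In a real program the constructed inputs are replaced by the CT query, the DNS and WHOIS sources the section names, and a port/HTTP probe, and the snapshot is persisted between runs so the monitor step has something to diff against.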

What to Look For in an EASM Solution

If you're evaluating external attack surface management for your organization, here's what actually matters:

Automated discovery, not just scanning. There's a difference between running Nmap against your known IP ranges and actually discovering assets you didn't know about. Look for tools that find shadow IT, forgotten infrastructure, and assets tied to your organization through DNS, certificates, and registration data.

Continuous monitoring, not periodic snapshots. Monthly or quarterly scans miss too much. Your attack surface changes daily. The solution should be watching continuously and alerting on changes.

Actionable findings, not noise. The last thing your small security team needs is 10,000 "informational" findings. Prioritization matters. Risk context matters. If the tool can't tell you why something is dangerous and what to do about it, it's just creating more work.

Coverage beyond your known perimeter. The whole point is finding what you don't know about. If you have to manually tell the tool where to look, you're just doing asset management with extra steps.

Simplicity. Mid-market security teams are lean. You don't need a tool that requires a dedicated analyst to operate. You need something that surfaces what matters and gets out of the way.

Getting Started Doesn't Have to Be Hard

Here's the thing about external attack surface management: the hardest part is starting. Once you see what's actually exposed, the remediation is usually straightforward. Close the port. Decommission the old server. Renew the certificate. Patch the software. Move the admin panel behind a VPN.

The expensive part isn't fixing the problems — it's not knowing about them until an attacker finds them first.

If you've never done a comprehensive assessment of your external attack surface, start there. Find out what's visible. You'll almost certainly be surprised.

And if you want to see what your organization looks like from an attacker's perspective, try a free scan at viso.group. No sales pitch, no commitment — just a clear picture of what's exposed. Because you can't protect what you can't see.


Jeremy Wilson is the founder of VISO Group and has spent over two decades in information security, including military service and leadership roles in corporate security programs. He builds tools that help mid-market companies defend themselves against threats that used to require enterprise budgets.
