Most Swiss companies do not fully understand their own digital attack surface. Forgotten subdomains, cloud resources outside IT control and Shadow IT create blind spots that attackers exploit systematically. In this article, we explain what External Attack Surface Management (EASM) means, why the external attack surface is growing faster than security budgets and which concrete steps CISOs and boards should prioritise now.
📑 Contents
What is External Attack Surface Management? · Your digital attack surface has blind spots: Shadow IT, cloud and forgotten assets · Swiss threat landscape: figures and incidents · How EASM makes the digital attack surface visible · Why classic Vulnerability Management no longer suffices · Recommendations for CISOs and boards · Frequently asked questions
What is External Attack Surface Management? Definition and context
External Attack Surface Management (EASM for short) is the approach of continuously identifying, classifying and monitoring a company’s digital attack surface. This includes web servers, APIs, cloud instances, mail gateways, VPN access, subdomains, IP ranges and, increasingly, IoT devices. The key point is that EASM works from the outside, meaning from the perspective of a potential attacker. Consequently, it also uncovers assets that internal IT may not even know exist.
Unlike classic Vulnerability Management, which scans known systems, EASM answers a more fundamental question: Which digital infrastructure does my company actually have, and which parts are exposed? At a time when companies constantly expand their IT landscape through cloud migration, acquisitions and decentralised teams, this question matters more than ever.

The external attack surface includes everything an attacker can see from the internet
Why EASM is relevant for every Swiss company
Switzerland is among the most connected economies in the world. Financial services, pharma and industrial companies, the public sector and a vibrant SME landscape run an ever more complex digital infrastructure. At the same time, Switzerland recorded the highest percentage increase in cyberattacks worldwide in Q1 2025, according to Check Point: +113% year on year, with an average of 1’279 attacks per week and organisation.
The equation is simple: the larger and less controlled the digital attack surface, the more entry points are available to attackers. EASM makes these entry points visible before they are exploited.
Your digital attack surface has blind spots: Shadow IT, cloud and forgotten assets
The biggest challenge in understanding your digital attack surface is not securing known systems. Rather, it is finding the unknown ones. In almost every organisation, digital assets exist outside formal IT control. The causes vary, yet the consequences are consistent: every unknown asset is a potential entry point and increases your cyber risk.
Shadow IT: when business units build their own infrastructure
Marketing teams that set up landing pages with cloud providers on their own. Developers who create test environments in AWS or Azure and, after the project, do not switch them off. Departments that use SaaS services without IT approval. All of this creates growing Shadow IT that never makes it into the central asset register. Studies show that, on average, companies have 30 to 40% more externally reachable assets than their IT department has documented. These “forgotten” systems are not patched and not monitored. Therefore, they are particularly vulnerable.
Cloud sprawl: misconfigurations as a persistent problem
Cloud environments in AWS, Microsoft Azure and Google Cloud Platform grow organically. New services are provisioned quickly, yet security configurations are not always implemented consistently. Publicly accessible storage buckets, exposed databases and unprotected admin interfaces are not uncommon. According to leading cloud security providers, up to 80% of security incidents in cloud environments result from misconfigurations, not from sophisticated attack methods. Consequently, the attacker often does not need exceptional skills. They only need to search systematically for open doors.
Forgotten and orphaned systems: legacy issues with real consequences
Mergers, acquisitions and reorganisations leave digital traces. Old webshops, retired portals, test servers from migration projects and domains of former subsidiaries often remain active for years, while no one takes responsibility. In addition, SSL certificates expire and trigger browser warnings, outdated CMS installations carry known vulnerabilities and API endpoints remain reachable long after a project ends. These legacy systems are particularly attractive to attackers because they typically have the lowest security maturity.
Swiss threat landscape: why you should analyse your digital attack surface now
Switzerland is in the crosshairs of international cybercriminals, and the figures speak clearly. The developments below show why controlling your digital attack surface is decisive right now.
+113% more cyberattacks in Switzerland in Q1 2025 compared with the previous year: the highest percentage increase worldwide according to Check Point Research. On average, 1’279 attack attempts per week and organisation were recorded.
222 mandatory reports to BACS in the first year of the compulsory reporting duty for critical infrastructures (since 1 April 2025). That is almost one report per day, and the true figure may well be significantly higher.
175 confirmed cyber incidents in Switzerland in 2024 alone, traceable via darknet leak sites and underground forums. The sectors most affected: consumer goods, technology, manufacturing and financial services.
58 Swiss organisations were confirmed as Ransomware victims in 2025. The most active groups in Switzerland at present are Akira, Qilin and Play.
There is a direct link to the digital attack surface. Ransomware groups and their suppliers, so-called Initial Access Brokers, deliberately search for exposed systems, open RDP access, unpatched VPN gateways and forgotten web applications. An uncontrolled digital attack surface is not a theoretical weakness. Instead, it is the most common entry point in real incidents.
A striking example of the consequences of insufficient external control is the Xplain incident of 2023. At the Bern-based IT service provider for federal authorities, 1.3 million files were stolen by the Play Ransomware group. 65’000 documents concerned the federal administration, including classified material. The incident triggered a comprehensive review of all federal IT supplier contracts and, moreover, it caused lasting damage to trust.
How EASM makes the digital attack surface visible: from discovery to prioritisation
Modern External Attack Surface Management works in four consecutive phases. Together, they form a continuous cycle that makes the digital attack surface visible, assessable and manageable.
Phase 1, discovery: EASM solutions scan the entire internet for assets that can be attributed to your company. This includes DNS records, WHOIS data, SSL certificates, IP ranges, cloud services and public code repositories. Crucially, they also find assets that are not in the official inventory, for instance via reverse DNS lookups, certificate transparency logs and machine learning-based attribution.
Phase 2, inventory and attribution: All discovered assets are assigned to the organisation, categorised (web server, mail gateway, API, IoT, etc.) and inventoried. Advanced solutions also identify cloud providers, hosting locations and technical dependencies.
Phase 3, risk assessment and prioritisation: Each asset is assessed based on its exposure. Are there known vulnerabilities? Is software outdated? Are configurations incorrect? Are security standards met? This assessment is enriched with a form of Threat Intelligence, meaning whether an attack vector is currently exploited in the wild. Afterwards, you can prioritise by business criticality.
Phase 4, monitoring and alerting: The digital attack surface changes every day. Therefore, EASM runs continuously and alerts you to new exposures, changes in risk ratings or the appearance of assets in threat contexts (for example on darknet marketplaces or in Infostealer logs).
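The four phases above, reduced to a runnable sketch of phases 1 to 3 (discovery, attribution and categorisation, risk scoring). This is an added example and not code from the article or from any EASM product; it assumes a fictional organisation example-ag.ch, RFC 5737 documentation IP ranges, constructed certificate-transparency, DNS, reverse-DNS and banner records, placeholder threat-intelligence entries and a hypothetical weighting scheme. The point it makes that the text only states: the host that ends up ranked highest (an actively exploited VPN gateway) would be found by a classic scan, but the orphaned portal that only reverse DNS reveals and the expired, cloud-hosted staging API with an open admin interface would not, because they are missing from the inventory.

```python
from datetime import date
import ipaddress

# ---- Assumed organisation context (example-ag.ch is fictional) ----
ORG_DOMAINS = ("example-ag.ch",)
ORG_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]   # RFC 5737 documentation range
TODAY = date(2025, 10, 1)
BUSINESS_CRITICALITY = {"vpn.example-ag.ch": 5, "www.example-ag.ch": 4, "shop.example-ag.ch": 4}
DEFAULT_CRITICALITY = 2
# Placeholder threat intel: (product, version) pairs reported as exploited in the wild
ACTIVELY_EXPLOITED = {("legacy-vpn", "9.0"), ("wordpress", "5.8")}
WEIGHTS = {  # hypothetical finding weights; real tools use richer models
    "actively exploited software version": 3,
    "hosted outside known netblocks": 2,
    "admin interface reachable": 2,
    "orphaned: only visible via reverse DNS": 2,
    "expired certificate": 1,
}

# ---- Constructed external data sources (the same things an attacker can collect) ----
CT_LOG = [  # certificate transparency entries: subject names and expiry
    {"names": ["www.example-ag.ch", "example-ag.ch"], "not_after": date(2026, 9, 1)},
    {"names": ["staging-api.example-ag.ch"], "not_after": date(2024, 12, 1)},  # expired
    {"names": ["shop.example-ag.ch"], "not_after": date(2026, 2, 1)},
    {"names": ["cdn.other-company.ch"], "not_after": date(2026, 1, 1)},        # not ours
]
DNS_A = {  # forward lookups
    "www.example-ag.ch": "203.0.113.10",
    "staging-api.example-ag.ch": "198.51.100.77",   # cloud host outside the known netblocks
    "shop.example-ag.ch": "203.0.113.55",
    "vpn.example-ag.ch": "203.0.113.5",
}
PTR = {  # reverse lookups over the netblock surface a host no DNS zone mentions any more
    "203.0.113.5": "vpn.example-ag.ch",
    "203.0.113.90": "old-portal.example-ag.ch",
}
SERVICES = {  # banner fingerprints per host
    "www.example-ag.ch": {"product": "nginx", "version": "1.26"},
    "staging-api.example-ag.ch": {"product": "express", "version": "4.17", "admin_panel_open": True},
    "shop.example-ag.ch": {"product": "wordpress", "version": "5.8"},
    "vpn.example-ag.ch": {"product": "legacy-vpn", "version": "9.0"},
    "old-portal.example-ag.ch": {"product": "apache", "version": "2.2"},
}


def belongs_to_org(hostname: str) -> bool:
    """Phase 2 attribution by domain suffix (products add WHOIS, issuer and ML signals)."""
    return any(hostname == d or hostname.endswith("." + d) for d in ORG_DOMAINS)

def discover() -> set:
    """Phase 1: merge hostnames from CT logs, DNS and reverse DNS, keep those attributed to us."""
    found = set()
    for entry in CT_LOG:
        found.update(entry["names"])
    found.update(DNS_A)
    found.update(PTR.values())
    return {h for h in found if belongs_to_org(h)}

def classify(hostname: str) -> str:
    """Phase 2 categorisation from naming and fingerprint."""
    product = SERVICES.get(hostname, {}).get("product", "")
    if "vpn" in hostname or "vpn" in product:
        return "vpn"
    if "api" in hostname:
        return "api"
    if product in ("nginx", "apache", "wordpress"):
        return "web"
    return "unknown"

def assess(hostname: str) -> dict:
    """Phase 3: collect exposure findings and weight them by business criticality."""
    reasons = []
    svc = SERVICES.get(hostname, {})
    ip = DNS_A.get(hostname) or next((a for a, h in PTR.items() if h == hostname), None)
    if ip and not any(ipaddress.ip_address(ip) in net for net in ORG_NETBLOCKS):
        reasons.append("hosted outside known netblocks")
    if any(hostname in e["names"] and e["not_after"] < TODAY for e in CT_LOG):
        reasons.append("expired certificate")
    if (svc.get("product"), svc.get("version")) in ACTIVELY_EXPLOITED:
        reasons.append("actively exploited software version")
    if svc.get("admin_panel_open"):
        reasons.append("admin interface reachable")
    if hostname in PTR.values() and hostname not in DNS_A:
        reasons.append("orphaned: only visible via reverse DNS")
    criticality = BUSINESS_CRITICALITY.get(hostname, DEFAULT_CRITICALITY)
    return {"host": hostname, "category": classify(hostname), "criticality": criticality,
            "score": sum(WEIGHTS[r] for r in reasons) * criticality, "reasons": reasons}

def prioritised() -> list:
    """Worklist ordered by weighted score (ties come out in arbitrary order)."""
    return sorted((assess(h) for h in discover()), key=lambda a: -a["score"])

if __name__ == "__main__":
    for asset in prioritised():
        print(f"{asset['score']:>3}  {asset['category']:<8} {asset['host']}  {', '.join(asset['reasons'])}")
```

The scoring deliberately multiplies findings by business criticality rather than adding them, so an exploited version on the VPN gateway outranks the same class of finding on a low-value test host; this is the "prioritise by business criticality" step of phase 3 and the reason EASM output is a worklist rather than a raw vulnerability list.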
The value of this approach lies in its outside perspective. EASM does not show how you see your own IT. Instead, it shows how an attacker sees your digital attack surface. For strategic cyber risk steering, this perspective is indispensable.
Why classic Vulnerability Management no longer suffices
Many companies rely on established security processes: regular vulnerability scans, Penetration Tests and patch management. These instruments remain important. However, they have a structural blind spot: they can only check what they already know.
Classic approaches vs EASM: four decisive differences
Scope: Classic Vulnerability Management scans defined IP ranges and hosts. EASM searches the entire internet for your organisation and also discovers unknown assets.
Perspective: Vulnerability scanners work internally (inside-out). EASM works externally (outside-in), meaning from the attacker’s perspective.
Frequency: Penetration Tests typically take place at longer, fixed intervals. EASM monitoring runs continuously, meaning daily or in real time.
Coverage: Internal tools only capture managed infrastructure. EASM also covers Shadow IT, cloud resources without central integration, M&A legacy issues and externally hosted services.
This does not mean EASM replaces classic security tools. Instead, it adds a crucial dimension: full visibility of your company’s external digital attack surface. Only when a company knows which assets are exposed can it prioritise effectively and protect the most critical ones first.
Recommendations for CISOs and boards
Controlling the digital attack surface is not purely a technical task. It affects governance, budget decisions and the question of how a company steers cyber risk strategically. The measures below should therefore be prioritised by decision-makers now.
Recommended measures: from inventory to board-level integration
1) Capture the external digital attack surface in full for the first time: Run an initial EASM discovery. Compare the results with your known asset inventory. The difference, meaning how many externally reachable systems were previously unknown compared with those already documented, provides a first indicator of the scale of the problem.
2) Address Shadow IT and cloud systematically: Establish a process in which new cloud resources are provisioned only with central registration. Involve business units. However, do so not as a controlling authority, but as a partner for secure self-service. EASM tools help uncover existing Shadow IT and monitor it continuously.
3) Prioritise risks, not just lists: Not every exposure is equally critical. Use solutions that prioritise vulnerabilities in context, based on asset criticality, active exploitability and Threat Intelligence. This way, you reduce alert fatigue and focus resources on what matters.
4) Continuous monitoring instead of point-in-time audits: The digital attack surface changes daily. Annual Penetration Tests and quarterly scans are no longer sufficient. Invest in continuous EASM monitoring that detects and reports changes in real time.
5) Make the attack surface a board topic: Use EASM data and Security Ratings to describe the cyber risk situation to the board in clear language. Metrics such as the number of exposed assets, changes in risk ratings over time and industry benchmarking enable informed decisions at leadership level.
6) Prepare for reporting duties: Since 1 April 2025, Switzerland has a 24-hour reporting duty for cyberattacks on critical infrastructures. Full visibility of your digital attack surface is a prerequisite for detecting incidents quickly, classifying them correctly and reporting within the deadline.
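Phase 4 (continuous monitoring and alerting) and recommendations 1, 4 and 5 above share one mechanism: keep each discovery run as a dated snapshot, reconcile it against the asset register, alert only on what changed, and roll the results up into a few figures for leadership. The following is an added example and not code from the article or from any EASM product; it assumes the fictional example-ag.ch, a constructed CMDB export, two constructed monthly snapshots of weighted risk scores (the kind of score an EASM tool would produce in phase 3) and an assumed escalation threshold.

```python
HIGH_RISK = 8   # assumed score threshold above which an exposure is escalated

# Constructed CMDB export: what IT believes its external estate is (example-ag.ch is fictional)
KNOWN_INVENTORY = {"www.example-ag.ch", "vpn.example-ag.ch", "mail.example-ag.ch",
                   "shop.example-ag.ch", "intranet.example-ag.ch"}

# Constructed EASM snapshots: discovery date -> {host: weighted risk score}
SNAPSHOTS = {
    "2025-09-01": {"www.example-ag.ch": 0, "vpn.example-ag.ch": 3, "shop.example-ag.ch": 12,
                   "mail.example-ag.ch": 2, "old-portal.example-ag.ch": 4},
    "2025-10-01": {"www.example-ag.ch": 0, "vpn.example-ag.ch": 15, "shop.example-ag.ch": 12,
                   "mail.example-ag.ch": 2, "old-portal.example-ag.ch": 4,
                   "staging-api.example-ag.ch": 10},
}


def reconcile(discovered, known=KNOWN_INVENTORY) -> dict:
    """Recommendation 1: compare a discovery run with the asset register."""
    discovered = set(discovered)
    unknown = discovered - known
    return {
        "exposed": len(discovered),
        "unknown": sorted(unknown),
        "unknown_ratio": round(len(unknown) / len(discovered), 3) if discovered else 0.0,
        # inventoried but not reachable from outside: normal for internal-only systems
        "inventoried_not_exposed": sorted(known - discovered),
    }

def diff_snapshots(previous, current, known=KNOWN_INVENTORY, threshold=HIGH_RISK) -> list:
    """Phase 4: alert on what changed between two runs instead of re-reporting the whole list."""
    alerts = []
    for host, score in current.items():
        if host not in previous:
            kind = "new_asset" if host in known else "unknown_asset"
            alerts.append({"type": kind, "host": host, "score": score})
        elif score >= threshold > previous[host]:
            alerts.append({"type": "risk_crossed_threshold", "host": host,
                           "from": previous[host], "to": score})
    for host in previous.keys() - current.keys():
        alerts.append({"type": "asset_gone", "host": host})
    return alerts

def board_metrics(snapshots=SNAPSHOTS, known=KNOWN_INVENTORY, threshold=HIGH_RISK) -> list:
    """Recommendation 5: a short time series a board can read without technical detail."""
    rows = []
    for day in sorted(snapshots):
        snap = snapshots[day]
        rows.append({"date": day, "exposed_assets": len(snap),
                     "high_risk": sum(1 for s in snap.values() if s >= threshold),
                     "unknown_to_it": len(set(snap) - known)})
    return rows

if __name__ == "__main__":
    days = sorted(SNAPSHOTS)
    print("Reconciliation:", reconcile(SNAPSHOTS[days[-1]]))
    for alert in diff_snapshots(SNAPSHOTS[days[-2]], SNAPSHOTS[days[-1]]):
        print("ALERT", alert)
    for row in board_metrics():
        print(row)
```

Two details matter for alert fatigue (recommendation 3): a host whose score stays above the threshold between runs does not alert again, and an asset that newly appears is labelled differently depending on whether the register already knows it, so the "unknown asset appeared" case, the one that indicates Shadow IT, stands out from routine provisioning.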
Conclusion
Your company’s digital attack surface is, in all likelihood, larger than you assume. Shadow IT, cloud sprawl and orphaned systems create blind spots that attackers deliberately seek out and exploit. In a Switzerland that saw the strongest rise in cyberattacks worldwide in 2025, and where regulatory requirements tightened noticeably through mandatory reporting, controlling the external digital attack surface is not optional. It is necessary.
External Attack Surface Management provides the outside perspective that classic security tools cannot offer. It makes visible what attackers see and, therefore, enables well-founded, prioritised decisions at CISO and board level.
Get to know your external attack surface
Do you want to understand how large your real external digital attack surface is, and where the biggest risks lie? As a consulting partner for cyber risk intelligence, we support you with an initial EASM analysis, an assessment of your exposure and the development of a sustainable monitoring strategy.
🎯 Key takeaways for decision-makers
Summary for boards, executive management and CISO:
✓ Digital attack surface is larger than expected: 30 to 40% of externally reachable assets are typically unknown to internal IT.
✓ Switzerland in focus: +113% more cyberattacks in Q1 2025, 222 mandatory reports in the first year of the BACS reporting duty, 58 confirmed Ransomware victims in 2025.
✓ EASM complements, it does not replace: External Attack Surface Management closes the gap left by classic Vulnerability Management and pentesting.
✓ Continuous instead of occasional: Annual audits are no longer sufficient, because the digital attack surface changes daily.
✓ A board-level topic: EASM data and Security Ratings create a shared language between IT security and corporate leadership.
Frequently asked questions: FAQ on External Attack Surface Management
What is External Attack Surface Management (EASM)?
External Attack Surface Management is the continuous discovery, inventorying and monitoring of all digital assets of a company that are reachable from the internet. EASM works from the attacker’s perspective and also uncovers unknown systems such as Shadow IT, forgotten subdomains and cloud resources, and assesses their risk.
What is the difference between EASM and classic Vulnerability Management?
Vulnerability Management scans known, managed systems for vulnerabilities. EASM goes one step further: it first discovers all externally reachable assets, including the unknown ones, and assesses their risk. EASM complements Vulnerability Management with the outside-in perspective and, consequently, closes a critical gap in the security architecture.
Is EASM also relevant for Swiss SMEs?
Yes. In fact, SMEs often have a surprisingly large digital attack surface, which they must monitor with limited IT resources. Swiss SMEs are increasingly targeted by Ransomware attacks because attackers expect weaker protective measures in smaller organisations. EASM enables you to identify the largest exposures with reasonable effort and address them in a targeted way.
How are EASM and Swiss reporting obligations connected?
Since 1 April 2025, operators of critical infrastructures must report cyberattacks to BACS within 24 hours. Full visibility of your own digital attack surface is a prerequisite for detecting incidents quickly, classifying them correctly and reporting within the deadline. Without EASM, the basis for effective incident detection is often missing, especially when affected assets were unknown to IT.