I authored a Qualys-sponsored study on attack surface management, surveying more than 200 cybersecurity professionals about how they actually run ASM today. SecurityBrief Australia has now covered it in Qualys study calls for unified attack surface management.
The short version: organizations are moving away from fragmented, reactive security toward integrated risk management, and the expectations people place on an ASM platform have grown well beyond “find my external assets.”
A few of the findings that stood out:
- Visibility is still the gap. 55% expect ASM to cover internal and external assets at the same time, but only 28% say their current platform effectively finds sensitive files across their environments. 37% want better visibility into external exposures.
- The cadence is daily. 59% need daily scanning of their environment, and 67% expect the platform to hand them mitigation recommendations for exploitable vulnerabilities, not just a list of findings.
- Humans and automation, together. 58% prefer a hybrid model that combines automated coverage with manual testing. This lines up with how we run continuous penetration testing at River Security.
- Talk business, not just severity. 89% expect measurable risk quantification, and people want business-contextual reporting rather than a wall of technical severity scores.
None of this surprises me, but it is good to see it in the numbers. The theme throughout is consolidation: continuous visibility, business-contextual prioritization, and increasingly AI-driven response, brought together instead of scattered across disconnected tools.
You can read SecurityBrief’s write-up here. iTWire also covered it, framing the shift well in New SANS survey finds attack surface management is evolving from severity scores to business-aligned risk operations.