Attack surface

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

The attack surface of a system is the set of all points where an unauthorized party could try to enter data, extract data, or take control of software or devices in an environment. Keeping this surface as small as possible is a basic security goal.

As organizations use more digital tools, the attack surface grows and can change quickly. It includes websites, cloud apps, mobile apps, and the networks that connect them, as well as partners, suppliers, and other parts of the digital ecosystem. Different organizations have different attack surfaces, and the surface is made up of many small, connected pieces that sit on the internet and inside organizational networks. Third parties and the digital supply chain also add to what needs protection.

There are three steps to understanding and visualizing an attack surface:
- Step 1: Visualize. Map out all devices, paths, and networks in the system.
- Step 2: Find indicators of exposure. Look for signs like missing security controls.
- Step 3: Find indicators of compromise. Look for signs that an attack has already succeeded.

To improve security, common strategies aim to reduce the attack surface:
- Reduce the amount of code that runs in the environment.
- Reduce entry points available to untrusted users.
- Eliminate services that few users need.

By having less code and fewer active features, there are fewer chances for security failures. However, reducing the attack surface does not eliminate all risk and cannot completely prevent damage if a vulnerability is exploited.
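As an added illustration that is not part of the Wikipedia article, the following Python script walks the three steps above (visualize, find indicators of exposure, find indicators of compromise) and then applies the reduction strategies to a small inventory. Every host name, port, usage figure and the listener-scan result are constructed sample data; the `Service` model, the `min_users` threshold and the rule "an internet-facing service without authentication or encryption is an indicator of exposure" are assumptions made for the example.

```python
# Added worked example (not from the Wikipedia article): a toy attack-surface
# inventory. All hosts, ports, usage counts and scan results are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str
    internet_facing: bool   # reachable from outside the organization's network
    requires_auth: bool     # an authentication control is in place
    encrypted: bool         # traffic is protected in transit
    monthly_users: int      # constructed usage figure from the hypothetical inventory

    @property
    def label(self) -> str:
        return f"{self.host}:{self.port}/{self.name}"


# Step 1 (visualize): constructed inventory of every listening service.
INVENTORY = [
    Service("web-01", 443, "https", True, True, True, 12000),
    Service("web-01", 80, "http", True, False, False, 12000),
    Service("db-01", 5432, "postgres", True, True, False, 3),
    Service("files-01", 21, "ftp", False, False, False, 0),
    Service("admin-01", 22, "ssh", False, True, True, 6),
    Service("legacy-01", 23, "telnet", True, True, False, 1),
]

# Constructed result of a listener scan of the same hosts, as (host, port) pairs.
OBSERVED_LISTENERS = {
    ("web-01", 443), ("web-01", 80), ("db-01", 5432), ("files-01", 21),
    ("admin-01", 22), ("legacy-01", 23),
    ("web-01", 4444),  # constructed: a listener nobody recorded in the inventory
}


def entry_points(inventory):
    """Step 1: the services an untrusted user on the internet can reach."""
    return [s.label for s in inventory if s.internet_facing]


def indicators_of_exposure(inventory):
    """Step 2: internet-facing services missing a basic control."""
    findings = []
    for s in inventory:
        if not s.internet_facing:
            continue
        if not s.requires_auth:
            findings.append((s.label, "no authentication"))
        if not s.encrypted:
            findings.append((s.label, "no encryption in transit"))
    return findings


def indicators_of_compromise(inventory, observed):
    """Step 3: a listener the inventory does not know about is a sign that
    someone other than the owner may have opened it; it needs investigation."""
    known = {(s.host, s.port) for s in inventory}
    return sorted(observed - known)


def reduce_surface(inventory, min_users=5):
    """Reduction strategy: eliminate services that few users need.
    Returns the inventory that remains after removal."""
    return [s for s in inventory if s.monthly_users >= min_users]


def summary(inventory=INVENTORY, observed=OBSERVED_LISTENERS, min_users=5):
    """Run all steps and report entry-point counts before and after reduction."""
    reduced = reduce_surface(inventory, min_users)
    return {
        "entry_points_before": len(entry_points(inventory)),
        "exposure_findings": len(indicators_of_exposure(inventory)),
        "unexpected_listeners": indicators_of_compromise(inventory, observed),
        "removed": [s.label for s in inventory if s not in reduced],
        "entry_points_after": len(entry_points(reduced)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Removing the three rarely used services halves the number of internet-reachable entry points, but the unexpected listener on `web-01` shows why step 3 is still needed: a smaller surface says nothing about whether an intrusion has already happened.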


This page was last edited on 3 February 2026, at 19:17 (CET).