
Attack Surface Management (ASM) tools promise to reduce risk. What they provide is usually more information.
As security teams deploy ASM, their asset inventory increases, alerts start flowing, and dashboards fill up. There are visible activities and measurable outcomes. But when leaders ask a simple question, “Will this reduce incidents?” the answer is often unclear.
This gap between effort and results is at the heart of the ROI problem in attack surface management, especially when ROI is primarily measured by asset count rather than risk reduction.
Promise and proof
Most ASM programs are built on the rational idea that you can’t protect something you don’t know exists. As a result, teams will focus on discovering things like domains and subdomains, IPs and cloud resources, third-party infrastructure, and temporary or short-lived assets.
As time passes, the count increases. Dashboards grow. Coverage improves.
However, none of these metrics directly answer whether an organization is actually secure. Teams often get busier without feeling less exposed.
Why ASM feels busy but ineffective
ASM tends to optimize coverage because it is easier to measure coverage: more assets discovered, more changes detected, more alerts generated. Each feels like progress.
However, they primarily measure inputs rather than outcomes.
In practice, teams experience:
- Alert fatigue
- A growing backlog of "known but unresolved" assets
- Repeated confusion over ownership
- Exposures that last for months
The work is real. Risk reduction is less visible.
The measurement gap
One reason ASM ROI is difficult to prove is because most attack surface metrics focus on what the system can see, rather than what the organization actually improves.
Common attack surface management metrics include:
- Number of assets
- Number of changes
More meaningful attack surface metrics are rarely tracked:
- How quickly risky assets get an owner
- How long exposures last
- Whether attack vectors actually shrink over time
Asset inventory remains the basis for measuring the external attack surface. Without broad discovery, it is impossible to understand exposure at all. The gap appears when discovery metrics are not paired with measurements that show whether risk is actually being reduced.
Without results-oriented measurement, ASM will be difficult to adhere to during budget reviews, even if everyone agrees that asset visibility is necessary.
What would a meaningful ROI look like?
Rather than asking, “How many assets have we discovered?” a more useful question is, “How much faster and safer were we in dealing with exposure?”
This reframing shifts the ROI question from visibility to response quality and exposure duration, which correlate far more closely with real-world risk.
Three outcome metrics that really matter
1. Average time to asset ownership
How long does it take to answer the basic question, “Who owns this?”
Assets without clear ownership:
- Persist for a long time
- Get patched later
- Are likely to be forgotten entirely
Reducing the time to ownership shortens the period during which risk exists without accountability. This is one of the clearest signs that ASM findings are being translated into action.
2. Reducing unauthenticated state-changing endpoints
Not all assets are equally important.
Tracking the number of external endpoints that can change state, the number of external endpoints that require authentication, and how those numbers change over time provides a stronger signal of whether the attack surface is shrinking in important areas.
An environment with thousands of static assets but few unauthenticated state-changing paths is significantly more secure than an environment with fewer assets but many dangerous entry points.
3. Time until decommissioning after loss of ownership
Exposure often continues after:
- Team changes
- Application retirement
- Vendor migrations
- Reorganizations
Measuring how quickly an asset is retired after its ownership ceases is one of the strongest indicators of long-term health, yet one of the least commonly tracked.
Discovery alone will not reduce the risk if abandoned assets persist indefinitely.
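As an added illustration, not code from the article or from Sprocket Security, the three outcome metrics above computed over a small constructed inventory; the asset names, dates and flags are invented, and the exposure-delta helper is an assumption about how a quarter-over-quarter comparison would be built:

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Asset:
    """One external asset as an ASM inventory might record it; None = not yet happened."""
    name: str
    discovered: date
    owned: Optional[date]          # date an owner was assigned
    owner_lost: Optional[date]     # date the owning team dissolved or moved on
    decommissioned: Optional[date]
    state_changing: bool           # accepts requests that change state
    authenticated: bool            # those requests require authentication

# Constructed sample inventory (invented names and dates).
INVENTORY = [
    Asset("api.example.test",    date(2024, 1, 5),  date(2024, 1, 7),  None,             None,              True,  True),
    Asset("legacy.example.test", date(2024, 1, 5),  date(2024, 2, 20), date(2024, 4, 1), date(2024, 4, 30), True,  False),
    Asset("forms.example.test",  date(2024, 2, 1),  None,              None,             None,              True,  False),
    Asset("cdn.example.test",    date(2024, 2, 10), date(2024, 2, 11), date(2024, 3, 1), None,              False, False),
]

def days(a: date, b: date) -> int:
    return (b - a).days

def mean_time_to_ownership(assets, as_of: date) -> dict:
    """Metric 1: days from discovery to an assigned owner, plus the still-unowned backlog and its age."""
    owned = [days(a.discovered, a.owned) for a in assets if a.owned]
    unowned = {a.name: days(a.discovered, as_of)
               for a in assets if a.owned is None and a.decommissioned is None}
    return {"mean_days": mean(owned) if owned else None, "unowned_age_days": unowned}

def unauth_state_changing(assets, as_of: date) -> list:
    """Metric 2: endpoints live on as_of that change state without authentication."""
    return sorted(a.name for a in assets
                  if a.state_changing and not a.authenticated
                  and a.discovered <= as_of
                  and (a.decommissioned is None or a.decommissioned > as_of))

def exposure_delta(assets, previous: date, current: date) -> int:
    """Change in the metric-2 count between two snapshots; negative means the dangerous surface shrank."""
    return len(unauth_state_changing(assets, current)) - len(unauth_state_changing(assets, previous))

def time_to_decommission(assets, as_of: date) -> dict:
    """Metric 3: days from losing an owner to retirement, plus orphaned assets still live and their age."""
    retired = [days(a.owner_lost, a.decommissioned) for a in assets if a.owner_lost and a.decommissioned]
    orphaned = {a.name: days(a.owner_lost, as_of)
                for a in assets if a.owner_lost and a.decommissioned is None}
    return {"mean_days": mean(retired) if retired else None, "orphaned_age_days": orphaned}
```

Run against a real inventory, the interesting output is the unowned and orphaned dictionaries and the sign of the exposure delta, not the asset count.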
What actually happens
Abstract metrics are easy to agree on but hard to operationalize. The goal is not a new dashboard or a different set of alerts, but a change in what is visible: ownership gaps, exposure duration, and unresolved risks that otherwise blend into the asset count.

Rather than emphasizing the total number of assets, this view reveals:
- Which assets are owned
- Which are still unowned
- How long ownership has been unknown
The goal is faster resolution, not more alerts.
Turn ASM into a control
ASM programs don’t struggle for lack of team effort. They struggle because that effort is not consistently connected to the results leadership values.
By reframing ROI around velocity, ownership, and exposure duration, it becomes possible to demonstrate real progress even if the raw asset count never changes. Often the most meaningful wins come from making the attack surface boring again.
A concrete starting point
One way to pressure test results-based ASM metrics is to make asset visibility widely accessible across teams, rather than gated behind a tool silo. We find that when engineering, security, and infrastructure teams can see ownership gaps and exposure periods, resolution is faster without additional alerts.
With this idea, we decided to release the community edition of the ASM platform, exposing asset discovery and ownership visibility without cost or limitations. The goal is not to replace existing tools, but to provide teams with a way to measure whether exposure is actually decreasing over time.
If you want to pressure test the ROI of your ASM program, try the following. Ignore the number of assets you own.
Instead, ask:
- How long do risky assets remain unowned?
- How many unauthenticated state-changing paths exist today compared to last quarter?
- How quickly do abandoned assets disappear?
If these answers are not improving, discovering more assets will not change the outcome.
Bottom line: Measuring what actually changes risk
Attack surface management becomes defensible when it is measured not only by what accumulates, but also by what changes. Discovery is always important. Visibility is always important when measuring your attack surface. However, neither guarantees that exposure is decreasing, only that exposure is being observed.
The ROI of attack surface management shows up when at-risk assets are assigned an owner sooner, dangerous vectors disappear faster, and abandoned infrastructure does not linger indefinitely. An asset inventory provides the necessary coverage. Results-oriented metrics provide the depth needed to understand real risk mitigation.
At Sprocket Security, we think about attack surface management not only in terms of the number of assets present, but also in terms of how long meaningful exposures last and how quickly they can be resolved. Most importantly, progress is visualized through attack surface metrics, not just inventory growth.

If your attack surface management program can’t answer whether your exposure is shrinking over time, it’s hard to argue that you’re doing anything more than reporting the problem.
Note: This article was professionally written and contributed by Topher Lyons, Solutions Engineer at Sprocket Security.
