What Attack Surface Management actually does
Attack Surface Management (ASM) is what every CISO has always wanted: a continuously updated map of every internet-facing asset that an adversary might find, plus continuous monitoring for changes.
Most enterprises think they have a complete asset inventory. They don't. The reasons:
- Shadow IT — marketing or sales teams spin up subdomains for campaigns
- Acquired entities — security teams inherit unknown assets
- Forgotten dev/staging environments — created during projects, never decommissioned
- Cloud sprawl — multi-account growth across departments
- Vendor SaaS — sub-processors that handle company data
- Third-party DNS / certificates — legacy from agency relationships
What Bachao.AI's ASM covers
External attack surface discovery:
- Subdomain enumeration via passive DNS + certificate transparency logs
- IP block discovery (legitimate ASN ownership + cloud ranges)
- Port scanning for exposed services
- Web application discovery + technology fingerprinting
- SSL/TLS certificate inventory
- DNS record change detection
- Dark web monitoring for company email + employee credentials
- Code repository monitoring for leaked secrets
- Pastebin / leak site monitoring
- Stealer log monitoring (for credentials harvested by infostealers)
- Sub-processor inventory tracking
- Third-party vendor security posture
- Public security incidents at known vendors
- Vendor SaaS configuration drift
- New asset discovery alerts
- Configuration changes on existing assets
- Service exposure changes (new open ports)
- Certificate expiry warnings
- DNS hijacking patterns
Discovery output
A typical first ASM discovery report includes:
- Assets you knew about: typically 60–80%
- Assets you didn't know about: typically 20–40%
- Critical exposures you didn't know about: typically 3–8 critical findings
- 41 subdomains active, 17 not in the customer's inventory
- 3 forgotten staging environments with weak authentication
- 1 production database publicly accessible (legacy from cloud migration)
- 6 employee credentials on dark web (4 still valid)
- 2 sub-processors with active security incidents
- 8 SSL certificates expiring in the next 30 days (3 unmanaged)
The engagement
Month 0 — Onboarding (2 weeks):
- Asset inventory baseline established
- Discovery scan baseline
- Alert routing configured (Slack + email + Jira)
- Initial findings triage workshop with customer's security team
- 24×7 discovery scanning
- Daily new-asset and change alerts
- Weekly digest report
- Monthly review call
- Quarterly executive summary
- Critical findings escalated within 4 hours
- Bachao.AI security team available for triage support
- Remediation guidance per finding
Pricing
| Tier | Monthly fee |
|---|---|
| Startup (single brand, <500 assets) | ₹1.5L |
| Growth (multi-brand, <2,000 assets) | ₹3L |
| Enterprise (multi-brand, multi-region, <10,000 assets) | ₹5L |
| Custom | Quote |
What you receive
- Continuously updated asset inventory dashboard
- Real-time alerts for new assets, changes, exposures
- Weekly digest of all activity
- Monthly executive report
- Findings triaged before reaching your team
When ASM bundles with other services
Many Bachao.AI ASM customers combine it with:
- MSSP — ASM-discovered assets get monitoring coverage automatically
- vCISO — ASM findings feed into the quarterly risk register
- VAPT — ASM scope drives VAPT engagement scope
How to start
An ASM engagement starts with a 60-minute scoping call. We confirm scope (brands, regions, asset classes), tier selection, and alert routing. Onboarding starts within 1 week of contract.
