IT Brief Australia - Technology news for CIOs & IT decision-makers
Qualys study calls for unified attack surface management

Mon, 22nd Jun 2026
Mark Tarre, News Chief

Qualys has sponsored new research on how organisations are using Attack Surface Management. The study, authored by SANS Principal Instructor Chris Dale, draws on responses from more than 200 cybersecurity professionals.

The findings suggest a shift away from fragmented, reactive security practices towards more integrated risk management. Respondents want Attack Surface Management, or ASM, embedded in routine operations rather than treated as a separate monitoring function.

As companies spread data and systems across cloud services, software-as-a-service applications, endpoints, and third-party suppliers, the number of assets exposed to attack has grown. The research suggests this expansion is driving demand for tools that connect asset discovery, risk prioritisation, and remediation in a single workflow.

Visibility gaps

One of the clearest messages from the survey was dissatisfaction with disconnected security tools. More than half of respondents, 55%, said they expect ASM platforms to protect internal and external assets at the same time, while 37% want better visibility into external exposures.

Only 28% said their current ASM platform effectively identifies sensitive files across the environment. That suggests many organisations still lack a full picture of where critical data sits and how it may be exposed.

Security teams have often managed internal networks and external-facing systems separately. The research indicates that approach is becoming harder to sustain as cloud use and reliance on outside providers expand the number of assets accessible from beyond the organisation.

Operational pressure

The report also highlights a growing expectation that ASM should support day-to-day risk operations rather than simply generate alerts. Respondents indicated that frequent monitoring and direct remediation guidance matter more as attack surfaces change quickly.

Some 59% of organisations said they require daily scanning of their environments. A larger share, 67%, expect ASM platforms to provide mitigation recommendations for exploitable vulnerabilities, while 58% prefer a hybrid operating model that combines manual and automated work.

These figures suggest security teams are looking for a balance between automation and human oversight. They also reflect the practical challenge of keeping up with newly discovered assets, misconfigurations, and vulnerabilities without relying solely on periodic checks and handoffs between teams.

Risk in business terms

The survey found that technical severity scores alone no longer satisfy many organisations. Respondents want risk quantification that senior leaders can understand and use to direct spending and remediation efforts.

Among those surveyed, 89% expect their ASM platforms to provide measurable risk quantification. Another 35% want current information on vulnerabilities across their environment, and 30% want ASM tools to prevent exploitation of exfiltrated data.

That points to a broader shift in how security teams are expected to explain their work within businesses. Boards and executive teams increasingly want evidence of impact, prioritised recommendations, and reporting that ties cyber risk to business outcomes rather than a high volume of alerts.

The research was sponsored by Qualys, which sells cloud-based information technology, security, and compliance products. Qualys used the findings to argue that organisations need operating models that combine visibility, prioritisation, and response across the attack surface.

"Continuous visibility, business-contextual prioritisation, and intelligent agentic AI-powered autonomous response are becoming essential for managing modern attack surfaces at scale. The findings reinforce the growing need for operational models like the AI-native Risk Operations Centre (ROC), which help organisations continuously identify, prioritise, and autonomously reduce the risks that matter most by providing a unified overview of the entire attack surface," said Kunal Modasiya, Senior Vice President - Product, GTM and Growth, Qualys.