EASM Readiness Checklist

Complete inventory of all internet-facing domains, subdomains, and associated DNS records

Includes wildcard entries, parked domains, and domains inherited from acquisitions.

Visibility into every public IP address, open port, and running service

Covers IPv4 and IPv6, including assets behind CDNs and cloud load balancers.

Cloud resource tracking across all providers, including shadow IT

AWS, Azure, GCP, and smaller providers. Includes resources spun up outside IT approval.

Automatic discovery of assets from acquisitions, subsidiaries, and joint ventures

M&A activity is one of the largest sources of unknown attack surface.

Mobile app analysis covering published Android/iOS apps

Identifies hardcoded API keys, backend endpoint URLs, and debug configurations in release builds.

Monitoring for leaked employee credentials across breach databases and dark web marketplaces

Covers combo lists, credential dumps, and forum posts trading access to corporate accounts.

Scanning of public code repositories for exposed API keys and secrets

GitHub, GitLab, Bitbucket, including git history, not just current files.

Tracking credentials from stealer malware logs, paste sites, and underground forums

Stealer logs (Redline, Raccoon, Vidar) are a growing source of valid corporate credentials.

Real-time alerting when new credentials tied to your domains appear online

Speed matters: a credential leak has a short window before exploitation.

Mapping of third-party SaaS tools and vendor integrations in your external surface

Includes OAuth connections, API integrations, and embedded third-party widgets.

Monitoring your vendors' external security posture for misconfigurations

Open ports, expired certificates, and known vulnerabilities on vendor infrastructure.

Tracking third-party JavaScript, external scripts, and CDN dependencies

External scripts loaded on your web properties are a supply chain attack vector.

Awareness of which AI tools employees use with corporate data

ChatGPT, Copilot, Gemini, Claude. Each represents an unmonitored data flow to external APIs.

Monitoring for organizational data in LLM outputs and AI training datasets

Data ingested into public training sets is permanent and irrecoverable.

Scanning for exposed ML model endpoints, vector databases, and AI infrastructure

SageMaker, Vertex AI, self-hosted models, and vector DBs (Pinecone, Weaviate, Qdrant) accessible without authentication.

Assessment of AI-powered SaaS integrations for data flow and retention

CRM, support, and analytics platforms with AI features may send data to external model providers.

Centralized technology inventory covering every framework, library, and service

Every technology version on every external asset, searchable and up-to-date.

Ability to identify affected assets within hours when a new critical CVE drops

When Log4Shell hit, organizations without a tech inventory took weeks. Those with one took hours.

SSL/TLS certificate expiration monitoring, weak cipher detection, and CT log surveillance

Expired or misconfigured certificates are a common attack surface finding.

Continuous checks for misconfigured cloud storage

Open S3 buckets, Azure blobs, and GCS objects, checked continuously, not quarterly.

EASM runs continuously, not as a quarterly or annual scan

The attack surface changes daily. Point-in-time scans miss assets deployed between assessments.

Findings prioritized by exploitability and business context, not just CVSS

A CVSS 7.5 on a customer-facing API matters more than a CVSS 9.8 on an internal test server.

Alerts integrate with SIEM/SOAR, ticketing, and notification channels

Jira, ServiceNow, PagerDuty, Slack, Splunk, Sentinel. Findings should flow into existing workflows.

Attack surface metrics tracked over time and reported to leadership

Total assets, new assets, open findings, MTTR, and attack surface growth rate.