EASM READINESS CHECKLIST
========================
24-Point Assessment | easm.info
A RedHunt Labs initiative

INSTRUCTIONS
------------
Go through each item and assess whether your organization has this capability today. Each unchecked item represents a gap in your external attack surface visibility.

01. ASSET DISCOVERY
-------------------
Why it matters: You can't protect what you can't see. Asset discovery is the foundation of EASM.

[ ] Complete inventory of all internet-facing domains, subdomains, and associated DNS records
    - Includes wildcard entries, parked domains, and domains inherited from acquisitions.
[ ] Visibility into every public IP address, open port, and running service
    - Covers IPv4 and IPv6, including assets behind CDNs and cloud load balancers.
[ ] Cloud resource tracking across all providers, including shadow IT
    - AWS, Azure, GCP, and smaller providers. Includes resources spun up outside IT approval.
[ ] Automatic discovery of assets from acquisitions, subsidiaries, and joint ventures
    - M&A activity is one of the largest sources of unknown attack surface.
[ ] Mobile app analysis covering published Android/iOS apps
    - Identifies hardcoded API keys, backend endpoint URLs, and debug configurations in release builds.

02. CREDENTIAL EXPOSURE
-----------------------
Why it matters: Leaked credentials are the fastest path to compromise. Attackers check breach databases before attempting technical exploitation.

[ ] Monitoring for leaked employee credentials across breach databases and dark web marketplaces
    - Covers combo lists, credential dumps, and forum posts trading access to corporate accounts.
[ ] Scanning of public code repositories for exposed API keys and secrets
    - GitHub, GitLab, Bitbucket, including git history, not just current files.
[ ] Tracking credentials from stealer malware logs, paste sites, and underground forums
    - Stealer logs (Redline, Raccoon, Vidar) are a growing source of valid corporate credentials.
[ ] Real-time alerting when new credentials tied to your domains appear online
    - Speed matters: a leaked credential has only a short window before it is exploited.

03. THIRD-PARTY RISK
--------------------
Why it matters: Your attack surface extends to every vendor, SaaS tool, and external dependency your organization relies on.

[ ] Mapping of third-party SaaS tools and vendor integrations in your external surface
    - Includes OAuth connections, API integrations, and embedded third-party widgets.
[ ] Monitoring your vendors' external security posture for misconfigurations
    - Open ports, expired certificates, and known vulnerabilities on vendor infrastructure.
[ ] Tracking third-party JavaScript, external scripts, and CDN dependencies
    - External scripts loaded on your web properties are a supply chain attack vector.

04. AI EXPOSURE
---------------
Why it matters: AI tools are creating exposure vectors that didn't exist two years ago. Data leaks through LLMs and shadow AI adoption are rapidly expanding the attack surface.

[ ] Awareness of which AI tools employees use with corporate data
    - ChatGPT, Copilot, Gemini, Claude: each represents an unmonitored data flow to external APIs.
[ ] Monitoring for organizational data in LLM outputs and AI training datasets
    - Data ingested into public training sets is permanent and irrecoverable.
[ ] Scanning for exposed ML model endpoints, vector databases, and AI infrastructure
    - SageMaker, Vertex AI, self-hosted models, and vector DBs (Pinecone, Weaviate, Qdrant) accessible without authentication.
[ ] Assessment of AI-powered SaaS integrations for data flow and retention
    - CRM, support, and analytics platforms with AI features may send data to external model providers.

05. VULNERABILITY AWARENESS
---------------------------
Why it matters: Knowing what technology runs on your external surface determines how fast you can respond when a new vulnerability is disclosed.
[ ] Centralized technology inventory covering every framework, library, and service
    - Every technology version on every external asset, searchable and up-to-date.
[ ] Ability to identify affected assets within hours when a new critical CVE drops
    - When Log4Shell hit, organizations without a tech inventory took weeks. Those with one took hours.
[ ] SSL/TLS certificate expiration monitoring, weak cipher detection, and CT log surveillance
    - Expired or misconfigured certificates are a common attack surface finding.
[ ] Continuous checks for misconfigured cloud storage
    - Open S3 buckets, Azure blobs, and GCS objects, checked continuously, not quarterly.

06. OPERATIONAL INTEGRATION
---------------------------
Why it matters: EASM is only valuable if findings reach the right people at the right time. Without integration into existing workflows, discoveries sit in dashboards instead of getting fixed.

[ ] EASM runs continuously, not as a quarterly or annual scan
    - The attack surface changes daily. Point-in-time scans miss assets deployed between assessments.
[ ] Findings prioritized by exploitability and business context, not just CVSS
    - A CVSS 7.5 on a customer-facing API matters more than a CVSS 9.8 on an internal test server.
[ ] Alerts integrate with SIEM/SOAR, ticketing, and notification channels
    - Jira, ServiceNow, PagerDuty, Slack, Splunk, Sentinel: findings should flow into the workflows teams already use.
[ ] Attack surface metrics tracked over time and reported to leadership
    - Total assets, new assets, open findings, MTTR, and attack surface growth rate.

SCORING
-------
20+ items checked: Strong visibility. Focus on MTTD, remediation SLAs, and extending coverage to AI exposure.
10-19 items checked: Significant gaps. Prioritize credential monitoring, third-party risk, and continuous scanning.
Under 10 checked: Critical blind spots. Attackers have better visibility into your infrastructure than your security team.
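The second item in section 02 asks for repository scanning that covers git history, not just the files currently checked out. The script below is an added example (not from easm.info or RedHunt Labs) of what such a check does: it runs a small set of credential-format signatures plus an entropy filter over a constructed set of repository blobs, where the leaked key exists only in an old commit and has been replaced in HEAD. The commit ids, file paths and token values are made up; the AWS key is Amazon's published example key, and the GitHub token is a constructed string of the documented shape.

```python
"""Added example: scan repository blobs, including historical ones, for exposed secrets."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Signatures for common credential formats (shapes as publicly documented by the
# issuing services). "generic_assignment" catches secret-looking variables assigned
# a long value; an entropy check then drops obvious placeholders.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random secrets score high; repeated or dictionary text scores low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(s: str) -> str:
    """Keep enough of the match to locate it in the file without re-publishing the secret."""
    return s if len(s) <= 12 else s[:6] + "..." + s[-4:]


@dataclass(frozen=True)
class Finding:
    ref: str       # commit id, or "HEAD" for the current tree
    path: str
    line_no: int
    kind: str
    snippet: str


def scan_blob(ref: str, path: str, content: str, min_entropy: float = 3.5) -> list:
    """Run every signature over each line of one blob."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Placeholder values like "aaaa..." or "changeme" have low entropy; skip them.
            if kind == "generic_assignment" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            findings.append(Finding(ref, path, line_no, kind, redact(m.group(0))))
    return findings


def scan_history(blobs) -> list:
    """blobs: iterable of (ref, path, content). In practice these come from walking
    every commit (e.g. `git rev-list --all` plus `git show`), so a secret that was
    committed and later removed is still reported against the commit that holds it."""
    findings = []
    for ref, path, content in blobs:
        findings.extend(scan_blob(ref, path, content))
    return findings


# Constructed repository history: the key was committed, then replaced by an env lookup.
SAMPLE_HISTORY = [
    ("a1b2c3d", "config/settings.py",
     'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n'),
    ("HEAD", "config/settings.py",
     'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\nDEBUG = False\n'),
    ("HEAD", "scripts/deploy.sh",
     "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB\n"
     'API_KEY="aaaaaaaaaaaaaaaaaaaaaaaa"  # placeholder, filtered by entropy\n'),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.ref:8} {f.path}:{f.line_no} {f.kind} {f.snippet}")
```

Scanning only HEAD would report the GitHub token and miss the AWS key entirely, which is the gap the checklist item describes; any key that ever reached a public remote should be treated as exposed and rotated, regardless of whether a later commit removed it.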
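Section 06 ties three things together: continuous scanning (so newly deployed assets are noticed), prioritization by context rather than raw CVSS, and metrics such as MTTR and growth rate for leadership. The following added example (not easm.info's or any vendor's code) shows the logic behind all three on constructed data: it diffs two scan snapshots, scores findings with an exposure multiplier on top of CVSS, and computes MTTR from open/closed timestamps. The hostnames, timestamps, multipliers and finding titles are assumptions chosen for illustration; the weighting reproduces the page's own ordering of a CVSS 7.5 on a customer-facing API above a CVSS 9.8 on a test server.

```python
"""Added example: snapshot diffing, context-aware prioritization and MTTR for an EASM program."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str


@dataclass
class Finding:
    asset: Asset
    title: str
    cvss: float
    exploit_public: bool      # a working exploit is publicly available
    customer_facing: bool     # business context the scanner cannot infer on its own
    opened: datetime
    closed: Optional[datetime] = None


def diff_snapshots(previous: set, current: set):
    """Assets that appeared since the last scan, and assets that disappeared."""
    return current - previous, previous - current


def priority(f: Finding) -> float:
    """CVSS as the base, context as multipliers (weights are an assumption of this example)."""
    score = f.cvss
    score *= 1.5 if f.exploit_public else 1.0
    score *= 1.5 if f.customer_facing else 0.5
    return round(score, 2)


def rank(findings):
    return sorted(findings, key=priority, reverse=True)


def mttr_hours(findings) -> Optional[float]:
    """Mean time to remediate, over findings that have been closed."""
    durations = [(f.closed - f.opened).total_seconds() / 3600 for f in findings if f.closed]
    return sum(durations) / len(durations) if durations else None


def report(previous: set, current: set, findings) -> dict:
    """The leadership metrics the checklist lists: totals, new assets, open findings, MTTR, growth."""
    new, removed = diff_snapshots(previous, current)
    open_findings = [f for f in findings if f.closed is None]
    return {
        "total_assets": len(current),
        "new_assets": sorted(a.host for a in new),
        "removed_assets": sorted(a.host for a in removed),
        "growth_rate": round((len(current) - len(previous)) / len(previous), 3) if previous else None,
        "open_findings": len(open_findings),
        "mttr_hours": mttr_hours(findings),
        "top_priority": [f.title for f in rank(open_findings)[:3]],
    }


# Constructed sample data (hosts, dates and findings are not real).
T0 = datetime(2024, 1, 1)
API = Asset("api.example.com", 443, "https")
TEST = Asset("test-01.example.com", 8080, "http")
MAIL = Asset("mail.example.com", 25, "smtp")
STAGING = Asset("staging.example.com", 443, "https")

LAST_WEEK = {API, TEST, MAIL}
TODAY = {API, TEST, STAGING}   # mail host decommissioned, staging host appeared unannounced

SAMPLE_FINDINGS = [
    Finding(API, "Auth bypass in API gateway", 7.5, True, True, T0),
    Finding(TEST, "RCE in dev framework", 9.8, True, False, T0),
    Finding(STAGING, "Directory listing enabled", 5.3, False, False, T0 + timedelta(days=2)),
    Finding(MAIL, "Expired TLS certificate", 5.0, False, True,
            T0 - timedelta(days=3), T0 - timedelta(days=1)),
    Finding(API, "Outdated TLS cipher suite", 4.0, False, True,
            T0 - timedelta(days=2), T0 - timedelta(days=1)),
]

if __name__ == "__main__":
    for k, v in report(LAST_WEEK, TODAY, SAMPLE_FINDINGS).items():
        print(f"{k:16} {v}")
```

The snapshot diff is what a continuous program produces every run; a quarterly scan would have no "previous" to compare against and the staging host would surface only when someone happened to look. The multipliers are deliberately simple so the ordering is explainable in a ticket: the 9.8 still ranks second, not ignored.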
NEXT STEPS
----------
- Compare top EASM vendors: https://easm.info/vendors
- Questions to ask vendors: https://easm.info/questions-to-ask-easm-vendors
- Full interactive checklist: https://easm.info/easm-checklist
- Learn more about EASM: https://easm.info/what-is-easm

---
easm.info | A RedHunt Labs initiative
https://redhuntlabs.com