Comparison Guide

EASM vs ASM vs CAASM vs CTEM

Security teams are flooded with acronyms. Here's what each one actually means, how they differ, and where they overlap.

Quick Comparison Table

Before diving into each discipline, here's a side-by-side summary of EASM, ASM, CAASM, and CTEM across seven key dimensions.

| Dimension | EASM | ASM | CAASM | CTEM |
|---|---|---|---|---|
| Full Name | External Attack Surface Management | Attack Surface Management | Cyber Asset Attack Surface Management | Continuous Threat Exposure Management |
| Focus | Internet-facing assets & exposures | Entire attack surface (internal + external) | Unified internal asset inventory | Continuous exposure reduction lifecycle |
| Perspective | Outside-in (attacker's view) | Both internal & external | Inside-out (aggregating internal tools) | Programmatic (process framework) |
| Data Sources | Internet scanning, DNS, certificates, OSINT, dark web | Varies: combines EASM + CAASM + endpoint data | EDR, CMDB, cloud APIs, vulnerability scanners, ITSM | Outputs from EASM, CAASM, BAS, pen testing, vuln mgmt |
| Primary Users | Security ops, threat intel, risk teams | CISOs, security leadership | IT ops, asset management, compliance | Security leadership, GRC teams |
| Key Output | Unknown asset discovery, exposure alerts | Holistic attack surface visibility | Unified asset inventory, coverage gaps | Prioritized remediation roadmap |
| Agent Required | No. Agentless, external only | Depends on scope | No. API-based integrations | Depends on tools used in the program |

What is ASM (Attack Surface Management)?

Attack Surface Management is the broadest term in this group. Coined and popularized by Gartner, ASM refers to the discipline of continuously discovering, classifying, and monitoring all assets that could serve as entry points for an attacker, both internal and external. Think of ASM as the umbrella category, not a single product. It encompasses EASM (external discovery), CAASM (internal aggregation), endpoint management, and more.

In practice, most vendors marketing themselves as “ASM platforms” are actually delivering EASM capabilities: outside-in internet scanning and asset discovery. True holistic ASM requires combining multiple tools and data sources to cover the full internal-plus-external picture. This is an important distinction because buying a product labeled “ASM” does not automatically mean you have complete attack surface visibility.

The value of ASM as a concept is strategic: it pushes organizations to think about their total exposure rather than protecting individual silos. A mature ASM program typically combines EASM for external discovery, CAASM for internal inventory unification, and a vulnerability management program to tie it all together.

What is EASM (External Attack Surface Management)?

External Attack Surface Management focuses exclusively on internet-facing assets, the things an attacker can see and probe without any internal access. EASM platforms operate from the outside in: they scan the public internet, enumerate DNS records, parse certificate transparency logs, crawl web applications, and harvest OSINT to build a map of everything your organization exposes to the world. No agents, no credentials, no internal network access required.

The critical capability of EASM is discovering assets your own team doesn't know about: forgotten subdomains, shadow IT cloud instances, staging environments left public, acquired company infrastructure, and third-party integrations leaking data. Key capabilities include continuous asset discovery, exposure monitoring, credential and dark web monitoring, vulnerability detection, and technology stack fingerprinting.

EASM is where most organizations start because external exposure represents the most immediate and exploitable risk. If an attacker can find it from the internet, it's your most urgent blind spot.

What is CAASM (Cyber Asset Attack Surface Management)?

Cyber Asset Attack Surface Management takes the opposite approach from EASM. Instead of scanning the internet from the outside, CAASM aggregates data from your internal security and IT tools (EDR agents, CMDB systems, cloud provider APIs, vulnerability scanners, ITSM platforms) to build a unified, deduplicated inventory of every asset in your environment. CAASM is an inside-out view of your attack surface.

The core problem CAASM solves is tool sprawl and data fragmentation. Most enterprises have dozens of security and IT tools, each with its own partial view of the asset landscape. CAASM platforms like Axonius, JupiterOne, and Sevco ingest data from all of these sources, correlate it, and surface gaps such as devices without EDR coverage, servers missing from the CMDB, or cloud instances that aren't being scanned for vulnerabilities.

Critically, CAASM does not discover unknown external assets. It can only aggregate what your existing tools already see. This makes it complementary to EASM rather than a replacement. EASM finds the unknowns outside your perimeter, while CAASM unifies the knowns inside it.

What is CTEM (Continuous Threat Exposure Management)?

Continuous Threat Exposure Management is a Gartner-defined framework, not a product category. Published in 2022, CTEM describes a five-step cycle that organizations should follow to continuously reduce their exposure to threats: Scoping (defining what matters), Discovery (finding assets and exposures), Prioritization (ranking by business risk), Validation (proving exploitability through BAS or red teaming), and Mobilization (driving remediation through existing workflows).

CTEM is broader than any single tool. It's a programmatic approach that uses outputs from EASM, CAASM, vulnerability management, Breach and Attack Simulation (BAS), pen testing, and red teaming. You cannot buy a “CTEM product” off the shelf. You build a CTEM program by orchestrating multiple capabilities.

EASM is one of the most critical inputs to CTEM. Without external discovery, the “Discovery” phase of CTEM has a massive blind spot. In practice, organizations implementing CTEM typically combine EASM for external discovery, CAASM for internal inventory, and BAS for validation to cover the full cycle.

How They Overlap

These four acronyms are not competing products. They're layers of a mature security program. ASM is the umbrella discipline. EASM handles outside-in discovery of internet-facing exposures. CAASM handles inside-out aggregation of internal asset data. And CTEM is the process framework that ties it all together into a continuous cycle of discovery, prioritization, validation, and remediation.

ASM: The Umbrella

The overarching discipline covering all attack surface visibility and management efforts.

EASM: Outside-In Discovery

Scans the internet from an attacker's perspective. Discovers unknown domains, IPs, cloud assets, credentials, and third-party exposures.

CAASM: Inside-Out Aggregation

Integrates with internal tools (EDR, CMDB, cloud APIs) to build a unified asset inventory and find coverage gaps.

CTEM: The Process Framework

A five-step cycle (Scope → Discover → Prioritize → Validate → Mobilize) that consumes outputs from EASM, CAASM, BAS, and pen testing to continuously reduce exposure.

EASM vs ASM: Key Differences

The most common source of confusion in this space is the relationship between EASM and ASM. ASM is the broad category. It covers every type of attack surface visibility, from endpoint telemetry to cloud configuration to external exposure. EASM is a specific subset that focuses exclusively on the external, internet-facing attack surface.

In the vendor landscape, this distinction gets blurry. The majority of products marketed as “ASM solutions” are actually EASM tools. They perform outside-in discovery and monitoring but don't touch internal assets. When evaluating vendors, look beyond the label: ask whether the platform requires internal agents or network access (that's broader ASM) or operates entirely from the outside (that's EASM).

Key takeaway: If a vendor says “ASM” but only offers external scanning with no internal integration, you're getting EASM, which may be exactly what you need, but be clear about what you're buying.

EASM vs CAASM: Key Differences

EASM and CAASM solve fundamentally different problems. EASM discovers unknown external assets, things your organization doesn't know it's exposing to the internet. CAASM aggregates known internal assets, unifying data from tools you already have to find coverage gaps and data inconsistencies. One looks outward, the other looks inward.

These are complementary capabilities, not competing ones. EASM will find the forgotten subdomain running an unpatched WordPress instance. CAASM will tell you that 200 of your 5,000 servers don't have EDR installed. Together, they give you the closest thing to complete asset visibility: external unknowns plus internal coverage gaps.
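As an added example (not code from this guide or from any vendor product named here), the toy correlation below shows both halves of that picture over constructed data: it merges per-tool host lists the way CAASM does, reports known hosts that a required tool does not cover (the "servers without EDR" case), and flags externally observed hostnames (constructed certificate transparency entries, the EASM view) that no internal tool knows about. Tool names, hostnames and the `example.com` domain are all assumptions.

```python
"""Added example: correlating internal tool inventories (the CAASM view) with
externally observed hostnames (the EASM view). All data below is constructed."""
from collections import defaultdict

# Constructed per-tool host lists. Case and trailing dots differ on purpose,
# mirroring the inconsistencies CAASM platforms must reconcile.
SOURCES = {
    "cmdb": ["web-01.example.com", "db-01.example.com", "app-02.example.com"],
    "edr": ["WEB-01.example.com", "app-02.example.com.", "laptop-77.example.com"],
    "vuln_scanner": ["web-01.example.com", "db-01.example.com", "laptop-77.example.com"],
    "cloud_api": ["app-02.example.com", "staging-old.example.com"],
}
# Constructed hostnames as an EASM tool might extract them from certificate
# transparency log entries for example.com.
CT_LOG_HOSTS = ["web-01.example.com", "staging-old.example.com",
                "legacy-api.example.com", "VPN-Test.example.com"]


def normalize(host: str) -> str:
    """Canonical hostname so the same asset reported by several tools merges."""
    return host.strip().lower().rstrip(".")


def build_inventory(sources: dict[str, list[str]]) -> dict[str, set[str]]:
    """Deduplicated inventory: canonical host -> set of tools that see it."""
    inventory: dict[str, set[str]] = defaultdict(set)
    for tool, hosts in sources.items():
        for host in hosts:
            inventory[normalize(host)].add(tool)
    return dict(inventory)


def coverage_gaps(inventory: dict[str, set[str]], required: list[str]) -> dict[str, list[str]]:
    """CAASM-style gap report: known hosts that a required tool does not cover."""
    return {tool: sorted(h for h, seen in inventory.items() if tool not in seen)
            for tool in required}


def external_unknowns(inventory: dict[str, set[str]], observed: list[str]) -> list[str]:
    """EASM-style finding: externally visible hosts absent from every internal tool."""
    return sorted({normalize(h) for h in observed} - set(inventory))


if __name__ == "__main__":
    inv = build_inventory(SOURCES)
    for tool, hosts in coverage_gaps(inv, ["edr", "cmdb", "vuln_scanner"]).items():
        print(f"missing {tool}: {hosts}")
    print("external unknowns:", external_unknowns(inv, CT_LOG_HOSTS))
```

In a real program the host lists come from each tool's API and the external list from an EASM feed; the correlation logic stays the same.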

Key takeaway: EASM finds what you don't know about externally. CAASM unifies what you already know internally. You likely need both.

EASM vs CTEM: Key Differences

CTEM is a framework, not a technology. You can't deploy CTEM. You implement it as a program. EASM is a technology that feeds into the CTEM cycle, specifically the Discovery and Prioritization phases. Without EASM providing continuous external discovery data, a CTEM program has a critical blind spot in its exposure assessment.

Think of it this way: CTEM defines what you should do (scope, discover, prioritize, validate, mobilize). EASM is one of the tools that does part of it, specifically the external discovery and exposure monitoring. You can run EASM without a formal CTEM program, but you can't run a meaningful CTEM program without EASM.

Key takeaway: CTEM tells you how to build the program. EASM is one of the essential technologies that powers it. They're not alternatives. EASM is a prerequisite for CTEM.

Which One Do You Need?

The answer depends on where your biggest visibility gaps are and how mature your security program is. Here's a practical decision framework:

  • You don't know your external footprint: Start with EASM. External exposure is the most urgent blind spot because it's what attackers see first. EASM gives you immediate, agentless visibility into everything your organization exposes to the internet, including assets no one told security about.
  • You can't unify your internal asset data: Add CAASM. If you have dozens of security and IT tools but no single source of truth for your asset inventory, CAASM will aggregate, deduplicate, and surface the coverage gaps hiding in your internal environment.
  • You want a comprehensive exposure management program: Implement the CTEM framework using EASM + CAASM + BAS. CTEM gives you the programmatic structure to continuously discover, prioritize, validate, and remediate exposures across your entire attack surface.

Where Most Organizations Start

Most security teams start with EASM because external exposure is the most immediate risk. You can deploy an EASM platform in hours, with no agents or internal access required, and immediately begin discovering unknown assets and exposures. From there, adding CAASM for internal visibility and building toward a full CTEM program becomes a natural progression.

Ready to Close Your External Visibility Gaps?

Start with EASM. Discover your unknown internet-facing assets, monitor for exposures, and build the foundation for a mature attack surface program.