GigaOm Key Criteria for Evaluating Attack Surface Management (ASM) Solutionsv3.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Executive Summary
  2. ASM Sector Brief
  3. Decision Criteria Analysis
  4. Analyst’s Outlook
  5. About Chris Ray

1. Executive Summary

The difficulties and challenges presented by rapid digital growth, cloud adoption, and the sprawling public IP space leave organizations unable to accurately identify their rapidly changing attack surface, creating a wealth of opportunities for online attackers. Compounding this problem is the lack of visibility into the risks resulting from the dynamic nature of the attack surface. In response, attack surface management (ASM) solutions provide value through the continuous discovery of and insight into an organization’s attack surface.

The attack surface encompasses all public-facing services, application programming interfaces (APIs), applications, IP addresses, and infrastructure, regardless of the host type (virtual machine, container, or bare metal) or location (on-premises or cloud). ASM starts with the attack surface and builds a proper management process around it. This includes automated asset discovery and tracking of asset details.

Attack surfaces today are composed of some of the newest technologies—containers, Kubernetes clusters, serverless functions, social media, static and dynamic HTML web content, and even internet of things (IoT) devices. This conglomeration creates an enormous amount of additional work for security teams to properly manage.

Moreover, the attack surface is dynamic; it can change daily, if not more often, and tracking these changes in an automated fashion is a key requirement for an ASM solution. But simply knowing the scope and composition of the attack surface is not sufficient. Delineating the types of assets in an organization’s attack surface as well as the severity of related risks rounds out an ASM solution’s value proposition.

ASM is a recent addition to the defender’s tool set, and like other new technologies, it is still evolving. As more vendors enter this space, they are compelled to innovate to differentiate from one another. Decision-makers should keep this ongoing evolution in mind because this space has yet to realize its full potential.

Business Imperative
In today’s rapidly evolving digital landscape, the expansion of an organization’s attack surface presents a technical challenge and a critical business imperative. For CxOs, understanding and managing this attack surface is vital to safeguarding the organization’s operational integrity, reputation, and financial stability. ASM solutions emerge as a strategic necessity in this context. They offer continuous visibility into the organization’s digital exposure, transforming the approach to digital security from reactive to proactive. This shift is essential for aligning security posture with business objectives and mitigating risks effectively.

The value of ASM for a CxO extends beyond mere asset tracking and management. It provides a comprehensive understanding of the organization’s digital ecosystem, enabling leadership to articulate and manage digital risks in terms of business impact. In a digital economy where threats evolve as swiftly as the technologies they exploit, ASM stands as a crucial tool. It empowers organizations to adapt quickly, ensuring sustainable business growth and operational resilience in an environment of constant digital threats. Adopting an ASM solution is a strategic decision, pivotal to maintaining a competitive edge and securing the organization’s digital future.

Sector Adoption Score
To help executives and decision-makers assess the potential impact and value of an ASM solution deployment to the business, this GigaOm Key Criteria report provides a structured assessment of the sector across five factors: benefit, maturity, urgency, impact, and effort. By scoring each factor based on how strongly it compels or deters adoption of an ASM solution, we provide an overall Sector Adoption Score (Figure 1) of 4.4 out of 5, with 5 indicating the strongest possible recommendation to adopt. This indicates that an ASM solution is a strong candidate for deployment and must be considered.

The factors contributing to the Sector Adoption Score for ASM are explained in more detail in the Sector Brief section that follows.

Key Criteria for Evaluating ASM Solutions

Sector Adoption Score







Figure 1. Sector Adoption Score for ASM

This is the third year that GigaOm has reported on the ASM space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report highlights the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) for selecting an effective ASM solution. The companion GigaOm Radar report identifies vendors and products that excel in those decision criteria. Together, these reports provide an overview of the market, identify leading ASM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.


The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and non-functional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

Full content available to GigaOm Subscribers.

Sign Up For Free