In July 2025, Gartner removed External Attack Surface Management (EASM) from its Hype Cycle for Security Operations. The category was declared “obsolete before mature.” Vendors celebrated. Blog posts were written. Victory laps were taken.
Now, 2025’s breach data is coming in and the numbers are telling a different story.
Far from a solved problem, external vulnerability exploitation remained the number one initial attack vector for corporate breaches—for the sixth consecutive year. The tools that were supposed to manage the external attack surface have, by the numbers, failed to do so. And with threat actors now weaponizing AI to discover and exploit vulnerabilities at machine speed, the gap between what legacy EASM promised and what organizations actually need has never been wider.
EASM isn’t dead. But the first generation of tools that failed to deliver on its promise? Those deserve a burial. What’s emerging in their place is a real solution to managing the external attack surface across large, complex enterprise environments.
EASM Declared Dead
In July 2025, Gartner made the decision to remove the External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM) market segments from its Hype Cycle for Security Operations. EASM was “obsolete before mature,” according to Gartner.
The reasoning was that EASM was not a significant enough product category to stand on its own. After a series of acquisitions, Gartner determined that EASM had become a component of larger markets, such as threat intelligence, vulnerability management, and security ratings services.
Gartner was quick to explain that the decision to remove EASM and CAASM from the Hype Cycle did not imply that EASM tools are irrelevant or that the process of managing the external attack surface is no longer necessary—but that didn’t stop many vendors in the Attack Surface Management space from declaring victory.
One vendor declared: “R.I.P. EASM: Move Beyond Noisy Discovery.” Another published a blog post called “CAASM is dead because it worked.” Many executives at ASM and ASM-adjacent technology providers were quick to pat Gartner and themselves on the back and shout, “Hooray! Problem solved!”
Vulnerability Exploitation Remains the Top Initial Attack Vector
And yet, all of the evidence suggests that threat actors are exploiting vulnerabilities in the external attack surface more frequently, more rapidly, and more effectively than ever before.
32% of all corporate breaches began with external vulnerability exploitation in 2025, according to the recently published Mandiant M-Trends Report 2026. That doesn’t exactly sound like a win for External Attack Surface Management.
The trend is not improving. Exploitation of internet-facing vulnerabilities has been the number one initial access vector in Mandiant’s data for six consecutive years—accounting for 38% of breaches in 2023, 33% in 2024, and 32% in 2025. Meanwhile, the mean time to exploit a vulnerability has gone from 63 days in 2018 to negative seven days in 2025, according to Google’s Threat Intelligence Group. Negative. Meaning exploitation now begins, on average, before a patch is even available.
VulnCheck reported that 42% of the 181 network edge device vulnerabilities published in 2025 that are known to be exploited in the wild were associated with end-of-life (EOL) or likely EOL devices—strong evidence that external attack surfaces are not being properly managed. There is no justification for leaving EOL devices with CVEs known to be exploited in the wild exposed to the public internet.
All of this raises some uncomfortable questions. If EASM is a solved problem, why is exploitation of internet-facing vulnerabilities the number one initial attack vector for the sixth consecutive year? If the legacy set of EASM tools did such an outstanding job managing and securing external assets, how is it that one-third of all corporate breaches begin with exploitation of a CVE on an external asset?
EASM may have been declared dead, but the data tells a different story. We badly need EASM to rise from the ashes—not as it was, but as something fundamentally better.
What EASM Must Look Like in the Era of AI
Adversaries are adopting AI, which means they are moving at extreme velocity. Google Cloud’s Cloud Threat Horizons Report H1 2026 reported that “the window between vulnerability disclosure to active exploitation collapse[d] from weeks to days in the second half of 2025.” Other research corroborates this finding. For instance, VulnCheck stated that 32% of CVEs added to their Known Exploited Vulnerability (KEV) catalog were exploited prior to or within 24 hours of the CVE’s publication.
The message is clear: AI is helping threat actors discover and exploit vulnerabilities at incredible speed. AI accelerates both the discovery of the vulnerability itself and the detection of internet-exposed instances of the software product in which the vulnerability was found. All of this can be automated and executed at machine speed, before cyber defenders have even learned the vulnerability exists.
So what does the second incarnation of EASM look like? If it’s going to make a real difference this time, it needs to be rebuilt from the ground up—not an incremental improvement on the old model, but a fundamentally different approach to how the external attack surface is discovered, monitored, and defended.
We’ve distilled this into five core tenets—the 5 C’s of AI-defensive external attack surface management.
| Tenet | Legacy EASM | Next-Gen EASM (The 5 C’s) |
|---|---|---|
| Clarity | Frequent misattribution of assets; noisy false positives | Transparent entity and asset attribution with evidence chains |
| Coverage | IPv6 discovery limited to DNS AAAA records | Computational mapping of the full IPv6 space via 6Gen |
| Completeness | Top 1,024–5,000 ports scanned | All 65,535 ports inspected, every run |
| Continuity | Periodic scans marketed as “continuous” | Comprehensive discovery and assessment at least weekly |
| Convergence | Asset inventory with limited remediation context | Real-time alerting with entity ownership and workflow integration |
Clarity: Entity & Asset Attribution
One of the major shortcomings of the first generation of EASM tools was misattribution of domains and IP addresses. In other words, many EASM tools would incorrectly assign assets to a customer when those assets did not belong to the customer’s organization.
These attribution errors led to a lot of noise and wasted time. Alerts generated by the EASM tool would turn out to be false positives because the asset was owned by a third-party organization. The vulnerability may be real, but it’s on somebody else’s system. There’s no room for these kinds of errors in today’s world.
SixMap overcomes these challenges with two elements in our attribution process: entity attribution and asset attribution. The organization mapping procedure finds all of the distinct entities—divisions, business units, operating companies, subsidiaries, holding companies, regional headquarters—that belong to a given organization. The evidence for assigning each entity to the parent organization is shared with customers. As for asset attribution: SixMap surfaces the exact discovery techniques used to identify every network, IP address, and domain. This shows how a given asset is tied to an entity, while the entity attribution shows the link between that entity and the parent organization.
Coverage: Full Visibility Across IPv4 and IPv6
Legacy EASM tools had just one rudimentary method for finding IPv6 assets: examining the AAAA record in DNS data. Whereas an A record directs traffic from a domain (or subdomain) to an IPv4 address, a AAAA record points traffic from a domain to an IPv6 address. If a domain is known to be owned by a given organization, and that domain has a AAAA record, it’s trivial to capture the IPv6 address and add it to an inventory.
This is worthwhile, but it obviously misses all of the IPv6 exposures that do not have a DNS record associated with them. And these exposures are often the ones that create the most risk. If someone took the time to create a AAAA record, it’s safe to assume the organization is aware that the associated IPv6 addresses exist. But if there’s an orphaned cloud instance or an exposed IoT device running IPv6 with no DNS records? That’s the type of vulnerable, unknown exposure that security leaders need to know about.
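The limitation described above can be made concrete with a small script. This is an added example, not SixMap's code: it builds an inventory from A/AAAA records the way a DNS-only discovery would, then lists addresses that were observed answering inside the organisation's own allocated prefixes but that no DNS record accounts for. The zone records, domains and observed addresses are constructed sample data in the RFC 5737 and RFC 3849 documentation ranges.

```python
"""Build an IPv4/IPv6 inventory from DNS A/AAAA records and list observed
addresses that no DNS record accounts for.

Added illustration of AAAA-record discovery and its blind spot; not
SixMap's code. All records, domains and observed addresses below are
constructed sample data (RFC 5737 / RFC 3849 documentation ranges)."""
import ipaddress

# Constructed sample of resolved records: (name, rrtype, rdata)
SAMPLE_RECORDS = [
    ("www.example.com", "A", "192.0.2.10"),
    ("www.example.com", "AAAA", "2001:db8:0:1::10"),
    ("mail.example.com", "A", "192.0.2.25"),
    # same address as 2001:db8:0:1::20, written in expanded form
    ("api.example.com", "AAAA", "2001:0db8:0000:0001:0000:0000:0000:0020"),
    ("cdn.example.com", "CNAME", "edge.example-cdn.net"),   # not an address record
    ("www.other-org.example", "AAAA", "2001:db8:ffff::1"),  # not one of our domains
]

OWNED_DOMAINS = {"example.com"}

# Constructed sample of addresses seen answering inside the organisation's
# own allocated prefixes (for example from a sweep of its own address space).
OBSERVED = [
    "192.0.2.10",
    "192.0.2.77",            # IPv4 host with no DNS name
    "2001:db8:0:1::10",
    "2001:db8:0:1::20",      # api.example.com, different textual form
    "2001:db8:0:2::beef",    # IPv6 host with no AAAA record: invisible to DNS-only discovery
]


def in_owned_domain(name, owned=OWNED_DOMAINS):
    """True if `name` equals or is a subdomain of an owned apex domain."""
    labels = name.lower().rstrip(".")
    return any(labels == d or labels.endswith("." + d) for d in owned)


def build_dns_inventory(records, owned=OWNED_DOMAINS):
    """Return {'ipv4': set, 'ipv6': set} of canonical addresses taken from
    A/AAAA records under owned domains. Other record types and foreign
    domains are ignored."""
    inv = {"ipv4": set(), "ipv6": set()}
    for name, rrtype, rdata in records:
        if rrtype not in ("A", "AAAA") or not in_owned_domain(name, owned):
            continue
        addr = ipaddress.ip_address(rdata)   # canonicalises IPv6 text forms
        inv["ipv4" if addr.version == 4 else "ipv6"].add(addr)
    return inv


def find_unnamed(observed, inventory):
    """Observed addresses with no A/AAAA record: the exposures DNS-only
    discovery never sees. Returned as sorted canonical strings."""
    known = inventory["ipv4"] | inventory["ipv6"]
    unnamed = {ipaddress.ip_address(a) for a in observed} - known
    return sorted(str(a) for a in unnamed)


if __name__ == "__main__":
    inv = build_dns_inventory(SAMPLE_RECORDS)
    print("from DNS:", sorted(str(a) for a in inv["ipv4"] | inv["ipv6"]))
    print("no DNS record:", find_unnamed(OBSERVED, inv))
```

Canonicalising through `ipaddress.ip_address` matters: without it the expanded AAAA text for api.example.com would not match the compressed form seen on the wire, and the host would be reported as unknown even though it has a record. The two addresses the script does report are the ones the text is worried about, and nothing in DNS would ever surface them.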
SixMap leverages 6Gen, a computational mapping algorithm designed to map the entire IPv6 space, to discover all of an organization’s IPv6 exposures. As a result, SixMap is able to develop a far more complete asset inventory covering networks, IP addresses, and domains across both IPv4 and IPv6. Internal research shows that 9% of an enterprise’s IP addresses sit in the IPv6 space—far from a majority, but enough to pose significant risks if not properly monitored and managed.
Completeness: Inspection of All 65,535 Ports, Every Run
Many older EASM tools only look at the top 1,024 ports, known as “common ports.” Others may look at the top 2,000 to 5,000 most commonly used ports. A few products claim to look at all 65,535, but they’re fuzzy about the details: how often are those high ports actually checked? Monthly? Quarterly? Annually? It isn’t clear.
The trouble is that every internet-facing machine—be it a hardware networking device, an on-prem web server, or a cloud instance—can send and receive traffic on 65,535 unique ports. While many of these are not commonly used, failing to inspect all of them potentially leaves vulnerabilities, misconfigurations, or signs of malicious activity undetected. This does not cut it in the era of AI-augmented attacks.
SixMap inspects all 65,535 ports on each asset, every single scan. This exhaustive exposure assessment finds every open port, every exposed service, and every network-layer vulnerability visible from the internet. Because SixMap operates as a Tier 1 internet service provider, these assessments can be run efficiently, silently, and frequently, collecting extremely high-fidelity data without the organization being assessed ever knowing their infrastructure is being mapped.
Continuity: Shifting from “Frequent” to “Continuous”
Virtually all EASM tools claim to be continuous. But ask for details—how often do the assessments run? When does one scan stop and another begin?—and you’ll get a lot of hand-wavy answers. The truth is, they never meant “continuous” in the sense of “the assessments never stop running; a new one starts the second the previous one ends.” They meant “automated and runs iteratively in the background without a human executing the process.”
When you really drill down, most EASM tools were conducting very rudimentary discovery and assessment processes on a regular basis. Maybe the top 1,024 ports were scanned across external assets once per week or every other week. Do a quick check, update a few data points, and call it continuous.
Once again, this is insufficient in today’s world. Security leaders need full confidence that their data is accurate, complete, and up to date. That means discovery and assessment processes that are not just continuous but also comprehensive, every single time the process runs.
SixMap runs a complete discovery and exposure assessment, looking at every single port on every asset, at least once per week (often more, though it depends on the size of the environment and the needs of the customer). We store and surface all data for customers. That means you can view the delta between any two assessments. If you want to see every detail that’s changed in your attack surface over the past six days—down to every single IP address, open port, and exposed service—you can easily do that with a few clicks. You can also zoom out to see what’s changed over the past 90 days or 12 months for an executive-level reporting view.
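What “view the delta between any two assessments” looks like in practice, and why the Completeness point about high ports matters for that delta, can be shown with a short diff over two snapshots. This is an added example, not SixMap's code or data format: each snapshot maps an asset address to its open ports and the service seen on each, and the two snapshots are constructed sample data a few days apart. The last function isolates newly opened ports above 1,024, which is exactly the set a top-1,024-port scan would never have reported.

```python
"""Compute the delta between two external exposure assessments.

Added example for comparing assessments; not SixMap's code or data format.
Snapshots map asset address -> {open_port: service} and are constructed."""

COMMON_PORT_LIMIT = 1024   # upper bound of a "top 1,024 ports" scan

# Constructed snapshots, six days apart.
PREVIOUS = {
    "192.0.2.10": {80: "http", 443: "https"},
    "192.0.2.25": {25: "smtp", 587: "submission"},
    "2001:db8:0:1::20": {443: "https", 22: "ssh"},
}
CURRENT = {
    "192.0.2.10": {80: "http", 443: "https", 8443: "https-alt"},   # new high port
    "192.0.2.25": {25: "smtp"},                                    # 587 closed
    "2001:db8:0:1::20": {443: "https", 22: "ssh"},
    "2001:db8:0:2::beef": {3389: "rdp", 5900: "vnc"},              # new asset, remote access exposed
}


def diff_assessments(prev, curr):
    """Return per-asset changes between two snapshots.

    Result shape:
      {"new_assets": [asset], "removed_assets": [asset],
       "opened": [(asset, port, service)], "closed": [(asset, port, service)],
       "changed_service": [(asset, port, old, new)]}
    Lists are sorted by asset then port so output is stable."""
    delta = {"new_assets": [], "removed_assets": [], "opened": [],
             "closed": [], "changed_service": []}
    for asset in sorted(set(prev) | set(curr)):
        before, after = prev.get(asset), curr.get(asset)
        if before is None:
            delta["new_assets"].append(asset)
            before = {}
        elif after is None:
            delta["removed_assets"].append(asset)
            after = {}
        for port in sorted(set(before) | set(after)):
            if port not in before:
                delta["opened"].append((asset, port, after[port]))
            elif port not in after:
                delta["closed"].append((asset, port, before[port]))
            elif before[port] != after[port]:
                delta["changed_service"].append((asset, port, before[port], after[port]))
    return delta


def high_port_exposures(delta, limit=COMMON_PORT_LIMIT):
    """Newly opened ports above `limit`: the exposures a top-N-ports
    assessment would have missed entirely."""
    return [(a, p, s) for a, p, s in delta["opened"] if p > limit]


if __name__ == "__main__":
    d = diff_assessments(PREVIOUS, CURRENT)
    for key, rows in d.items():
        print(key, rows)
    print("missed by a top-1024 scan:", high_port_exposures(d))
```

Storing every assessment in full, rather than only the latest state, is what makes this diff possible at any pair of dates; the same function run over snapshots 90 days apart gives the executive view the text mentions.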
Convergence: Faster Detection, Preemptive Mitigation
The original promise of the External Attack Surface Management category was simple: you can’t protect the assets you don’t know about, so deploy our tool and we’ll show you all the assets you weren’t aware of. There are two problems here. First, EASM tools only partially delivered on that promise. The results surfaced some shadow IT but remained incomplete, due to the reasons highlighted above, and also brought in a lot of misattributed assets that caused false positive alerts and wasted time.
Second, simply identifying shadow IT isn’t enough to properly defend against AI-driven attacks. Security teams need real-time alerting on exposures and vulnerabilities, along with seamless integration into existing workflows, so that risks can be mitigated as quickly as possible. This requires complete discovery, entity and asset attribution, comprehensive exposure assessments, and truly continuous monitoring—all of the points highlighted above—in order to accelerate remediation cycles and prevent breaches.
SixMap brings all of this together into a single solution. When a new CVE is published in one of your technologies, you immediately know which assets are affected, which entities are responsible for those assets, and who to contact about remediation. The same holds true for other types of risks: a misconfigured database or staging environment exposed to the web, a remote access service running on a high port because someone forgot to disable the service when their work was done, an insecure protocol accidentally made externally visible. All of these present very urgent risks, and SixMap can help you find and fix these issues faster.
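The convergence step, going from a published advisory to the affected assets and the entity that must fix them, is essentially a join between the exposure inventory, the attribution data and the advisory. The following is an added example of that join, not SixMap's code: the inventory rows, the entity-to-contact table and the advisory are constructed, and the CVE identifier is a placeholder rather than a real vulnerability.

```python
"""Map a newly published advisory to exposed assets and the entity that
owns them, so each remediation contact receives one actionable list.

Added example of the convergence step; not SixMap's code. Inventory,
ownership table and advisory are constructed; CVE-0000-00000 is a
placeholder identifier, not a real CVE."""
from collections import defaultdict

# Constructed inventory: one externally exposed service per row, with the
# product/version identified on it and the entity it was attributed to.
INVENTORY = [
    {"asset": "192.0.2.10", "port": 443, "product": "acme-gateway",
     "version": "4.2.1", "entity": "Acme Retail LLC"},
    {"asset": "2001:db8:0:1::20", "port": 443, "product": "acme-gateway",
     "version": "4.3.0", "entity": "Acme EMEA GmbH"},
    {"asset": "192.0.2.25", "port": 25, "product": "postfix",
     "version": "3.8.1", "entity": "Acme Retail LLC"},
    {"asset": "2001:db8:0:2::beef", "port": 8443, "product": "acme-gateway",
     "version": "4.1.0", "entity": "Acme EMEA GmbH"},
]

# Constructed output of the entity attribution step: who to contact.
OWNERS = {
    "Acme Retail LLC": "secops-retail@example.com",
    "Acme EMEA GmbH": "secops-emea@example.com",
}

# Constructed advisory with a placeholder identifier.
ADVISORY = {
    "id": "CVE-0000-00000",
    "product": "acme-gateway",
    "affected_below": "4.2.2",   # versions strictly below this are affected
}


def parse_version(v):
    """'4.2.1' -> (4, 2, 1); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(row, advisory):
    """True when the row runs the advisory's product at an affected version."""
    return (row["product"] == advisory["product"]
            and parse_version(row["version"]) < parse_version(advisory["affected_below"]))


def affected_by_entity(inventory, advisory, owners):
    """Group affected (asset, port, version) tuples by owning entity and
    attach the remediation contact. An entity missing from `owners` is
    flagged rather than silently dropped."""
    out = defaultdict(lambda: {"contact": None, "assets": []})
    for row in inventory:
        if is_affected(row, advisory):
            entity = row["entity"]
            out[entity]["contact"] = owners.get(entity, "UNATTRIBUTED")
            out[entity]["assets"].append((row["asset"], row["port"], row["version"]))
    return dict(out)


if __name__ == "__main__":
    for entity, info in affected_by_entity(INVENTORY, ADVISORY, OWNERS).items():
        print(f"{ADVISORY['id']} -> {entity} ({info['contact']}): {info['assets']}")
```

The value of the join is only as good as its inputs: if attribution is wrong, the alert goes to the wrong entity; if the inventory skipped high ports, the instance on 8443 is never listed; if the last assessment is stale, the version strings are stale. That is why the text ties convergence to the other four tenets.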
Long Live EASM
Security leaders have told us they don’t want more visibility. We get it. But what they actually don’t want is more inaccurate visibility—more noise, more false positives, more misattributed assets clogging up their workflows.
If a solution could provide complete, accurate, and current data showing real assets, real exposures, and real risks with near-zero false positives, every security leader would instantly understand the value. That’s not a hypothetical. That’s what the 5 C’s are designed to deliver.
EASM is neither obsolete nor a solved problem. The data isn’t whispering this—it’s shouting it. One-third of corporate breaches still begin with exploitation of an external vulnerability. EOL devices with known CVEs are still sitting on the public internet. The mean time to exploit has gone from weeks to negative days. The old approach to EASM didn’t fail because the category was unnecessary. It failed because the tools weren’t good enough.
It’s time for a new standard. And we’re confident enough in ours to issue a challenge: put SixMap to the test. Let us map your external attack surface and show you what your current tools are missing. If we’re wrong and your attack surface is fully accounted for, you’ll have confirmed it with hard data. But if there are blind spots—unknown assets, unmonitored IPv6 exposures, open ports on high numbers that nobody’s checked—you’ll see them for the first time, and you’ll know exactly how to close them.