SANS 2025 Attack Surface Management Survey Reveals Shift to Unified, Automated Risk Operations
What Happened — The SANS 2025 Attack Surface Management (ASM) survey of 235 security professionals shows enterprises are moving from fragmented, alert‑driven models to unified, automated, business‑aligned risk operations. The top three insights are: unified visibility is now mandatory, automation is essential, and business context outweighs raw CVSS scores.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Vendors that cannot provide a single pane of glass across internal and external assets increase third‑party exposure.
- Lack of automation drives alert fatigue, raising the likelihood of missed third‑party risk signals.
- Business‑contextual prioritization is needed to assess the true impact of a supplier’s vulnerability.
Who Is Affected — Technology‑SaaS providers, cloud‑hosted ASM platforms, MSPs, and any organization that outsources security tooling.
Recommended Actions —
- Review contracts with ASM and ROC (risk operations center) vendors to ensure they deliver unified visibility across your full attack surface.
- Verify that automation capabilities (auto‑remediation, ticketing integration) are in place and tested.
- Align vendor risk scoring with business impact metrics rather than relying solely on CVSS.
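The third action, ranking vendor findings by business impact rather than by CVSS alone, is easier to see in code. The following is an added illustration, not part of the survey or the Qualys write-up: it combines a finding's CVSS base score with three context signals (internet exposure, known exploitation, and an assumed 1 to 5 asset-criticality scale) and rolls the result up per vendor. The weights, the scale, the vendor names and the findings are all constructed assumptions chosen to show the effect, not values taken from the survey.

```python
from dataclasses import dataclass

# Constructed weights (assumptions for illustration, not survey data).
# Exposure and exploitation multiply the base score; asset criticality
# scales it so that a criticality of 3 leaves the CVSS score unchanged.
EXPOSURE_WEIGHT = {True: 1.5, False: 0.7}
EXPLOIT_WEIGHT = {True: 1.4, False: 1.0}
CRITICALITY_BASELINE = 3  # assumed 1 (low) .. 5 (business critical)


@dataclass(frozen=True)
class Finding:
    finding_id: str          # placeholder id, not a CVE
    vendor: str              # constructed vendor name
    cvss: float              # CVSS base score as reported by the ASM tool
    internet_exposed: bool   # reachable from outside the perimeter?
    exploited_in_wild: bool  # active exploitation known?
    asset_criticality: int   # business criticality of the affected asset


def business_risk(f: Finding) -> float:
    """Context-adjusted score: CVSS weighted by exposure, exploitation
    and asset criticality, rounded to two decimals for reporting."""
    score = (
        f.cvss
        * EXPOSURE_WEIGHT[f.internet_exposed]
        * EXPLOIT_WEIGHT[f.exploited_in_wild]
        * (f.asset_criticality / CRITICALITY_BASELINE)
    )
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings by business risk, highest first."""
    return sorted(findings, key=business_risk, reverse=True)


def by_cvss(findings: list[Finding]) -> list[Finding]:
    """The naive ordering the survey warns against: raw CVSS only."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def vendor_summary(findings: list[Finding]) -> dict[str, float]:
    """Per-vendor worst-case business risk, for the TPRM scorecard."""
    summary: dict[str, float] = {}
    for f in findings:
        summary[f.vendor] = max(summary.get(f.vendor, 0.0), business_risk(f))
    return summary


# Constructed sample findings. FINDING-1 has the highest CVSS but sits on a
# low-value internal host; FINDING-2 has the lowest CVSS but is exposed,
# actively exploited and on a business-critical asset.
SAMPLE_FINDINGS = [
    Finding("FINDING-1", "vendor-a", 9.8, False, False, 1),
    Finding("FINDING-2", "vendor-b", 6.5, True, True, 5),
    Finding("FINDING-3", "vendor-a", 7.5, True, False, 3),
    Finding("FINDING-4", "vendor-c", 9.1, False, True, 4),
]


if __name__ == "__main__":
    print("By CVSS only:      ", [f.finding_id for f in by_cvss(SAMPLE_FINDINGS)])
    print("By business risk:  ", [f.finding_id for f in prioritize(SAMPLE_FINDINGS)])
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"  {f.finding_id}: cvss={f.cvss} risk={business_risk(f)}")
    print("Vendor scorecard:  ", vendor_summary(SAMPLE_FINDINGS))
```

With these constructed inputs the CVSS-only ordering puts FINDING-1 first and FINDING-2 last, while the context-adjusted ordering inverts that, which is the point the survey makes: the same vulnerability data yields a different remediation queue once exposure, exploitation and asset value are taken into account. The weights here are deliberately simple; in practice they would come from the organization's own asset inventory and threat intelligence.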
Technical Notes — The survey highlights pain points such as fragmented security stacks, insufficient external exposure detection (only 28% of respondents felt their ASM platform could reliably locate sensitive files), and the need for integration with SIEM, ITSM, and cloud‑native tools. No specific CVEs or malware were cited. Source: Qualys Blog – SANS ASM Survey 2025 Insights