Attack Surface Management (ASM) tools offer the promise of reduced risk, but often deliver more information instead. Security teams implement ASM, leading to the growth of asset inventories, increased alerts, and filled dashboards. While there is visible activity and measurable output, the answer to the question “Is this reducing incidents?” remains unclear, highlighting the core ROI problem in attack surface management when ROI is primarily measured through asset counts rather than risk reduction.
The Promise vs. The Proof
Most ASM programs focus on discovery, emphasizing the importance of knowing what assets exist to protect them. However, metrics such as the number of assets discovered, changes detected, and alerts generated do not directly indicate whether the organization is truly safer. Teams often find themselves busier without feeling less exposed, showcasing the gap between effort and outcome in ASM.
Why ASM Feels Busy but Not Effective
ASM tends to prioritize coverage metrics, such as the quantity of assets discovered, changes detected, and alerts generated, which may give the impression of progress but do not necessarily translate to reduced risk. Teams commonly experience alert fatigue, long backlogs of unresolved assets, ownership confusion, and prolonged exposure, indicating that the work is tangible but the actual risk reduction is harder to discern.
The Measurement Gap
One of the reasons why proving ASM ROI is challenging is that most attack surface metrics concentrate on what the system can observe rather than on actual organizational improvements. While common attack surface management metrics include the number of assets and changes, more meaningful metrics such as how quickly risky assets are claimed, the duration of dangerous exposure, and the reduction of attack paths over time are often neglected.
What Would Meaningful ROI Look Like?
Rather than focusing solely on the quantity of assets discovered, a more valuable approach would involve assessing how much faster and safer the organization has become at handling exposure. By shifting the ROI perspective from visibility to response quality and exposure duration, organizations can better align their efforts with real-world risk reduction.
Three Outcome Metrics That Actually Matter
1. Mean Time to Asset Ownership
Reducing the time it takes to determine asset ownership is crucial as assets without clear ownership tend to linger longer, get patched later, and are more likely to be forgotten entirely. A shorter time-to-ownership signifies that ASM findings are being translated into action.
2. Reduction in Unauthenticated, State-Changing Endpoints
Tracking the number of external endpoints that can change state and do not require authentication provides a more accurate indication of whether the attack surface is shrinking where it matters most. An environment with few unauthenticated, state-changing paths is inherently safer than one with many risky entry points.
3. Time to Decommission After Ownership Loss
Measuring how quickly assets are retired once ownership is lost reflects long-term hygiene and is a strong indicator of risk reduction. If abandoned assets persist indefinitely, it suggests that discovery alone is not effectively reducing risk.
What This Looks Like in Practice
Instead of fixating on total asset count, organizations should prioritize metrics such as asset ownership, unresolved assets, and the duration of unclear ownership to drive faster resolution and reduce risk more effectively.
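The three outcome metrics above and the ownership backlog described here can all be computed from an ordinary asset inventory. The following is an added example, not code from the article or from Sprocket Security, that evaluates them against a small constructed inventory at two points in time; the asset names, endpoints and timestamps are invented for illustration, and the snapshot logic (only events that have happened by the chosen time count) is an assumption about how such a report should behave.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Endpoint:
    path: str
    state_changing: bool   # e.g. POST/PUT/DELETE handlers, not read-only GETs
    requires_auth: bool


@dataclass
class Asset:
    name: str
    discovered_at: datetime
    owner_assigned_at: Optional[datetime] = None
    owner_lost_at: Optional[datetime] = None
    decommissioned_at: Optional[datetime] = None
    endpoints: list = field(default_factory=list)

    def is_live(self, now: datetime) -> bool:
        return _seen(self.decommissioned_at, now) is None

    def has_owner(self, now: datetime) -> bool:
        return (_seen(self.owner_assigned_at, now) is not None
                and _seen(self.owner_lost_at, now) is None)


def _seen(ts: Optional[datetime], now: datetime) -> Optional[datetime]:
    """Snapshot semantics (assumed): an event counts only if it happened by `now`."""
    return ts if ts is not None and ts <= now else None


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_ownership(assets, now):
    """Metric 1. Still-unowned assets are charged their full age so far, so a
    growing orphan backlog pushes the number up instead of hiding behind it."""
    durations = [_hours(a.discovered_at, _seen(a.owner_assigned_at, now) or now)
                 for a in assets if a.discovered_at <= now]
    return round(mean(durations), 1) if durations else 0.0


def unauthenticated_state_changing_endpoints(assets, now):
    """Metric 2. Only live assets count; retired hosts expose nothing."""
    return sum(
        1
        for a in assets if a.is_live(now)
        for e in a.endpoints if e.state_changing and not e.requires_auth
    )


def mean_time_to_decommission(assets, now):
    """Metric 3. Hours from ownership loss to retirement; assets that lost an
    owner and are still live are charged the time the gap has been open."""
    durations = [_hours(a.owner_lost_at, _seen(a.decommissioned_at, now) or now)
                 for a in assets if _seen(a.owner_lost_at, now)]
    return round(mean(durations), 1) if durations else 0.0


def ownership_backlog(assets, now):
    """Live assets with no current owner and how long that gap has been open (hours)."""
    gaps = [(a.name, round(_hours(_seen(a.owner_lost_at, now) or a.discovered_at, now), 1))
            for a in assets if a.discovered_at <= now and a.is_live(now) and not a.has_owner(now)]
    return sorted(gaps, key=lambda g: -g[1])


def exposure_report(assets, now):
    """All three outcome metrics plus the backlog for one point in time."""
    return {
        "mean_hours_to_ownership": mean_time_to_ownership(assets, now),
        "unauth_state_changing_endpoints": unauthenticated_state_changing_endpoints(assets, now),
        "mean_hours_to_decommission": mean_time_to_decommission(assets, now),
        "ownership_backlog": ownership_backlog(assets, now),
    }


# Constructed sample inventory (hypothetical names and endpoints, not real assets).
T0 = datetime(2024, 1, 1)
H = timedelta(hours=1)
SAMPLE_ASSETS = [
    Asset("web-app", T0, owner_assigned_at=T0 + 6 * H,
          endpoints=[Endpoint("/api/orders", True, True), Endpoint("/healthz", False, False)]),
    Asset("legacy-upload", T0, owner_assigned_at=T0 + 72 * H,
          endpoints=[Endpoint("/upload", True, False)]),
    Asset("old-cdn", T0, owner_assigned_at=T0 + 2 * H, owner_lost_at=T0 + 240 * H,
          decommissioned_at=T0 + 480 * H, endpoints=[Endpoint("/purge", True, False)]),
    Asset("orphan-dev", T0 + 100 * H, endpoints=[Endpoint("/admin/reset", True, False)]),
]

if __name__ == "__main__":
    # Two snapshots of the same inventory: the trend, not the asset count, tells the ROI story.
    for label, when in (("day 12", T0 + 300 * H), ("day 30", T0 + 720 * H)):
        print(label, exposure_report(SAMPLE_ASSETS, when))
```

Between the two snapshots the asset count is unchanged at four, yet the unauthenticated state-changing endpoint count drops from three to two because old-cdn was retired, and the ownership backlog shrinks to a single asset; the mean time to ownership rises because orphan-dev remains unowned, which is exactly the signal a count-based dashboard would hide.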
Turning ASM into a Control
ASM struggles not due to lack of effort but because the outcomes are not consistently aligned with leadership’s priorities. By reframing ROI around speed, ownership, and exposure duration, organizations can demonstrate tangible progress, even if the raw asset count remains unchanged.
A Concrete Starting Point
One approach to validate outcome-based ASM metrics is to make asset visibility widely accessible across teams, eliminating tooling silos. By enabling engineering, security, and infrastructure teams to see ownership gaps and exposure duration, organizations can expedite resolution without inundating teams with more alerts.
If an attack surface management program cannot demonstrate a reduction in exposure over time, it is challenging to argue that it is more than just identifying the problem.
Note: This article was expertly written and contributed by Topher Lyons, Solutions Engineer at Sprocket Security.