What Is Attack Surface Management? A Plain-English Guide for UK SMBs
Attack surface management explained without the jargon — what it is, why it matters for UK small businesses, and how a passive scan protects you without touching your systems.
What attackers see before you do
Every domain you own has a public face: DNS records, SSL certificates, mail authentication policies, HTTP headers. Attackers read all of it before they send a single packet your way. Attack surface management (ASM) is the discipline of reading that same public face — and fixing the weaknesses before someone else exploits them.
Active vs passive scanning
Most security tools are active: they probe your servers, attempt connections, send test payloads. That is useful, but it is also noisy, potentially disruptive, and legally grey when run against systems you do not own; in the UK, unauthorised probing can fall within the Computer Misuse Act 1990.
Passive scanning reads only data that is already public: DNS records, certificate transparency logs, published SPF and DMARC policies, TLS grading results, and the response headers your site already sends to every visitor. Nothing is probed, fuzzed or logged in to. Where a check touches your systems at all, it is a single ordinary request of the kind a DNS resolver or a browser makes many times a day, not a test payload, so there is nothing to disrupt. That makes it safe to run on any domain you have a legitimate interest in, such as a supplier you are assessing or a domain you are about to acquire, and it shows you exactly what an attacker doing reconnaissance already sees.
The six checks that matter most
- DNS hygiene — dangling CNAME records, missing CAA entries (without CAA, any publicly trusted CA may issue a certificate for your domain), nameservers that differ between the registrar delegation and the zone itself
- TLS grade — protocol versions (TLS 1.2 and 1.3 only; SSLv3, TLS 1.0 and TLS 1.1 are deprecated and count as a finding), cipher suites, certificate validity and whether the full chain is served
- Email authentication — SPF, DKIM and DMARC records, and whether together they actually instruct receiving mail servers to reject mail that fails
- HTTP security headers — CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
- Subdomain takeover risk — CNAMEs pointing at a decommissioned SaaS or cloud hostname that an attacker could register and then serve content from under your name
- Email spoofing exposure — whether a message forged with your domain in the From: header would be delivered today, which comes down to SPF ending in -all and DMARC enforcing p=quarantine or p=reject
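The following is an added example, not VP Shield's code, showing how several of these checks are evaluated once the public data has been collected: it parses SPF and DMARC records (including the p=none versus p=reject distinction the BEC section below relies on), looks for a CAA record, flags CNAMEs whose target no longer resolves, and lists missing security headers. The domain, records, headers and resolution results are constructed for illustration; only the SPF and DMARC syntax and the header names are real.

```python
"""Offline version of the DNS, email-authentication and HTTP-header checks
listed above, run over a constructed sample. Added example, not VP Shield's
code: the domain, records, headers and resolution results are invented; only
the SPF (RFC 7208) and DMARC (RFC 7489) syntax and the header names are real."""

# Constructed DNS answers for a hypothetical domain, keyed by (name, type).
SAMPLE_ZONE = {
    ("example.co.uk", "TXT"): ["v=spf1 include:_spf.google.com ~all"],
    ("_dmarc.example.co.uk", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"],
    ("example.co.uk", "CAA"): [],
    ("old-app.example.co.uk", "CNAME"): ["example-co-uk.herokuapp.com."],
    ("www.example.co.uk", "CNAME"): ["example.co.uk."],
}
# Constructed lookups of the CNAME targets. None models NXDOMAIN: a name that
# nobody currently controls, which is exactly the subdomain takeover condition.
SAMPLE_RESOLUTION = {"example-co-uk.herokuapp.com.": None, "example.co.uk.": ["203.0.113.10"]}
# Constructed HTTP response headers for the same hypothetical site.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                  "X-Frame-Options": "DENY"}
REQUIRED_HEADERS = ("Content-Security-Policy", "Strict-Transport-Security",
                    "X-Frame-Options", "Referrer-Policy", "Permissions-Policy")


def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "HIGH: no SPF record, so any host can send as this domain"
    if len(spf) > 1:
        return "HIGH: multiple SPF records, which receivers treat as a permanent error"
    # The trailing 'all' mechanism decides what happens to senders not listed.
    all_term = next((t for t in spf[0].split() if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or not all_term.startswith(("-", "~")):
        return "HIGH: SPF does not end in -all or ~all, so unlisted senders pass"
    if all_term.startswith("~"):
        return "MEDIUM: SPF ends in ~all (softfail) and relies on DMARC for enforcement"
    return "OK: SPF ends in -all"


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "HIGH: no DMARC record, so forged From: headers are never rejected"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "HIGH: DMARC p=none is monitor-only; spoofed mail is still delivered"
    if policy not in ("quarantine", "reject"):
        return "HIGH: DMARC record present but its p= tag is missing or invalid"
    if tags.get("pct", "100") != "100":  # pct<100 leaves part of the mail stream unenforced
        return f"MEDIUM: DMARC p={policy} applies to only {tags['pct']}% of mail"
    if policy == "quarantine":
        return "MEDIUM: DMARC p=quarantine sends spoofed mail to junk; p=reject blocks it"
    return "OK: DMARC p=reject"


def check_caa(caa_records):
    if not caa_records:
        return "MEDIUM: no CAA record, so any public CA may issue for this domain"
    return "OK: CAA restricts issuance to " + ", ".join(caa_records)


def check_dangling_cnames(zone, resolve):
    """Flag CNAMEs whose target does not resolve (targets absent from the map count as unresolved)."""
    findings = []
    for (name, rtype), targets in zone.items():
        for target in targets if rtype == "CNAME" else []:
            if resolve.get(target) is None:
                findings.append(f"HIGH: {name} -> {target} does not resolve (takeover risk)")
    return findings


def check_headers(headers):
    """Return the recommended security headers the site does not send."""
    present = {h.lower() for h in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def run_scan(domain, zone=SAMPLE_ZONE, resolve=SAMPLE_RESOLUTION, headers=SAMPLE_HEADERS):
    """Run every check against the (constructed) data and return the findings."""
    return {
        "spf": check_spf(zone.get((domain, "TXT"), [])),
        "dmarc": check_dmarc(zone.get(("_dmarc." + domain, "TXT"), [])),
        "caa": check_caa(zone.get((domain, "CAA"), [])),
        "dangling_cnames": check_dangling_cnames(zone, resolve),
        "missing_headers": check_headers(headers),
    }


if __name__ == "__main__":
    for check, result in run_scan("example.co.uk").items():
        print(f"{check}: {result}")
```

Against the constructed sample the scan reports a softfail-only SPF, a monitor-only DMARC policy, no CAA record, one dangling CNAME and three missing headers. In a real scan the three sample dictionaries would be replaced by live DNS answers, a resolver lookup of each CNAME target and the headers from one ordinary GET; the evaluation logic stays the same.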
Why UK SMBs are the most exposed
Enterprise companies have dedicated security teams who run these checks continuously. SMBs (firms with 5 to 150 users) typically set up DNS and mail records once and never revisit them, so a UK SMB's primary domain usually carries at least two significant misconfigurations, with more on parked or legacy domains.
Attackers know this. Business email compromise (BEC), where criminals send mail that appears to come from your domain to defraud your clients, is the most financially damaging cybercrime category for UK businesses, according to the NCSC. Exact-domain spoofing succeeds when the target domain has no DMARC policy or has one set to p=none (monitor only, no enforcement): receiving servers see the authentication failure but deliver the message anyway. Enforcement stops that specific attack; it does nothing against a lookalike domain with one character changed or against a mailbox that has already been compromised, so DMARC is a necessary control rather than a complete one.
How often should you scan?
At minimum, scan your primary domain every quarter, and scan immediately after any infrastructure change: new hosting, new mail provider, new subdomain, a change of DNS provider. Some organisations run weekly scans across their whole domain portfolio, including parked and legacy names, to catch newly issued certificates. A certificate for a subdomain nobody recognises usually means shadow IT; one from a CA you do not use can mean someone else obtained it. Typosquat domains are not your domain, so certificate transparency only reveals them if you also watch the lookalike names.
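As an added example (not VP Shield's code) of the certificate-transparency review described above, the block below takes a list of CT entries and reports any certificate issued since a given date that names a host not in your inventory or that comes from a CA you do not use. The entries are constructed to resemble the JSON crt.sh returns (a newline-separated name_value field and an ISO not_before timestamp), and the inventory and allowed-CA list are assumptions a real deployment would maintain itself.

```python
"""Review certificate-transparency entries for names you do not recognise or
CAs you do not use. Added example, not VP Shield's code. The entries below are
constructed to resemble crt.sh's JSON output (name_value carries the SANs
separated by newlines, not_before is an ISO timestamp); a real run would fetch
that JSON for the domain and keep a maintained inventory of expected hosts."""
from datetime import datetime

# Constructed inventory of the hostnames the organisation expects to exist.
KNOWN_HOSTS = {"example.co.uk", "www.example.co.uk", "mail.example.co.uk"}

# Constructed CT entries for the hypothetical domain.
SAMPLE_CT_ENTRIES = [
    {"not_before": "2024-01-10T09:00:00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.co.uk\nwww.example.co.uk\nshared-host.example.net"},
    {"not_before": "2024-03-02T14:30:00", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging-crm.example.co.uk"},
    {"not_before": "2024-03-05T08:15:00",
     "issuer_name": "C=AT, O=ZeroSSL, CN=ZeroSSL RSA Domain Secure Site CA",
     "name_value": "*.example.co.uk"},
]


def names_in(entry):
    """All SANs on the certificate, normalised to lower case."""
    return {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}


def review_ct_entries(entries, domain, known_hosts, allowed_issuers, since):
    """Return (hostname, reason, not_before) tuples for certificates issued on or
    after `since` that name an unknown host under `domain` or come from a CA
    not listed in `allowed_issuers` (matched as a substring of issuer_name)."""
    since_dt = datetime.fromisoformat(since)
    findings = []
    for entry in entries:
        if datetime.fromisoformat(entry["not_before"]) < since_dt:
            continue
        issuer_ok = any(ca in entry["issuer_name"] for ca in allowed_issuers)
        for name in sorted(names_in(entry)):
            if name != domain and not name.endswith("." + domain):
                continue  # a SAN for some other domain sharing the certificate
            if name not in known_hosts:
                findings.append((name, "not in inventory", entry["not_before"]))
            if not issuer_ok:
                findings.append((name, "issued by unexpected CA", entry["not_before"]))
    return findings


if __name__ == "__main__":
    for name, reason, issued in review_ct_entries(
            SAMPLE_CT_ENTRIES, "example.co.uk", KNOWN_HOSTS, ("Let's Encrypt",), "2024-02-01"):
        print(f"{issued}  {name}: {reason}")
```

Run weekly with `since` set to the previous run, this turns the CT log into a change feed: a staging host nobody registered shows up as "not in inventory", and a wildcard certificate from a CA you never authorised shows up twice, once for each reason. A CAA record limiting issuance to the CAs you actually use would have prevented the second case rather than merely detecting it.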
Start for free
VP Shield runs the full six-check passive scan on any domain at no cost, no login, no installation. Enter a domain, get results in under two minutes. For organisations that want continuous monitoring, a scheduled review, or a full written report, contact VantagePoint Networks.