EASM for SMEs and the supply chain: know and manage your external attack surface
Published on June 16, 2026
Most organisations know surprisingly little about what is visible of them from the outside. Not out of negligence, but because the external attack surface constantly grows and shifts: a new subdomain for a campaign, a test environment that stayed online, an integration with a supplier, a certificate about to expire. An attacker only has to find one forgotten door. You have to know them all.
External Attack Surface Management, EASM for short, is about exactly that: keeping continuous sight of everything visible from the internet, so you can manage it before someone else abuses it. This article explains what EASM is, why it matters for SMEs and the supplier chain in particular, and how to approach it with evidence.
In short
- Your external attack surface is everything visible from the outside: domains, subdomains, open ports, certificates, software versions and exposed admin panels.
- EASM is continuous, not a one-off scan. The surface changes constantly, so a snapshot is immediately out of date.
- SMEs often have more exposed than they think, without a team keeping track. That makes unknown assets the biggest risk.
- The chain counts too. If you supply an organisation that falls under NIS2, demonstrable insight into your attack surface becomes a requirement that shows up in contracts.
What is your external attack surface?
Your attack surface is the sum of all points an outsider can make contact with. Concretely: your domains and subdomains, the ports and services that are open, your TLS certificates, the software versions you reveal to the outside, and admin interfaces that are reachable by accident. That outside view is exactly what an attacker reconnoiters before trying anything. To see it up close, read what an attacker sees of your domain.
The hard part is not the known systems. It is the forgotten and unintended things: shadow IT, old test setups, subdomains of a project that finished long ago. How to get a grip on those is covered in shadow IT and your external attack surface.
What EASM is, and what it is not
EASM is a way of working plus the underlying technology to continuously discover, assess and track your external surface. It finds assets you had lost sight of, checks which of them are vulnerable or misconfigured, and tracks how that picture develops.
What EASM is not: a compliance certification, and not a replacement for your broader security. It provides technical insight and evidence, not a legal stamp. Scanning alone does not make you compliant; the article scanning is not NIS2 compliance explains why. EASM is a building block: a strong one, but one of several.
Why this matters for SMEs in particular
Large organisations have security teams watching the attack surface. SMEs usually do not, while their digital footprint grows just as fast. A marketing agency puts a landing page online, a developer tests something on a subdomain, a service is rolled out in the cloud. Each is legitimate, but together they form a surface no one fully oversees.
You cannot protect what you do not have in view. The difference between your official asset list and what is actually online is often your first and most important finding.
Why the chain makes the difference
Your suppliers' external surface is just as visible from the outside as yours. For an attacker, the weakest link in the chain is an attractive entry point. For an organisation that falls under NIS2, that is exactly why the supply-chain duty of care exists: you have to weigh and manage the risks that come in via third parties.
In practice this means you monitor not only your own surface, but also the basic security of the parties you are responsible for. That is how supplier monitoring works: the same reconnaissance, but across your chain, with traceable evidence per finding.
From snapshot to continuous picture
The biggest mistake is treating EASM as an annual scan. Your surface changes every week, so last month's report describes an organisation that no longer exists. Continuous monitoring instead shows a timeline: what was added, what changed, and what was followed up.
That time dimension is also what a regulator, customer or insurer wants to see. Not a one-time "it was fine", but a demonstrable process that keeps running.
How do you start?
- Discover from the outside in. First map what is actually visible, separate from your internal register. The difference between the two is your starting point.
- Assess and prioritise. Weigh each finding on exposure and impact. A vulnerability on a publicly reachable service weighs more than the same one behind a VPN.
- Assign ownership. Each asset and finding gets an owner and a decision: fix, accept or remove.
- Monitor continuously and record. Track the surface continuously and keep what was found and when, so you can retrace it later.
- Include your chain. Extend the picture to the suppliers you are responsible for.
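The five steps above as one worked reconciliation, added here as an example; it is not code from Exposentry or the OpenKAT project. It also shows the time dimension from the previous section: a second observation is diffed against the first, so the record says what appeared, what disappeared, and when. The register, the two outside-in observations, the findings and the hostnames under example.com are constructed, and the three-to-one weighting of a publicly reachable service over one behind a VPN is an assumption chosen for illustration.

```python
"""Reconcile an outside-in view of the attack surface with the internal asset
register, prioritise findings by exposure and impact, assign owners, and keep
the change history between observations.

Added example, not Exposentry or OpenKAT code. Every host, port, owner and
finding below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str
    public: bool  # True: reachable from the internet; False: only behind the VPN


@dataclass(frozen=True)
class Finding:
    asset: Asset
    issue: str
    impact: int  # 1 (low) to 3 (high), as judged by the assessor


# Step 1 input: the register as the organisation believes it to be,
# hostname -> owner (constructed).
REGISTER = {
    "www.example.com": "web team",
    "mail.example.com": "it ops",
    "legacy.example.com": "it ops",  # decommissioned last year, never removed
}

# Two constructed outside-in observations, a week apart.
DAY1 = frozenset({
    Asset("www.example.com", 443, "https", True),
    Asset("mail.example.com", 25, "smtp", True),
    Asset("staging.example.com", 443, "https", True),  # forgotten test environment
})
DAY8 = frozenset({
    Asset("www.example.com", 443, "https", True),
    Asset("mail.example.com", 25, "smtp", True),
    Asset("campaign2026.example.com", 80, "http", True),  # new landing page
})

# Constructed findings: two from the outside-in scan, one from an internal scan
# of a host that is only reachable behind the VPN.
FINDINGS = [
    Finding(Asset("intranet.example.com", 443, "https", False), "TLS 1.0 enabled", 2),
    Finding(Asset("staging.example.com", 443, "https", True), "admin panel without authentication", 3),
    Finding(Asset("www.example.com", 443, "https", True), "TLS 1.0 enabled", 2),
]


def unknown_hosts(register, observed):
    """Step 1: hosts visible from outside that the register does not know about."""
    return sorted({a.host for a in observed} - set(register))


def unobserved_hosts(register, observed):
    """Register entries not seen from outside: decommissioned, or not externally exposed."""
    return sorted(set(register) - {a.host for a in observed})


def score(finding):
    """Step 2: the same issue weighs three times more on a publicly reachable
    service than behind the VPN (weighting is an assumption for this example)."""
    return finding.impact * (3 if finding.asset.public else 1)


def prioritise(findings):
    """Step 2: highest score first; stable sort keeps input order on ties."""
    return sorted(findings, key=score, reverse=True)


def owner_of(host, register, default="unassigned"):
    """Step 3: owner from the register; an unknown asset stays 'unassigned'
    until someone claims it and decides: fix, accept or remove."""
    return register.get(host, default)


def _by_host_port(asset):
    return (asset.host, asset.port)


def diff_snapshots(before, after):
    """Step 4: what appeared and what disappeared between two observations."""
    return {"added": sorted(after - before, key=_by_host_port),
            "removed": sorted(before - after, key=_by_host_port)}


def timeline(snapshots):
    """Step 4: keep the history of changes, not only the latest picture.
    snapshots is a chronological list of (date label, observed asset set)."""
    history = []
    for (_, earlier), (day, later) in zip(snapshots, snapshots[1:]):
        delta = diff_snapshots(earlier, later)
        history.append((day, delta["added"], delta["removed"]))
    return history


if __name__ == "__main__":
    print("seen from outside, unknown to the register:", unknown_hosts(REGISTER, DAY1))
    print("in the register, not seen from outside:", unobserved_hosts(REGISTER, DAY1))
    for f in prioritise(FINDINGS):
        print(f"{score(f):>2} {f.asset.host}:{f.asset.port} {f.issue} "
              f"(owner: {owner_of(f.asset.host, REGISTER)})")
    for day, added, removed in timeline([("2026-06-01", DAY1), ("2026-06-08", DAY8)]):
        print(day, "added:", [a.host for a in added], "removed:", [a.host for a in removed])
```

Run as-is it reports the forgotten staging host as the first finding to act on with no owner, the stale register entry nobody has removed, and a week later the staging host gone and a new campaign host in its place. In a real deployment the two observation sets come from your discovery tooling and the register from your CMDB; the reconciliation and the history are what stay the same.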
Exposentry is built for this: NL-sovereign, forensically substantiated monitoring of your external attack surface, for your own domains and your chain. See the pricing or start a scan of your organisation and expose the difference between your register and reality.
Frequently asked questions
What does EASM mean? EASM stands for External Attack Surface Management: continuously mapping and managing everything visible of your organisation from the internet.
What is the difference between EASM and a pentest? A pentest is a deep snapshot of a defined scope. EASM is broad and continuous and flags change. They complement each other.
Is EASM only for large organisations? No. SMEs in particular often have more exposed than they think, and anyone supplying a NIS2-bound customer will deal with it regardless.
How often does my attack surface change? Continuously. That is why a one-off scan is already out of date by the time you read it.
Does EASM also manage my suppliers' risks? With chain monitoring you bring your suppliers' basic security into view, which aligns with the NIS2 supply-chain duty of care.
Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.