ANALYSIS

Identity Attack Surface: What Infrastructure ASM Vendors Don’t See

Most attack surface management platforms map machines. They enumerate what an organisation owns on the public internet — domains, subdomains, certificates, exposed ports, cloud buckets, forgotten staging environments, third-party SaaS — and rank what looks exploitable. The category name is honest about its scope. It manages the surface that infrastructure presents to an attacker.

What it does not map is the surface that people present.

The distinction has become operationally important. The most expensive intrusions of the past three years did not begin with a misconfigured S3 bucket or an unpatched Apache instance. They began with a LinkedIn page, a leaked credential from an old infostealer log, a deepfake of a CFO’s voice, or a phone number harvested from a public records aggregator. The infrastructure was sound. The people-shaped surface was not.

This piece sits with that gap. It maps what the current generation of ASM, CAASM, and exposure-assessment platforms actually cover as of mid-2026, traces three documented breaches that turned on identity-surface failures the platforms were not designed to see, and proposes a working definition of what an identity attack surface inventory should contain.

The vendor map (May 2026)

The market for attack surface visibility splits into three working categories, plus a fourth Gartner has begun consolidating the others into.

External Attack Surface Management (EASM) discovers internet-facing assets the organisation owns or controls, many of which the organisation has forgotten. The dominant offerings:

  • Tenable Attack Surface Management (formerly Tenable.asm, integrated into the Tenable One Exposure Management Platform) maps externally facing assets against an inventory Tenable describes as “more than 5 billion assets.”
  • CrowdStrike Falcon Surface (built on the Reposify acquisition) scans the public internet continuously and feeds findings into the Falcon Exposure Management module, with prioritisation handled by ExPRT.AI.
  • Microsoft Defender External Attack Surface Management (built on the RiskIQ acquisition) uses recursive discovery from known legitimate assets to infer ownership of related infrastructure, integrated with Defender XDR and Sentinel.
  • Palo Alto Cortex Xpanse scans the full IPv4 space several times daily and integrates with XSOAR for automated remediation playbooks.

Cyber Asset Attack Surface Management (CAASM) sits inside the perimeter. It aggregates data from existing security tools (EDR, vulnerability scanners, identity providers, MDM, cloud control planes) into one queryable inventory of assets the organisation already knows about. The leading offerings are Axonius and JupiterOne, with Armis, Qualys CyberSecurity Asset Management, and JumpCloud also competing in the category.

Exposure Assessment Platforms (EAP). In its 2025 Hype Cycle for Security Operations, Gartner declared both CAASM and EASM “obsolete before plateau” and folded them into a broader category, Exposure Assessment Platforms, that combines asset discovery, vulnerability assessment, and attack-path simulation. Vendors have largely accepted the reframing. Tenable One, CrowdStrike Falcon Exposure Management, and Microsoft Security Exposure Management are positioned as exposure platforms with EASM as one input. Axonius now markets the same product line as “asset intelligence.”

What every product in these three categories has in common is the unit of analysis. They count assets: IPs, hostnames, certificates, software components, cloud resources, API endpoints. The asset is technical. The attack surface is, by construction, the set of technical assets reachable by an attacker.

The third surface

There is a fourth category of surface that none of these platforms is designed to inventory: the public, semi-public, and breached information that exists about an organisation’s people. Names, roles, reporting lines, biographical details, photographs, voice samples, personal phone numbers, home addresses, family members, historical email addresses, and the credentials that have leaked alongside those email addresses.

This surface is reachable by the same attackers, with the same kind of automated tooling. It is searchable across LinkedIn, Companies House and equivalent registries, court records, conference programmes, podcast appearances, X/Twitter, Instagram, people-search platforms (Spokeo, BeenVerified, Whitepages, Intelius and the European equivalents), data-broker B2B records (Acxiom, Experian Marketing Solutions, LexisNexis Risk Solutions), breach-corpus aggregators, and stealer-log marketplaces.

It is also the surface that the most operationally successful intrusions of 2023–2025 leaned on most heavily.

A working definition: the identity attack surface of an organisation is the set of public, semi-public, and breached data points about the organisation’s people that an attacker can use to construct a pretext, defeat an authentication step, impersonate a principal, or build a credential against a corporate system. It is people-shaped, not asset-shaped. It has no IP address.

Why the category is structurally hard to sell

Three reasons the gap persists, all incentive-shaped rather than technical.

The data is not enumerable from one API. Infrastructure ASM works because IPv4 is small, port-scanning is fast, and certificate transparency logs are public. The identity surface is scattered across hundreds of indexed and de-indexed sources, each with different opt-out mechanics, different jurisdictions, and different update cadences. There is no single feed an EASM vendor can subscribe to and call it discovery.

The remediation is not a dashboard. Closing an exposed port is a technical action a SOC can take in minutes. Removing a record from a people-search platform is a 30-day legal process with verification steps that vary by jurisdiction. EU residents have GDPR Article 17, UK residents have UK GDPR Article 17, US residents in California have the Delete Act, and US residents elsewhere have the broker’s voluntary process or none at all. This does not fit a SaaS dashboard’s promise of one-click remediation.

The buyer organisation is not always the right party. Removing personal data about an executive requires that executive’s identity verification, authority, and sometimes a notarised affidavit. The CISO procuring the platform cannot click a button to remove the CFO’s home address from a US data broker. Vendor product managers tend to avoid features whose execution depends on the consent of someone who is not the purchasing entity.

The result is that the identity attack surface gets quietly ceded to a different procurement category (executive protection, brand protection, threat intelligence, sometimes anti-fraud) without anyone owning the operational picture as an inventory.

Three documented attack chains

The following intrusions are well-documented in primary sources. Each turned on identity-surface data that infrastructure platforms did not and could not see.

MGM Resorts, September 2023: LinkedIn to Okta in ten minutes

On 11 September 2023, MGM Resorts disclosed a cyber incident that disrupted hotel check-in, casino floor systems, dining, and entertainment across multiple properties. Reservation systems were down for days. The incident contributed approximately $100 million to MGM’s third-quarter losses.

The attack was attributed to Scattered Spider (also tracked as UNC3944), a financially motivated group operating partly in the United States and United Kingdom. The initial access vector was social engineering, not infrastructure compromise.

The documented sequence, per CISA and FBI advisories and reporting based on the threat actor’s own statements:

  1. The attackers identified a senior MGM IT employee using LinkedIn: role, name, employer, and tenure.
  2. They called MGM’s IT helpdesk and impersonated the employee.
  3. The helpdesk authenticated the caller using publicly available identity attributes, none of which were secret, and reset multifactor authentication on the impersonated account.
  4. Within approximately ten minutes of the helpdesk call, the attackers had access to MGM’s Okta identity provider and Azure cloud environment.
  5. The attackers then escalated to ransomware deployment on internal infrastructure.

No infrastructure attack surface management platform would have flagged the precondition for this attack. The LinkedIn profile was legitimate, the IT employee’s role was correctly disclosed, and the helpdesk verification process used public identity attributes by design. The exploit was a category mismatch between what the helpdesk treated as identity proof and what the attacker had already collected from the identity surface.

[Figure: Timeline of the MGM Resorts September 2023 intrusion: LinkedIn reconnaissance, helpdesk vishing, MFA reset, Okta and Azure access within ten minutes, ransomware deployment]

Snowflake customer breaches, April–June 2024: credentials from infostealer logs of unknown vintage

Beginning in April 2024, an actor tracked by Mandiant as UNC5537 systematically targeted customer instances of the Snowflake cloud data platform. The intrusions were not a Snowflake-side vulnerability. They were a credential-reuse campaign at scale.

Per Mandiant’s published investigation:

  • The threat actor used valid Snowflake account credentials previously stolen via infostealer malware. The credential-collection infections dated back as far as 2020.
  • The infostealer families involved included Vidar, RedLine, RisePro, Raccoon Stealer, Lumma, and MetaStealer.
  • A consistent pattern across the affected accounts was the absence of multifactor authentication on Snowflake itself, network allow-list restrictions, or both. With no second factor and no IP scoping, a username-and-password pair from a 2020 home-laptop infection still authenticated successfully four years later.
  • At least 165 organisations were notified as targeted. Disclosed victims included AT&T (call-detail records on approximately 109 million customers), Ticketmaster / Live Nation (approximately 560 million customer records offered for sale), Santander Bank, Advance Auto Parts, Neiman Marcus, Bausch Health, and LendingTree.

What the relevant ASM platforms did show: the Snowflake-tenant subdomain. What they did not show: that a SaaS administrator’s home computer had been infected by an infostealer in 2021, that the resulting credential pair was for sale on a Russian-language Telegram channel by 2022, and that no MFA had been enforced when that credential reached the corporate Snowflake instance in 2024. The compromised assets were not on the corporate attack surface. They were on the identity attack surface: old, leaked, indexed, and waiting.
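The control question this case raises (does a credential leaked years ago still authenticate today?) can be asked of an inventory mechanically. The following is an added example, not code from the briefing or from any vendor named in it: a small evaluator for the credential layer of an identity attack surface inventory that joins leaked-credential records (with their approximate vintage) to a tenant’s per-account controls and reports only the leaks that are still live. Record shapes, field names and sample data are constructed for illustration.

```python
# Added example, not from the briefing: evaluator for the inventory's credential layer,
# modelled on the Snowflake pattern above. Record shapes and sample data are constructed.
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class LeakedCredential:
    email: str
    source: str          # stealer family or breach corpus the record came from
    captured: date       # approximate vintage of the infection or dump
    has_password: bool   # password material recoverable, not just an address

@dataclass(frozen=True)
class TenantAccount:
    username: str
    email: str
    password_last_rotated: Optional[date]   # None = never rotated since creation
    mfa_enforced: bool
    network_allowlist: bool

Finding = namedtuple("Finding", "username source leak_age_days gaps")

def live_exposures(accounts, leaks, today):
    """A leak is live when the password was not rotated after the capture date and
    MFA or an IP allow-list (or both) is absent; leaks neutralised by rotation or
    covered by both controls are not reported. Worst findings sort first."""
    by_email = {}
    for leak in leaks:
        by_email.setdefault(leak.email.lower(), []).append(leak)
    findings = []
    for acct in accounts:
        for leak in by_email.get(acct.email.lower(), []):
            if not leak.has_password:
                continue          # address-only record: nothing to replay
            if acct.password_last_rotated and acct.password_last_rotated > leak.captured:
                continue          # rotated after capture: stale material
            gaps = tuple(name for name, missing in (
                ("no MFA", not acct.mfa_enforced),
                ("no network allow-list", not acct.network_allowlist)) if missing)
            if gaps:
                findings.append(Finding(acct.username, leak.source,
                                        (today - leak.captured).days, gaps))
    return sorted(findings, key=lambda f: (-len(f.gaps), -f.leak_age_days))

# Constructed sample: one stale leak, one covered by both controls, two live.
AUDIT_DATE = date(2024, 5, 1)
ACCOUNTS = [
    TenantAccount("svc_analytics", "dataops@example.com", None, False, False),
    TenantAccount("jdoe", "j.doe@example.com", date(2023, 1, 9), False, False),
    TenantAccount("asmith", "a.smith@example.com", None, True, True),
    TenantAccount("bkhan", "b.khan@example.com", None, True, False),
]
LEAKS = [
    LeakedCredential("dataops@example.com", "RedLine", date(2020, 6, 14), True),
    LeakedCredential("j.doe@example.com", "Raccoon", date(2021, 3, 2), True),
    LeakedCredential("a.smith@example.com", "Vidar", date(2022, 11, 20), True),
    LeakedCredential("b.khan@example.com", "Lumma", date(2022, 1, 10), True),
]
for f in live_exposures(ACCOUNTS, LEAKS, AUDIT_DATE):
    print(f"{f.username}: {f.source} leak {f.leak_age_days} days old, {', '.join(f.gaps)}")
```

On the sample data only the never-rotated account with no MFA and no allow-list, and the MFA-only account, are reported; the rotated password and the account behind both controls drop out.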

Arup, January 2024: a video call where every other participant was synthetic

In January 2024, an employee in the Hong Kong finance office of the British engineering firm Arup received an email purporting to come from the firm’s UK chief financial officer, requesting a confidential transaction. The employee was suspicious and treated the email as likely phishing.

A subsequent video conference invitation followed. The employee joined the call and saw multiple senior Arup colleagues, including the CFO, on screen. The faces and voices matched the people he recognised. The call addressed him by name and discussed the transaction in plausible operational terms.

Following the call, the employee executed 15 separate wire transfers totalling approximately HK$200 million (~US$25 million) to five Hong Kong bank accounts controlled by the attackers. The fraud was discovered when the employee later contacted Arup’s actual UK headquarters about the “secret transaction” and was told no such meeting had taken place.

Hong Kong police confirmed in February 2024 that the entire video conference, with the exception of the victim, had been synthetic; every other participant was a deepfake generated from publicly available video and audio of Arup executives.

The source material for the deepfakes was, by the nature of the firm’s profile, abundant and public. Arup is a 16,000-person engineering firm whose senior staff appear in industry conference recordings, LinkedIn videos, podcast interviews, and corporate communications archives. None of that material was a security control failure on Arup’s part. It was the normal output of a public-facing technical leadership. It was also, in 2024, sufficient feedstock for a $25 million synthetic-media fraud.

The technical attack surface was not implicated. The identity attack surface (face, voice, hierarchy, reporting line, the existence of a UK-to-HK reporting structure, and the plausibility of a “secret transaction” framing for a publicly listed engineering firm working on confidential client projects) was the entire vector.

What an identity attack surface inventory contains

If the gap is real, the question is what closing it would actually look like as an inventory. Drawing the boundary tightly: an identity attack surface inventory enumerates the public, semi-public, and breached data points that compose a working pretext or credential against an organisation’s people. By role, an inventory of this shape covers at least the following layers.

Per-individual identity layer. For each named principal (board members, named executives, senior technical staff, named legal counsel, named family-office staff): full names and known aliases, current and historical home addresses, personal phone numbers, personal email addresses, dates of birth where indexed, identifying photographs and video, voice samples of usable length, family member names where publicly linked, vehicle registration data where public, and political donation records where public.

[Figure: Identity attack surface inventory diagram showing five layers radiating from a named principal: per-individual identity, credentials, reporting and pretext, aggregator presence, familial extension]

Credential layer. For each personal email address, work email address, and known username: appearances in known breach corpora (Have I Been Pwned and equivalents), appearances in stealer-log marketplaces (Hudson Rock and equivalents), and appearances in credential-stuffing combo lists. For each, the password material and approximate vintage where recoverable.

Reporting and pretext layer. Org chart data inferable from LinkedIn and corporate filings, reporting lines and approval authorities inferable from press releases and SEC EDGAR filings, recent named-staff departures and arrivals, vendor relationships inferable from case studies and press, and travel patterns inferable from conference programmes.

Aggregator layer. Each individual’s presence on people-search platforms by jurisdiction (US: Spokeo, BeenVerified, Whitepages, Intelius, Radaris, etc.; EU: equivalent national aggregators), each individual’s presence in B2B data-broker records (Acxiom, Experian Marketing Solutions, LexisNexis Risk Solutions, Oracle Data Cloud, Data Axle), and each individual’s presence in archive layers (Wayback Machine, regional press archives, conference recording archives).

Familial-extension layer. For high-target principals, the same enumeration extended to spouses, dependent children where age-appropriate, and adult family members whose exposure provides a path back to the principal.

This is the inventory that the documented attack chains in the previous section would have made visible as risk before exploitation. It is not the inventory any infrastructure ASM, CAASM, or EAP product is designed to produce, because none of these data points has an IP address.

For the methodology of how PI Solutions runs this kind of audit, see How a Mirror Investigation Runs and the broader executive identity-pack analysis.

Where it sits next to the existing categories

A coverage matrix, as the categories actually behave in 2026:

Surface category | Unit of analysis | What it sees | What it does not see
EASM / EAP (external) | IPs, hostnames, certificates, exposed services | Owned and forgotten internet-facing assets | People, breached credentials of unknown vintage, deepfake source material
CAASM / Asset Intelligence (internal) | Devices, identities, software, cloud resources known to existing tools | Inventory completeness, control coverage gaps | Anything outside the org’s existing telemetry
Vulnerability Management | CVEs against known assets | Patchable software flaws on known infrastructure | Anything not a CVE
Identity Attack Surface (gap) | Per-person enumerable exposure across public, semi-public, and breached sources | Pretext material, credential-leak provenance, deepfake feedstock, aggregator presence | Network-level technical exposure (covered by EASM)

The four categories are complementary, not substitutes. A mature exposure programme covers all four. The gap is operationally addressable; it is not addressable by buying a license.

For organisations subject to NIS2, the relevance is direct: Article 21(2)(d) supply-chain security and Article 21(2)(g) human-factor security both have identity-surface inputs that infrastructure ASM does not enumerate. We treat that mapping in Digital Exposure as a NIS2 Risk Vector.

What this means in practice

The platforms above are not deficient products. They are correctly scoped to the surface they were built to manage. The error is treating the output of any one of them as a coverage statement about attack surface in general, when in fact they cover infrastructure attack surface.

Three operational implications follow.

First, the question to put to any vendor whose pitch begins “we cover your full attack surface” is: which of the four rows above do you cover, and which do you not? The truthful answer for every vendor in the first section is that they cover the first two rows and not the second two.

Second, identity-surface enumeration belongs to a different operational discipline than infrastructure scanning. It draws on OSINT methodology, public-records research, breach-corpus interrogation, jurisdictional opt-out workflow, and direct erasure submission under GDPR Article 17 and equivalents. The deliverable is a per-person inventory and a closure plan, not a CVE list. The team running it cannot be the same team running the infrastructure scanners; the skills and the tooling do not overlap.

Third, the procurement structure that has historically held identity-surface work (executive protection budgets, brand protection budgets, fraud-team budgets) tends to underspend it because the work is not visible until exploitation. The Arup loss was $25 million; the Snowflake-customer aggregate disclosure liability is unbounded; the MGM cost was approximately $100 million in a single quarter. Each of these intrusions began on a surface no one had the operational responsibility to inventory.

[Figure: Coverage matrix comparing EASM, CAASM, Vulnerability Management, and Identity Attack Surface categories by unit of analysis and visibility scope]

The category gap is closing, but slowly, and not on the procurement side first. It is closing in the post-incident reports, where the same pattern has now appeared often enough that boards have begun asking the question infrastructure ASM cannot answer: what is exposed about us as people?

