Security teams have spent a decade learning to map their attack surface: the assets, services, and entry points an organisation owns and exposes to the internet. Attack surface management (ASM) platforms exist to keep that inventory current. The discipline is mature, well-tooled, and well-understood.
The term threat surface is newer, and the distinction it draws is more than vocabulary. Palo Alto Networks frames it cleanly: an attack surface is the set of points where an attacker could attempt entry; a threat surface is that attack surface considered together with the threat capability actually pointed at it. One side is your exposure. The other side is the adversary holding something that fits it.
If you accept that framing — and it is the standard one — then a tool that inventories only your owned assets is measuring half of the equation. The half it leaves out is the half that decides whether the exposure ever connects to anything. That missing half is where most of the expensive intrusions of the last three years actually began.
Two halves of one measurement
An attack surface is a property of the organisation. You can enumerate it because you own it: domains, IP ranges, cloud assets, exposed services, certificates. ASM and CAASM platforms do this well, and the better ones do it continuously.
A threat surface is a relationship. It exists only where a real adversary capability lines up against a specific exposure. A misconfigured port that no one has a working exploit for sits on your attack surface but barely registers on your threat surface. A single reused executive password sitting in a stealer log, paired with a help-desk that resets MFA on a phone call, may not appear on your attack surface at all — yet it is one of the largest items on your threat surface.
This is why two organisations with near-identical attack surfaces can carry very different threat surfaces. The difference is not in what they own. It is in what an adversary can already see, buy, or harvest about the people who hold the keys.
What ASM measures, and what it cannot reach
ASM tools are built around assets the organisation controls. That design is a strength for infrastructure and a structural blind spot for everything that determines the adversary half of the threat surface:
- Broker and people-search records that assemble an executive's home address, family, and routines into a targeting packet.
- Infostealer logs containing session cookies and saved credentials harvested from a personal or unmanaged device, often months before they are used.
- OSINT-harvestable identity data — org charts, reporting lines, out-of-office patterns, and the social graph that makes a pretext credible.
None of these live on an asset the company owns, so none of them register in an asset-centric scan. They are not edge cases. They are the documented opening moves of the intrusions that ASM dashboards showed as green at the time.
We have written about each side of this gap separately. The identity attack surface that ASM vendors miss covers the people-shaped exposure that asset inventories cannot represent. The attack surface you don't own covers how that exposure moves onto personal devices and personal lives — and why it widens with seniority rather than narrowing. Read together, they describe the two pieces an asset-centric programme leaves on the table: the surface it cannot see, and the surface it does not own.
If your ASM programme reports a clean asset inventory while your executives' credentials and home details circulate in broker records and stealer logs, you are measuring half of your threat surface. A Corporate Audit maps the other half.
Why the adversary half is measurable
The instinct is to treat the adversary side as unknowable — you cannot see inside a threat actor's plans, so why try. But the inputs an adversary uses to build a pretext are largely public or purchasable, which means they are observable to a defender willing to look from the same vantage point.
You can search the broker ecosystem for what it returns on a named executive. You can check breach and stealer-log corpora for that person's credentials and their vintage. You can reconstruct the org chart, the reporting lines, and the out-of-office signals an attacker would use to time an approach. This is not speculation about intent. It is enumeration of capability — the same discipline ASM applies to infrastructure, applied instead to the identity layer.
That is the practical meaning of a threat surface. It is not a more dramatic word for attack surface. It is an instruction to measure both halves: the exposure you can already inventory, and the capability already aimed at it. A programme that does only the first will keep reporting green while the second half quietly accumulates.
What this changes in practice
Treating the threat surface as the unit of measurement reorders priorities. An open port with no working exploit drops down the list. A director's reused credential in a recent stealer log, paired with a resettable help-desk, moves to the top — even though no asset scan will ever surface it.
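The reordering described above, as an added illustration that is not part of the original article: an exposure-only ranking (what an asset-centric scan can produce) beside a ranking that pairs each exposure with the strongest adversary capability observed against it, with credential vintage decaying the capability weight. The findings, dates and weights are constructed for the example, not taken from any real audit.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Exposure:
    name: str
    asm_visible: bool   # would an asset-centric scan list it at all?
    severity: float     # exposure-only score, the only thing ASM can rank on

@dataclass(frozen=True)
class Capability:
    targets: str        # name of the exposure this capability fits
    source: str         # where it was observed, e.g. a stealer log
    observed: date      # vintage of the observation
    weaponised: bool    # usable as-is, or only theoretical

def capability_factor(cap: Capability, today: date) -> float:
    """Adversary half of the pairing: a fresh, usable capability counts fully,
    older observations decay toward a floor (the credential may have been
    rotated since), and a purely theoretical one barely counts."""
    if not cap.weaponised:
        return 0.1
    age_days = (today - cap.observed).days
    return max(0.2, 1.0 - age_days / 365)

def threat_surface_rank(exposures, capabilities, today):
    """Rank each exposure by severity times the strongest capability that fits it.
    An exposure nothing is pointed at scores zero, however severe it looks."""
    scored = []
    for e in exposures:
        fits = [capability_factor(c, today) for c in capabilities if c.targets == e.name]
        scored.append((e.severity * (max(fits) if fits else 0.0), e.name))
    return [name for _, name in sorted(scored, key=lambda s: s[0], reverse=True)]

def attack_surface_rank(exposures):
    """What an asset-centric programme reports: owned exposures only, by severity."""
    owned = [e for e in exposures if e.asm_visible]
    return [e.name for e in sorted(owned, key=lambda e: e.severity, reverse=True)]
# Constructed sample findings, not from the article or any real audit.
TODAY = date(2024, 5, 31)
EXPOSURES = [
    Exposure("legacy appliance port 8443", True, 0.8),
    Exposure("RDP reachable from internet", True, 0.7),
    Exposure("help desk resets MFA on a phone call", False, 0.6),
]
CAPABILITIES = [
    # A month-old stealer-log credential fits the help-desk exposure; a public exploit fits RDP; nothing fits 8443.
    Capability("help desk resets MFA on a phone call", "stealer log", date(2024, 5, 1), True),
    Capability("RDP reachable from internet", "public exploit", date(2024, 1, 15), True),
]
```

The asset-centric ranking puts port 8443 first and never lists the help desk at all; the paired ranking moves the help desk to the top and drops 8443 to the bottom because no capability fits it.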
For most organisations the gap is not a tooling failure. ASM is doing exactly what it was built to do. The gap is one of scope: the programme stops at the boundary of owned assets, and the threat surface does not. Closing it means deliberately measuring the human and identity layer the same way infrastructure is already measured — which is the core of what a Corporate Audit sets out to do.
Attack surface tells you what you own. Threat surface tells you what is pointed at it. The organisations that get surprised are almost always the ones who measured only the first and assumed the second would take care of itself.