Attack surface management has spent the last few years catching up to a problem that keeps getting larger. The SANS 2025 Attack Surface Management (ASM) Survey, authored by SANS principal instructor Chris Dale and based on responses from 235 cybersecurity professionals, frames it well in its title: “Hackers Don’t Wait—Why Should We?” The data behind that question is what makes this survey particularly relevant to where Infoblox is taking Digital Risk Protection Services (DRPS), part of Infoblox Exposure Management.
Where our Sapio research examined how 550 security leaders are responding to AI-driven external threats, the SANS findings tell a complementary story about what teams now expect from the platforms they buy: unified coverage, business-aligned risk and action; NOT more alerts.
What 235 Security Pros Just Told SANS They Want
A few data points from the survey stand out for how directly they map to the gap Digital Risk Protection Services is built to close:
- 55 percent of respondents explicitly demand ASM solutions that provide unified coverage of both external and internal assets, significantly outpacing those who prioritize external-only or internal-only coverage. Teams are done buying separate tools for separate sides of the perimeter.
- 37 percent rank understanding their external attack surface as their top desired outcome, signaling that external exposure is no longer a secondary concern but the primary use case driving ASM investment.
- 89 percent expect ASM platforms to quantify risk for every asset and demonstrate business impact, not just produce findings. The bar has moved from technical reporting to executive-grade risk intelligence.
- More than two-thirds (67 percent) expect explicit mitigation recommendations directly from their ASM platform. Identifying exposure isn’t enough. Teams expect platforms to accelerate remediation and reduce operational overhead.
- Only 28 percent of existing ASM platforms effectively identify sensitive data across the environment, a significant gap given how often sensitive data exposure leads to breach, fraud and regulatory penalties.
- About a third (35 percent) want current information on vulnerabilities, including whether each is actively exploited or has publicly available proof-of-concept exploits, reinforcing that real-world exploitability, and not raw counts, is what drives prioritization.
The throughline is hard to miss. Security leaders are moving away from fragmented, alert-driven tools and toward unified, automated, business-aligned risk operations. They want platforms that connect external visibility to internal context, translate findings into business risk, and shorten the distance between discovery and disruption.
Why Most Attack Surface Tools Miss the Half That Hurts
Most ASM offerings still center on internet-facing assets the organization owns: domains, IPs, certificates, exposed services, cloud misconfigurations. That’s important, but it’s only half of the external risk story. The other half lives on attacker-controlled infrastructure: lookalike domains, phishing kits, fraudulent ads, rogue mobile apps, executive impersonation, leaked credentials and brand abuse across the open web, social platforms and the deep and dark web.
Three operational realities make this side particularly painful:
- Visibility without Action: Traditional ASM surfaces what exists; it rarely disrupts what’s actively abusing it. The 37 percent of respondents naming external exposure as their top outcome are explicit that visibility alone isn’t enough.
- Sensitive-Data Blind Spots: With only 28 percent of ASM tools effectively detecting sensitive-data exposure, leaked credentials and customer data circulate on dark web forums and paste sites long before defenders are aware.
- Manual Takedown Drag: Even when external threats are found, removing them traditionally requires analyst-driven evidence collection, registrar coordination and weeks of follow-up, which is work that doesn’t scale against attackers who leverage AI to spin up new infrastructure in minutes.
From Findings to Disruption
Digital Risk Protection Services is built for exactly the operating model SANS respondents describe: unified coverage, automated action, measurable business outcomes and tight integration with the workflows teams already run.
- On Unified Internal and External Coverage (55 percent): Digital Risk Protection Services pairs Axur-powered external discovery and disruption with Protective DNS, part of Infoblox Threat Defense™. External attacker infrastructure is taken down on the outside while managed users, devices and workloads are blocked at the DNS layer on the inside, providing one continuous loop and not two disconnected programs.
- On External Exposure as the Top Desired Outcome (37 percent): Digital Risk Protection Services continuously discovers brand abuse, phishing infrastructure, fraudulent ads, rogue apps and impersonation across web, social, ads, app stores and underground forums, then validates real abuse with multi-modal AI that catches campaigns keyword- and domain-similarity tools miss.
- On Risk Quantification and Business Impact (89 percent): Every action is tracked with defensible evidence, clear status and full audit history, designed to support the executive-friendly reporting and outcome metrics SANS respondents say they need to justify investment.
- On Explicit Mitigation Recommendations (67 percent): Digital Risk Protection Services doesn’t stop at findings. AI-driven validation initiates evidence-backed automated takedowns end to end, with sub-four-minute first notifications to service providers after threats are detected, a roughly nine-hour median time from attack confirmation to removal, a 98.9 percent success rate, 86 percent of removals fully automated and 15-day stay-down monitoring to prevent recurrence.
- On the Sensitive-Data Discovery Gap (only 28 percent effective): Digital Risk Protection Services continuously monitors paste sites, dark web forums, breach databases and underground marketplaces for exposed credentials, payment data, source code and sensitive records, correlated back to the affected brand and prioritized by likelihood of fraud or account takeover.
- On the Speed of Attacker Innovation: Pairing automated external takedown with DNS-layer blocking compresses the exposure window. Managed users are protected within minutes while removal proceeds, and DNS intelligence expands every confirmed takedown into the broader attacker campaign rather than chasing one-off domains.
One Loop, Inside and Out
Digital Risk Protection Services is the first phase of Infoblox Exposure Management. The next phases, which will include External Attack Surface Management (now available in early access) and Cyber Asset Attack Surface Management, directly address the unified internal-and-external operating model the SANS data shows the market is asking for. Outside-in discovery of internet-facing assets, DNS- and DDI-powered ownership context, and integrated risk quantification will close the loop from external threat to internal accountability, in the same continuous cycle.
The Bottom Line
If your team is investing in attack surface management, the SANS 2025 data is a clear signal of where the market is heading: unified coverage of internal and external assets, business-aligned risk, automated mitigation and faster time to action. Digital Risk Protection Services delivers that today on the side of the perimeter where threats originate and connects it to the DNS-layer enforcement and internal context Infoblox is uniquely positioned to provide.
Read the SANS 2025 Attack Surface Management Survey, then talk to us about how Digital Risk Protection Services can help you act on what the research is telling you.
About Author
