External Attack Surface Management (EASM) for SOC 2


External Attack Surface Management (EASM) for SOC 2 is the cybersecurity practice of continuously discovering, categorizing, and monitoring an organization's internet-facing assets to satisfy the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria.

While traditional asset management relies on internal lists, EASM takes an "outside-in" approach. It scans the public internet—just as an attacker would—to identify servers, cloud instances, code repositories, and subdomains that belong to the organization. For SOC 2 compliance, this process provides the necessary evidence that an organization is aware of its entire digital footprint and is actively managing the security of its perimeter.

The Role of EASM in SOC 2 Compliance

SOC 2 audits focus heavily on an organization's ability to demonstrate control over its environment. You cannot secure or audit systems you do not know exist. EASM bridges the gap between policy ("We secure all assets") and reality ("Here is a real-time map of every asset we own").

It primarily supports the Security Trust Services Criteria (Common Criteria), but also impacts Availability and Confidentiality.

Key SOC 2 Criteria Supported by EASM

Implementing EASM directly addresses several specific requirements within the SOC 2 framework.

CC6.1: Logical and Physical Access Controls (Asset Inventory)

  • The Requirement: The entity must implement logical access security software, infrastructure, and architectures over protected information assets.

  • The EASM Solution: EASM tools automatically generate a complete, up-to-date inventory of all external assets. This proves to auditors that the organization accounts for "Shadow IT"—assets spun up by employees without IT approval—and brings them under management.

CC7.1: Vulnerability Management

  • The Requirement: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

  • The EASM Solution: EASM continuously scans the perimeter for misconfigurations (like missing security headers or open ports) and software vulnerabilities. This provides an automated feedback loop, ensuring that new risks are detected immediately rather than waiting for an annual penetration test.

CC7.2: Security Anomalies (Continuous Monitoring)

  • The Requirement: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.

  • The EASM Solution: By establishing a baseline of "known good" assets, EASM detects drift. If a development server is suddenly exposed to the public internet, EASM flags this anomaly, satisfying the requirement for continuous monitoring of system components.

CC6.8: Unauthorized Software Prevention

  • The Requirement: The entity prevents or detects and acts upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

  • The EASM Solution: EASM identifies unauthorized software stacks or legacy platforms running on external domains. For example, if a marketing team deploys an unapproved, outdated content management system, EASM detects the technology signature and alerts the security team.

Why EASM is Critical for SOC 2 Type 2 Reports

A SOC 2 Type 2 report evaluates the operating effectiveness of controls over a period of time (typically 6-12 months).

  • Audit Evidence: Auditors require proof that controls were working throughout the entire period, not just on the day of the audit.

  • Continuous Logs: EASM platforms provide historical logs showing that the organization was continuously scanning for and remediating new assets throughout the year.

  • Gap Closure: It minimizes the risk of an auditor finding a public-facing vulnerability that the internal team missed, which could lead to a "qualified opinion" (a failure) in the report.

Frequently Asked Questions

Is EASM required for SOC 2? Technically, no specific tool is mandated. However, the capability to identify and manage all assets (CC6.1) and monitor for vulnerabilities (CC7.1) is required. EASM is often the most efficient way to demonstrate this capability for modern, cloud-native organizations.

How does EASM differ from Penetration Testing for SOC 2? Penetration testing is a simulated attack performed manually (usually once a year) to find deep logic flaws. EASM is an automated, continuous process that maps the attack surface and finds configuration errors 24/7. SOC 2 typically requires both EASM for ongoing hygiene and pen testing for deep validation.

Does EASM help with Shadow IT? Yes, detecting Shadow IT is one of the primary functions of EASM. It identifies assets that employees have created on third-party cloud providers (such as AWS or Azure) using corporate credentials, ensuring they are brought into the SOC 2 scope.

Can EASM replace a vulnerability scanner? No. Internal vulnerability scanners are needed to scan devices behind the firewall (such as employee laptops). EASM focuses strictly on the external, internet-facing perimeter. They are complementary tools.

How ThreatNG Enhances EASM for SOC 2 Compliance

ThreatNG transforms External Attack Surface Management (EASM) from a simple asset list into a dynamic, compliance-driven engine. By automating the discovery and assessment of internet-facing assets, ThreatNG provides the tangible evidence required to satisfy SOC 2 Trust Services Criteria (TSC), specifically regarding Security, Availability, and Confidentiality.

Unlike internal tools that require agents or credentials, ThreatNG takes an "outside-in" approach, auditing the organization as an adversary would. This ensures that the SOC 2 scope is accurate and that controls are effective at the perimeter.

Automated External Discovery

For SOC 2 compliance, specifically Common Criteria 6.1 (Asset Inventory), organizations must maintain an accurate inventory of system components. ThreatNG automates this process through purely external, unauthenticated discovery.

  • Shadow IT Detection: ThreatNG identifies unauthorized assets—such as marketing landing pages or development servers hosted on personal cloud accounts—that often bypass standard change management controls.

  • Cloud & Infrastructure Enumeration: It maps assets across various providers (AWS, Azure, Google Cloud) and technology stacks, ensuring that the auditor sees a complete picture of the digital footprint.

  • Subdomain Enumeration: The solution discovers all associated subdomains, ensuring that legacy or forgotten sites are included in the SOC 2 audit scope.

Comprehensive External Assessment

ThreatNG goes beyond listing assets by actively testing them for security weaknesses. These assessments map directly to SOC 2 criteria, providing automated evidence of control failures or effectiveness.

Web Application Hijack Susceptibility

ThreatNG evaluates the resilience of web applications against client-side attacks, which is critical for Security (CC6.1, CC6.6) and Confidentiality (C1.1).

  • Assessment Detail: The platform analyzes HTTP response headers on discovered subdomains. It checks for the presence and correct configuration of headers like Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), and X-Frame-Options.

  • Example: If ThreatNG detects a subdomain missing the Content-Security-Policy (CSP) header, it flags a "High" severity risk. This finding provides evidence that the organization is susceptible to Cross-Site Scripting (XSS) attacks, alerting the security team to update web server configurations before the audit.
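The following is an added example, not ThreatNG's code, of the kind of header assessment described above: it grades the three headers on a discovered subdomain, keeps the page's "High" rating for a missing CSP, and uses constructed severities and sample responses for everything else.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host header severity detail")

def _directives(csp):
    """Split a CSP value into {directive: value}, e.g. {'script-src': "'self'"}."""
    out = {}
    for part in csp.split(";"):
        name, _, value = part.strip().partition(" ")
        if name:
            out[name.lower()] = value.strip()
    return out

def assess_headers(host, headers):
    """Return one Finding per missing or weakly configured security header."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    csp_d = _directives(csp) if csp is not None else {}
    if csp is None:  # the page's own example: a missing CSP is rated High
        findings.append(Finding(host, "Content-Security-Policy", "High", "header missing"))
    elif "'unsafe-inline'" in csp_d.get("script-src", csp_d.get("default-src", "")):
        findings.append(Finding(host, "Content-Security-Policy", "Medium",
                                "script-src permits 'unsafe-inline'"))
    hsts = h.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append(Finding(host, "Strict-Transport-Security", "Medium", "header missing"))
    elif not max_age or int(max_age.group(1)) < 31536000:  # one year is the usual floor
        findings.append(Finding(host, "Strict-Transport-Security", "Low",
                                "max-age shorter than one year"))
    xfo = h.get("x-frame-options", "").upper()
    if not xfo and "frame-ancestors" not in csp_d:  # either mechanism blocks framing
        findings.append(Finding(host, "X-Frame-Options", "Medium",
                                "header missing and CSP sets no frame-ancestors"))
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(Finding(host, "X-Frame-Options", "Low", f"unexpected value {xfo}"))
    return findings

SAMPLE = {  # constructed responses from two discovered subdomains; not real scan output
    "www.example.com": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                        "Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "promo.example.com": {"Server": "nginx", "Strict-Transport-Security": "max-age=300",
                          "X-Frame-Options": "ALLOWALL"},
}

def scan_all(responses):  # host -> findings, the shape an EASM inventory records
    return {host: assess_headers(host, hdrs) for host, hdrs in responses.items()}
```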

Subdomain Takeover Susceptibility

This assessment validates controls related to Availability and Change Management (CC8.1) by identifying "dangling" DNS records.

  • Assessment Detail: ThreatNG performs DNS enumeration to find CNAME records pointing to third-party services (like AWS S3, Heroku, or GitHub) that are no longer in use. It cross-references these against a comprehensive vendor list to verify if the resource is unclaimed.

  • Example: A scan identifies a subdomain promo.example.com pointing to an abandoned AWS S3 bucket. ThreatNG flags this as a takeover risk, enabling the organization to remove the DNS record and demonstrate to auditors that it effectively manages asset decommissioning.

Data Leak and Privacy Susceptibility

ThreatNG continuously scans for sensitive data exposure, supporting Confidentiality (C1.1) and Privacy (P1.1) criteria.

  • Assessment Detail: The engine looks for sensitive files in open cloud storage buckets, credentials or secrets in public code repositories, and Personally Identifiable Information (PII) in archived web pages.

  • Example: ThreatNG discovers an archived version of a "Contact Us" page that inadvertently displays customer email addresses. This finding allows the organization to request a takedown from the archive service, mitigating a privacy violation.

SOC 2 Aligned Reporting

Reporting is the bridge between technical findings and audit satisfaction. ThreatNG provides specialized reporting features that translate EASM data into compliance artifacts.

  • Security Ratings: The platform assigns letter grades (A-F) to risk categories. A "Passing" grade serves as a high-level metric for management reviews, demonstrating a commitment to maintaining a secure posture.

  • External GRC Assessment: ThreatNG generates reports that map specific technical vulnerabilities (e.g., "Missing DMARC Record") directly to compliance frameworks. This allows the compliance team to instantly identify which SOC 2 controls are at risk based on external reality.

Continuous Monitoring

To satisfy SOC 2 Type 2 requirements for "operating effectiveness over a period of time," monitoring must be continuous. ThreatNG fulfills Common Criteria 7.2 (Monitoring System Components) by constantly observing the attack surface.

  • Drift Detection: The system establishes a baseline and alerts on deviations. If a previously secure server suddenly opens Port 22 (SSH) to the public, ThreatNG triggers an alert.

  • Historical Logging: The platform maintains a history of scans and ratings, providing the auditor with a longitudinal view of the organization's security performance throughout the audit period.
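As an added illustration of the drift detection and historical logging described above (example code, not ThreatNG's own), this compares two scan snapshots and raises an alert for each deviation from the baseline; the sensitive-port table, severities and snapshot data are constructed for the example.

```python
import json
from collections import namedtuple

Alert = namedtuple("Alert", "asset kind severity detail")

# Services whose sudden public exposure is rated High; a constructed policy table,
# not ThreatNG's real rating scheme.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

def load_snapshot(text):
    """Parse a JSON snapshot of the form {"host": {"ports": [...], "tech": [...]}}."""
    return {host: {"ports": set(v.get("ports", [])), "tech": set(v.get("tech", []))}
            for host, v in json.loads(text).items()}

def detect_drift(baseline, current):
    """Compare two snapshots and return alerts for every deviation from the baseline."""
    alerts = []
    for host in sorted(set(current) - set(baseline)):  # Shadow IT or a new deployment
        alerts.append(Alert(host, "new_asset", "Medium",
                            f"unknown host exposing ports {sorted(current[host]['ports'])}"))
    for host in sorted(set(baseline) - set(current)):  # decommissioned or DNS removed
        alerts.append(Alert(host, "removed_asset", "Low", "no longer discovered externally"))
    for host in sorted(set(baseline) & set(current)):
        before, after = baseline[host], current[host]
        for port in sorted(after["ports"] - before["ports"]):
            sev = "High" if port in SENSITIVE_PORTS else "Medium"
            name = SENSITIVE_PORTS.get(port, "unlisted service")
            alerts.append(Alert(host, "port_opened", sev, f"{port}/tcp ({name}) newly public"))
        for port in sorted(before["ports"] - after["ports"]):
            alerts.append(Alert(host, "port_closed", "Info", f"{port}/tcp no longer exposed"))
        for tech in sorted(after["tech"] - before["tech"]):
            alerts.append(Alert(host, "tech_changed", "Low", f"new technology observed: {tech}"))
    return alerts

# Constructed snapshots standing in for two consecutive scans; not real data.
BASELINE_JSON = """{
  "api.example.com": {"ports": [443], "tech": ["nginx"]},
  "old.example.com": {"ports": [80], "tech": []}
}"""
CURRENT_JSON = """{
  "api.example.com": {"ports": [22, 443], "tech": ["nginx"]},
  "dev.example.com": {"ports": [8080], "tech": ["PHP/5.6"]}
}"""

def run_example():
    return detect_drift(load_snapshot(BASELINE_JSON), load_snapshot(CURRENT_JSON))
```

Storing each day's snapshot and the alerts it produced gives the longitudinal record an auditor asks for under Type 2.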

Deep-Dive Investigation Modules

ThreatNG provides specialized modules that enable security teams to thoroughly investigate findings, demonstrating the Incident Response (CC7.3) capabilities required by SOC 2.

Domain Intelligence

This module focuses on the broader risks associated with the organization's domain portfolio.

  • Functionality: It analyzes domain permutations to identify potential typo-squatting and checks for the presence of mail records (MX) on these lookalike domains.

  • Example: The module identifies a registered domain examp1e.com (typo-squatting) that has active MX records. This indicates a high likelihood of a phishing campaign. The security team uses this intelligence to block the domain and update email filters, proving they are proactively managing brand and phishing risks.

Subdomain Intelligence

This module provides granular technical details for individual assets.

  • Functionality: It breaks down the technology stack, security headers, and hosting environment for specific subdomains.

  • Example: During an investigation, an analyst uses this module to confirm that a "Shadow IT" subdomain is running an end-of-life version of PHP. This detail allows the team to pinpoint the specific remedial action (upgrade or decommission), validating the Vulnerability Management (CC7.1) process.

Intelligence Repositories

ThreatNG enriches its findings with external threat data, enabling a Risk Assessment (CC2.1) approach that prioritizes threats based on real-world activity.

  • DarCache Dark Web: Monitors for compromised credentials associated with the organization's domain. Finding leaked passwords enables immediate remediation (password resets) and validation of access controls.

  • DarCache Ransomware: Tracks active ransomware groups and their tactics. This helps prioritize patching for vulnerabilities known to be exploited by these groups.

  • DarCache Vulnerability: Aggregates data on known exploits (KEV) and prediction scores (EPSS), helping teams focus on vulnerabilities that are actually being weaponized.

Cooperation with Complementary Solutions

ThreatNG acts as a force multiplier for the broader security stack, providing the external context that internal tools lack.

Governance, Risk, and Compliance (GRC) Platforms

ThreatNG feeds objective, automated evidence into GRC platforms.

  • How it Helps: While the GRC tool tracks the policy ("All data must be encrypted"), ThreatNG validates the technical reality (checking SSL certificates). It can automatically update control status based on scan results, reducing manual data entry.

Security Information and Event Management (SIEM)

ThreatNG provides external threat intelligence to the SIEM.

  • How it Helps: It sends alerts about new typo-squatted domains, exposed buckets, or dark web findings to the SIEM. This allows the SOC team to correlate external risks with internal logs, such as checking if any employee visited a malicious domain found by ThreatNG.

Vulnerability Management (VM) Systems

ThreatNG expands the scope of internal VM tools.

  • How it Helps: Internal scanners only check known IP ranges. ThreatNG discovers unknown assets (Shadow IT) and shares their IP addresses with the VM tool, ensuring they are included in the regular patch management cycle.

Penetration Testing Teams

ThreatNG accelerates the reconnaissance phase for pen testers.

  • How it Helps: By providing a pre-validated map of the attack surface—including open ports, subdomains, and potential takeover targets—ThreatNG allows pen testers to skip the discovery phase and focus immediately on exploiting deep-seated vulnerabilities, leading to a more rigorous SOC 2 pen test.
