Attack Surface Reduction (ASR)

Minimizing exposed entry points across systems and services to reduce opportunities for attackers.

What it is

Attack Surface Reduction (ASR) is the practice of removing or minimizing exposed entry points attackers can use across endpoints, cloud services, web apps, identities, and network services. This includes reducing open ports, disabling unnecessary services, tightening configurations, limiting permissions, and removing unused assets.

Why it matters

Most breaches start with easy wins like exposed admin panels, forgotten subdomains, weak configurations, and unpatched services. ASR reduces the number of doors attackers can try, lowering the likelihood of compromise and making security monitoring more effective.

How to reduce risk

  • Maintain an asset inventory that includes external-facing systems and subdomains.
  • Remove unused services, close unnecessary ports, and enforce secure defaults.
  • Apply hardening baselines and continuous patching.
  • Implement least privilege and reduce standing admin access.
  • Continuously monitor for new exposures such as new subdomains, misconfigurations, or leaked credentials.
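The inventory and monitoring steps above can be tied together by diffing an approved inventory against what an external discovery run actually sees. The following is an added example, not part of the original glossary entry; the hostnames, ports, and the `exposure_drift` helper are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: approved external-facing hosts and the ports each may expose.
INVENTORY = {
    "www.example.com": {443},
    "api.example.com": {443},
    "vpn.example.com": {443, 500},
    "legacy.example.com": {443},
}

# Constructed sample: (host, port) pairs seen by a discovery run of your own estate.
OBSERVED = [
    ("www.example.com", 443), ("www.example.com", 8080),
    ("api.example.com", 443), ("vpn.example.com", 443),
    ("Staging.example.com.", 22), ("staging.example.com", 443),
]

@dataclass
class Drift:
    unknown_hosts: dict = field(default_factory=dict)     # exposed but not in inventory
    unapproved_ports: dict = field(default_factory=dict)  # known host, extra open port
    unused_approvals: dict = field(default_factory=dict)  # approved but not observed

def _norm(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.lower().rstrip(".")

def exposure_drift(inventory, observed):
    seen = {}
    for host, port in observed:
        seen.setdefault(_norm(host), set()).add(port)
    approved = {_norm(h): set(p) for h, p in inventory.items()}
    drift = Drift()
    for host, ports in seen.items():
        if host not in approved:
            drift.unknown_hosts[host] = ports          # e.g. a forgotten subdomain
        elif ports - approved[host]:
            drift.unapproved_ports[host] = ports - approved[host]
    for host, ports in approved.items():
        unused = ports - seen.get(host, set())
        if unused:
            drift.unused_approvals[host] = unused      # candidates to retire
    return drift

if __name__ == "__main__":
    d = exposure_drift(INVENTORY, OBSERVED)
    for label, found in vars(d).items():
        for host, ports in sorted(found.items()):
            print(f"{label}: {host} {sorted(ports)}")
```

Unknown hosts and unapproved ports are exposures to close or formally approve; unused approvals are inventory entries and firewall rules that can be retired.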

External resources

  • NIST SP 800-53 (security controls supporting exposure reduction): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • CIS Controls v8 (foundational practices aligned to ASR): https://www.cisecurity.org/controls/v8