CREST-Aligned Continuous Attack Surface Monitoring (ASM) for UK Businesses
Attack surface management is no longer an annual snapshot — it’s a continuous discipline. Our ASM service provides 24/7 external asset discovery, exposed-service detection, certificate monitoring, and credential-leak alerting. Sector-aware, analyst-validated, SOC-ready.
Penetration testing is a snapshot. Attack surface management is continuous.
Annual pen tests show your security posture on the day of testing. The day after, a developer spins up a new subdomain. A team migrates a service to a new cloud account. An acquired company brings 200 unaudited domains. Your attack surface drifts. Real attackers find these gaps before your next pen test.
Our attack surface monitoring continuously discovers your external assets via Shodan, Censys, certificate transparency log mining, dark-web monitoring, and BGP-route observation. Every change is detected, validated by an analyst, and pushed to your SOC. Reports satisfy ISO 27001 Annex A.5.7 (Threat Intelligence) and A.8.8 (Vulnerability Management), align with NCSC vulnerability management guidance, and provide DORA-acceptable evidence of continuous attack-surface awareness.
CONTINUOUS COVERAGE AREAS
What Attack Surface Monitoring Covers
Twelve continuous monitoring streams — surface, deep, and dark web. Real-time alerts, analyst-validated.
Asset Discovery
Continuous discovery of new IPs, subdomains, cloud resources, SaaS apps, exposed admin panels — anything routable from the internet.
Certificate Transparency
Real-time monitoring of certificate transparency logs for newly issued certs against your domain space — catches typosquats, supply-chain SaaS, and shadow IT.
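As an added illustration (not the service's own tooling), the core of a CT-log triage step: each SAN on a newly logged certificate is reduced to its registrable domain and classified as in-scope (our domain space, so the request must be confirmed), a lookalike of our brand label (typosquat candidate), or unrelated. The owned domains, the public-suffix list, the homoglyph table and the sample CT batch are all constructed for the example.

```python
# Constructed domain space for this example; a real deployment loads the client's registered domains.
OWNED_DOMAINS = {"example.co.uk", "example.com"}
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}     # simplified public-suffix handling
HOMOGLYPHS = str.maketrans("0135", "oles")             # digit-for-letter swaps common in lookalikes

def registrable(name: str) -> str:
    """Drop any wildcard prefix and return label + public suffix: '*.a.example.co.uk' -> 'example.co.uk'."""
    parts = name.lower().lstrip("*.").split(".")
    n = 3 if ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(parts[-n:])

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein with an adjacent transposition counted as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

OWNED_LABELS = {registrable(dom).split(".")[0] for dom in OWNED_DOMAINS}

def classify_san(san: str) -> str:
    """in-scope: inside our domain space (confirm it was requested); lookalike: our brand label or a one-edit/homoglyph variant of it on a domain we do not own; unrelated: anything else."""
    reg = registrable(san)
    if reg in OWNED_DOMAINS:
        return "in-scope"
    norm = reg.split(".")[0].replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)
    if any(edit_distance(norm, o) <= 1 or (o in norm and norm != o) for o in OWNED_LABELS):
        return "lookalike"
    return "unrelated"

def triage_ct_entries(entries) -> list:
    """Reduce a batch of CT entries (cert id, SAN list) to the two alert classes an analyst reviews."""
    alerts = []
    for cert_id, sans in entries:
        verdicts = {classify_san(s) for s in sans}
        verdict = next((v for v in ("in-scope", "lookalike") if v in verdicts), None)
        if verdict:
            alerts.append((cert_id, verdict))
    return alerts

SAMPLE_ENTRIES = [  # constructed batch standing in for one poll of a CT log feed
    ("ct-0001", ["*.example.co.uk", "example.co.uk"]),   # our own space: verify the request
    ("ct-0002", ["exarnple.com"]),                       # 'rn' masquerading as 'm'
    ("ct-0003", ["examp1e-login.co.uk"]),                # digit swap plus appended keyword
    ("ct-0004", ["exampel.com"]),                        # adjacent transposition
    ("ct-0005", ["sample.com"]),                         # two edits away: not flagged
]
```

The substring test in `classify_san` is deliberately loose so that "brand plus keyword" registrations surface; for a short brand label it will need an allow-list to keep analyst volume down.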
Subdomain Takeover
Continuous dangling-DNS detection. New CNAME pointing to deprovisioned cloud resources flagged within 24 hours.
Credential Breach Corpus
Continuous cross-reference of company / employee email addresses against a breach data corpus (BreachCompilation, Collection #1-5, COMB, recent dumps).
Exposed Services
Shodan / Censys monitoring for exposed RDP, SSH, VPN, RPC, databases, message queues — anything your firewall shouldn’t allow.
SSL/TLS Posture
Continuous monitoring of TLS configuration, expiring certs, weak ciphers, deprecated protocols, certificate-pinning gaps.
SaaS Footprint
Discovery of SaaS apps registered with your domain — Slack workspaces, Jira instances, Confluence pages, GitHub orgs.
Dark Web Mentions
Mentions of your brand, executives, infrastructure, or credentials on dark web forums, marketplaces, and Telegram cybercrime channels.
Brand Impersonation
Typosquat domains, fake social profiles, lookalike SaaS apps, phishing kits targeting your customers / employees.
BGP & DNS Drift
Monitoring for BGP hijacks, DNS hijacks, NS record drift, MX record changes — early warning of routing-level attacks.
M&A Asset Discovery
When you acquire a company, we automatically discover their public attack surface within 48 hours, which accelerates due diligence.
Supplier Attack Surface
Optional monitoring of your top 50 suppliers — early warning of partner exposures that could affect you.
FOUR-PHASE METHODOLOGY
Attack Surface Monitoring — From Asset Discovery to SOC-Ready Alert
Continuous monitoring. Analyst-validated alerts. Real-time SOC integration. Never raw scanner noise.
Initial Discovery
Continuous Collection
Analyst Validation
Real-Time Reporting
Verified Accreditations Auditors Accept
Every accreditation independently issued by a recognised UK certification body. Click CREST to verify our membership.
COMPLIANCE READY
ASM Reports Mapped to Every Framework
ASM evidence accepted across compliance frameworks where continuous monitoring is a control requirement.
ISO 27001 A.5.7 + A.8.8
Threat Intelligence (A.5.7) and Vulnerability Management (A.8.8) — ASM provides the continuous evidence ISO auditors increasingly require.
NCSC Vulnerability Management
Aligned to NCSC continuous vulnerability management guidance.
FCA / PRA Operational Resilience
ASM supports Important Business Service threat awareness and severe-but-plausible scenario monitoring.
NIS2 + DORA
Continuous attack-surface awareness is a DORA Article 9 requirement and supports NIS2 essential-services obligations.
SOC 2
CC7.4 incident detection — ASM provides the continuous external posture awareness that SOC 2 auditors expect.
Cyber Essentials Plus
ASM exceeds CE+ baseline and demonstrably supports overall cyber maturity scoring during recertification.
TRANSPARENT PRICING
Transparent Attack Surface Monitoring Pricing
All tiers include 24/7 monitoring and analyst-validated alerts. Price varies by asset count, supplier scope, and reporting cadence.
Depends on monitoring scope
≤50 IPs, ≤25 subdomains, 50 employee email addresses, brand monitoring, monthly digest. 1 sector profile.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on monitoring scope
50-200 IPs, 25-100 subdomains, 500 emails, supplier monitoring (top 25), real-time critical alerts, weekly digest.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on monitoring scope
Unlimited IPs/subdomains, full employee monitoring, full supplier monitoring (top 100), real-time SIEM integration, monthly threat-actor reports.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Attack Surface Monitoring for Your Sector
Attack surface drift varies dramatically by sector. We tailor monitoring to your industry’s actual risk profile.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
Five things that distinguish our service from automated scans and box-tick competitors.
What You Get From Attack Surface Management
Discovery-First, Continuous
Analyst-Validated, Never Noise
Real-Time SOC Integration
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
What is attack surface monitoring (ASM)?
Attack surface monitoring (also called attack surface management) is the continuous discovery, inventory, and analysis of an organisation’s external-facing assets. ASM finds shadow IT, forgotten subdomains, M&A inheritance, exposed services, and credential leaks before attackers exploit them.
How is ASM different from a one-off pen test?
A pen test is a point-in-time assessment. ASM is continuous. Your attack surface drifts daily — new subdomains, cloud resources, SaaS apps. ASM catches drift in real time. Most organisations combine ASM with annual pen testing for full coverage.
How quickly are alerts delivered?
Critical alerts (e.g., your company appearing on a ransomware leak site, an exposed RDP server appearing on Shodan) are delivered within 1-4 hours of analyst validation. Standard alerts are delivered within 24 hours. Weekly digests go out at an agreed time, and monthly threat reports follow a fixed cadence.
How much does ASM cost in the UK?
Baseline (SMB) £600-£1,200/month. Mid-market (most commonly commissioned) £1,200-£3,500/month. Enterprise £3,500+/month. Annual contracts with monthly billing. Setup fee of £1,500-£3,000 covers initial asset baseline and sector profiling.
Do you discover M&A targets?
Yes. When you provide an M&A target’s domain, we run an accelerated 48-hour discovery against their public attack surface. This dramatically accelerates cyber due diligence and gives the security team early visibility into inherited risk.
Does ASM include credential breach monitoring?
Yes. Continuous cross-reference of your company / employee email addresses against the breach data corpus (BreachCompilation, Collection #1-5, COMB, daily-updated breach feeds). Includes recent dumps within hours of disclosure.
Can ASM detect subdomain takeover?
Yes. Continuous dangling-DNS monitoring against your registered domain space. New CNAME records pointing to deprovisioned cloud resources (GitHub Pages, Heroku, S3, Azure CDN) flagged and validated within 24 hours.
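The detection logic behind that answer, as an added example (not the service's own code): for each hostname in the client's zone, follow the CNAME, check whether the target belongs to one of the takeover-prone providers named above, and then apply the signal that shows the backing resource was released. Azure CDN endpoints drop out of DNS (NXDOMAIN), whereas GitHub Pages, Heroku and S3 keep answering and instead serve an "unclaimed" page, so the check needs an HTTP-level fingerprint as well. The provider table, fingerprint strings, zone snapshot and HTTP bodies are constructed assumptions; `resolve` and `fetch` are injected so the example runs offline.

```python
from typing import Callable, Optional
# Takeover-prone CNAME targets named on the page, with the signal that shows the backing resource
# was released. Fingerprint strings are illustrative assumptions, not vendor-documented values.
PROVIDERS = {
    "github.io":        ("GitHub Pages", "http", "There isn't a GitHub Pages site here"),
    "herokuapp.com":    ("Heroku", "http", "No such app"),
    "s3.amazonaws.com": ("Amazon S3", "http", "NoSuchBucket"),
    "azureedge.net":    ("Azure CDN", "nxdomain", None),
}

def provider_for(target: str):
    """Match a CNAME target to a PROVIDERS entry by suffix; None when the target is not takeover-prone."""
    t = target.rstrip(".").lower()
    return next((m for s, m in PROVIDERS.items() if t == s or t.endswith("." + s)), None)

def check_host(hostname: str, resolve: Callable, fetch: Callable) -> Optional[dict]:
    """resolve(name, rrtype) -> RRset or None on NXDOMAIN; fetch(host) -> HTTP body or None.
    Returns an alert dict when the CNAME points at a released cloud resource, else None."""
    for target in resolve(hostname, "CNAME") or []:
        meta = provider_for(target)
        if meta is None:
            continue                                 # CNAME into infrastructure we do not track
        name, signal, fingerprint = meta
        if signal == "nxdomain":
            released = resolve(target, "A") is None  # endpoint name no longer exists at the provider
        else:
            body = fetch(hostname) or ""             # request via our own hostname, as a visitor would
            released = fingerprint in body           # provider's 'unclaimed' page served for our name
        if released:
            return {"host": hostname, "cname": target.rstrip("."), "provider": name, "signal": signal}
    return None

def scan(hosts, resolve, fetch) -> list:
    return [a for h in hosts if (a := check_host(h, resolve, fetch)) is not None]

# Constructed zone snapshot and HTTP bodies standing in for live DNS and HTTP probes. No A record
# exists for legacy-assets.azureedge.net, so the fake resolver answers None (NXDOMAIN) for it.
ZONE = {
    ("docs.example.co.uk", "CNAME"): ["old-team.github.io."],
    ("cdn.example.co.uk", "CNAME"):  ["legacy-assets.azureedge.net."],
    ("app.example.co.uk", "CNAME"):  ["prod-app.herokuapp.com."],
    ("www.example.co.uk", "CNAME"):  ["lb-12.hosting.example."],
}
BODIES = {
    "docs.example.co.uk": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "app.example.co.uk":  "<html>Welcome to the production app</html>",
}
def fake_resolve(name, rrtype): return ZONE.get((name.rstrip("."), rrtype))
fake_fetch = BODIES.get
HOSTS = ["docs.example.co.uk", "cdn.example.co.uk", "app.example.co.uk", "www.example.co.uk"]
```

Running `scan(HOSTS, fake_resolve, fake_fetch)` flags only `docs` (HTTP fingerprint) and `cdn` (NXDOMAIN); the healthy Heroku app and the untracked hosting CNAME produce no alert, which is the noise reduction an analyst-validated queue depends on.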
Does ASM monitor cloud edge (AWS / Azure / GCP)?
Yes. ASM covers the cloud edge surface — load balancers, public S3 / Blob containers, CloudFront origins, Lambda function URLs, API Gateway endpoints. Shadow cloud accounts (AWS sub-accounts, Azure subscriptions) are often discovered through certificate transparency.
Can you integrate with our SIEM / SOC tools?
Yes. Alerts are delivered via email, Slack, Microsoft Teams, ServiceNow, Jira, or custom webhook. For the enterprise tier, direct integration with your SIEM (Splunk, Sentinel, QRadar, Elastic) via API or syslog. STIX / TAXII supported.
Does ASM satisfy ISO 27001 A.5.7 and A.8.8?
Yes. ISO 27001:2022 introduced A.5.7 (Threat Intelligence) and updated A.8.8 (Vulnerability Management). Our ASM deliverables — sector profile, continuous monitoring records, alert workflow — provide the evidence required for ISO 27001 audit.
Can you also run pen tests against discovered assets?
Yes. We frequently combine ASM with annual external penetration testing — ASM discovers assets, then targeted pen testing validates exploitability. Bundled engagements typically save 15-20% versus separate contracts.
Do you sign NDAs?
Yes. Standard NDA before any sector profile or asset inventory is shared. We operate under a project-specific master agreement that includes data handling, intelligence-sharing protocols, and breach notification clauses.
Book an Attack Surface Monitoring Scoping Call
30 minutes with a CREST-certified ASM analyst. Initial baseline and pricing within 24 hours. No sales pipeline.