* [Blog](https://www.paloaltonetworks.com/blog)
* [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/)
* [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/)
* Cloud Attack Surface Mana...

# Cloud Attack Surface Management: See What Other CNAPPs Miss

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fclosing-cloud-gap-attack-surface-management%2F)  
[](https://twitter.com/share?text=Cloud+Attack+Surface+Management%3A+See+What+Other+CNAPPs+Miss&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fclosing-cloud-gap-attack-surface-management%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fclosing-cloud-gap-attack-surface-management%2F&title=Cloud+Attack+Surface+Management%3A+See+What+Other+CNAPPs+Miss&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/cloud-security/closing-cloud-gap-attack-surface-management/&ts=markdown)  
\[\](mailto:?subject=Cloud Attack Surface Management: See What Other CNAPPs Miss)  
Link copied  
By [Jason Williams](https://www.paloaltonetworks.com/blog/author/jason-williams/?ts=markdown "Posts by Jason Williams")  
Jun 24, 2025  
4 minutes  
[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown)  
[Cloud ASM](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-asm/?ts=markdown)  
[Cloud Posture Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security-posture-management/?ts=markdown)  
[CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown)  
[CSPM](https://www.paloaltonetworks.com/blog/cloud-security/category/cspm/?ts=markdown)

New cloud services spin up daily, and many outside the view of security teams. While this accelerates innovation, it creates a growing number of internet-exposed assets and services that attackers can easily find---and exploit.

To close these visibility gaps, we're introducing Cloud Attack Surface Management (ASM) as part of Cortex Cloud. Before diving into the technology, let's look at why ASM is needed to secure the modern cloud.

## What Attackers Know That You Don't

Cloud environments don't stand still. Teams regularly deploy new services, scale infrastructure, and adopt new tools---all of which reshape the external attack surface in real time. With each change, new exposures can slip through unnoticed.

According to the [2024 Unit 42 Attack Surface Threat Report](https://start.paloaltonetworks.com/2024-asm-threat-report.html), organizations add or update more than 300 cloud services every month. These new services alone are responsible for nearly a third of all high- or critical-severity cloud exposures.

Attackers move just as fast, [scanning the entire IPv4 space in minutes](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report?ts=markdown) for exposed vulnerabilities. Once inside, they often exfiltrate data within a single day. Many of these breaches begin with systems no one realized were publicly accessible.

Organizations have embraced cloud-native application protection platforms (CNAPP) to secure their clouds, but CNAPPs only protect the cloud environments they're connected to. Anything outside that scope, like shadow cloud assets, remains invisible to security teams, opening blind spots that attackers can exploit.

## Cortex Cloud for Attack Surface Management

Today, we're introducing Cortex Cloud ASM to uncover the attack surface other CNAPPs miss with proven outside-in visibility from Cortex Xpanse, the world's #1 ASM solution. It enables security teams to discover and secure internet-exposed cloud assets to reduce the external attack surface.

Unlike siloed tools, Cortex Cloud combines the internal visibility of a CNAPP with external attack surface intelligence, giving teams the visibility and confidence they need to secure their external cloud footprint.

## Eliminate Cloud Blind Spots

Cortex Cloud continuously scans the internet across all 65,535 network ports using a CFAA-compliant engine that avoids intrusive behavior. Each scan uses purpose-built payloads---not penetration testing---to detect externally exposed assets, services and web applications across cloud environments.

Cortex Cloud automatically maps assets to your organization with precision using AI-driven attribution. It actively correlates internet scan observations with domain registration records, DNS data and SSL certificates to link each asset back to your environment, even when deployed outside of sanctioned processes.

Once it discovers an asset, Cortex Cloud adds it to an inventory of unmanaged cloud services actively running in your environment. Identified from an external attacker's perspective, the unmanaged services might include VMs, storage buckets, databases, load balancers, serverless functions, identity services, APIs and other publicly accessible infrastructure across AWS, Azure and GCP. Though often operate outside the visibility of traditional tools, the assets become trackable, attributable and actionable with Cortex Cloud.
![External surface inventory indexes internet-facing services](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340920-1.png)
Figure 1: External surface inventory indexes internet-facing services

## Prioritize Critical Exposures

Cortex Cloud ASM continuously detects and validates exposure risks across both managed and unmanaged assets. With over 800 built-in rules, it detects internet-facing vulnerabilities, misconfigurations and other exposures, helping security teams focus on real issues that increase their external attack surface.

Cloud ASM performs daily scanning using protocol-validated techniques. Every finding includes rich context such as IP address, port, certificate metadata, DNS records and cloud ownership---enabling security teams to assess and respond quickly.
![Critical vulnerabilities detected by external scanning engine](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340920-2.png)
Figure 2: Critical vulnerabilities detected by external scanning engine

## Drive Attack Surface Reduction with Context

Cortex Cloud combines the inside-out configuration analysis of a CNAPP with the outside-in exposure validation of an ASM solution.

By linking externally exposed assets to internal context such as misconfigurations, entitlements and potential lateral movement paths, security teams gain the clarity needed to understand which exposures pose the most severe risk. Cloud ASM also verifies known exposures detected by Cortex Cloud's network analysis engine, giving security teams high confidence insights.

By integrating ASM capabilities into a CNAPP, Cortex Cloud helps organizations cut through noise to focus on high-impact exposures and attack paths before they are exploited.
![Internet-exposed VMs have access to a datastore used to train AI models.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/06/word-image-340920-3.png)
Figure 3: Internet-exposed VMs have access to a datastore used to train AI models.

## Experience Cloud ASM

Cortex Cloud is the first CNAPP to deliver ASM capabilities, helping organizations discover and protect their cloud's internet attack surface.

Want to see Cortex Cloud ASM in action? Try our [self-paced product tour](https://cloud-demo.paloaltonetworks.com/share/ec7ztqvieggr) to get firsthand experience. If you're ready to speak to an expert about how Cortex Cloud can help your organization, then request a [personalized demo](https://start.paloaltonetworks.com/cortex-cloud-posture-demo).

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud ASM](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-asm/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown)

[#### What's New in Cortex Cloud](https://www.paloaltonetworks.com/blog/cloud-security/attack-surface-dspm-fim/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Native Application Protection Platform](https://www.paloaltonetworks.com/blog/category/cloud-native-application-protection-platforms/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-security/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [Reports](https://www.paloaltonetworks.com/blog/category/reports/?ts=markdown)

[#### Where Cloud Security Stands Today and Where AI Breaks It](https://www.paloaltonetworks.com/blog/2025/12/cloud-security-2025-report-insights/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [Compliance](https://www.paloaltonetworks.com/blog/cloud-security/category/compliance/?ts=markdown)

[#### Cortex Cloud Stands Alone to Secure Mission-Critical Workloads with FedRAMP High and Moderate](https://www.paloaltonetworks.com/blog/cloud-security/cortex-cloud-stands-alone-to-secure-mission-critical-workloads-with-fedramp-high-and-moderate/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Application Security](https://www.paloaltonetworks.com/blog/cloud-security/category/application-security/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Introducing Cortex Cloud --- The Future of Real-Time Cloud Security](https://www.paloaltonetworks.com/blog/2025/02/announcing-innovations-cortex-cloud/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown), [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Reports](https://www.paloaltonetworks.com/blog/category/reports/?ts=markdown)

[#### Nikesh Arora on Mad Money](https://www.paloaltonetworks.com/blog/2024/12/nikesh-arora-on-mad-money/)

### [AI Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/ai-security-posture-management/?ts=markdown), [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [CNAPP](https://www.paloaltonetworks.com/blog/cloud-security/category/cnapp/?ts=markdown)

[#### Precision AI and Scale: Recapping Prisma Cloud Innovations from August](https://www.paloaltonetworks.com/blog/cloud-security/ai-product-updates-august-2024/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language