# Cloud Discovery and Exposure Management: Unveiling the Hidden Landscape

By [Vishal Kagde](https://www.paloaltonetworks.com/blog/author/vishal-kagde/?ts=markdown "Posts by Vishal Kagde") and [Cameron Hyde](https://www.paloaltonetworks.com/blog/author/cameron-hyde/?ts=markdown "Posts by Cameron Hyde")

Oct 24, 2023

**Identify shadow cloud assets, assess internet-accessible exposure risks, and remediate previously unmanaged risks with Prisma Cloud.**

Speed and agility in application development often take precedence over security. While rapid innovation can fuel business growth, it can also spawn unknown and unmanaged assets --- commonly referred to as shadow assets. These shadow assets compromise cloud security, exposing organizations to a myriad of risks.

Enter [cloud discovery and exposure management (CDEM)](https://paloaltonetworks.com/prisma/cloud/cloud-discovery-exposure-management), a pivotal CNAPP capability that empowers security teams to identify, assess and remediate hidden cloud assets.

## Rogue Cloud Sprawl Leaves Security Blind Spots

The cloud's inherent flexibility and scalability offer organizations a solid tech foundation for innovation. The same attributes, though, can lead to cloud asset sprawl. Cloud-based IT infrastructure exists in a state of flux with an average 20% of externally accessible cloud services changing every month.^1^ Without continuous visibility, it's easy to lose track of accidental misconfigurations and the steady spread of shadow IT within an organization.

Research from Palo Alto Networks paints a sobering picture. Though difficult to fathom, approximately 30% to 40% of an organization's publicly accessible attack surface is unknown.^2^ In other words, a large portion of an organization's workloads are outside the purview of security teams.

These unknown assets can range from unsecured databases and exposed APIs to rogue virtual machines. The worst part is that attackers can discover and exploit them before internal security teams even know about them.

## Introducing Cloud Discovery and Exposure Management

In our [recent Darwin release](https://paloaltonetworks.com/blog/2023/10/announcing-innovations-cnapp-prisma-cloud), Prisma Cloud introduces cloud discovery and exposure management (CDEM) functionality, giving security professionals an outside-looking-in view of their cloud environment and the critical ability to discover, evaluate, and mitigate unknown and unmanaged internet exposure risks.

By discovering unattributed and internet-exposed assets across Amazon Web Services, Azure, and Google Cloud Platform, Prisma Cloud enables security teams to investigate risks and communicate them to application owners to help facilitate their timely remediation. Prisma Cloud also provides native workflows to convert unmanaged assets into managed assets protected by the continuous, automated monitoring of [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/prisma/cloud/cloud-security-posture-management?ts=markdown).

With [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud/latest?ts=markdown), users can:

* Compile a complete asset inventory that includes managed and unmanaged cloud assets
* Determine internet exposure risks with an outside-in view of shadow IT assets in the public cloud
* Remediate hidden exposures to improve cloud security posture

### Discover Your Unmanaged Assets

Cloud security posture is only as strong as visibility is long. Prisma Cloud provides comprehensive visibility into all your resources --- those within and beyond your security teams' view --- by scanning the entire IPv4 space. In regularly performed scans, it identifies all cloud assets associated with your organization, including shadow resources you unknowingly inherited through any number of common practices.

Taking an attacker's view of internet exposures, Prisma Cloud correlates data from a variety of sources, including IP registration, autonomous system number (ASN) advertisement, certificates and domain name system. It then matches this data to the full set of internet-facing systems and services to attribute assets to the organization and provide the organization with accurate ownership details.

![Overview of unmanaged internet exposure risks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306285-1.png)

Figure 1: Overview of unmanaged internet exposure risks

### Exposure Risk Assessment

Identifying rogue assets is only half the battle. Understanding the risks they pose is equally crucial. Once Prisma Cloud identifies and attributes all internet-exposed assets to a specific organization, the platform conducts an exhaustive assessment of internet exposure risk.

![Internet exposure risk findings show insecure Apache services for an unmanaged asset.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/word-image-306285-2.png)

Figure 2: Internet exposure risk findings show insecure Apache services for an unmanaged asset.

The platform identifies risks based on more than 650 predefined policies across 12 categories, each meticulously crafted to address specific vulnerabilities. It can spot publicly exposed databases, for instance, and insecure file-sharing services, such as unencrypted FTP servers and unclaimed S3 buckets. Prisma Cloud's CDEM capabilities also detect exploitable vulnerabilities and misconfigurations that enable privileged access to your environment, such as insecure open SSH and LDAP configurations.

While identifying risks is crucial, prioritizing them transforms a list of vulnerabilities into actionable steps.

### Risk Remediation

Prisma Cloud equips security teams with guided risk reduction workflows to remediate and triage findings.

#### Communicate Asset Context

Once security teams identify asset exposure details, they can easily communicate them within their organization using Prisma Cloud's native workflows. Prisma Cloud provides details such as cloud account name, cloud provider, IP address, exposed services listing, port number, certificate details, asset ownership attribution information (like whois server, \[registrar name\]), and risk findings (expired certificates, weak cryptography, outdated software versions, etc.). By quickly conveying relevant information to asset owners, internal security teams can quickly address risks.

#### Onboard Accounts for Internal Management

While external visibility into cloud assets is a critical part of a security strategy, organizations still need to ensure ongoing internal insight and management. Using the asset context and findings, Prisma Cloud admins can convert unmanaged assets to managed, gaining full internal visibility and control.

## Navigating Complex Cloud Use Cases with CDEM

Cloud discovery and exposure management addresses a variety of use cases.

**Eliminating Shadow Cloud Deployments**

Detect new VMs, databases and other resources in the cloud to keep security teams immediately aware of the appearances of unapproved workloads. Easily identify and reduce risks associated with rogue cloud assets by onboarding them to Prisma Cloud for ongoing security posture management.

**Monitoring for Configuration Changes**

Detect configuration changes to existing workloads when previously approved resources are reconfigured in a way that violates governance and compliance policies.

**Streamlining Mergers and Acquisitions**

Improve due diligence on security related to mergers and acquisitions by identifying newly added cloud assets and integrating them into the managed network without creating accidental exposures.

**Boosting Zero-Day Response**

Assess risk and reduce exposure to the latest CVEs by reducing mean time to detect (MTTD) and mean time to respond (MTTR) --- without additional analysts.

**Improving Compliance and Audits**

Leverage complete, accurate asset lists to reduce audit duration and save costs on third-party audit and compliance processes.

**Boost the Value of Cloud Security Tools**

Improve cloud asset coverage and, as a result, the ROI of existing cloud [vulnerability management](https://www.paloaltonetworks.com/cyberpedia/what-Is-vulnerability-management?ts=markdown) tools, such as [CSPM](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-security-posture-management?ts=markdown).

## Integrated with Industry Leading CNAPP

Prisma Cloud stands out as the only [CNAPP](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform?ts=markdown) provider offering both CSPM and CDEM functionalities to effectively fortify your organization's cloud security posture. With [Prisma Cloud](https://www.paloaltonetworks.com/prisma/whyprisma?ts=markdown), you gain a holistic view of every asset across your ecosystem that identifies known and unknown assets. Armed with the dual inside-out and outside-in perspective, your teams will finally grasp the scope and context of the threats at their door --- and have the horsepower to eradicate them.

## Learn More

Tune in to our on-demand webinar, [CNAPP Supercharged: A Radically New Approach to Cloud Security](https://start.paloaltonetworks.com/prisma-cloud-new-innovations-for-the-future-of-cloud-security-webinar-on-demand.html), to learn about Prisma Cloud's latest innovations and how to streamline app lifecycle protection. And don't miss an opportunity to test drive best-in-class code-to-cloud security with a [30-day Prisma Cloud trial](https://www.paloaltonetworks.com/prisma/request-a-prisma-cloud-trial?ts=markdown).

**References**

1. [*2023 Cortex Xpanse Attack Surface Threat Report*](https://www.paloaltonetworks.com/resources/research/2023-unit-42-attack-surface-threat-report?ts=markdown), Palo Alto Networks, September, 2023.
2. [*2022 Cortex Xpanse Attack Surface Threat Report Vol. 2.1*](https://start.paloaltonetworks.com/2022-asm-threat-report), Palo Alto Networks, July, 2022.