Attack Surface Management

Frequently asked questions

What is Attack Surface Management?

Attack Surface Management answers two questions on a continuous loop: what does our organization have facing the internet, and is any of it at risk? It builds a live, always-up-to-date inventory of your assets, including domains, subdomains, IP addresses, web applications, cloud assets, and the technologies behind them, then runs automated security assessments to catch vulnerabilities that can be exploited by an external attacker.

We already run regular penetration tests. Do we still need ASM?

Yes. Penetration tests evaluate the security of a defined set of assets at a specific point in time. The results show a snapshot of the security posture of those specific assets when the test was performed.

ASM is broad and continuous. It often discovers assets that were never included in a penetration test scope in the first place, including forgotten infrastructure and shadow IT. It also catches when assets that were previously secure become vulnerable because of new risks that appear between pentest engagements.

How does Oneleet ASM reduce false positives?

Oneleet ASM validates vulnerability findings using attacker-inspired techniques, including safe exploit attempts where appropriate, to confirm whether an exposure is realistically exploitable from the internet. This substantially reduces false-positive alerts.

How quickly can we get started and see results?

All you need is a domain name. Oneleet ASM works from the outside in and discovers assets the same way an external attacker would. There are no agents to deploy or complex integrations to set up. You can get started in just a few minutes, and actionable results typically appear within 1–2 hours.