Mod 06 · Attack Surface Map

Ten surfaces. Identity is the hub.

Every defender protects some combination of these ten surfaces. The center of gravity has shifted: where the perimeter used to be the organizing frame, today it's identity — almost every other surface routes through it. Read this as a map of where threats land, not a vendor roster.

Surface 01 · Hub

Identity

What lives here

Accounts, credentials, privilege, machine and non-human identities — the control plane the rest of the surfaces increasingly route through.

Primary threats
  • phishing
  • credential theft
  • MFA fatigue
  • token theft
  • privilege escalation
  • identity-based lateral movement
Defensive categories
  • IAM
  • MFA
  • PAM
  • IGA
  • ITDR
  • CIEM
  • non-human identity
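
MFA fatigue is the one threat on this list that is easiest to miss in a SIEM because every individual event is legitimate: the push was sent by the IdP, the user denied it, then denied it again, then approved. The signal is the burst, and whether the burst ended in an approval. The following detector is an added example, not code from the original page: the log format (one line per push result), the field names and the thresholds are assumptions, and the sample events are constructed.

```python
"""MFA-fatigue (push bombing) detection over constructed sample auth events.

Added example for the Identity surface; not part of the original page.
The log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, MFA push result. Not real data.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z alice push_denied
2024-05-01T09:00:41Z alice push_denied
2024-05-01T09:01:12Z alice push_denied
2024-05-01T09:01:50Z alice push_denied
2024-05-01T09:02:30Z alice push_approved
2024-05-01T09:10:00Z bob push_approved
2024-05-01T11:30:00Z bob push_denied
2024-05-01T11:45:00Z bob push_approved
"""

PROMPT_THRESHOLD = 4           # prompts within the window that count as a burst
WINDOW = timedelta(minutes=5)  # sliding window length


def parse_events(text):
    """Parse 'ISO8601 user result' lines into sorted (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_mfa_fatigue(text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one finding per user whose MFA prompts form a burst.

    A burst is `threshold` or more push prompts (any result) inside `window`.
    The finding records whether an approval fell inside the burst, which is
    the pattern that matters: the victim accepted to make the prompts stop.
    """
    per_user = defaultdict(list)
    for ts, user, result in parse_events(text):
        per_user[user].append((ts, result))

    findings = []
    for user, evs in per_user.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["prompts"]):
                approved = any(r == "push_approved" for _, r in evs[start:end + 1])
                best = {
                    "user": user,
                    "prompts": count,
                    "window_start": evs[start][0].isoformat(),
                    "approved_during_burst": approved,
                    "severity": "high" if approved else "medium",
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_LOG):
        print(f)
```

Tune the threshold against your IdP's real prompt rate; a user who legitimately retries a push twice should not trip it, and an approval that follows a burst is the case worth paging on, because it means the attacker now holds a session.
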
Surface 02

Endpoint

What lives here

Workstations, servers, mobile devices — the historical center of detection-and-response.

Primary threats
  • malware
  • ransomware
  • fileless / living-off-the-land
  • tampering with security agents
Defensive categories
  • EDR
  • EPP
  • NGAV
  • XDR
  • MDR
Surface 03

Cloud

What lives here

IaaS/PaaS workloads, configurations, containers, Kubernetes clusters, serverless functions.

Primary threats
  • misconfiguration
  • exposed storage
  • workload compromise
  • toxic combinations (individually tolerable findings, such as public exposure plus an unpatched workload plus an over-privileged role, that together form an attack path)
  • runtime exploits
Defensive categories
  • CNAPP
  • CSPM
  • CWPP
  • CIEM
  • KSPM
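
A toxic combination is what the CNAPP category exists to find: a CSPM finding, a CWPP finding and a CIEM finding that are each medium on their own but form a complete path when they sit on the same asset. The scoring below is an added example, not code from the original page or from any product; the asset inventory, attribute names, permission names used as escalation indicators and the rules themselves are assumptions chosen to show the idea.

```python
"""Toxic-combination scoring over a constructed cloud asset inventory.

Added example for the Cloud surface; not part of the original page. The
inventory, attribute names and rules are illustrative assumptions.
"""

# Constructed inventory: each asset carries the standalone findings a
# posture tool (CSPM / CWPP / CIEM) would raise on it.
ASSETS = [
    {"id": "web-01", "kind": "vm",
     "internet_exposed": True, "unpatched_critical_cve": True,
     "role_permissions": ["s3:GetObject", "iam:PassRole", "iam:CreateAccessKey"],
     "reaches_sensitive_data": True},
    {"id": "batch-07", "kind": "vm",
     "internet_exposed": False, "unpatched_critical_cve": True,
     "role_permissions": ["s3:GetObject", "sts:AssumeRole"],
     "reaches_sensitive_data": False},
    {"id": "bucket-logs", "kind": "bucket",
     "internet_exposed": True, "unpatched_critical_cve": False,
     "role_permissions": [], "reaches_sensitive_data": False},
]

# Permissions that let a role mint credentials or escalate (illustrative subset).
ESCALATION_PERMS = {"iam:CreateAccessKey", "iam:PassRole", "iam:AttachRolePolicy",
                    "sts:AssumeRole", "*"}


def can_escalate(asset):
    """True if the asset's role holds any permission that enables escalation."""
    perms = set(asset["role_permissions"])
    return bool(perms & ESCALATION_PERMS) or any(p.endswith(":*") for p in perms)


# Each rule: name, list of predicates, severity when *all* predicates hold.
RULES = [
    ("public + exploitable + privilege escalation",
     [lambda a: a["internet_exposed"], lambda a: a["unpatched_critical_cve"], can_escalate],
     "critical"),
    ("public + exploitable + reaches sensitive data",
     [lambda a: a["internet_exposed"], lambda a: a["unpatched_critical_cve"],
      lambda a: a["reaches_sensitive_data"]],
     "critical"),
    ("internal + exploitable + privilege escalation",
     [lambda a: not a["internet_exposed"], lambda a: a["unpatched_critical_cve"], can_escalate],
     "high"),
]


def individual_findings(asset):
    """The standalone findings a single-dimension scanner would report."""
    out = []
    if asset["internet_exposed"]:
        out.append(("internet_exposed", "medium"))
    if asset["unpatched_critical_cve"]:
        out.append(("unpatched_critical_cve", "high"))
    if can_escalate(asset):
        out.append(("escalation_capable_role", "medium"))
    return out


def toxic_combinations(assets, rules=RULES):
    """Return {asset_id: [(rule_name, severity), ...]} for assets matching any rule."""
    hits = {}
    for a in assets:
        matched = [(name, sev) for name, preds, sev in rules if all(p(a) for p in preds)]
        if matched:
            hits[a["id"]] = matched
    return hits


if __name__ == "__main__":
    for a in ASSETS:
        print(a["id"], "standalone:", individual_findings(a))
    print("toxic:", toxic_combinations(ASSETS))
```

The point of the contrast: the public log bucket is a real finding but on its own is not a path to anything, while web-01 turns three medium findings into two critical combinations. Prioritise by path, not by count of findings.
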
Surface 04

SaaS

What lives here

Business apps (Workday, Salesforce, Google Workspace), OAuth grants between them, shadow SaaS the company doesn't know it has.

Primary threats
  • misconfiguration
  • over-permissioned integrations
  • data exposure
  • account takeover via OAuth (consent phishing, stolen refresh tokens)
  • shadow IT
Defensive categories
  • SaaS security posture management (SSPM)
  • identity (SSO and MFA enforced on every app)
  • DSPM
  • CASB
Surface 05

Application & API

What lives here

Custom-built applications, public and internal APIs, source code repositories, build pipelines.

Primary threats
  • injection
  • broken auth
  • business-logic abuse
  • API abuse
  • vulnerability backlog
Defensive categories
  • AppSec
  • API security
  • ASPM
  • WAF
  • SCA
Surface 06

Data

What lives here

Sensitive structured and unstructured data across cloud, SaaS, endpoints — and increasingly, data being ingested by AI/agent systems.

Primary threats
  • exposure
  • exfiltration
  • leakage
  • shadow data
  • ingestion into AI without governance
Defensive categories
  • DSPM
  • DLP
  • data access governance
  • backup / recovery
Surface 07

Network

What lives here

Perimeter, internal segments, remote-access paths.

Primary threats
  • lateral movement
  • command-and-control beaconing
  • exposed services on the public internet
Defensive categories
  • firewall
  • SASE
  • ZTNA
  • SWG
  • NDR
  • network segmentation
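
Command-and-control beaconing is the network threat that NDR is meant to surface, and the classic analytic is timing: an implant checks in on a fixed interval with little jitter and near-constant payload sizes, while a human browsing the same destination does not. The detector below is an added example, not code from the original page; the flow record shape, the thresholds and the sample flows are constructed for illustration.

```python
"""Beaconing detection over constructed connection records.

Added example for the Network surface; not part of the original page. The
record format, thresholds and sample data are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: epoch seconds, source host, destination, bytes out.
# host-a talks to 203.0.113.7 every ~60 s with slight jitter (beacon-like);
# host-b's connections are irregular in timing and size (browsing-like).
FLOWS = [
    (1000, "host-a", "203.0.113.7:443", 512),
    (1061, "host-a", "203.0.113.7:443", 510),
    (1119, "host-a", "203.0.113.7:443", 515),
    (1180, "host-a", "203.0.113.7:443", 511),
    (1242, "host-a", "203.0.113.7:443", 509),
    (1299, "host-a", "203.0.113.7:443", 514),
    (1000, "host-b", "198.51.100.20:443", 2400),
    (1007, "host-b", "198.51.100.20:443", 18000),
    (1250, "host-b", "198.51.100.20:443", 900),
    (1262, "host-b", "198.51.100.20:443", 35000),
    (1700, "host-b", "198.51.100.20:443", 4100),
    (1703, "host-b", "198.51.100.20:443", 700),
]

MIN_CONNECTIONS = 5       # fewer than this and the interval statistics mean little
MAX_JITTER_RATIO = 0.15   # stdev/mean of the intervals; beacons keep this small
MAX_SIZE_RATIO = 0.10     # stdev/mean of bytes; beacons send near-constant payloads


def intervals(timestamps):
    """Gaps between consecutive timestamps, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def cv(values):
    """Coefficient of variation: population stdev over mean (0 if mean is 0)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def detect_beacons(flows, min_conns=MIN_CONNECTIONS,
                   max_jitter=MAX_JITTER_RATIO, max_size=MAX_SIZE_RATIO):
    """Return (src, dst, period_s, jitter_cv, size_cv) for beacon-like pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_conns:
            continue
        gaps = intervals([t for t, _ in recs])
        sizes = [b for _, b in recs]
        jitter, size_var = cv(gaps), cv(sizes)
        if jitter <= max_jitter and size_var <= max_size:
            hits.append((src, dst, round(mean(gaps), 1),
                         round(jitter, 3), round(size_var, 3)))
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(FLOWS):
        print(hit)
```

Treat this as a triage signal rather than a verdict: update checks, monitoring agents and some CDN keepalives are periodic too, and mature implants add configurable jitter, so pair the timing score with destination reputation and the process that opened the socket (the endpoint surface) before escalating.
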
Surface 08

Third-party / Supply chain

What lives here

Vendor relationships, software dependencies, SBOM contents, build artifacts from upstream.

Primary threats
  • supply-chain compromise
  • fourth-party risk
  • dependency exploits
  • vendor breach with shared blast radius
Defensive categories
  • TPRM
  • vendor risk ratings
  • SBOM / software attestation
  • ASM
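
An SBOM is only useful if something reads it. The minimum loop is: parse the component list, identify each component by its package URL, and check the version against the affected ranges in an advisory feed. The matcher below is an added example, not code from the original page. It follows the CycloneDX JSON shape (bomFormat, components[].purl), but the component list is constructed and the advisory entries are illustrative placeholders, not real vulnerabilities.

```python
"""Matching SBOM components against a constructed advisory feed.

Added example for the Third-party / Supply chain surface; not part of the
original page. The SBOM uses the CycloneDX JSON shape (bomFormat,
components[].purl) but the components and the advisories are constructed
for illustration and do not describe real packages or vulnerabilities.
"""
import json

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "2.3.1",
     "purl": "pkg:npm/libfoo@2.3.1"},
    {"type": "library", "name": "libfoo", "version": "2.5.0",
     "purl": "pkg:npm/libfoo@2.5.0"},
    {"type": "library", "name": "barlib", "version": "1.0.4",
     "purl": "pkg:pypi/barlib@1.0.4"},
    {"type": "library", "name": "bazlib", "version": "0.9.0",
     "purl": "pkg:pypi/bazlib@0.9.0"}
  ]
}
"""

# Constructed advisories: "introduced" is the first affected version and
# "fixed" the first non-affected one, i.e. the affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:npm/libfoo",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-0002", "purl_prefix": "pkg:pypi/barlib",
     "introduced": "1.0.0", "fixed": "1.1.0"},
]


def parse_version(v):
    """Turn '2.3.1' into a comparable tuple; non-numeric parts compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:npm/libfoo@2.3.1' -> ('pkg:npm/libfoo', '2.3.1')."""
    name, _, version = purl.rpartition("@")
    return name, version


def affected(version, advisory):
    """True if `version` lies in the advisory's half-open affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_sbom(sbom_text, advisories=ADVISORIES):
    """Return [(purl, advisory_id, fixed_version)] for vulnerable components."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # a component without a purl cannot be matched reliably
        name, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_prefix"] == name and affected(version, adv):
                hits.append((purl, adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM_JSON):
        print(hit)
```

Two practical caveats: the version parser here is deliberately simple, and real ecosystems (PEP 440 pre-releases, npm ranges, Debian epochs) need the ecosystem's own comparison rules; and a match tells you a vulnerable version is present, not that the vulnerable code path is reachable, which is the question a reachability-aware SCA tool tries to answer.
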
Surface 09

OT / IoT

What lives here

Industrial control systems, connected devices, building automation, medical devices.

Primary threats
  • operational disruption
  • safety impact
  • legacy-system exploits with no patch path
Defensive categories
  • OT security
  • network monitoring
  • segmentation
  • asset visibility
Surface 10

AI / Agents

What lives here

Deployed models, agent permissions, prompts, training and inference data, integrations between LLMs and enterprise systems.

Primary threats
  • prompt injection
  • data leakage to model providers
  • over-permissioned agents acting beyond intent
  • model abuse / jailbreak
Defensive categories
  • AI security (model + agent + data + prompt governance)
  • DSPM for AI data
  • identity for agents and non-human identities
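
Over-permissioned agents and prompt injection are two halves of one problem: injected text can only make an agent do what the agent's identity is allowed to do. That is why the defensive categories here end in identity. A gate between the model's proposed tool call and the tool itself, keyed on the agent's identity rather than on the prompt, bounds the damage regardless of what the model was talked into. The gate below is an added example, not code from the original page or any agent framework; the agent names, tool names, policy shape and the sample tool calls are assumptions.

```python
"""A tool-call policy gate for LLM agents: least privilege per agent identity.

Added example for the AI / Agents surface; not part of the original page.
Agent names, tools, policies and the sample tool calls are illustrative
assumptions. The gate sits between the model's proposed tool call and the
tool itself, so instructions smuggled in via prompt injection cannot exceed
what the agent's identity was granted.
"""
import posixpath
from urllib.parse import urlparse

# Per-agent grants: which tools, and constraints on their arguments.
POLICIES = {
    "ticket-triage-agent": {
        "read_file":  {"path_prefix": "/srv/tickets/"},
        "http_get":   {"hosts": {"tracker.internal.example"}},
        "send_email": {"to_domains": {"example.com"}},
    },
    "docs-summary-agent": {
        "read_file":  {"path_prefix": "/srv/docs/"},
    },
}


def _path_allowed(path, prefix):
    # Normalise first so '/srv/tickets/../../etc/shadow' cannot pass the check.
    return posixpath.normpath(path).startswith(prefix)


def check_tool_call(agent, tool, args, policies=POLICIES):
    """Return (allowed, reason) for one proposed tool call; default deny."""
    grants = policies.get(agent)
    if grants is None:
        return False, f"unknown agent identity {agent!r}"
    constraint = grants.get(tool)
    if constraint is None:
        return False, f"{agent} is not granted tool {tool!r}"

    if tool == "read_file":
        path = args.get("path", "")
        if not _path_allowed(path, constraint["path_prefix"]):
            return False, f"path {path!r} outside {constraint['path_prefix']}"
    elif tool == "http_get":
        host = urlparse(args.get("url", "")).hostname or ""
        if host not in constraint["hosts"]:
            return False, f"host {host!r} not in allowlist"
    elif tool == "send_email":
        domain = args.get("to", "").rpartition("@")[2].lower()
        if domain not in constraint["to_domains"]:
            return False, f"recipient domain {domain!r} not allowed"
    return True, "ok"


# Constructed tool calls as an agent runtime might propose them. The last
# three are the kind of thing an instruction injected into a ticket body
# would ask for: read a secret, mail it out, or use a tool never granted.
SAMPLE_CALLS = [
    ("ticket-triage-agent", "read_file", {"path": "/srv/tickets/4711.txt"}),
    ("ticket-triage-agent", "send_email", {"to": "oncall@example.com"}),
    ("ticket-triage-agent", "read_file", {"path": "/srv/tickets/../../etc/shadow"}),
    ("ticket-triage-agent", "send_email", {"to": "drop@attacker.example"}),
    ("docs-summary-agent", "http_get", {"url": "https://tracker.internal.example/x"}),
]


def evaluate(calls=SAMPLE_CALLS, policies=POLICIES):
    """Run the gate over a batch of calls; returns a list of (allowed, reason)."""
    return [check_tool_call(a, t, args, policies) for a, t, args in calls]


if __name__ == "__main__":
    for call, verdict in zip(SAMPLE_CALLS, evaluate()):
        print(call[0], call[1], "->", verdict)
```

The gate is deliberately ignorant of the prompt: it does not try to decide whether the model was manipulated, it only enforces what this non-human identity may touch. Log every denial with the agent identity and the offending arguments; a triage agent that suddenly asks to read /etc/shadow is an injection detection in its own right.
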