
Getting Started with Escape's Attack-Surface Management (ASM)

Escape ASM gives security teams a single source of truth for every external *and internal* Asset in their Code-to-Cloud estate. With just a primary domain (and, optionally, read-only cloud or code integrations), it performs agent-less, non-intrusive discovery and then immediately runs a surface-level security test against each asset it finds.

Why it matters: you don’t just know what you have; you get an instant first-pass assessment of its exposure.

The resulting ASM appears in five filterable, sortable, searchable tables that let you zero in on the riskiest hosts, APIs, and web apps in seconds.


ASM + DAST: Coverage Meets Depth

Escape is the first platform where ASM and DAST work in native symbiosis:

| Layer | What it delivers | How they interact |
|---|---|---|
| ASM (Coverage) | Discovery + Surface Security Testing of every asset, internal or external | Feeds a continuously updated asset list (with basic risk signals) into… |
| DAST (Depth) | Deep, business-logic testing with authenticated flows, fuzzing, and complex attack simulations | …so security teams can target the most critical or high-value assets first, without wasting crawl time on unknowns. |

Think of ASM as your radar and DAST as your guided missile: together they ensure maximum breadth and depth of protection.


How It Works

  1. Input – Supply a domain such as example.com and any optional read-only integrations.
  2. Discovery – Escape combines open-source reconnaissance, proprietary AI, and integration data to enumerate external and internal assets.
  3. Surface Security Testing – For every discovered asset, ASM runs lightweight checks (open-port audit, headers, TLS hygiene, unauthenticated endpoint probes, etc.) to flag obvious misconfigurations or exposures.
  4. Deep Testing (Optional) – Select any asset (or the whole ASM) to queue for DAST, which performs stateful, business-logic testing.
  5. Output & Automation – Findings flow to your SIEM, ticketing, or chat tool via “Finding Destination Integrations” for rapid triage and remediation.

Figure: A simplified version of how Escape ASM technically works


Supported Application Assets

| Category | Description | ASM Surface Tests | DAST Deep Tests |
|---|---|---|---|
| Hosts | DNS records, IPv4, IPv6 | Port scan, banner grab, TLS config, common CVEs | Authenticated service abuse, protocol fuzzing |
| API Services | REST, GraphQL, gRPC, WebSocket, SOAP | Endpoint enumeration, schema diff, OWASP top-10 lite | Auth-aware fuzzing, business-logic abuse, BOLA, IDOR |
| Web Apps | MPAs, SPAs, front-end deployments | Tech fingerprint, security headers, basic crawl | Session-handling, CSRF, privilege escalation |
| Work in progress: Repositories | Git projects linked via SCM | Ownership mapping, secret-scan preview | Full code/CI pipeline scanning (future roadmap) |

Fingerprinted Asset Characteristics

  • Reachability – External (region-aware) or internal
  • Status – Monitored, Out of Scope, False Positive, Deprecated
  • Environment – Production, Staging, Development
  • Technology Stack – Frameworks & runtimes
  • Cloud Hosting – AWS, Azure, GCP, OVH, Akamai, etc.
  • Edge / Firewall – Cloudflare, AWS ELB, Azure WAF, etc.
  • Authentication Method – Keycloak, Auth0, API Key, etc.
  • Code Owners – Pulled from connected SCM to speed assignment
  • …and dozens of additional metadata points that power search, filtering, and risk scoring.

ASM Scanners

Escape ASM operates as a collection of specialized scanners, each designed to discover, validate, and monitor specific asset types across your environment. This approach ensures comprehensive coverage while maintaining performance and scalability. Here's how the ASM execution process works:

1. Asset Input and Validation

Each ASM scanner processes a single asset, either manually created or discovered automatically during the initial discovery phase. Upon receiving the asset, the scanner first performs a validation step. This validation checks the asset's status, reachability, and basic configurations, ensuring that the asset is legitimate and operational.

2. Asset Fingerprinting

Once an asset is validated, the scanner fingerprints metadata such as its environment, technology stack, cloud hosting, and authentication methods. This fingerprinting phase ensures that each asset is uniquely identified and categorized, which is critical for subsequent analysis and monitoring.

3. Asset Discovery and Exploration

Following validation and fingerprinting, the scanner enters the discovery phase, exploring the asset's connections and dependencies. This phase identifies related assets across the environment. For example, discovering a web application may reveal associated API services, databases, or other interconnected components. This cascading discovery ensures the full scope of the attack surface is mapped, including assets that were not initially visible.

ASM Execution

Once an asset is discovered, Escape ASM handles it differently depending on whether it is new or existing:

  • New assets are scanned immediately to map the organization’s attack surface and identify any immediate risks. The scan also triggers the discovery of related or dependent assets, creating a cascading exploration across the environment.
  • Existing assets are scanned periodically at random intervals each week. These re-scans detect misconfigurations and environmental changes, deprecate legacy assets, and identify any new assets in the organization. This ensures that the attack surface remains continuously updated.
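
The validate, fingerprint, discover sequence and the new-versus-existing handling described above can be modeled in a few lines. This is an added illustration, not Escape's code: the estate data, the `scan_asset` and `run_cascade` names, the header-based fingerprint rules, and the choice of a uniform random offset within seven days are all assumptions made for the example.

```python
import random
from collections import deque
from datetime import datetime, timedelta

# Constructed sample estate (hypothetical hosts, headers and links).
ESTATE = {
    "example.com": {"up": True, "headers": {"server": "cloudflare"},
                    "related": ["app.example.com", "api.example.com"]},
    "app.example.com": {"up": True, "headers": {"server": "nginx"},
                        "related": ["api.example.com", "cdn.example.com"]},
    "api.example.com": {"up": True, "headers": {"content-type": "application/json"},
                        "related": ["db.internal.example.com"]},
    "cdn.example.com": {"up": True, "headers": {}, "related": []},
    "db.internal.example.com": {"up": False, "headers": {}, "related": []},
}

def scan_asset(name):
    """One scanner run: validate, fingerprint, then discover related assets."""
    record = ESTATE.get(name)
    if record is None or not record["up"]:           # 1. validation
        return {"asset": name, "valid": False, "related": []}
    headers = record["headers"]                       # 2. fingerprinting
    kind = "api" if "json" in headers.get("content-type", "") else "web"
    edge = "Cloudflare" if headers.get("server") == "cloudflare" else None
    return {"asset": name, "valid": True, "kind": kind, "edge": edge,
            "related": record["related"]}             # 3. discovery

def run_cascade(seed, known, now, rng):
    """Scan new assets at once, breadth-first; give known assets a re-scan
    time at a random offset within the coming week."""
    queue, seen, results, rescans = deque([seed]), {seed}, [], {}
    while queue:
        asset = queue.popleft()
        if asset in known:
            rescans[asset] = now + timedelta(seconds=rng.randrange(7 * 24 * 3600))
            continue
        result = scan_asset(asset)
        results.append(result)
        for related in result["related"]:
            if related not in seen:                   # scan each asset only once
                seen.add(related)
                queue.append(related)
    return results, rescans

if __name__ == "__main__":
    scanned, scheduled = run_cascade("example.com", {"cdn.example.com"},
                                     datetime(2024, 1, 1), random.Random(0))
    for r in scanned:
        print(r["asset"], "valid" if r["valid"] else "failed validation")
    print("re-scan:", scheduled)
```

The `seen` set is what keeps the cascade from looping when two assets reference each other, and an asset that fails validation contributes no further discoveries.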

Viewing ASM Scans for a Single Asset

ASM scans for an individual asset can be viewed via the asset side panel:

  1. Go to Escape ASM All Assets
  2. Locate the desired asset in the table
  3. Click on the asset to open the side panel
  4. Navigate to the Profile tab
  5. Click on ASM Profile to access the profile view
  6. Open the History tab to see the full scan history for this asset

Restarting ASM Scans

If an asset undergoes significant environmental changes or if an error occurs during scanning, individual ASM scans can be manually restarted via the Profile tab by clicking the New Scan button. This triggers an immediate revalidation and discovery process for the asset.
