Solution

External perimeter audit

RESTART helps to see public infrastructure through the eyes of an attacker: domains, subdomains, IP, web/API, VPN, certificates, cloud resources, vulnerabilities and changes in the external attack surface.


Why the outer perimeter became a separate task

The outer perimeter is no longer just a handful of addresses in the DMZ. A large company has domains, subdomains, APIs, personal accounts, VPN gateways, email services, partner integrations, cloud resources, test environments, CDN, WAF, DNS zones, certificates and contractor services that face outward. Part of this footprint appears faster than the architecture diagram is updated.

This page is useful for CISO, CIO, SOC teams, infrastructure managers, DevOps/AppSec, e-commerce owners, banking and government services, as well as teams preparing for a pentest, information security audit, SOC implementation or vulnerability management program.

The practical meaning is simple: first you need to understand what the company actually shows on the Internet, who owns it, how critical it is for the business, and what findings need to be closed first.

What is usually found outside

Forgotten assets

Old subdomains, test environments, temporary administration panels, archived applications, legacy APIs and contractor resources without a clear owner.

Risky publications

Open VPNs, RDP/SSH, databases, control panels, debug pages, indexing of unnecessary files, incorrect CORS/HTTP headers and weak TLS settings.

Vulnerabilities and versions

Services with known CVEs, outdated components, misconfigurations, signs of virtual patching, and lack of WAF/AntiDDoS where the service is already business-critical.

Changes without process

A new subdomain, certificate change, open port, or publication of an API or cloud resource appears without notifying information security, the SOC and the risk owner.

Key Terms, Plainly Explained

Term | Decoding | Why is it needed in the project?
ASM / EASM | Attack Surface Management / External Attack Surface Management: management of the attack surface, especially the external one accessible from the Internet. | Helps regularly find assets, changes and risks before an attacker exploits them.
CVE | Common Vulnerabilities and Exposures: a public identifier for a known vulnerability. | Provides a common language for information security, IT, vendors and contractors when setting remediation tasks.
CVSS | Common Vulnerability Scoring System: a scale of the technical severity of a vulnerability. | Useful as a baseline assessment, but by itself does not indicate how relevant the vulnerability is to your business.
EPSS | Exploit Prediction Scoring System: the probability that a vulnerability will be exploited in the wild in the near future. | Helps separate noise from what should be closed faster, together with CVSS, KEV and asset criticality.
KEV | Known Exploited Vulnerabilities: a catalog of vulnerabilities that have already been exploited by attackers. | Used to prioritize remediation, especially when there are not enough resources to fix everything at once.
TLS / DNS / WAF | TLS protects the connection, DNS links the name to the address, WAF protects the web application and API at the HTTP level. | Errors in these layers often turn an ordinary public service into a real entry point for an incident.
SOC / SIEM / SOAR | SOC is the monitoring and response center; SIEM collects and correlates events; SOAR automates response. | Findings from the external perimeter should not end up in a one-time report, but in the operational response loop.

How RESTART conducts an audit of the external perimeter

01

Borders

We establish the legal and technical boundaries: domains, brands, IP ranges, clouds, contractors, branches, public accounts, APIs and scanning restrictions.

02

Asset Discovery

We collect the surface visible from the Internet: DNS, subdomains, services, ports, web/API, TLS certificates, technologies, headers, signs of leaks and shadow assets.

03

Risk scoring

We normalize findings, remove duplicates, associate them with owners, CVE/CVSS/EPSS/KEV, business criticality, service availability and likelihood of exploitation.

04

Validation

We check critical findings manually: we separate false positives from real risks, do not disrupt the operation of the production environment and do not replace the audit with an aggressive pentest without agreed boundaries.

05

Task register

We formulate tasks for IT, information security, DevOps, application owners and contractors: what to close immediately, what to move to a project where a WAF, VPN, segmentation or architecture update is needed.

06

Control

We set up regular monitoring of changes and reporting: what appeared, what was fixed, where the risk was accepted, what exceptions require a management decision.
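As an added example (not RESTART's own tooling), the scoring logic of step 03 in Python: findings are normalized and deduplicated, then ranked by EPSS, CVSS, KEV membership and asset criticality, which is why a high-CVSS finding on a test host can land below a medium-CVSS finding on a critical one. The weights, thresholds, the 1-3 criticality scale, the hosts and the CVE identifiers are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    cve: str
    cvss: float        # CVSS base score, 0-10
    epss: float        # EPSS probability, 0-1
    in_kev: bool       # listed in a known-exploited-vulnerabilities catalog
    criticality: int   # asset business criticality: 1 low, 2 medium, 3 high (assumed scale)

def normalize(findings):
    """Step 03, normalize and deduplicate: one record per (host, port, CVE), host and
    CVE case-insensitive, trailing DNS dot removed; on conflict keep the higher CVSS."""
    best = {}
    for f in findings:
        key = (f.host.lower().rstrip("."), f.port, f.cve.upper())
        if key not in best or f.cvss > best[key].cvss:
            best[key] = Finding(key[0], f.port, key[2], f.cvss, f.epss, f.in_kev, f.criticality)
    return list(best.values())

def priority(f):
    """Return (label, score). EPSS and CVSS are blended, then weighted by asset criticality;
    a KEV entry adds a fixed bonus and is always P1 on a critical asset. Weights and
    thresholds are illustrative assumptions, not a published standard."""
    score = (0.6 * f.epss * 10 + 0.4 * f.cvss) * (0.5 + 0.25 * f.criticality)
    if f.in_kev:
        score += 3.0
    if (f.in_kev and f.criticality == 3) or score >= 7:
        label = "P1"
    elif score >= 4:
        label = "P2"
    else:
        label = "P3"
    return label, round(score, 2)

def triage(findings):
    """Deduplicate, then rank highest risk first; each row is (host, port, cve, label, score)."""
    ranked = sorted(normalize(findings), key=lambda f: priority(f)[1], reverse=True)
    return [(f.host, f.port, f.cve) + priority(f) for f in ranked]

# Constructed sample input: CVE ids are placeholders, hosts are fictitious.
SAMPLE = [
    Finding("vpn.example.com", 443, "CVE-0000-0001", 9.8, 0.90, True, 3),
    Finding("VPN.example.com.", 443, "cve-0000-0001", 9.8, 0.90, True, 3),   # same finding from a second source
    Finding("test.example.com", 8080, "CVE-0000-0002", 9.1, 0.02, False, 1),  # high CVSS, low EPSS, test asset
    Finding("shop.example.com", 443, "CVE-0000-0003", 6.5, 0.40, False, 3),   # medium CVSS, elevated EPSS, critical asset
]
```

Calling triage(SAMPLE) yields three rows after deduplication, with the VPN finding as P1, the shop finding as P2 and the test host as P3 despite its CVSS of 9.1.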

How does this relate to business?

For a business, an audit of the external perimeter is valuable not in the number of ports found, but in the reduction of management uncertainty. The manager sees which public services are critical, which risks can stop sales, personal accounts, payments, customer service or integration with partners, and which fixes really affect the risk.

Fewer sudden incidents

It is better to find a forgotten service or a vulnerable VPN during a routine inspection than after an attack, downtime, or publication of data.

Clear task plan

Findings are turned into tasks with owners, deadlines, severity and business criticality, rather than remaining a PDF report without movement.

Ready for pentest and SOC

Pentesting becomes more accurate, and the SOC receives context on external assets, priorities and expected events.

Provability for audit

There is an asset map, history of changes, accepted risks, corrections, exceptions and management reporting.

World practices and Russian context

In international practice, auditing the external perimeter fits well with the logic of the NIST Cybersecurity Framework 2.0: govern, identify, protect, detect, respond, recover. The organization first understands its assets and risk, then builds protection, monitoring and response. CIS Controls v8 emphasize the practical value of inventory, configuration management and protection against the most common attacks.

For prioritizing vulnerabilities, FIRST EPSS, CVSS and data on already exploited vulnerabilities are useful. MITRE ATT&CK helps link external reconnaissance, initial access and the attacker's further steps into a clear chain of risk. The annual Verizon Data Breach Investigations Report is useful as an external benchmark for typical incident scenarios and the role of public services, vulnerabilities, credentials and web applications.

In the Russian context, the external perimeter is especially important for systems with personal data, ISPD, CII, GIS, financial services, e-commerce, personal accounts and public APIs. It relates to the threat model, technical controls, logging, vulnerability management, procurement of information security/information protection systems, and response preparedness.

The role of AI in external surface auditing

AI is useful not as an “automated auditor”, but as an amplifier of engineering work. It helps you map domains, brands, IPs and certificates, group similar findings, explain risk in human language, draft issues in ITSM/Jira, link CVEs to EPSS, KEV and asset criticality, and quickly find changes between two perimeter slices.

In RESTART projects, the AI environment must be secure: no private data is sent to external services without approval, and there is logging, role separation, source verification and human review of critical decisions. AI can speed up the analysis of findings, but the final decision on risk, operation and remediation remains with the responsible engineers and system owners.

What does the customer get?

Artifact | How to use
External surface map | Domains, subdomains, IP, services, web/API, TLS, cloud resources, owners, criticality and disputed areas of responsibility.
Risk register | A normalized list of findings with priority, business context, recommendations and a flag where manual validation is needed.
Remediation task register | Tasks for IT, information security, DevOps, AppSec, application owners and contractors: quick actions, design fixes, exceptions and deadlines.
Architecture guidelines | Where WAF, AntiDDoS, VPN/CIPF, segmentation, a TLS/DNS update, closing legacy, changing API publication or connecting to the SOC is needed.
Management report | A short management picture: what is critical, what is already being fixed, which decisions require budget, an owner or risk acceptance.

Where the outer perimeter is included in other projects

The external perimeter audit can be launched separately, but more often it becomes the first layer for related information security tasks. Before a pentest, it helps to clarify the scope and not waste time on junk targets. In vulnerability management, it provides a real list of public assets. For the SOC, it adds context and priorities. For network security, it shows which publications, rules and services need to be reviewed.

Frequently asked questions

How does an external perimeter audit differ from a pentest?

An external perimeter audit answers the question: what can be seen from the Internet and which risks need to be prioritized. A pentest takes a deeper look at agreed targets and exploitation scenarios. In practice, an audit often comes before a pentest so that the boundaries of the test are more precise.

Do you need access to the internal network?

For a basic EASM audit, no: the work is carried out on the publicly accessible surface and agreed external sources. But validating owners, criticality and remediation requires interviews, CMDB/ITSM data, DNS, cloud, WAF/SIEM and the responsible teams.

How often should the outside perimeter be checked?

For companies with active releases, branches, contractors and clouds, a one-time check quickly becomes outdated. A rational format is regular monitoring of changes and separate checks before major releases, audits, pentests or architecture changes.

What to do with false positives?

They need to be not just removed, but explained: why the finding is not applicable, who confirmed the exception, when to revise it. That's why RESTART combines automatic asset discovery with engineering validation and a clear task register.

Is it possible to start with a short stage?

Yes. Typically, 10-15 business days are enough to collect an initial map of the external surface, highlight critical risks, determine quick measures and propose the next step: elimination, pentest, SOC integration, WAF/AntiDDoS or VM program.

Let's discuss your environment

Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.
