External attack surface
Your external attack surface is everything reachable from the internet: exposed services, public-facing applications, VPN endpoints, open ports and management interfaces that should not be public. It is what an attacker enumerates first.
External Attack Surface Management (EASM) tools scan your perimeter from the outside to discover this footprint. It is the obvious place to start because it is where unauthenticated attackers begin.
Internal exposure
Internal exposure is what an attacker can reach after they get a foothold — through phishing, a compromised credential, or a single exposed service. It is defined by segmentation, internal access paths and how freely traffic can move between systems and zones.
Modern attacks assume the perimeter will eventually be breached. Once inside a flat network, an attacker can move laterally to high-value systems with little resistance — which is how a minor compromise becomes a major breach.
Why you need both views
- External-only security ignores lateral movement after a breach
- Internal-only security ignores how attackers get in initially
- Real attacks chain external entry with internal movement
- Defense in depth requires hardening both surfaces
How firewalls shape both
Firewalls sit at the heart of both surfaces. At the perimeter, they determine your external attack surface — what is exposed to the internet. Internally, their segmentation rules determine how far an attacker can move once inside.
Analyzing firewall configuration therefore improves both views at once: FirewallScan surfaces internet-facing exposure and weak internal segmentation in the same review, helping you shrink your external surface and contain internal movement together.