AS-301f · Module 3
The Surface Map as Living Document
An attack surface map created in January and not updated until June is a historical artifact, not a security tool. The living surface map is updated continuously — by automated discovery, deployment pipeline integration, drift detection, and periodic reconciliation. It reflects the current state of the system within hours, not months. The map is the foundation for every other security decision: what to monitor, what to patch, what to defend, and what to decommission.
Do This
- Store the surface map in a queryable database, not a static document — queries enable automated analysis and alerting
- Version the map so you can compare the current surface against any historical state — surface growth trends reveal architectural drift
- Make the map accessible to security, operations, and development teams — shared visibility produces shared accountability
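As an added example (not part of this module), the three points above in Python with SQLite: each discovery run is stored as a dated snapshot in one queryable table, drift between any two versions is a single query, and the unowned-exposure query is the kind of daily question the map should answer. Hosts, dates and owning teams are constructed placeholders.

```python
import sqlite3

# Constructed sample inventory (placeholder hosts, not real assets) from two
# discovery runs. Each tuple is (host, port, service, owning_team).
SNAPSHOTS = {
    "2024-01-15": [
        ("web-01.example.internal", 443, "https", "platform"),
        ("web-01.example.internal", 22, "ssh", "platform"),
        ("api-02.example.internal", 8443, "https", "payments"),
        ("legacy-ftp.example.internal", 21, "ftp", "unknown"),
    ],
    "2024-06-10": [
        ("web-01.example.internal", 443, "https", "platform"),
        ("api-02.example.internal", 8443, "https", "payments"),
        ("api-03.example.internal", 8443, "https", "payments"),
        ("api-03.example.internal", 9200, "elasticsearch", "unknown"),
    ],
}
# One row per (snapshot, host, port); every run is kept, so any historical
# version of the map stays queryable.
SCHEMA = """CREATE TABLE IF NOT EXISTS exposure (
    snapshot TEXT NOT NULL, host TEXT NOT NULL, port INTEGER NOT NULL,
    service TEXT NOT NULL, owner TEXT NOT NULL,
    PRIMARY KEY (snapshot, host, port))"""

def record_snapshot(conn, snapshot, exposures):
    """Append one dated discovery run without touching older runs."""
    with conn:
        conn.executemany("INSERT OR REPLACE INTO exposure VALUES (?,?,?,?,?)",
                         [(snapshot, *e) for e in exposures])

def diff_snapshots(conn, old, new):
    """Drift between two versions: exposures that appeared and ones retired."""
    q = ("SELECT host, port, service FROM exposure WHERE snapshot=? "
         "EXCEPT SELECT host, port, service FROM exposure WHERE snapshot=?")
    return {"added": sorted(conn.execute(q, (new, old)).fetchall()),
            "removed": sorted(conn.execute(q, (old, new)).fetchall())}

def unowned_exposures(conn, snapshot):
    """A query worth running daily: what is exposed with no accountable owner?"""
    return conn.execute("SELECT host, port, service FROM exposure WHERE snapshot=? "
                        "AND owner='unknown' ORDER BY host, port", (snapshot,)).fetchall()

def build_example_map(path=":memory:"):
    """Load the constructed snapshots into a (default in-memory) SQLite map."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    for snap, exposures in SNAPSHOTS.items():
        record_snapshot(conn, snap, exposures)
    return conn
```

Pointing `build_example_map` at a file path instead of `:memory:` keeps the history across runs, which is what makes the map a living record rather than a one-off scan.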
Avoid This
- Maintain the map in a spreadsheet updated manually — manual processes produce stale data
- Restrict map access to the security team only — developers who cannot see the surface cannot reduce it
- Treat the map as a compliance artifact rather than an operational tool — if it is not used daily, it is not maintained daily