Attack Surface Estimation Calculator

Industry (Benchmark)
5%/mo
Attack Surface Score34/100
Exposure Score31/100
Risk Levelmedium
Exposuremedium
Reachable20
Critical Exp.3

Risk by Category

Public IP AddressesDomainsCloud AccountsSaaS ApplicationsRemote WorkersIoT DevicesAPIs3P IntegrationsBYOD Devices0255075100

Attack Surface Trend (12 Months)

M0M1M2M3M4M5M6M7M8M9M10M120255075100
Projected growth at 5%/month across all categories

Surface Breakdown

Public IP Addresses (10)33
Domains (5)32
Cloud Accounts (3)33
SaaS Applications (25)44
Remote Workers (50)34
IoT Devices (10)33
Public-Facing APIs (5)32
Third-Party Integrations (10)38
BYOD Devices (20)31

Peer Comparison (tech)

CategoryYoursMedianvs Peers
Public IP Addresses1015Below
Domains58Below
Cloud Accounts35Below
SaaS Applications2540Below
Remote Workers50100Below
IoT Devices105Above
Public-Facing APIs512Below
Third-Party Integrations1020Below
BYOD Devices2030Below

Prioritized Reduction Actions

ActionImpactEffortRatio
Audit and retire unused domains (current: 5)-2low2
SaaS rationalization — eliminate redundant applications (current: 25)-2medium1
Conduct vendor risk assessments and minimize integrations (current: 10)-2medium1
Consolidate or decommission unused public IPs (current: 10)-2medium1
Segment IoT on isolated VLANs with monitoring (current: 10)-2medium1
Deploy API gateway with auth and rate limiting (current: 5)-2medium1
Enforce MDM compliance policies for BYOD (current: 20)-1low1
Deploy zero-trust network access for remote workers (current: 50)-2high0.7
Consolidate cloud accounts and enforce centralized IAM (current: 3)-2high0.7

Top Risk Areas

  • 1. SaaS Applications (score: 44)
  • 2. Third-Party Integrations (score: 38)
  • 3. Remote Workers (score: 34)
  • 4. Public IP Addresses (score: 33)
  • 5. Cloud Accounts (score: 33)

Recommendations

  • Attack surface is within acceptable bounds. Continue regular assessments.

The attack surface of an organization is the sum of every asset an attacker could probe, exploit, or abuse to gain a foothold. This calculator turns nine inventory counts — public IPs, domains, cloud accounts, SaaS apps, remote workers, IoT devices, public APIs, third-party integrations, and BYOD devices — into a single weighted 0-100 exposure score with risk-ranked reduction recommendations.

Formula

Overall = Σ(categoryScore × categoryWeight) / Σ(categoryWeight)

categoryScore
A 0-100 exposure score for each asset class, interpolated against its low/medium/high count thresholds
categoryWeight
The relative importance of the class (e.g. Public IPs 15, APIs 14, IoT 13); all nine weights sum to 100
Overall
The weighted average exposure score, rounded to a whole number on a 0-100 scale

How it works

  1. Enter the count of each asset class your organization exposes. Each class has its own thresholds (for example, public-facing APIs are scored low at 3, medium at 10, and high at 30) so that 8 APIs carry more weight than 8 domains.
  2. Each class is scored 0-100 against its thresholds, then combined into a weighted overall score using class weights (APIs 14, Public IPs 15, IoT 13, Cloud and Remote Workers 12 each, and so on, summing to 100).
  3. The overall score maps to a risk band — low (under 25), medium (25-49), high (50-74), or critical (75+) — and the tool ranks your top risk areas and emits prioritized actions ranked by impact-to-effort ratio.

Worked example

A mid-size company reports 10 public IPs, 5 domains, 3 cloud accounts, 25 SaaS apps, 50 remote workers, 10 IoT devices, 8 public APIs, 10 third-party integrations, and 30 BYOD devices.

  1. Score each class against its thresholds: Public IPs 33, Domains 32, Cloud 33, SaaS 44, Remote Workers 34, IoT 33, APIs 43, Integrations 38, BYOD 38.
  2. Multiply each score by its weight and sum: the weighted total comes to 3,622 across a combined weight of 100.
  3. Divide the weighted sum by the total weight: 3,622 ÷ 100 = 36.22, rounded to 36.

Overall attack surface score of 36, which falls in the Medium risk band (25-49). SaaS applications and public APIs are the highest-scoring areas to address first.

Frequently asked questions

What counts as part of an external attack surface?
Anything internet-reachable or attacker-accessible: public IP addresses, registered domains, cloud accounts, SaaS subscriptions, remote-access endpoints, IoT and BYOD devices, public APIs, and third-party integrations. This tool models all nine of these classes.
Why are some asset classes weighted more heavily than others?
Classes that are more directly exploitable or higher-impact receive more weight. Public IPs (15) and public-facing APIs (14) carry the most weight because they are directly internet-facing, while BYOD devices (6) carry the least.
How do I reduce my attack surface score?
Decommission unused public IPs and domains, consolidate redundant SaaS and cloud accounts, place an API gateway in front of public APIs, segment IoT onto isolated networks, and enforce device management for BYOD. The calculator ranks these actions by impact-to-effort ratio.
Is a lower attack surface score always better?
Generally yes — a smaller, well-controlled surface gives attackers fewer entry points. However, the goal is to eliminate unnecessary exposure, not legitimate assets your business needs. Use the score to spot bloat and shadow IT rather than to block essential services.