Attack Surface Estimation Calculator
Risk by Category
Attack Surface Trend (12 Months)
Surface Breakdown
Peer Comparison (tech)
| Category↕ | Yours↕ | Median↕ | vs Peers↕ |
|---|---|---|---|
| Public IP Addresses | 10 | 15 | Below |
| Domains | 5 | 8 | Below |
| Cloud Accounts | 3 | 5 | Below |
| SaaS Applications | 25 | 40 | Below |
| Remote Workers | 50 | 100 | Below |
| IoT Devices | 10 | 5 | Above |
| Public-Facing APIs | 5 | 12 | Below |
| Third-Party Integrations | 10 | 20 | Below |
| BYOD Devices | 20 | 30 | Below |
Prioritized Reduction Actions
| Action↕ | Impact↕ | Effort↕ | Ratio↓ |
|---|---|---|---|
| Audit and retire unused domains (current: 5) | -2 | low | 2 |
| SaaS rationalization — eliminate redundant applications (current: 25) | -2 | medium | 1 |
| Conduct vendor risk assessments and minimize integrations (current: 10) | -2 | medium | 1 |
| Consolidate or decommission unused public IPs (current: 10) | -2 | medium | 1 |
| Segment IoT on isolated VLANs with monitoring (current: 10) | -2 | medium | 1 |
| Deploy API gateway with auth and rate limiting (current: 5) | -2 | medium | 1 |
| Enforce MDM compliance policies for BYOD (current: 20) | -1 | low | 1 |
| Deploy zero-trust network access for remote workers (current: 50) | -2 | high | 0.7 |
| Consolidate cloud accounts and enforce centralized IAM (current: 3) | -2 | high | 0.7 |
Top Risk Areas
- 1. SaaS Applications (score: 44)
- 2. Third-Party Integrations (score: 38)
- 3. Remote Workers (score: 34)
- 4. Public IP Addresses (score: 33)
- 5. Cloud Accounts (score: 33)
Recommendations
- ● Attack surface is within acceptable bounds. Continue regular assessments.
The attack surface of an organization is the sum of every asset an attacker could probe, exploit, or abuse to gain a foothold. This calculator turns nine inventory counts — public IPs, domains, cloud accounts, SaaS apps, remote workers, IoT devices, public APIs, third-party integrations, and BYOD devices — into a single weighted 0-100 exposure score with risk-ranked reduction recommendations.
Formula
Overall = Σ(categoryScore × categoryWeight) / Σ(categoryWeight)
- categoryScore
- A 0-100 exposure score for each asset class, interpolated against its low/medium/high count thresholds
- categoryWeight
- The relative importance of the class (e.g. Public IPs 15, APIs 14, IoT 13); all nine weights sum to 100
- Overall
- The weighted average exposure score, rounded to a whole number on a 0-100 scale
How it works
- Enter the count of each asset class your organization exposes. Each class has its own thresholds (for example, public-facing APIs are scored low at 3, medium at 10, and high at 30) so that 8 APIs carry more weight than 8 domains.
- Each class is scored 0-100 against its thresholds, then combined into a weighted overall score using class weights (APIs 14, Public IPs 15, IoT 13, Cloud and Remote Workers 12 each, and so on, summing to 100).
- The overall score maps to a risk band — low (under 25), medium (25-49), high (50-74), or critical (75+) — and the tool ranks your top risk areas and emits prioritized actions ranked by impact-to-effort ratio.
Worked example
A mid-size company reports 10 public IPs, 5 domains, 3 cloud accounts, 25 SaaS apps, 50 remote workers, 10 IoT devices, 8 public APIs, 10 third-party integrations, and 30 BYOD devices.
- Score each class against its thresholds: Public IPs 33, Domains 32, Cloud 33, SaaS 44, Remote Workers 34, IoT 33, APIs 43, Integrations 38, BYOD 38.
- Multiply each score by its weight and sum: the weighted total comes to 3,622 across a combined weight of 100.
- Divide the weighted sum by the total weight: 3,622 ÷ 100 = 36.22, rounded to 36.
Overall attack surface score of 36, which falls in the Medium risk band (25-49). SaaS applications and public APIs are the highest-scoring areas to address first.
Frequently asked questions
- What counts as part of an external attack surface?
- Anything internet-reachable or attacker-accessible: public IP addresses, registered domains, cloud accounts, SaaS subscriptions, remote-access endpoints, IoT and BYOD devices, public APIs, and third-party integrations. This tool models all nine of these classes.
- Why are some asset classes weighted more heavily than others?
- Classes that are more directly exploitable or higher-impact receive more weight. Public IPs (15) and public-facing APIs (14) carry the most weight because they are directly internet-facing, while BYOD devices (6) carry the least.
- How do I reduce my attack surface score?
- Decommission unused public IPs and domains, consolidate redundant SaaS and cloud accounts, place an API gateway in front of public APIs, segment IoT onto isolated networks, and enforce device management for BYOD. The calculator ranks these actions by impact-to-effort ratio.
- Is a lower attack surface score always better?
- Generally yes — a smaller, well-controlled surface gives attackers fewer entry points. However, the goal is to eliminate unnecessary exposure, not legitimate assets your business needs. Use the score to spot bloat and shadow IT rather than to block essential services.