Glossary & FAQ

The terms in your attack-surface analysis, explained

Plain-English definitions of everything our analyzer reports on — so you (and your clients) know exactly what each finding means.

What is an attack surface?
Your attack surface is the total set of points where an attacker could try to get in — internet-facing IPs and ports, web apps and APIs, cloud and SaaS (like Microsoft 365), employee identities and credentials, and devices on and off your network. The external attack surface is the part reachable from the public internet.
Vulnerability scan vs. penetration test — what's the difference?
A vulnerability scan detects and lists potential weaknesses (e.g., a CVE on an open port). A penetration test goes further and tries to exploit them to prove real, reachable impact. A passing scan does not prove a pentest was performed — PCI DSS 4.0 even treats them as separate controls (Req 11.3.2 for scanning, Req 11.4 for penetration testing).
What does "exploit validation" mean?
Exploit validation means actually proving a vulnerability is exploitable in your environment rather than just flagging that it might be. It separates "exploitable" from "theoretical" findings, so teams fix what truly matters instead of drowning in noise.
What is a CVE?
A CVE (Common Vulnerabilities and Exposures) is a public, uniquely numbered identifier for a known security flaw, e.g. CVE-2024-12345. It lets everyone reference the same vulnerability consistently.
CVSS, EPSS and CISA KEV — how do they differ?
CVSS (the base score, 0–10) rates how severe a vulnerability is from its technical characteristics alone, regardless of whether anyone is exploiting it. EPSS (Exploit Prediction Scoring System) estimates the probability that it will be exploited in the wild within the next 30 days. CISA KEV (Known Exploited Vulnerabilities) is a catalog of vulnerabilities with evidence of active exploitation. Good prioritization combines all three: anything in KEV goes first, then findings that are both severe (CVSS) and likely to be exploited (EPSS), while a critical CVSS score with negligible EPSS can wait behind a medium-severity flaw that attackers are actually using.
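The ranking rule above, written out as an added example (this is not the analyzer's own code). The CVSS and EPSS thresholds are illustrative assumptions, and the four findings are constructed and labelled A to D rather than given CVE identifiers:

```python
"""Rank findings by combining CVSS severity, EPSS probability and KEV membership.

Added example, not the analyzer's own code. The thresholds (CVSS >= 7.0 counts as
severe, EPSS >= 0.10 as likely) are illustrative assumptions; tune them to your
own risk appetite. The findings are constructed and carry labels, not real CVE ids.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    label: str
    cvss: float     # CVSS base score, 0.0-10.0
    epss: float     # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool    # listed in the CISA KEV catalog


CVSS_SEVERE = 7.0    # assumption: "high" and above
EPSS_LIKELY = 0.10   # assumption: a 10% chance is well above the median EPSS score


def tier(f):
    """0 = fix now, 1 = severe and likely, 2 = one signal only, 3 = backlog."""
    if f.in_kev:
        return 0                      # confirmed exploited in the wild always comes first
    severe, likely = f.cvss >= CVSS_SEVERE, f.epss >= EPSS_LIKELY
    if severe and likely:
        return 1
    if severe or likely:
        return 2
    return 3


def prioritize(findings):
    """Order by tier, then by likelihood (EPSS) and impact (CVSS), highest first."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


# Constructed sample: A has the highest CVSS but ends up behind C, which is
# medium severity yet far more likely to be exploited.
SAMPLE = [
    Finding("A", cvss=9.8, epss=0.02, in_kev=False),
    Finding("B", cvss=7.5, epss=0.35, in_kev=True),
    Finding("C", cvss=5.3, epss=0.60, in_kev=False),
    Finding("D", cvss=4.0, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"tier {tier(f)}  {f.label}  cvss={f.cvss} epss={f.epss} kev={f.in_kev}")
```

Sorting by CVSS alone would put A at the top; the combined rule puts B (in KEV) first and C ahead of A, which is the point the FAQ entry makes.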
Why are exposed services like RDP, FTP, Telnet and SMB risky?
These protocols were designed for trusted internal networks, not the public internet. Exposed RDP (TCP 3389) and SMB (TCP 445) are common ransomware entry points, reached through password spraying, stolen credentials or unpatched flaws in the service itself; FTP (21) and Telnet (23) send logins in clear text unless wrapped in TLS or replaced by SFTP/SSH, so anyone on the network path can capture them. Internet-wide scanners find a newly exposed port within minutes, so an exposed management service is a top-priority finding: restrict it to a VPN or allow-listed addresses, or take it offline.
What are SPF and DMARC?
SPF (Sender Policy Framework) is a DNS TXT record on your domain listing which servers may send email for it, ending in a qualifier such as -all (reject everything else) or ~all (soft fail). DKIM adds a cryptographic signature to each message. DMARC is a DNS TXT record at _dmarc.<your domain> that tells receivers what to do when a message passes neither aligned SPF nor aligned DKIM: p=none only monitors (you receive aggregate reports), while p=quarantine or p=reject enforce. A missing DMARC record, or one left at p=none, means receivers will still deliver mail that forges your From: address, which makes your domain much easier to use in phishing.
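How an analyzer grades these two records, as an added example rather than the product's own code. The records are constructed; the only part assumed and not shown is fetching the TXT records for the domain and for _dmarc.<domain>, which a real check would do with a DNS library such as dnspython:

```python
"""Grade a domain's SPF and DMARC TXT records.

Added example, not the analyzer's own code. The records below are constructed;
a real check would fetch the TXT records for <domain> and _dmarc.<domain>
(for instance with dnspython), which is the only part assumed rather than shown.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_verdict(txt):
    """Classify an SPF record by its 'all' qualifier and its lookup count."""
    if txt is None:
        return "missing"
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"                       # default qualifier per RFC 7208
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        name = re.split(r"[:/=]", t, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1                      # top level only; includes nest more lookups
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        return "too-many-lookups"             # receivers return permerror, so SPF is void
    return {"-": "hardfail", "~": "softfail", "?": "neutral",
            "+": "pass-all", None: "no-all"}[all_qualifier]


def parse_dmarc(txt):
    """Return DMARC tag=value pairs, or None if txt is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_verdict(txt):
    """'missing', 'invalid', 'monitor' (p=none), 'partial' (pct<100) or 'enforced'."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))     # pct<100 applies the policy to a sample only
    except ValueError:
        return "invalid"
    return "enforced" if pct >= 100 else "partial"


def assess(domain, spf_txt, dmarc_txt):
    """Combine both verdicts into the findings described on this page."""
    spf, dmarc = spf_verdict(spf_txt), dmarc_verdict(dmarc_txt)
    findings = []
    if spf in ("missing", "invalid", "no-all", "pass-all", "too-many-lookups"):
        findings.append(f"{domain}: SPF does not restrict senders ({spf})")
    if dmarc != "enforced":
        findings.append(f"{domain}: DMARC not enforcing ({dmarc}); domain is easier to spoof")
    return {"spf": spf, "dmarc": dmarc, "findings": findings}


# Constructed records for three illustrative domains.
SAMPLES = {
    "example.com": ("v=spf1 include:_spf.example.net mx -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "monitor.example": ("v=spf1 a mx ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "open.example": ("v=spf1 +all", None),
}

if __name__ == "__main__":
    for d, (spf, dmarc) in SAMPLES.items():
        print(assess(d, spf, dmarc))
```

Note that "+all" (or a record with no "all" term at all) authorises every host on the internet, so it is reported as a finding even though SPF is technically "present"; likewise p=quarantine with a low pct is only partial protection.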
What is subdomain enumeration / certificate transparency?
Subdomain enumeration discovers the hostnames under a domain (e.g. vpn.acme.com) from DNS, search engines and public data sets. Certificate Transparency (CT) logs are public, append-only records of issued TLS certificates; because each certificate names the hosts it covers, searching the logs for a domain reveals many subdomains, including forgotten staging and test systems that were never meant to be found. Each one is another door an attacker can try, so every discovered name should be resolved, scanned and either owned or decommissioned.
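Turning CT search results into a clean host list is mostly about normalisation, which is where naive scripts go wrong. The following is an added example, not the analyzer's code; the records are constructed to mimic the JSON a crt.sh domain search returns (that format is an assumption here), with "common_name" holding the certificate CN and "name_value" holding the subject alternative names, one per line:

```python
"""Collect in-scope hostnames from Certificate Transparency search results.

Added example, not the analyzer's own code. The records are constructed to mimic
the JSON that crt.sh returns for a domain search (an assumption about that
format): "common_name" holds the certificate's CN and "name_value" holds the
subject alternative names, one per line.
"""
import json


def in_scope(host, domain):
    """True for the domain itself or anything under it; false for e.g. notacme.com."""
    return host == domain or host.endswith("." + domain)


def hostnames_from_ct(records, domain):
    """Return (sorted hostnames, sorted wildcard names) found for domain."""
    domain = domain.lower()
    hosts, wildcards = set(), set()
    for rec in records:
        names = [rec.get("common_name", "")] + rec.get("name_value", "").split("\n")
        for raw in names:
            name = raw.strip().lower().rstrip(".")   # normalise case and trailing dot
            if not name or not in_scope(name, domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)                    # a wildcard proves a zone, not a host
                name = name[2:]
            hosts.add(name)
    return sorted(hosts), sorted(wildcards)


# Constructed sample records; acme.com is the page's own placeholder domain.
SAMPLE_JSON = """[
 {"common_name": "vpn.acme.com", "name_value": "vpn.acme.com\\nvpn.acme.com"},
 {"common_name": "*.acme.com", "name_value": "*.acme.com\\nacme.com"},
 {"common_name": "Mail.Acme.com.", "name_value": "mail.acme.com\\nwebmail.acme.com"},
 {"common_name": "login.notacme.com", "name_value": "login.notacme.com"},
 {"common_name": "old-staging.acme.com", "name_value": "old-staging.acme.com"}
]"""


def demo():
    """Run the extraction over the constructed sample."""
    return hostnames_from_ct(json.loads(SAMPLE_JSON), "acme.com")


if __name__ == "__main__":
    hosts, wildcards = demo()
    print("hosts:", hosts)
    print("wildcards:", wildcards)
```

The scope check compares against "." + domain rather than a bare suffix, so login.notacme.com is dropped; case and trailing dots are normalised so Mail.Acme.com. and mail.acme.com count once; and wildcard names are reported separately because *.acme.com does not by itself prove any particular host exists. The next step, resolving each name and scanning what answers, needs the network and is not shown.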
What is PII discovery?
PII (Personally Identifiable Information) discovery finds where sensitive data, such as names, Social Security numbers, payment card numbers and health records, is stored or exposed: in files and network shares, databases, backups, code repositories or web responses. Knowing where it lives drives breach-impact assessment and compliance with PCI DSS, HIPAA and GDPR. Pattern matching alone is noisy (order numbers look like card numbers), so good tooling validates each match, for example with a Luhn check on card numbers, before reporting it.
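A minimal validated detector, as an added example (not the analyzer's own engine). The sample text is constructed; the card number is the standard 4111 1111 1111 1111 test number and the SSN is a placeholder, not a real identity. Matches are masked before they are returned so the scanner itself does not become a PII leak:

```python
"""Find likely payment card numbers and US SSNs in text, validating each match.

Added example, not the analyzer's own code. The sample text is constructed; the
card number is the well-known 4111 1111 1111 1111 test number and the SSN is a
placeholder. Hits are masked so the scanner's own output does not leak PII.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not glued to
# other digits on either side.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum: true for every validly formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def find_pii(text):
    """Return (kind, masked_value) pairs for validated matches only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append(("card", masked))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits


# Constructed sample: one real-looking card, one mistyped card, one order number
# that is card-length but fails Luhn, one invalid SSN-shaped ticket id, one SSN.
SAMPLE = """
Order 1234567890123 shipped.
Card on file: 4111 1111 1111 1111 (exp 12/29)
Typo'd card: 4111 1111 1111 1112
Ticket ref 000-12-3456 is not an SSN; applicant SSN 123-45-6789.
"""

if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE):
        print(kind, value)
```

Of the four candidate strings, only two survive validation: the order number and the mistyped card fail Luhn, and the ticket reference fails the SSA area-number rule. That is the difference between a findings list a client will act on and one they will ignore.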
Does PCI DSS require scanning or penetration testing?
Both, as separate controls. PCI DSS v4.0 Requirement 11.3 covers vulnerability scanning: internal scans (11.3.1) and external scans performed at least once every three months by an Approved Scanning Vendor (11.3.2). Requirement 11.4 covers penetration testing, external and internal, at least once every 12 months and after significant changes. Satisfying one does not satisfy the other.
What is CTEM (Continuous Threat Exposure Management)?
CTEM is an ongoing program — not a once-a-year audit — that continuously discovers, prioritizes and validates exposures across the whole environment, reducing risk before attackers act. It reflects the shift from point-in-time testing to continuous proof.
What does "multi-tenant" mean for an MSP?
Multi-tenant means one console manages many isolated client environments (tenants). For MSPs it's essential — a small team can run security across dozens or hundreds of clients without standing up separate tools per client.

See these concepts on your own domain

Run a live external analysis — open ports, exposed services, CVEs, email-auth and more — in about 90 seconds.

Run the analysis →