Executive Summary
The 2025 SANS ASM Survey highlights a clear shift in cybersecurity operations. Organizations are moving beyond fragmented, alert-driven security approaches toward unified, automated, and business-aligned risk operations. Continuous visibility, intelligent automation, and business-contextual prioritization are becoming essential for managing modern attack surfaces at scale. The findings reinforce the growing need for operational models like the Risk Operations Center (ROC), which help organizations continuously identify, prioritize, and reduce the risks that matter most.
Alert fatigue, fragmented visibility, and unquantifiable business risks are pushing traditional security operations to their limits.
The latest data highlights a clear shift in how enterprises approach attack surface management and risk operations. The SANS Survey on Attack Surface Management (ASM) for 2025, which gathered insights from 235 cybersecurity professionals, points to a growing move away from reactive threat hunting to proactive, automated, and business-aligned risk management.
This shift aligns closely with the Risk Operations Center (ROC) framework, which unifies risk management across the entire attack surface, spanning IT, security, compliance, cloud, and OT, into a single, dynamic view.
Here are the top three insights the research reveals about how organizations’ expectations for ASM platforms are evolving.
Insight 1: Unified Visibility Is No Longer Optional
The survey highlights growing frustration with fragmented security stacks. Organizations increasingly want unified risk visibility and automated responses from platforms that integrate with existing SIEMs, ITSMs, and cloud-native tools.
- 55% of organizations expect ASM platforms to protect both internal and external assets simultaneously
- 37% of respondents want ASM platforms to improve their visibility into external exposures
- Only 28% say that their ASM platform effectively identifies sensitive files across their environment
Traditionally, organizations managed internal networks and external perimeters separately using different tools, disparate metrics, and isolated workflows. Over time, this siloed approach created visibility gaps and delayed incident response. The research highlights a growing demand for unified visibility across the entire attack surface.
Over a third of respondents (37%) reported an urgent need to improve visibility into their external attack surface. As enterprises accelerate cloud adoption and rely more heavily on third-party vendors, the external attack surface continues to expand dynamically. Unknown shadow IT and misconfigured cloud buckets increasingly lead to compliance violations and financial risk.
One alarming finding the research unearthed is that only 28% of respondents say their existing ASM platform effectively identifies sensitive files across the environment. Since threat actors frequently target sensitive data during attacks, organizations lacking this visibility face a greater risk of data breaches, compliance violations, and financial penalties.
Security teams are increasingly looking for platforms that reduce these blind spots by connecting visibility, prioritization, and autonomous remediation into a more operational workflow.
Insight 2: Automation Is Now Essential for Modern Risk Operations
- 59% of organizations require daily scanning of their environments
- 67% expect their ASM platforms to provide mitigation recommendations
- 58% prefer a hybrid model combining manual and automated operations
In the era of agentic AI models like Claude Mythos, attackers can identify exploitable weaknesses in minutes instead of days. Security teams can no longer rely solely on traditional patching cycles. The survey results reinforce the growing importance of automation across asset discovery, remediation guidance, and response workflow.
More than two-thirds of respondents (67%) expect explicit mitigation recommendations directly from their ASM platform. Identifying exposure is no longer enough. Organizations increasingly expect platforms to help accelerate remediation and reduce operational overhead.
Security leaders are moving away from platforms that only identify vulnerabilities and misconfigurations. They want automated workflows that help teams respond faster, prioritize effectively, and reduce exposure.
As AI increasingly handles a high volume of repetitive tasks, such as asset discovery, continuous monitoring, and remediation guidance, security teams can focus on the exposures that create the greatest business risk.
Insight 3: Business Context Matters More Than CVSS Alone
- 89% of surveyed organizations expect their ASM platforms to provide measurable risk quantification
- 30% want their ASM tools to prevent exploitation of exfiltrated data
- 35% want their ASM platforms to provide current information on vulnerabilities across their environment
Traditional vulnerability management focuses on technical severity scores. But modern enterprises prioritize asset context and business impact.
Not every critical vulnerability merits the same urgency. Financial and operational risk increasingly determine where remediation resources are allocated.
The survey findings show a growing demand for continuous, automated visibility into vulnerabilities and emerging threats. More than a third of organizations (35%) want current information on vulnerabilities across their environment, including whether each vulnerability is actively exploited or has publicly available proof-of-concept exploits.
Organizations no longer invest in security platforms just to generate alerts. They expect measurable business outcomes. Executive leadership and board members require clearer justification for security investments. The SANS survey findings reflect a clear demand for platforms that translate technical findings into actionable, business-aligned risk intelligence.
Therefore, a comprehensive risk management strategy must map technical exposure to business impact so organizations can determine exactly how much capital to spend on mitigating, accepting, or transferring risk.
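The prioritization this section describes, as an added illustration (not Qualys's TruRisk scoring or any algorithm from the SANS report): each finding carries its CVSS score plus threat context (in-the-wild exploitation, public proof of concept), exposure (internet-facing or not) and business context (asset criticality, sensitive data), and the combined score reorders the queue. The weights, asset names and CVE-style identifiers are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    vuln_id: str               # constructed placeholder, not a real CVE
    cvss: float                # technical severity, 0.0 .. 10.0
    exploited_in_wild: bool    # e.g. listed in a known-exploited catalog
    public_poc: bool           # public proof-of-concept exploit exists
    internet_facing: bool      # external attack surface
    asset_criticality: int     # 1 (low) .. 5 (business-critical), from CMDB/owner
    holds_sensitive_data: bool # regulated or confidential data on the asset

# Highest possible raw product: 1.0 (cvss) * 2.0 (threat) * 1.5 (exposure) * 6 (business)
MAX_RAW = 18.0

def risk_score(f: Finding) -> float:
    """Business-contextual risk on a 0..100 scale (assumed weights)."""
    technical = f.cvss / 10.0
    if f.exploited_in_wild:
        threat = 2.0            # active exploitation outweighs everything else
    elif f.public_poc:
        threat = 1.5            # weaponisation is cheap once a PoC is public
    else:
        threat = 1.0
    exposure = 1.5 if f.internet_facing else 1.0
    business = f.asset_criticality + (1 if f.holds_sensitive_data else 0)
    return round(100 * technical * threat * exposure * business / MAX_RAW, 1)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Remediation queue ordered by business risk rather than CVSS alone."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings: the highest CVSS lands on the least important asset.
SAMPLE = [
    Finding("dev-build-07", "VULN-0001", 9.8, False, False, False, 1, False),
    Finding("pay-api-01",   "VULN-0002", 7.5, True,  True,  True,  5, True),
    Finding("hr-files-02",  "VULN-0003", 6.5, False, True,  False, 3, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.asset:14} CVSS {f.cvss:>4}  risk {risk_score(f):>5}")
```

Sorting the same three findings by CVSS alone would put the isolated dev box first; with business context, the actively exploited flaw on the internet-facing payment API moves to the top.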
How Does a Risk Operations Center (ROC) Meet the Evolving Priorities in Cybersecurity Today?
The industry is steadily moving away from reactive firefighting to proactive, risk-aligned security. Organizations adopting an ROC approach gain integrated visibility across all assets, continuous risk quantification, and prioritized remediation tied directly to business outcomes. Automated mitigation and real-time scans reduce compliance risk and accelerate time-to-value, while hybrid workflows preserve human expertise where it matters most.
A ROC, powered by agentic AI, serves as the operational command center for modern cyber risk management. It moves beyond traditional, siloed security approaches by unifying risk management across IT, security, and compliance as well as cloud and OT environments into a single, dynamic view.
By combining asset inventories, vulnerability intelligence, compliance data, and business context, a ROC helps organizations continuously prioritize and reduce risk. The ROC elevates continuous threat exposure management (CTEM) by bringing together people, processes, and technology into a more operationalized approach to risk reduction. This includes:
- Remediation Operations that support patching and additional remediation options, including compensating controls, risk acceptance, and risk transfer
- Risk Quantification in financial terms that helps security leaders communicate effectively with executive leaders and boards
- Continuous Compliance that helps organizations remain audit-ready at all times by hardening systems against established benchmarks, which also reduces risk
Implications for Qualys Customers
The survey highlights three fundamental truths about modern enterprise security today. First, continuous visibility across both internal and external assets is mandatory. Second, business context must drive remediation priorities. Third, automation is necessary to manage the sheer scale of modern infrastructure.
Organizations cannot remediate everything. But they can reduce business risk more effectively by understanding what matters most and prioritizing resources accordingly.
The SANS survey confirms a broader industry shift away from reactive threat chasing toward automated, context-driven risk operations. Organizations that embrace this approach will be better positioned to reduce the risks that matter most to the business.
Conclusion
The shift highlighted in the SANS survey reflects a broader transformation in cybersecurity operations. Organizations are no longer looking for platforms that simply generate alerts. They are looking for operational models that unify visibility, automate response, and align remediation efforts with business risk.
This is where the Risk Operations Center (ROC) model becomes increasingly important. By combining continuous visibility, business-contextual prioritization, and automated remediation workflows, organizations can move from reactive threat management to proactive risk reduction.
As cyber risk grows more dynamic and complex, the organizations that succeed will be those that operationalize security around measurable business outcomes, not just technical findings.
Start your 30-day trial of Qualys Enterprise TruRisk™ Management (ETM) and experience unified, risk-based exposure management in action.