Attack Surface
Context
This is a tactical pattern. Once you have a threat model, you need to understand where an attacker can reach your system. The attack surface is the sum of all those reachable points. Every network port, every API endpoint, every file upload form, every environment variable an agent can read is a point on the surface.
In agentic workflows, the attack surface includes everything the agent can touch: files it can read, commands it can execute, APIs it can call, and content it processes that might contain prompt injection payloads. Understanding this surface is the first step toward shrinking it.
Problem
Systems grow features, integrations, and interfaces over time. Each addition creates new ways for an attacker to interact with the system. Teams often don’t realize how large their attack surface has become until something gets exploited. How do you keep track of all the places where your system is exposed?
Forces
- Every new feature or integration adds to the surface, but features are what make software useful.
- Internal interfaces feel safe but can be reached by insiders or through compromised components.
- Reducing the surface too aggressively can make the system hard to use, debug, or extend.
- The surface includes not just code you wrote, but every dependency, configuration file, and deployment artifact.
Solution
Enumerate every point where data or control enters your system from outside a trust boundary. This includes network endpoints, user input fields, file parsers, IPC channels, environment variables, configuration files, and any interface exposed to code you don’t fully control, including AI agents.
Then actively work to minimize the surface. Remove features and endpoints that aren’t in use. Disable debugging interfaces in production. Restrict which ports are open. Apply input validation at every entry point. The principle is simple: if an attacker can’t reach it, they can’t exploit it.
Think of it like a building’s exterior. Every door and window is a potential entry point. You don’t brick up all the windows (you need light and air) but you lock the ones that don’t need to be open, and you know exactly which ones exist.
How It Plays Out
A team audits their API and discovers they have forty-seven endpoints, twelve of which were created for an internal tool that was retired six months ago. Nobody removed the endpoints. Several accept unauthenticated requests. Removing the dead endpoints instantly eliminates a quarter of their attack surface.
An agentic coding environment gives an AI agent access to a shell, a file system, and a web browser. The developer realizes this is a large attack surface: the agent could be tricked by malicious content into running destructive commands. They reduce the surface by restricting the agent to a sandbox with read-only access to most directories and a curated list of permitted commands.
The attack surface of a system is not fixed. It changes every time you deploy new code, add a dependency, or grant a new permission. Periodic review isn’t optional; it’s part of maintaining security.
“Audit our API for unused endpoints. List every endpoint, check which ones have active callers, and flag any that haven’t been called in the last 90 days. Those are candidates for removal.”
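The endpoint audit described above, as an added example that is not part of this pattern catalog: a constructed route table is matched against constructed access-log lines, every endpoint with no calls in the last 90 days is flagged, and unauthenticated stale endpoints are listed first as the most urgent removal candidates. The route table format, the log line format and the audit date are assumptions.

```python
from datetime import datetime, timedelta

# Constructed route table: (method, path, requires_auth). A real audit would
# dump this from the framework's router rather than hand-write it.
ROUTES = [
    ("GET", "/api/users", True),
    ("POST", "/api/users", True),
    ("DELETE", "/api/users/{id}", True),
    ("GET", "/api/internal/report", False),  # left over from a retired tool
    ("GET", "/api/internal/export", False),  # left over from a retired tool
    ("GET", "/api/health", False),
]

# Constructed access-log lines: "<iso timestamp> <method> <path> <status>".
ACCESS_LOG = """\
2024-06-01T10:00:00 GET /api/users 200
2024-06-02T11:30:00 POST /api/users 201
2024-01-15T09:00:00 GET /api/internal/report 200
2024-06-03T08:00:00 GET /api/health 200
"""

NOW = datetime(2024, 6, 10)  # constructed audit date for the sample data

def last_call_per_endpoint(log_text):
    """Return {(method, path): most recent call timestamp} seen in the log."""
    last_seen = {}
    for line in log_text.splitlines():
        ts, method, path, _status = line.split()
        when = datetime.fromisoformat(ts)
        key = (method, path)
        last_seen[key] = max(last_seen.get(key, when), when)
    return last_seen

def audit_endpoints(routes, log_text, now, stale_days=90):
    """Flag registered endpoints with no calls in the last `stale_days` days.
    Unauthenticated stale endpoints come first: they are reachable by anyone
    and serve nobody, so removing them is the cheapest surface reduction."""
    last_seen = last_call_per_endpoint(log_text)
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for method, path, requires_auth in routes:
        seen = last_seen.get((method, path))
        if seen is None or seen < cutoff:  # never called, or not recently
            findings.append({
                "endpoint": f"{method} {path}",
                "last_called": seen.isoformat() if seen else None,
                "unauthenticated": not requires_auth,
            })
    findings.sort(key=lambda f: not f["unauthenticated"])  # stable sort
    return findings
```

Run against a real deployment, the stale list is the set of candidates for removal; an endpoint that is stale but still registered is exactly the dead surface the team in the story above had forgotten about.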
Consequences
Understanding your attack surface helps you decide where to invest in defenses. A smaller surface means fewer things to monitor, test, and patch. It also makes threat modeling more tractable: you can focus on the entry points that actually exist rather than hypothetical ones.
The cost is the effort of enumeration and the discipline of removal. Teams resist removing features “just in case.” Dependencies accumulate because removing them feels risky. But every unnecessary entry point is a liability you carry forward indefinitely.
Related Patterns
- Depends on: Threat Model. The threat model identifies which parts of the surface matter most.
- Uses: Trust Boundary. The surface is defined by what crosses trust boundaries.
- Enables: Input Validation. Every point on the surface needs validation.
- Enables: Sandbox. Sandboxing shrinks the effective attack surface.
- Contrasts with: Blast Radius. Attack surface is about where you can be hit; blast radius is about how far the damage spreads.
- Contrasts with: Secret. Exposed secrets enlarge the effective attack surface.
- Enables: Output Encoding. Every output point on the surface needs appropriate encoding.
- Enables: Vulnerability. Vulnerabilities on reachable surfaces are more dangerous.
- Related: Shadow Agent. Every unregistered agent is an unmonitored entry point.
- Related: Tool Poisoning. Every tool registry and MCP server connection is an attack surface.