
Stop Threats, Don’t Just Study Them: How AI Is Transforming Attack Surface Intelligence

by ZeroFox Team

Modern organizations succeed by expanding their offerings, updating their technologies, and meeting customers where they are. But the internet is a shared, high-risk environment, and the more you grow, the harder it is to balance your business needs with security. Meanwhile, traditional approaches to managing digital risk can no longer keep pace with an attack surface that expands and evolves by the minute.

One of the most pressing issues is visibility. While 73% of cybersecurity leaders trace the cause of incidents to unknown or unmanaged assets, only 17% of organizations can clearly identify and inventory their exposed digital assets. 

Legacy security solutions also fall dramatically short in the face of emerging AI-powered cyber threats. AI-related vulnerabilities were cited as the fastest-growing cyber risk by 87% of security leaders in 2025. At the same time, 90% of organizations are unprepared to secure their operations against AI-driven attacks.

Beyond financial losses, cyber threats cause operational disruptions, regulatory penalties, and reputational damage. Organizations also face increased human costs, including burnout and staff turnover among security teams, and threats increasingly extend to physical safety risks.  

So, how do you close the gap between what your organization knows and what attackers can find? How do you defend yourself against AI technologies already being weaponized by adversaries who won’t wait for you to catch up?

Read on to find out how AI attack surface intelligence helps organizations discover their hidden digital exposures, separate genuine threats from noise, and move from studying risk to stopping it—in real time.

Why Legacy Cybersecurity Is Failing

Legacy security approaches are no longer enough because your attack surface has moved far beyond your network perimeter, and the volume of sprawl created by digital transformation results in a massive and typically unmanaged risk profile.

Let’s take a closer look at why traditional methods are failing in the modern threat landscape:

1. The Broadening of the Traditional Perimeter

Traditional Attack Surface Management (ASM) was designed for a bygone age where security focused on protecting hard assets within your perimeter firewall. However, because most organizations are now digital by default, the real boundary has moved to external spaces on platforms and services that companies do not own, such as clouds, social media, and third-party registrars. Modern enterprises are also entangled in complex digital supply chains. Every partner portal, supplier invoice system, and SaaS integration creates connection points that attackers can exploit. 

"You have Nth parties that are all connected to all kinds of internal applications and portals that no consumer will ever see," Josh Mayfield, Senior Director of Product Marketing at ZeroFox explains. 

"Any one of those little links could be compromised, and you just don't know it, because you didn't know it existed."

Attackers rely on these blind spots and scan the entire internet with automation, finding everything connected to your organization that you have forgotten about. Traditional network-centric approaches cannot influence or control these far-reaching external edges, where 81% of modern threats now originate.

2. Focus on "Known Unknowns" vs. "Unknown Unknowns"

Legacy security is often reactive and limited to scanning assets that an organization already knows it owns. Jill Cagliostro, Senior Director of Product Management at ZeroFox, says that, while traditional ASM can check vulnerabilities on a provided list of IPs, it fails to detect "unknown unknowns" such as abandoned applications, forgotten Linux hosts, and unmaintained portals that still carry the organization's "fingerprints" yet remain exposed and ready for exploitation. What’s more, as organizations grow through mergers and acquisitions, they frequently lose track of their digital estate even further, making it nearly impossible to maintain a manual asset list.

3. Lack of Threat Context

Traditional approaches can provide an enormous volume of data that leaves organizations no better off, because without integrated threat intelligence, an asset inventory is merely a database that lacks the context needed to prioritize what is actually being targeted. What’s more, most External Attack Surface Management (EASM) platforms generate an avalanche of notifications, resulting in 30% of alerts being ignored in the typical SOC due to “alert fatigue”. Without knowing whether a threat actor is actively exploiting a specific vulnerability, security teams often find themselves "crying wolf" to the rest of the business.

4. The Expansion into the Kinetic and Personal Realm

The attack surface has expanded beyond servers and websites into the real world, with executives facing threats to their physical safety and some organizations facing escalating real-world harassment and disruption.

“We're starting to see the risk of your digital attack surface, like sharing a speaking engagement, becoming more kinetic in business settings, where it's never been like that in my lifetime, and not my parents' either. Traditionally, you weren't putting your life on the line by running a company,” says Cagliostro.

“It's not just websites, domains, credentials, the usual suspects, but it's also things like your brand or social media accounts, your physical location, and your executives or even their child’s school.”

5. The AI-Driven Lowering of Barriers

Finally, traditional manual defenses cannot keep pace with the speed of AI. Evergreen threats such as ransomware, Account Takeovers (ATO), brand impersonations, and domain spoofing are now accelerated by threat actors using AI to generate various types of deepfakes, including audio cloning, image manipulation, and puppet master attacks. With 62% of organizations suffering deepfake attacks last year, losses have already hit $1.56 billion. Cybercriminals, even those with little technical expertise, are also now using artificial intelligence as a force multiplier to automate attacks without investing any significant financial resources. Machine learning technologies can analyze enormous amounts of data to identify weak points, create exploit scripts, and even modify malware on the fly to avoid detection, reducing what once took weeks to just minutes. WEF research reports that 77% of organizations have seen an increase in cyber-enabled fraud and phishing, supercharged by generative AI's ability to scale and localize social engineering attacks.

What is AI Attack Surface Intelligence?

To make up for the deficiencies of traditional cybersecurity solutions, External Attack Surface Management (EASM) tools emerged to give organizations an "outside-in view" of their digital presence, showing you what attackers can see by finding those internet-facing assets like cloud instances, web apps, subdomains, and third-party services that security teams often didn't know about.

But many standard EASM tools stop at visibility and data collection. They help teams “study” or “understand” risk without actually eliminating it. Today’s environment demands an approach focusing not just on what assets exist, but on how vulnerable they are, and how threats can be disrupted, cleanly and quickly.

Rather than just listing assets, AI attack surface intelligence (ASI) combines EASM with Cyber Threat Intelligence (CTI) and Digital Risk Protection (DRP) into one unified threat-informed platform that lets you shift from passive monitoring to active defense. ASI operates on a continuous cycle of three integrated phases: Discovery identifies the full scope of an organization’s digital assets; Validation enriches that inventory with threat intelligence to separate real risks from noise; and Disruption takes automated action to neutralize threats before they cause harm. Each phase feeds into the next, creating a self-reinforcing loop that delivers outcomes: deeper threat contextualization, faster detection and response times, and longer-term cost savings.

ASI is the foundation for Continuous Threat and Exposure Management (CTEM), an approach which makes organizations 3x less likely to suffer a breach.

Here’s how it works:

Discover: Intelligent Asset Discovery

The first pillar of ASI is discovery: identifying an organization’s “digital estate,” including forgotten or abandoned assets often left behind by rapid innovation or mergers. Traditional methods often work as simple IP scanners, focusing on “known unknowns”: assets you already suspect exist. Here’s how AI-powered attack surface intelligence goes beyond this to uncover the "unknown unknowns":

  • Scale and Speed

AI in cybersecurity uses automated discovery techniques, including browser simulation, to crawl the internet at scale and identify assets and relationships. It uses recon and discovery techniques similar to those attackers employ to find everything connected to an organization: cloud instances, dev servers, forgotten subdomains, and even third-party connections in the digital supply chain. The result is a living inventory that adapts as the digital environment changes.

  • Relevance

“Everyone else starts with collecting all the threats out there, tries to find some assets, and then hopes that they have some intelligence that applies to it,” Mayfield says. 

This approach typically swamps customers with a massive amount of raw information, leaving them overwhelmed without improving their security because most of it is irrelevant. 

“We're the only one that starts with your brands, your domains, your people, and your assets. Then we go out and look for the threats against you, rather than go find every possible threat and hope that it means something to you one day.” 

  • High-Fidelity Accuracy

The ZeroFox AI model now achieves 99% accuracy in telling authentic assets from noise, up from roughly 63% just months ago. This prevents security teams from having to manually track down every internet-facing asset and filter out false positives.

“Our AI capability allows for more precise detection through billions of reference tables for faster, more accurate first touch,” Mayfield says. 

"So discovery can happen quicker and with greater fidelity, greater confidence, without having to remove things that weren't true in the first place. That is a time suck, and it's eliminated with our AI discovery.”

  • Clustering and Relationships

AI clusters massive datasets to find trends and hidden relationships, identifying ownership using advanced reconnaissance that continuously collects clues from DNS records, SSL certificates, IP allocations, and even GitHub references.

Attack surface discovery becomes even more powerful when it is guided by threat intelligence signals. Threat actors often discuss vulnerabilities, infrastructure, or service providers they intend to target inside deep and dark web forums long before an attack becomes visible on the public internet.

Monitoring these criminal ecosystems can reveal what technologies adversaries are actively probing. If attackers begin discussing exploits targeting a specific hosting provider, SaaS platform, or web framework, organizations can immediately prioritize discovery of those asset types within their own environment.

  • Discovery Visualization

Effective ASI shows a "discovery path" for every asset—exactly how the platform found it (for example, through a shared SSL certificate). This transparency builds trust in the data and helps analysts understand relationships between discovered assets. Screenshot enrichment captures visual evidence of web-facing assets, letting analysts quickly spot unauthorized login portals or clone sites built for fraud.
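The clustering and discovery-path ideas above can be shown concretely. The block below is an added example written for this page, not ZeroFox code: the inventory, the host names (on the reserved .invalid TLD) and the clue labels cert_sans, github_refs, ns and asn are constructed, and the split between "strong" clues (a shared certificate or a reference in the organization's own repository) and "weak" clues (a shared nameserver or hosting ASN) is an assumption about how such a pipeline should behave. It pivots from one seed host over shared strong clues, records the discovery path for every host it attributes, and holds back hosts that overlap with the cluster only on shared providers, which is where automated attribution classically over-clusters.

```python
"""Pivot-based asset attribution with a recorded discovery path.

Added example, not ZeroFox code. The inventory, host names and clue labels
(cert_sans, github_refs, ns, asn) are constructed; a real recon pipeline
would fill them from certificate transparency logs, DNS, IP allocation
records and code search.
"""
from collections import defaultdict, deque

# Strong clues name a specific certificate holder or code owner, so sharing one
# is a defensible basis for attribution. Weak clues (DNS provider, hosting ASN)
# are shared by thousands of unrelated tenants; linking on them alone is the
# classic over-clustering false positive, so they are surfaced for review only.
STRONG_CLUES = ("cert_sans", "github_refs")
WEAK_CLUES = ("ns", "asn")

# Constructed sample inventory (every name below is invented).
HOSTS = {
    "www.example-corp.invalid": {
        "cert_sans": ["www.example-corp.invalid", "api.example-corp.invalid"],
        "ns": ["ns1.dnshost.invalid"], "asn": ["AS64500"],
    },
    "api.example-corp.invalid": {
        "cert_sans": ["www.example-corp.invalid", "api.example-corp.invalid"],
        "github_refs": ["github.invalid/example-corp/infra"],
        "ns": ["ns1.dnshost.invalid"], "asn": ["AS64500"],
    },
    # Portal inherited through an acquisition: its name says nothing about
    # example-corp, but the company's own infra repository still references it.
    "legacy-portal.acquired-co.invalid": {
        "cert_sans": ["legacy-portal.acquired-co.invalid", "sso.acquired-co.invalid"],
        "github_refs": ["github.invalid/example-corp/infra"],
        "ns": ["ns9.otherdns.invalid"], "asn": ["AS64501"],
    },
    "sso.acquired-co.invalid": {
        "cert_sans": ["legacy-portal.acquired-co.invalid", "sso.acquired-co.invalid"],
        "ns": ["ns9.otherdns.invalid"], "asn": ["AS64501"],
    },
    # Unrelated tenant on the same DNS and hosting provider: must NOT be attributed.
    "shop.other-org.invalid": {
        "cert_sans": ["shop.other-org.invalid"],
        "ns": ["ns1.dnshost.invalid"], "asn": ["AS64500"],
    },
}


def build_pivot_index(hosts):
    """Map each strong (clue_type, value) pair to the hosts that carry it."""
    index = defaultdict(set)
    for host, clues in hosts.items():
        for clue_type in STRONG_CLUES:
            for value in clues.get(clue_type, []):
                index[(clue_type, value)].add(host)
    return index


def discover(seed, hosts):
    """Breadth-first pivot from one known asset over shared strong clues.

    Returns {host: path}; path is the list of (clue_type, value, via_host) hops
    that led from the seed to that host, and the seed's own path is empty.
    """
    index = build_pivot_index(hosts)
    paths = {seed: []}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for clue_type in STRONG_CLUES:
            for value in hosts[current].get(clue_type, []):
                for neighbour in sorted(index[(clue_type, value)]):
                    if neighbour not in paths:
                        paths[neighbour] = paths[current] + [(clue_type, value, current)]
                        queue.append(neighbour)
    return paths


def weak_candidates(hosts, attributed):
    """Hosts outside the cluster that overlap with it only on weak clues.

    These go to an analyst queue, not into the inventory: a shared nameserver
    or ASN is evidence of a common provider, not of common ownership.
    """
    cluster_values = {(t, v) for h in attributed
                      for t in WEAK_CLUES for v in hosts[h].get(t, [])}
    candidates = {}
    for host, clues in hosts.items():
        if host in attributed:
            continue
        shared = sorted((t, v) for t in WEAK_CLUES
                        for v in clues.get(t, []) if (t, v) in cluster_values)
        if shared:
            candidates[host] = shared
    return candidates


def format_path(host, path):
    """Render a discovery path the way an analyst would read it."""
    if not path:
        return f"{host}: seed"
    hops = " -> ".join(f"{via} [shared {t} {v}]" for t, v, via in path)
    return f"{host}: {hops} -> {host}"


if __name__ == "__main__":
    found = discover("www.example-corp.invalid", HOSTS)
    for host in found:
        print(format_path(host, found[host]))
    print("needs analyst review:", weak_candidates(HOSTS, set(found)))
```

Run as a script, it prints one line per attributed host with the full chain of pivots (seed, shared certificate, repository reference, second certificate) and lists shop.other-org.invalid separately as a review candidate rather than an asset. The same two-tier rule applies to certificates issued by CDNs whose SAN lists bundle unrelated tenants: those issuers should be demoted to weak before the pivot runs.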

Validate: Threat Intelligence and Context

According to the WEF, 77% of organizations have deployed AI-enabled cybersecurity tools, yet only 39% have AI-powered threat intelligence and risk prioritization. Validation is needed to transform the raw information gathered by AI into actionable intelligence by integrating threat data that reveals which assets are actually at risk and from whom.

Leading platforms like ZeroFox continuously monitor 100M+ domains and URLs, along with millions of posts across deep and dark web forums, encrypted channels, and underground marketplaces where threat actors coordinate campaigns and exchange exploit intelligence. By combining an asset inventory with billions of correlated threat intelligence signals and validating discovery data against adversary behavior and vulnerability sources (such as CVE records and the CISA Known Exploited Vulnerabilities catalog), organizations can move beyond meaningless noise and focus only on real threats. For example, if attackers are discussing Linux exploits or new vulnerability chains inside dark web forums, AI-driven attack surface intelligence can cross-reference that intelligence with your external assets and immediately flag whether your organization has exposed Linux infrastructure that may be targeted next.

“The reality is, if there's no known exploits and no threat actors are targeting that kind of asset, regardless of the severity, it can wait if your business needs it to,” Cagliostro notes. 

“However, if you have something that's internet accessible, that a threat actor who's known to target your industry is actively exploiting, and it's on the CISA known exploit list, then you probably want to prioritize that more urgently.”
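The prioritization rule in the two quotes above, together with the earlier point about steering discovery toward technologies that actors are discussing, can be written down as a small ranking routine. This is an added example for this page, not ZeroFox code: the findings, the KEV membership, the actor reports and the four tiers are constructed, and the vulnerability ids are placeholders rather than real CVE numbers. It ranks an internet-reachable asset whose weakness is in KEV and actively exploited by an actor who targets your industry ahead of everything else, and it puts an internal host with the highest CVSS score last.

```python
"""Threat-informed prioritisation of exposed assets.

Added example, not ZeroFox code. Findings, intel feeds (KEV membership, actor
reports) and tier rules are constructed; VULN-* ids are placeholders, not CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    technology: str        # software fingerprinted on the asset
    vuln: str              # placeholder id of the weakness found on it
    cvss: float            # scanner / vendor severity
    internet_facing: bool


@dataclass(frozen=True)
class ActorReport:
    actor: str
    industries: frozenset    # sectors this actor is known to target
    technologies: frozenset  # products seen discussed or probed in their chatter
    exploiting: frozenset    # vuln ids they are actively exploiting


@dataclass(frozen=True)
class Ranked:
    asset: str
    tier: int
    cvss: float
    reasons: tuple


# Constructed intel feeds (invented for this example).
KEV = frozenset({"VULN-A", "VULN-D"})
REPORTS = (
    ActorReport("ACTOR-1", frozenset({"finance"}),
                frozenset({"vpn-appliance", "cms-x"}), frozenset({"VULN-A"})),
    ActorReport("ACTOR-2", frozenset({"retail"}),
                frozenset({"web-framework-y"}), frozenset({"VULN-D"})),
)

# Constructed findings for a fictional finance-sector organisation.
FINDINGS = (
    Finding("vpn.example-corp.invalid", "vpn-appliance", "VULN-A", 9.8, True),
    Finding("db01.corp.example-corp.invalid", "db-server", "VULN-B", 9.9, False),
    Finding("blog.example-corp.invalid", "cms-x", "VULN-C", 6.5, True),
    Finding("shop.example-corp.invalid", "web-framework-y", "VULN-D", 7.5, True),
)


def classify(f, kev, reports, our_industry):
    """Assign a tier: 1 = fix now ... 4 = can wait if the business needs it to."""
    if not f.internet_facing:
        return 4, ("not reachable from the internet; severity alone is not urgency",)
    relevant = [r for r in reports if our_industry in r.industries]
    exploited_by_relevant = [r.actor for r in relevant if f.vuln in r.exploiting]
    exploited_by_any = [r.actor for r in reports if f.vuln in r.exploiting]
    probed_by_relevant = [r.actor for r in relevant if f.technology in r.technologies]
    reasons = ["listed in KEV"] if f.vuln in kev else []
    if exploited_by_relevant:
        reasons.append(f"actively exploited by {', '.join(exploited_by_relevant)},"
                       f" who target {our_industry}")
        return 1, tuple(reasons)
    if f.vuln in kev or exploited_by_any:
        if exploited_by_any:
            reasons.append(f"exploited in the wild by {', '.join(exploited_by_any)}")
        return 2, tuple(reasons)
    if probed_by_relevant:
        # No exploitation yet, but the technology is under discussion by an actor
        # who targets us: prioritise discovery and hardening of this asset type.
        reasons.append(f"{f.technology} discussed by {', '.join(probed_by_relevant)},"
                       f" who target {our_industry}")
        return 3, tuple(reasons)
    return 4, ("no known exploitation and no actor interest; schedule normally",)


def prioritise(findings, kev=KEV, reports=REPORTS, our_industry="finance"):
    """Rank findings by tier first and scanner severity second."""
    ranked = [Ranked(f.asset, *classify(f, kev, reports, our_industry)[:1],
                     f.cvss, classify(f, kev, reports, our_industry)[1])
              for f in findings]
    return sorted(ranked, key=lambda r: (r.tier, -r.cvss))


if __name__ == "__main__":
    for r in prioritise(FINDINGS):
        print(f"P{r.tier} {r.asset:32} CVSS {r.cvss:>4}  " + "; ".join(r.reasons))
```

The interesting case is db01: it carries the highest CVSS score in the set and lands at the bottom, because nothing external can reach it. Swapping our_industry to "retail" in the call drops the VPN appliance from tier 1 to tier 2: still exploited in the wild and in KEV, but no longer by an actor who is known to come after organizations like yours.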

For attack surface intelligence to deliver its full value, it must plug directly into existing operational ecosystems. That means integration with SIEMs to add context to otherwise “noisy” alerts, SOAR playbooks for automated quarantine and response, ticketing systems like ServiceNow for faster remediation, and communication platforms like Slack and Microsoft Teams for real-time collaboration. When a threat surfaces, the platform detects it, enriches alerts, and triggers automated workflows without anyone typing a command.

This tight integration of threat intelligence delivers value beyond optimizing AI in cybersecurity.

“Being able to have these more strategic conversations of, this is what the external attack surface looks like, these are all the ways bad guys could exploit us, and having more targeted conversations on what to prioritize to reduce the risk to your business means you're protecting yourself, you're increasing your security,” Cagliostro says.

“But that also helps you operate more confidently in every other aspect of your business to expand into new markets, to develop new services and products, and to avoid regulatory fines in the process.”

Disrupt: Automated Response and Mitigation

Unlike traditional EASM, the best ASI platforms do more than identify issues: they support remediation and disruption. AI attack surface intelligence paired with the wider ZeroFox platform enables automated, proactive responses that close the loop on the continuous cycle.

True disruption capability extends beyond technical remediation to deliver threat elimination at scale across 180+ platforms including social media, marketplaces, forums, and the deep and dark web. 

Through ZeroFox’s Global Disruption Network—a partnership with 80+ ISPs, registrars, hosts, and platforms—organizations can actively remove threats, block malicious domains, and effectively exile adversaries from the internet in minutes, not days. When a threat is confirmed, it gets neutralized through automated or analyst-assisted takedowns, content remediation, and domain enforcement—with a 98% success rate for executive, brand, and domain takedowns. And the platform watches for rebounds, so threats taken down stay down.

“That Discover, Validate, Disrupt cycle, nobody else does those three things in that sequence, in that way,” Mayfield says. 

“Everybody else goes the opposite direction. They go hobnobbing with the threat actors, understand what their favorite malware is, and what their sandbox infrastructure and their shoe size is, and then come back to the organization and say, ‘Is this relevant to you?’ And for so many companies, for years, the answer was ‘No’, because they're coming from the wrong starting point. We're the only one that starts with you.”

That’s the philosophy. Here are a few outcomes and scale indicators customers typically care about:

  • Mean Time to Resolution (MTTR) slashed from 18 days to just 5
  • 60% drop in redundant findings using ASI with vulnerability management platforms
  • 12B+ correlated threat intelligence data points
  • 100M+ domains and URLs analyzed daily
  • 8M+ disruption actions performed annually
  • 1M+ successful takedowns performed annually
  • 1,000+ dark web forums continuously monitored
  • 100+ elite operatives

ZeroFox for AI Attack Surface Intelligence + Human Expertise

Even when using the most powerful AI in cybersecurity, protecting your business is a cat-and-mouse game: the moment one adversary tactic is stopped, they pivot to another. Ultimately, AI shouldn’t replace security teams; it should amplify what they can do, to give analysts back time, sanity, and control to focus on the hardest and most valuable security operations.

While AI seamlessly handles repetitive, high-volume tasks across all three phases—discovery, validation, and disruption—the best attack surface intelligence follows a “Trust but Verify” model. Left to its own devices, AI can make incorrect decisions or miss the nuanced behavior of a threat actor. 

Industry data shows why human oversight matters: 48% of organizations say that AI currently struggles with complex contexts, and 41% cite the need for human validation as a key challenge in AI adoption. 

“Computers are not people. You can't just let AI produce results and not check it. It requires oversight,” agrees Cagliostro.

“When you look at AI, it's very flexible and able to accomplish many use cases, but that makes it volatile and comes with risks. AI can make mistakes, especially when you have a lot of conflicting data sets that have opposite answers in them. AI isn't well-suited to make a decision on which one's right.”

“The AI used by every company faces these problems, no matter what their marketing says.”

This is where human judgement complements automation. Human threat intelligence expertise is essential to validate AI findings, cut false positives, and bring context to what adversaries are actually trying to accomplish, turning raw AI findings into true attack surface intelligence.

"AI takes you so far, but then ZeroFox's human expertise adds the magic," Cagliostro explains.

“Right now, AI in cybersecurity puts a lot of ownership on the consumer to validate, to understand, and to ultimately process the results of it.”

"But at ZeroFox, we have eyes on it, on its results, constantly validating and refining what the AI is able to do and how it produces. So that way you can focus on just doing your job. We'll deal with the AI."

This approach works because it's backed by threat intelligence experts who've spent their entire careers thinking like adversaries and who know what attackers are actually planning, not just what the data suggests they might do.

“We have a team of industry veterans who have been in the threat intel space for as long as it's existed commercially,” Cagliostro says. 

“Our threat intel analysts know how to put themselves in the minds of the adversary, keep pace with the changing attack vectors, and understand exactly how bad guys are trying to exploit organizations, so we can always stay ahead of them.” 

Ready to stop studying threats and start stopping them? Request a demo to discover how ZeroFox Attack Surface Intelligence can transform your external security posture.

Tags: Attack Surface Intelligence, External Attack Surface Management
