Key insight
Attack surface is every point where someone could possibly try to get in, added together. It is not the same idea as blast radius: surface is everything an attacker could attempt, radius is what happens once one attempt succeeds. Every new tool an AI agent is given is one more door, and few teams ever go back to check which old ones are still open.
Imagine two houses on the same street, built to the exact same floor plan. One has a single, sturdy front door, and every window is shut and latched. The other has that same front door, plus a side door nobody uses anymore, two windows propped open for air, and a spare key sitting under the mat out of habit. Nobody has broken into either house yet. But one of them plainly offers a burglar far more to try. Security people call that plain idea an attack surface, and this article builds it up from nothing, then looks closely at why software, and especially AI agents, tend to grow theirs without anyone quite deciding to.
1 · The everyday word behind the term
Set computers aside for a moment. A surface, in the ordinary sense, is simply the outer boundary of something, the part that touches the outside world. A ball has a small, smooth surface. A sponge, with all its holes and folds, has an enormous surface for its size, even though both objects might fit in the same hand. Add the word “attack” in front of it, and the meaning barely changes: an attack surface is every point on that outer boundary where something from outside could actually get in or interact.
The house example makes this concrete. Every door, every window, and every hidden key is one distinct point where a burglar could try something. Add them all together, and you get the house’s attack surface: not a measure of how likely a break-in is, just a plain count of every place one could even be attempted.
Attack surface never asks “has anyone tried this yet.” It only asks “could someone try this at all.” A door nobody has ever knocked on still counts.
2 · The three kinds of attack surface every system has
Translate the house into a computer system and the same idea splits into three broad categories, and almost every real system carries some amount of all three at once.
- Network surface. Every address and every port a computer will answer traffic on. A server that only answers on one well-guarded address has a small network surface; one that answers on dozens of forgotten addresses left over from old projects has a large one.
- Software surface. Every piece of code that actually runs, because more running code simply means more total lines where a mistake could be hiding, whether that code is a core feature or a rarely used option nobody remembers exists.
- Human surface. Every person who can be tricked, rushed, or persuaded into doing something they should not, through a fake email, a fake phone call, or a fake request that looks like it came from somewhere trusted.
3 · How attack surface differs from blast radius
These two terms sound alike and get confused constantly, but they measure two completely different moments. Attack surface is every point where an attacker could possibly try something, measured before anything happens. Blast radius is everything that could plausibly be affected once one of those attempts actually succeeds, measured after a compromise begins spreading outward. A system can have a small surface and a huge radius: one tightly guarded door that, once picked, opens straight into every room in the building. Or it can have a huge surface and a small radius: a hundred loosely secured doors, each of which only opens into one small, walled-off closet. Reducing surface makes a compromise less likely to start. Reducing radius makes a compromise, once it does start, matter less. A serious security program needs both, and treating them as the same problem tends to leave one of the two completely unaddressed.
“How many ways in do we have” and “how far does one bad way in reach” are different questions with different answers and different fixes. Ask both, separately, on purpose.
4 · A worked example: one forgotten API endpoint
A company builds a small internal tool that exposes an API, short for application programming interface, a defined way for other software to ask a system to do something, over the network. Six months later, the tool is retired and its main features are moved elsewhere, but one old endpoint, a single specific address the API still answers on, is quietly left running because nobody was assigned to confirm every piece was actually turned off. Nobody used it, nobody tested it, and it never showed up in any dashboard anyone actually looked at. It still fully counted as part of the company’s attack surface every single day it kept answering traffic, whether or not a single person, malicious or otherwise, ever sent it a request.
5 · Why AI agents grow attack surface faster than anything before them
An AI agent, software that decides on its own which tools to call and which actions to take, is usually made more useful by giving it more tools: a way to read files, a way to send email, a way to browse the internet, a way to call an outside service. Each one of those tools is a brand-new door on the house, and teams add them quickly, because a more capable agent is the whole point of building one. What almost never happens with the same urgency is a matching review that removes the tools a task no longer needs, the way the house example’s side door was never actually removed once nobody used it anymore.
The result is an attack surface that only ever grows, one integration at a time, quietly, in the background of ordinary feature work, with no single moment where anyone consciously decided “now we have too many doors.” A crafted piece of content the agent processes only has to find one of those doors still propped open; it does not need to pick the lock on all of them.
6 · Shrinking attack surface on purpose
- Inventory first. You cannot close a door you do not know exists. List every network address, every running feature, and every tool an agent can call.
- Disable what is unused. A feature, port, or tool nobody has used in months is a door with no purpose left, only risk left.
- Patch what remains. Every piece of software you keep running should be kept current, since an old, unpatched version is a door with a known-broken lock.
- Train the human surface. People remain part of the surface no matter how good the software gets, so ongoing awareness of phishing and social engineering stays necessary.
- Review on a schedule, not by accident. Surface reduction that only happens during an audit, rather than on a standing calendar, drifts right back upward the moment the audit ends.
7 · A simple test you can run this week
1. Pick one system, or one AI agent, that matters to you.
2. List every network address it answers on, every feature it runs, and every tool it can call.
3. For each item, ask when it was last actually used, by anyone, for anything real.
4. Disable or remove anything that fails that test.
Whatever is left afterward is your real, current attack surface — not the one you assumed you had.
8 · Glossary — every short-form term, spelled out
- Attack surface
- Every point where an attacker could possibly try to get in, added together, regardless of whether anyone has tried any of them yet.
- Network surface
- Every address and port a computer will answer traffic on.
- Software surface
- Every piece of running code, since more code means more chances for a mistake to hide in it.
- Human surface
- Every person who can be tricked, rushed, or persuaded into doing something they should not.
- Blast radius
- Everything that could plausibly be affected once one attempt actually succeeds, measured after a compromise begins, as distinct from attack surface, which is measured before anything happens.
- API (application programming interface)
- A defined way for one piece of software to ask another to do something, usually over a network.
- AI agent
- Software that decides, on its own, which tools to call and which actions to take in order to complete a task.
Attack surface is every point where someone could possibly try to get in, whether or not anyone ever has.
It splits into three kinds — network, software, and human — and most real systems carry all three.
Attack surface and blast radius measure different moments: before an attempt versus after a compromise starts.
AI agents grow attack surface fast because every new tool is a new door, and cleanup rarely keeps pace with capability.
Inventory, disable the unused, patch what remains, and review on a fixed schedule, not by accident.
References
- NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations — attack surface reduction controls, National Institute of Standards and Technology. csrc.nist.gov
- OWASP Foundation, Attack Surface Analysis Cheat Sheet, Open Worldwide Application Security Project. owasp.org