The M&A attack surface problem
The deal closes on a Friday. By Monday, your security team owns everything the acquired company ever stood up, forgot about, misconfigured, or abandoned.
Eighteen months of your life have been burned away doing due diligence over financial statements, customer contracts, regulatory exposure, and litigation risk. But how much effort was spent examining the external attack surface? It probably got a questionnaire and a penetration test report from a year ago.
What attackers see on Monday morning is different from what your security team sees. They see a newly acquired subsidiary whose old security team is gone or distracted, whose integration into your controls environment hasn't started, and whose infrastructure is a documented gap. Ransomware groups monitor acquisition announcements. A fresh close is a targeting signal.
This isn't a failure of due diligence process design. Security due diligence in M&A operates under NDA constraints that limit what the acquiring team can actually test before close. It is point-in-time by nature, conducted against a target that has every incentive to present its best posture. What it cannot tell you is what an attacker observes from the internet on day one of your ownership.
What you inherited that you don't know about yet
Acquired infrastructure carries the security posture of the previous owner. That posture may be significantly weaker than your baseline, and it is now your problem in ways that weren't true twenty-four hours ago.
Things that should scare you:
- Internet-facing assets that were never inventoried
- Certificates that have been expiring for six months with nobody assigned to renew them
- Cloud instances provisioned by a development team three years ago that still have production credentials in their environment variables
- Subdomains that were spun up for a marketing campaign and never decommissioned
- Credentials from the acquired company's domain that have been circulating on breach databases since a 2023 incident that the previous security team handled quietly
None of this shows up in the questionnaire responses. Some of it shows up in the pen test report if the tester happened to find it. All of it is on the internet, visible to anyone running seedless discovery against the acquired company's domains, from the moment the deal was announced.
The first actions that matter
Don't wait until integration planning is complete. Don't wait until the new CISO relationship is established. On day one, do these things:
- Run seedless discovery against every domain associated with the acquired company
- Flag anything running end-of-life software or carrying expired certificates as an immediate priority regardless of apparent criticality — these are the low-effort targets that get exploited in the first weeks
- Identify any assets that are dual-homed, with interfaces on both the acquired company's network and the internet, because these are the lateral movement paths into your environment that didn't exist before the close
- Pull breach database coverage for the acquired company's email domain and treat any exposed credentials as active
None of this requires waiting for the integration plan. All of it can be done with the domains and company name you have on close day.
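As an added example (not from the original post), here is a small Python triage pass that applies the four day-one checks to a discovered asset inventory: expired certificates, end-of-life software, dual-homed hosts, and exposed credentials. The inventory, hostnames and addresses are constructed placeholders, and the internal-range list is an assumption you would replace with the acquired company's actual ranges.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import ipaddress

# RFC 1918 ranges; extend with the acquired company's own internal ranges as you learn them
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Asset:
    host: str
    ips: List[str]                         # every interface address seen for the host
    cert_not_after: Optional[date] = None  # TLS cert expiry; None if no TLS endpoint
    software_eol: Optional[date] = None    # vendor end-of-life date; None if still supported
    exposed_creds: int = 0                 # credential records for this host in breach data

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def is_dual_homed(asset: Asset) -> bool:
    # at least one internal and one non-internal interface
    return {is_internal(ip) for ip in asset.ips} == {True, False}

def triage(assets: List[Asset], today: date) -> List[Tuple[str, List[str]]]:
    """(host, reasons) per asset needing day-one attention, most reasons first; criticality ignored."""
    findings = []
    for a in assets:
        reasons = []
        if a.cert_not_after is not None and a.cert_not_after < today:
            reasons.append("expired certificate")
        if a.software_eol is not None and a.software_eol <= today:
            reasons.append("end-of-life software")
        if is_dual_homed(a):
            reasons.append("dual-homed: interfaces on internal network and internet")
        if a.exposed_creds:
            reasons.append(f"{a.exposed_creds} credentials in breach data; treat as active")
        if reasons:
            findings.append((a.host, reasons))
    findings.sort(key=lambda f: -len(f[1]))  # stable sort keeps inventory order on ties
    return findings

def sample_inventory() -> List[Asset]:
    # constructed inventory: hostnames and addresses are placeholders, not real data
    return [
        Asset("vpn.acquired.example", ["203.0.113.10", "10.20.0.5"], date(2023, 12, 1), date(2022, 6, 30)),
        Asset("promo2021.acquired.example", ["198.51.100.7"], date(2024, 1, 15)),
        Asset("mail.acquired.example", ["198.51.100.20"], date(2025, 1, 1), exposed_creds=42),
        Asset("www.acquired.example", ["198.51.100.30"], date(2025, 3, 1)),
    ]
```

Call `triage(sample_inventory(), date.today())` to see the ordering; in practice the `Asset` records come from the seedless discovery and breach-database pulls described above.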
The EASM program gap this exposes
Most EASM programs are scoped to the acquirer's known infrastructure. Adding an acquisition to scope is a manual process that requires someone to remember to do it while they are also managing an active integration. This is exactly the kind of process that fails under real conditions.
Platforms that update their organizational entity models automatically when public acquisition data becomes available close this gap without relying on a manual step during the highest-stress period of the integration calendar. Platforms that require manual scope configuration require someone to take that action under pressure, at exactly the moment when the team has the least capacity to do it.
If your organization runs an active acquisition program, how your EASM platform handles scope expansion at close is a procurement criterion worth evaluating explicitly, not a feature to discover after the first missed acquisition window.