Attack surface encompasses network interfaces, applications, APIs, physical access points, user accounts, third-party integrations, and human vulnerabilities that adversaries might exploit. As organizations adopt cloud services, IoT devices, and remote work, attack surfaces expand dramatically. A financial services firm's attack surface includes customer-facing mobile apps, employee laptops, payment processing APIs, branch networks, and partner connections. Attack surface management involves continuously discovering assets, assessing vulnerability exposure, prioritizing based on risk, and reducing unnecessary exposure through decommissioning, patching, segmentation, and access restrictions.