The sum of all points where an attacker could try to enter or extract data from a system or organization.
The attack surface is every exposed entry point an attacker might target: open ports, exposed services, web applications, APIs, user accounts, and even people who can be socially engineered.
Reducing the attack surface, by disabling unused services, limiting exposure, and removing unnecessary access, is a fundamental way to lower risk. Attack surface management is the ongoing practice of tracking and shrinking it.
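One way to track the network part of the attack surface on a single Linux host, as an added example that is not part of the original entry: it parses listening sockets in the format of `ss -H -tln`, separates loopback-only services from those reachable on other interfaces, and compares the exposed ports with an approved baseline. The sample output and the `APPROVED_EXPOSED` baseline are constructed for illustration.

```python
import ipaddress

# Constructed sample in the format of `ss -H -tln`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
"""

# Hypothetical baseline: ports this host is supposed to expose.
APPROVED_EXPOSED = {22, 443}


def parse_listeners(ss_output):
    """Return (ip_address, port) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop brackets and %iface zone
        if host == "*":                        # ss wildcard for all addresses
            host = "::"
        listeners.append((ipaddress.ip_address(host), int(port)))
    return listeners


def audit(ss_output, approved):
    """Compare ports reachable beyond loopback with the approved baseline."""
    exposed = sorted({port for addr, port in parse_listeners(ss_output)
                      if not addr.is_loopback})
    return {
        "exposed": exposed,
        # Candidates to disable or rebind to loopback.
        "unapproved": [p for p in exposed if p not in approved],
        # Baseline entries no longer in use: tighten the baseline.
        "stale_approvals": sorted(approved - set(exposed)),
    }


if __name__ == "__main__":
    for key, ports in audit(SAMPLE_SS, APPROVED_EXPOSED).items():
        print(f"{key}: {ports}")
```

Run on a schedule against real `ss -H -tln` output, a non-empty `unapproved` list is the signal that the surface has grown since the baseline was agreed.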