Calculate your application attack surface from endpoints, weighting by exposure type. Public (3x), authenticated (2x), internal (1x) scoring.
The attack surface of an application is the total set of points where an attacker can attempt to enter or extract data. A larger attack surface means more potential entry points for attackers. Reducing the attack surface is a fundamental security principle — every endpoint, port, API, and interface that doesn't need to be exposed should be eliminated.
This calculator quantifies your attack surface by counting endpoints in three categories weighted by exposure: public endpoints (accessible without authentication, weight 3), authenticated endpoints (require login, weight 2), and internal endpoints (not internet-facing, weight 1). The weighted sum produces a surface score that helps you track reduction efforts and compare the relative exposure of different applications or services.
You can't reduce what you don't measure. This calculator provides a simple, repeatable metric for attack surface that enables tracking over time, comparing between applications, and setting measurable reduction goals. It's especially useful for quarterly security reviews and architectural decisions. Having accurate metrics readily available streamlines incident postmortems, architecture reviews, and technology roadmap discussions with engineering leadership and product teams.
Surface Score = (Public × 3) + (Authenticated × 2) + (Internal × 1). Public endpoints have the highest weight because they're accessible to any attacker.
Result: Surface Score: 245
With 15 public endpoints (×3 = 45), 85 authenticated endpoints (×2 = 170), and 30 internal endpoints (×1 = 30), the total surface score is 245. Reducing the 15 public endpoints to 8 would save 21 points (the equivalent of removing 21 internal endpoints).
The attack surface includes network endpoints (ports, protocols), application endpoints (APIs, pages), data endpoints (databases, file stores), and human endpoints (social engineering vectors). This calculator focuses on application endpoints, which are the most dynamic and frequently changing component.
Key reduction strategies: remove unused endpoints, consolidate duplicate functionality, move endpoints behind authentication, implement API gateways, use network segmentation, and adopt zero-trust architecture. Each strategy directly reduces the weighted score.
Record your attack surface score monthly or quarterly. Plot the trend alongside your deployment frequency and feature count. A growing application should aim to keep the attack surface growth rate below the feature growth rate through careful endpoint management.
In a zero-trust architecture, the distinction between public, authenticated, and internal blurs because all access requires verification. This effectively reduces the weight of all endpoints and significantly lowers the attack surface score.
Public endpoints are the highest risk because they require no credentials to access and are discoverable by any attacker through scanning. They face the full spectrum of automated attacks, bots, and targeted exploitation attempts.
Any point where external input enters the application: API routes, web pages, form handlers, file upload endpoints, WebSocket connections, GraphQL queries, admin panels, health check URLs, and even error pages that leak information. Sharing these results with team members or stakeholders promotes alignment and supports more informed decision-making across the organization.
Use a combination of: API documentation/OpenAPI specs, web application scanning tools, network port scanning, cloud asset inventory, code analysis (route definitions), and traffic analysis from load balancers or API gateways. Keeping detailed records of these calculations will streamline future planning and make it easier to track changes over time.
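One way to derive the three counts from an OpenAPI spec and apply the page's 3/2/1 weights (an added example, not code from this calculator; the sample spec is constructed, and the `x-internal` flag used to mark internal routes is an assumption of this example):

```python
# Added example: weights are the page's; the spec and the x-internal marker are constructed.
WEIGHTS = {"public": 3, "authenticated": 2, "internal": 1}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

def classify(operation, global_security):
    """Return the exposure category of one OpenAPI operation."""
    if operation.get("x-internal"):          # assumed marker for non-internet-facing routes
        return "internal"
    # Operation-level `security` overrides the top-level default, even when empty.
    security = operation.get("security", global_security)
    # No requirement, or an empty {} alternative, means anonymous access is allowed.
    if not security or any(req == {} for req in security):
        return "public"
    return "authenticated"

def surface_score(spec):
    """Count operations per category and apply the weighted sum."""
    counts = {name: 0 for name in WEIGHTS}
    global_security = spec.get("security", [])
    for path_item in spec.get("paths", {}).values():
        for method, operation in path_item.items():
            if method in HTTP_METHODS:       # skip `parameters`, `summary`, etc.
                counts[classify(operation, global_security)] += 1
    score = sum(counts[name] * WEIGHTS[name] for name in WEIGHTS)
    return counts, score

# Constructed sample spec (not from a real service).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],        # default: every operation needs a token
    "paths": {
        "/login": {"post": {"security": []}},                        # explicitly anonymous
        "/health": {"get": {"security": [{}, {"bearerAuth": []}]}},  # auth optional
        "/orders": {"parameters": [], "get": {}, "post": {}},        # inherit the default
        "/orders/{id}": {"get": {}, "delete": {}},
        "/admin/cache": {"post": {"x-internal": True}},
        "/metrics": {"get": {"x-internal": True, "security": []}},
    },
}

if __name__ == "__main__":
    counts, score = surface_score(SAMPLE_SPEC)
    print(counts, "surface score:", score)
```

An operation that overrides the default with an empty `security` list counts as public even though the spec as a whole requires a token, which is the case a manual count most easily misses.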
There's no universal benchmark — it depends on application complexity. The goal is to minimize the score over time. A score reduction of 10–20% per quarter indicates good progress. Focus especially on reducing public endpoints.
A larger attack surface means more potential locations for vulnerabilities. Statistically, vulnerability density is roughly constant per endpoint, so doubling your endpoints roughly doubles your expected vulnerability count.
Yes. Third-party APIs, webhooks, OAuth callbacks, and embedded widgets all extend your attack surface. Include any endpoint that processes external input, even if the code is maintained by a third party.