Concept

Attack Surface

The attack surface is the sum of all points where an attacker can probe or exploit a system. The classical inventory lists network ports, public APIs, input fields, file uploads, third-party libraries, and the privileged accounts that touch them. Every increase in surface is one more thing to cover; reducing it is cheaper than defending it.

Updated today Reviewed by 7wData

Why it matters

AI systems expand the surface in ways traditional tooling does not catch by default. A model endpoint is an API (classical, the SOC watches it). The prompt is an injection vector (new, no SOC signature). Training data is an integrity surface (new, poisoning happens upstream of the runtime). In an agentic system, the tools the model can call are an authorisation surface nobody enumerated when the agent was wired up. The model’s output is a phishing surface, because the downstream application trusts what the model produces. Each needs its own threat model on top of the classical one. Treating them as “just another API” is how teams under-scope AI security.

Where you’ll encounter it

A pen-test scoping call asks “what is the attack surface on your RAG service” and the honest answer is six, not one: model API, ingestion pipeline, vector store, prompt template, tool integrations, output handling. A threat-model review asks the team to list AI-specific surfaces alongside the classical ones; the gap is where the next incident comes from. A vendor RFP asks “describe the attack surface for the AI components,” and the bidder who only lists the API loses. The pitfall: teams treat the AI surface as an extension of the API surface, miss the data-pipeline and prompt-template surfaces, and ship a partial threat model.

Part of the 7wData AI Glossary. Tracking how concepts like this move in the expert conversation: daily signals at ins7ghts.com.