A term used to characterize how vulnerable an IT environment is to potential attack. If it is said that an IT environment has a large attack surface, this means there are a large number of potential ways in which a hacker may attack. A small attack surface indicates limited opportunities for attack.