Removes the Attack Surface

This article is part of the Quantum Snake Oil Dictionary, a series examining terms used in quantum technology marketing. The series is divided into Red Flag Terms (terms with no established technical meaning that almost always signal hype or fraud) and Misused Terms (legitimate concepts routinely stripped of context in marketing). This entry is a Red Flag Term.

“Removes the Attack Surface”

A note before we begin. This entry examines claims that a product “removes,” “eliminates,” or leaves “no” attack surface. I am not writing about any specific company or product. Reducing attack surface is a real and valuable goal. Removing it entirely is not a goal, because it is not achievable, and a vendor who claims to have done it has told you something important about the vendor.

There Is No Such Thing as Zero Attack Surface

A system’s attack surface is the sum of all the points where an attacker could try to get in or extract data: network interfaces, software dependencies, configuration, credentials, the people who operate it, the physical hardware. Good security work shrinks that surface. It removes unused services, narrows permissions, patches dependencies, and limits who can touch what.

What it cannot do is reduce the surface to nothing, because a system that does useful work must accept input, process data, and produce output, and each of those is a point of contact. A system with no attack surface is a system with no function. The moment data is decrypted to be read, a key is loaded to be used, or a person logs in to do their job, surface exists. This is not pessimism. It is the definition of what a working system is.

Encryption Relocates the Surface, It Does Not Remove It

Strong cryptography is one of the best tools for shrinking and shifting attack surface, which is exactly why the overclaim is tempting. Encrypt data at rest and an attacker who steals the disk gets ciphertext instead of secrets. The exposure has moved from the data to the key.

That move is the point worth understanding. Encryption relocates the valuable target. It does not delete it. After you encrypt everything, the attack surface becomes the key management, the implementation that performs the cryptography, the endpoints where data must be decrypted to be used, and the humans who hold access. Those are smaller and better-defended targets than plaintext lying in the open, which is real progress. They are not the absence of a target. A vendor who says encryption removed the attack surface has skipped the part where the surface moved to the keys.
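The relocation can be shown with a small envelope-encryption sketch. This is an added example, not code from the article or from any product: the cipher is a constructed HMAC-based stand-in for a real AEAD such as AES-GCM, and the names `provision` and `exposure` are hypothetical.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Constructed stand-in cipher (HMAC-SHA256 in counter mode); use AES-GCM in real systems.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def provision(secret):
    """Encrypt a record at rest; return (contents of the disk, contents of the key store)."""
    kek = os.urandom(32)  # key-encryption key, held off the disk
    dek = os.urandom(32)  # data-encryption key, stored only in wrapped form
    disk = {"record": seal(dek, secret), "wrapped_dek": seal(kek, dek)}
    return disk, {"kek": kek}

def exposure(disk, held_keys):
    """Return the plaintext reachable with the disk plus the given keys, or None."""
    for kek in held_keys:
        try:
            dek = unseal(kek, disk["wrapped_dek"])
            return unseal(dek, disk["record"])
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    secret = b"constructed sample record: account 0000, balance 12.50"
    disk, key_store = provision(secret)
    print("stolen disk only      :", exposure(disk, []))
    print("disk + unrelated key  :", exposure(disk, [bytes(32)]))
    print("disk + key store (KEK):", exposure(disk, [key_store["kek"]]))
```

The disk alone yields nothing, while the 32-byte key-encryption key yields the whole record: the valuable target is now the key store and whatever process is allowed to call it.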

The Absolute-Security Tell

Claims of completeness are among the most durable warning signs in the field, and they predate quantum marketing by decades. “Unbreakable,” “unhackable,” “zero exposure,” and “no attack surface” all make the same move: they replace a measurable, bounded claim with an absolute one. Security professionals distrust absolutes for a simple reason. Real systems are evaluated by how much risk they carry and how it is managed, never by a promise that risk has reached zero. As the long history of cryptographic snake oil shows, the vendors most confident that they have eliminated all risk are usually the ones who have looked least hard for it.

The accurate version of the claim is quantitative. A good architecture reduces attack surface, names what remains, and explains how the residual risk is contained. A snake-oil version skips the measurement and jumps to elimination, because elimination sounds stronger and asks the buyer to stop counting.

Questions to Ask a Vendor

“What attack surface remains after your product is deployed, and how is it defended?” Every honest answer includes a remainder: keys, endpoints, operators, dependencies. An answer of “none” is the finding.

“Where did the protected target move to?” Good security relocates value to a smaller, harder target. Ask the vendor to name it. If they cannot, they have not thought in those terms.

“How would an attacker who already has a foothold on an endpoint proceed?” This bypasses the perimeter framing and tests whether the vendor has modeled the surface that always remains.

The Bottom Line

Reducing attack surface is one of the most useful things a security product can do. Removing it is not something any product can do, because a system that functions must expose points of contact, and encryption moves the valuable target rather than erasing it. Treat “removes the attack surface” the way you would treat “unbreakable”: as a claim that has crossed from engineering into marketing. The trustworthy version tells you what surface remains and how it is held. The other version tells you to stop asking.

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.