Aspects of the disclosure relate to quantification of attack surfaces in an enterprise computing system. A computing platform may receive indications of usage of a plurality of controls associated with an enterprise computing system. The computing platform may determine, based on a mapping between the plurality of controls and a plurality of attack vectors, one or more controls of the plurality of controls that are mapped to an attack vector. The computing platform may determine respective compliance scores of the one or more controls, and determine, based on the respective compliance scores, a vulnerability score associated with the attack vector. The computing platform may transmit an indication of the determined vulnerability score associated with the attack vector.