Attack Surface Scanning: What We Cover

This document provides a comprehensive overview of the full scope of work performed during an Attack Surface Monitoring (ASM) scan. It outlines what information is collected from customers, how assets are discovered and validated, how issues are detected, and how results are finalized.

Our scanning engine follows a multi-phase, correlated, and enrichment-driven approach designed to give organizations complete visibility into their attack surface across internet-facing, cloud, and third-party ecosystems.

What Customers Provide as Seed Information

To initiate a scan, we request a set of starting points (“seed information”). These seeds act as reference anchors for identifying assets belonging to your organization.

We support the following seed types:

Domains – Primary domains owned by the organization
Subdomains – Known subdomains or application endpoints
IP / CIDR Blocks – Public IP ranges or individual IPs
GitHub Accounts / Organizations – Repositories and developers tied to the company
Cloud Integrations – AWS, GCP, and others (optional authenticated integrations)

Using these seeds, our platform expands, correlates, and discovers your entire external attack surface.

Phases of the ASM Scan

Phase 1 — Asset Discovery

This phase focuses on finding all possible assets linked to your organization, directly or indirectly, by combining data lakes, cloud integrations, third-party sources, and proprietary discovery engines.

1. Subdomain & Domain Discovery

Query our internal data lake for known subdomains
Pull subdomains from third-party intelligence providers
Discover new subdomains across the internet using keyword and pattern-based techniques
Identify SaaS, shadow IT, and third-party services indirectly linked to your organization

2. Network & IP Expansion

Expand customer-provided CIDR ranges into individual IP addresses
Identify responsive hosts on these IPs
Associate reverse DNS data, hosting providers, and ASN information

3. Cloud Asset Discovery (Authenticated)

From integrated cloud accounts, we enumerate and analyze assets such as:

EC2 instances
Load balancers
API Gateways
Lambda functions
S3 buckets & CloudFront distributions
SageMaker notebooks
Public endpoints and externally exposed services

4. Third-Party Asset Discovery

We collect associated assets from our proprietary third-party data lakes, including:

GitHub commits, repositories, developers, and exposed code
Postman public collections
Docker Hub repositories & container information
Public datasets and third-party API sources

5. Data Correlation & Normalization

To ensure accuracy, we run correlation across:

Subdomains
IPs
Third-party artifacts
Cloud inventory
Internet-wide cross-references

This ensures assets are not stale, random, or incorrectly attributed.

Phase 2 — Asset Validation

In this phase, all collected assets are validated, deduplicated, and filtered to ensure downstream scanning is done only on live, relevant assets.

Key Validation Steps

Liveliness Checks:
Validate whether a domain, subdomain, or IP is currently active
Third-Party Attribution Validation:
Confirm third-party assets actually belong to your organization
Enrichment:
Add metadata like IPs, DNS records, hosting details, and associations
False Asset Elimination:
Remove outdated, dead, or unrelated findings

This ensures all subsequent scans happen on a clean, accurate set of assets.

Phase 3 — Issue Scanning & Enrichment

Once assets are validated, we perform extensive security and configuration scanning to identify issues across infrastructure, cloud systems, code, and third-party exposures.

1. Port Scanning & Service Profiling

Identify all open ports across assets
Determine service type, banner information, and service versions
Capture screenshots for web ports
Profile non-web ports for running services

2. Technology & Hosting Fingerprinting

Identify web stack (frameworks, servers, CMS, JS libraries, etc.)
Detect hosting providers, CDNs, reverse proxies
Collect geolocation and country information

3. Secret Scanning

Performed across:

All domains and subdomains having open web ports
GitHub repositories
Public commits
CI/CD leaks
Cloud keys
Exposed API keys
Hardcoded credentials
Sensitive files and configuration leaks

4. Web Crawling & Deep Inspection

Crawl live web assets to discover hidden or interesting paths
Perform secret scanning within crawled pages
Extract metadata, headers, certificates, and security controls

5. CVE & Vulnerability Assessment

Detect vulnerable technologies
Map versioned software to known CVEs
Identify OWASP Top 10 vulnerabilities
Flag misconfigurations and insecure services

6. Subdomain Takeover Detection

Analyze DNS configurations
Detect orphaned or dangling DNS records
Flag high-risk takeover paths

7. Cloud Misconfiguration Scanning

IAM misconfigurations
Public resources
Overly permissive controls
Exposed endpoints
Security group issues
Cloud vendor-specific misconfigurations

8. Third-Party Correlation

Map discovered assets to your organization using similarity and association analysis
Identify shadow IT usage
Link third-party services used by employees or applications

9. Dark Web Monitoring

Detect leaks associated with provided domains or user emails
Identify mentions, breaches, credential dumps, or discussions
Correlate findings to seed information

Phase 4 — Finalization & Reporting

After all scans are complete, we run correlation logic, remove false positives, and generate the final analysis.

1. False Positive Reduction

Apply automated FP suppression algorithms
Use historical baselines and correlation to reduce noise
Filter out unreachable or irrelevant issues

2. Asset & Issue State Tracking

For each scan cycle, we determine:

Newly discovered assets
Closed assets
Re-opened assets
New issues
Resolved issues
Re-appearing issues

3. Reporting & Delivery

We generate:

Executive summary reports
Detailed issue reports
Cloud posture summaries
Visual graphs & attack surface maps
Historical trend graphs

These provide a clear understanding of exposure, risk, and remediation priorities.

Summary

Our ASM scan provides complete, correlated, and continuous visibility into your attack surface, covering:

Internet-facing assets
Cloud assets
Third-party exposures
Code repositories
Infrastructure misconfigurations
Security vulnerabilities
Dark web risks

With our multi-phase discovery → validation → scanning → reporting pipeline, organizations gain accurate, actionable, and continuously updated insights into their external security posture.

What Customers Provide as Seed Information​

Phases of the ASM Scan

Phase 1 — Asset Discovery​

1. Subdomain & Domain Discovery​

2. Network & IP Expansion​

3. Cloud Asset Discovery (Authenticated)​

4. Third-Party Asset Discovery​

5. Data Correlation & Normalization​

Phase 2 — Asset Validation​

Key Validation Steps​

Phase 3 — Issue Scanning & Enrichment​

1. Port Scanning & Service Profiling​

2. Technology & Hosting Fingerprinting​

3. Secret Scanning​

4. Web Crawling & Deep Inspection​

5. CVE & Vulnerability Assessment​

6. Subdomain Takeover Detection​

7. Cloud Misconfiguration Scanning​

8. Third-Party Correlation​

9. Dark Web Monitoring​

Phase 4 — Finalization & Reporting​

1. False Positive Reduction​

2. Asset & Issue State Tracking​

3. Reporting & Delivery​