Discovery
Surface Monitoring uses multiple discovery methods running on different schedules to build and maintain a comprehensive view of your external attack surface. This page explains each discovery type, its frequency, and what affects discovery accuracy.
Subdomain Discovery
Subdomain discovery is the foundation of attack surface mapping. Surface Monitoring combines several techniques to find subdomains associated with your root domains.
Discovery Methods
- Certificate Transparency (CT) monitoring: Continuously monitors CT logs for certificates issued to your domains. New subdomains are detected as soon as a certificate is logged.
- DNS enumeration: Resolves known DNS record types to discover subdomains through zone relationships, MX records, NS records, and other DNS artifacts.
- Brute-forcing: Uses curated wordlists and learned patterns to discover subdomains that do not appear in CT logs or standard DNS enumeration.
Discovery Frequency
| Asset Status | Frequency |
|---|---|
| Monitored subdomains | Every 72 hours |
| Unmonitored subdomains | Once per month |
Monitored subdomains are those associated with root domains you have added to Surface Monitoring. Unmonitored subdomains are discovered incidentally (for example, through shared IP addresses) but are not part of your actively monitored scope.
IP Address Discovery
IP addresses are discovered through DNS resolution of your subdomains. When a subdomain resolves to a new IP address, the IP is added to your asset inventory.
Frequency: IP discovery happens as soon as a DNS change is observed. Surface Monitoring re-resolves every monitored subdomain as part of each discovery cycle, so a subdomain that starts resolving to a new address has that address added to the inventory in the next cycle at the latest.
IP addresses may also be discovered through cloud connectors, which provide direct visibility into cloud-hosted infrastructure regardless of DNS configuration.
DNS Record Discovery
Surface Monitoring tracks all DNS record types associated with your domains, including A, AAAA, CNAME, MX, NS, TXT, and SRV records.
Frequency: Every 24 hours for monitored domains.
DNS record changes can trigger policy alerts if you have configured policies for DNS-related events. This is particularly useful for detecting unauthorized changes or dangling CNAME records that could lead to subdomain takeover.
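The dangling-CNAME condition mentioned above can be checked offline against a record set. The following is an added example, not Surface Monitoring's own code: it follows CNAME chains through a constructed, in-memory zone (a stand-in for live DNS queries) and reports every CNAME whose target no longer resolves to an address, including the CNAME-loop case. The record names and addresses are made-up sample data.

```python
"""Flag dangling CNAME records in a set of DNS records.

Added example (not Surface Monitoring code). A CNAME is treated as dangling
when following it yields no A/AAAA answer: the target is NXDOMAIN, has only
other record types, or is part of a CNAME loop. SAMPLE_RECORDS is constructed
sample data; a real check would query live DNS instead of a dictionary.
"""
from typing import Dict, List, Tuple

# Constructed sample zone data: owner name -> list of (record type, value).
SAMPLE_RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "www.example.com.": [("A", "203.0.113.10")],
    "shop.example.com.": [("CNAME", "shop-prod.example-cdn.net.")],
    "shop-prod.example-cdn.net.": [("A", "198.51.100.7")],
    # The target below has no record at all: the hosted page was removed
    # but the CNAME pointing at it was never cleaned up.
    "old-blog.example.com.": [("CNAME", "oldblog.example-pages.net.")],
    "alias.example.com.": [("CNAME", "www.example.com.")],
    # Two CNAMEs pointing at each other never resolve to an address.
    "loop-a.example.com.": [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.": [("CNAME", "loop-a.example.com.")],
}


def resolve_chain(name: str, records: Dict[str, List[Tuple[str, str]]],
                  max_depth: int = 8) -> List[str]:
    """Follow CNAMEs starting at `name`; return the addresses reached (empty if none)."""
    seen = set()
    current = name
    for _ in range(max_depth):
        if current in seen:
            return []  # CNAME loop: no address will ever be reached
        seen.add(current)
        rrs = records.get(current, [])
        addrs = [value for rtype, value in rrs if rtype in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [value for rtype, value in rrs if rtype == "CNAME"]
        if not cnames:
            return []  # NXDOMAIN or no address data at this name
        current = cnames[0]
    return []  # chain too long; treat as unresolved


def find_dangling_cnames(records: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return sorted (owner, target) pairs whose CNAME target does not resolve."""
    dangling = []
    for owner, rrs in records.items():
        for rtype, target in rrs:
            if rtype == "CNAME" and not resolve_chain(target, records):
                dangling.append((owner, target))
    return sorted(dangling)


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_RECORDS):
        print(f"dangling CNAME: {owner} -> {target}")
```

A hit from this check is a candidate for review, not a confirmed takeover: whether an unresolved target can actually be claimed depends on the third-party service the name points at. The actionable outcome is the same either way, which is to remove or repoint the stale CNAME.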
Port Discovery
Open ports are discovered through scanning of IP addresses in your asset inventory. Port discovery runs in tiers based on port commonality:
| Port Range | Frequency |
|---|---|
| Ports 80 and 443 | Every 24 hours |
| Top 200 common ports | Every 48 hours |
| All remaining ports (1-65535) | Every 72 hours |
This tiered approach ensures that the most commonly used web ports are checked frequently while still providing comprehensive coverage of the full port range over time.
Technology Fingerprinting
Surface Monitoring identifies technologies running on discovered assets using fingerprinting techniques powered by the Wappalyzer technology database. This includes:
- Web servers (Apache, Nginx, IIS)
- Programming languages and frameworks (PHP, Django, Express, React, Angular)
- Content management systems (WordPress, Drupal, Joomla)
- E-commerce platforms (Shopify, Magento, WooCommerce)
- CDNs and hosting providers
- JavaScript libraries and their versions
- Analytics and marketing tools
Frequency: Technology fingerprinting runs every 72 hours for monitored assets.
Technology information is valuable for understanding your exposure to specific CVEs and for enforcing technology standards across your organization.
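To show what Wappalyzer-style fingerprinting actually does with a response, here is an added example (not Surface Monitoring's or Wappalyzer's code): a handful of constructed rules, each a regular expression over an HTTP header or the HTML body, are matched against a constructed response, and a capturing group in the pattern yields the version. The rule set and the sample response are made up for illustration and are not taken from the Wappalyzer database.

```python
"""Minimal header/body fingerprinting in the style of Wappalyzer.

Added example (not Surface Monitoring or Wappalyzer code). FINGERPRINTS is a
constructed rule set; each rule lists regexes for HTTP headers and the HTML
body. When a regex has a capturing group, the captured text is the version.
"""
import re
from typing import Dict, Optional

FINGERPRINTS = {
    "Nginx": {"headers": {"server": r"^nginx(?:/([\d.]+))?"}},
    "PHP": {"headers": {"x-powered-by": r"^PHP(?:/([\d.]+))?"}},
    "WordPress": {"html": [
        r'<meta name="generator" content="WordPress ([\d.]+)"',
        r"/wp-content/",  # no version here; only confirms presence
    ]},
    "jQuery": {"html": [r"jquery(?:-([\d.]+))?(?:\.min)?\.js"]},
}

# Constructed sample response (not a real host).
SAMPLE_HEADERS = {
    "Server": "nginx/1.25.3",
    "X-Powered-By": "PHP/8.2.7",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<!doctype html><html><head>
<meta name="generator" content="WordPress 6.5.2">
<link rel="stylesheet" href="/wp-content/themes/sample/style.css">
<script src="/wp-includes/js/jquery/jquery-3.7.1.min.js"></script>
</head><body>Hello</body></html>"""


def _merge_version(existing: Optional[str], match: "re.Match") -> Optional[str]:
    """Prefer a version captured by this match; otherwise keep what we already had."""
    captured = match.group(1) if match.groups() else None
    return captured or existing


def fingerprint(headers: Dict[str, str], body: str) -> Dict[str, Optional[str]]:
    """Return {technology: version or None} for every rule that matches the response."""
    lowered = {name.lower(): value for name, value in headers.items()}
    found: Dict[str, Optional[str]] = {}
    for tech, rule in FINGERPRINTS.items():
        for header, pattern in rule.get("headers", {}).items():
            value = lowered.get(header)
            if value is None:
                continue
            m = re.search(pattern, value, re.IGNORECASE)
            if m:
                found[tech] = _merge_version(found.get(tech), m)
        for pattern in rule.get("html", []):
            m = re.search(pattern, body, re.IGNORECASE)
            if m:
                found[tech] = _merge_version(found.get(tech), m)
    return found


if __name__ == "__main__":
    for tech, version in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{tech}: {version or 'version unknown'}")
```

The version string is what makes the result useful for CVE exposure tracking; a rule that matches only by presence (like the `/wp-content/` path) tells you the technology is there but not whether a given advisory applies, so presence-only hits should be treated as lower confidence.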
Cloud Connector Discovery
When cloud accounts are connected, Surface Monitoring pulls asset information directly from the cloud provider API. This supplements DNS-based discovery by surfacing:
- Resources without public DNS records
- Internal-facing services exposed to the internet
- Cloud storage buckets and blob containers
- Load balancers and CDN distributions
Cloud connector discovery runs on the provider’s sync schedule, typically within minutes of resource creation.
Discovery Considerations
- Wildcard DNS: Surface Monitoring uses heuristics to detect wildcard DNS responses and suppress them, so that names that resolve only because of a wildcard record do not pollute subdomain enumeration.
- DNS-only subdomains: Subdomains that exist only as DNS records without active services are still discovered and tracked in your asset inventory.
- Ephemeral infrastructure: For short-lived assets (such as auto-scaling instances), frequent discovery cycles ensure timely detection. Cloud connectors provide the most comprehensive visibility for dynamic environments.
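The wildcard heuristic above is the classic one: resolve a few random labels that cannot legitimately exist, and if they all return the same answer, the domain has a wildcard and any candidate resolving to exactly that answer is indistinguishable from noise. The following added example (not Surface Monitoring's code) implements that heuristic against a constructed resolver; the zone contents, the wildcard address and the candidate list are made-up sample data, and the resolver is injected so the logic can be run against live DNS by swapping in a real lookup function.

```python
"""Wildcard DNS detection and filtering for subdomain enumeration.

Added example (not Surface Monitoring code). The resolver is a constructed
in-memory stand-in for DNS; `detect_wildcard` and `filter_wildcard_hits`
contain the heuristic and accept any callable that maps a name to the set
of addresses it resolves to (an empty set meaning NXDOMAIN).
"""
import secrets
from typing import Callable, Dict, FrozenSet, List, Optional

Resolver = Callable[[str], FrozenSet[str]]


def make_fake_resolver(zone: Dict[str, FrozenSet[str]],
                       wildcards: Dict[str, FrozenSet[str]]) -> Resolver:
    """Constructed stand-in for live DNS: explicit records win, then wildcard answers."""
    def resolve(name: str) -> FrozenSet[str]:
        if name in zone:
            return zone[name]
        for domain, addrs in wildcards.items():
            if name.endswith("." + domain):
                return addrs
        return frozenset()
    return resolve


# Constructed sample data: example.com has a wildcard, example.net does not.
ZONE = {
    "www.example.com": frozenset({"203.0.113.10"}),
    "mail.example.com": frozenset({"203.0.113.20"}),
    "api.example.com": frozenset({"203.0.113.50"}),  # same address as the wildcard
    "www.example.net": frozenset({"198.51.100.5"}),
}
WILDCARDS = {"example.com": frozenset({"203.0.113.50"})}
RESOLVE = make_fake_resolver(ZONE, WILDCARDS)
CANDIDATES = [f"{label}.example.com" for label in
              ("www", "mail", "api", "dev", "staging", "vpn")]


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Optional[FrozenSet[str]]:
    """Resolve random labels that cannot exist. If every probe returns the same
    non-empty answer, report that answer set as the wildcard signature."""
    answers = {resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)}
    if len(answers) == 1:
        only = next(iter(answers))
        if only:
            return only
    return None


def filter_wildcard_hits(domain: str, candidates: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Split resolving candidates into real hits and wildcard-indistinguishable ones."""
    signature = detect_wildcard(domain, resolve)
    kept, suppressed = [], []
    for name in candidates:
        addrs = resolve(name)
        if not addrs:
            continue  # NXDOMAIN: not a subdomain at all
        if signature is not None and addrs == signature:
            suppressed.append(name)  # identical to the wildcard answer
        else:
            kept.append(name)
    return {"kept": kept, "suppressed": suppressed}


if __name__ == "__main__":
    print(filter_wildcard_hits("example.com", CANDIDATES, RESOLVE))
```

Note the limitation the sample data deliberately includes: `api.example.com` is a real record, but because it resolves to the same address as the wildcard it is suppressed along with the junk. A heuristic of this kind trades a few such false negatives for a clean enumeration; assets in that position are better confirmed through another source, such as CT logs or a cloud connector.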
Next Steps
- Insights — Understand your discovered assets and technologies
- Policies — Create rules that trigger on discovery events
- Configuration — Ensure the scanner can reach your assets