Getting Started with Surface Monitoring
This guide walks you through setting up Surface Monitoring for the first time. By the end, you will have a monitored domain with cloud connectors feeding asset discovery.
Prerequisites
- A Detectify account with Surface Monitoring enabled
- Administrative access to your domain’s DNS records (for verification)
- Cloud provider credentials (optional, for cloud connectors)
Step 1: Add a Root Domain
A root domain is the starting point for all discovery. Surface Monitoring discovers subdomains, IP addresses, and services branching from each root domain you add.
- Navigate to the Surface Monitoring section in your Detectify dashboard
- Select Add domain
- Enter your root domain (e.g.,
example.com) - Choose your verification method
Step 2: Verify Domain Ownership
Before Surface Monitoring begins scanning, you must verify that you own the domain. This prevents unauthorized scanning of domains you do not control.
DNS TXT Record Verification
- Copy the verification TXT record value provided by Detectify
- Add a TXT record to your domain’s DNS zone with the provided value
- Return to Detectify and select Verify
- DNS propagation may take up to 24 hours, though most records propagate within minutes
Alternative Verification Methods
Detectify supports additional verification methods depending on your setup. Check the verification dialog for all available options for your domain.
Step 3: Connect Cloud Accounts
Cloud connectors provide additional discovery coverage by pulling asset information directly from your cloud provider accounts. This surfaces assets that may not be discoverable through DNS alone.
Supported Cloud Providers
| Provider | What It Discovers |
|---|---|
| AWS | EC2 instances, ELBs, S3 buckets, CloudFront distributions, Route 53 records |
| Azure | Virtual machines, load balancers, App Services, DNS zones |
| GCP | Compute instances, Cloud Storage buckets, Cloud DNS records |
| Cloudflare | DNS records, proxied domains |
| GoDaddy | DNS records, registered domains |
| DigitalOcean | Droplets, load balancers, DNS records |
| Alibaba Cloud | ECS instances, SLB, DNS records |
| IBM NS1 | DNS zones and records |
To connect a cloud account:
- Navigate to Settings > Cloud connectors
- Select your cloud provider
- Follow the provider-specific setup instructions to create a read-only access role or API key
- Enter the credentials and select Connect
Cloud connectors use read-only access and do not modify your cloud infrastructure.
Step 4: Review Initial Discoveries
After verification, Surface Monitoring begins discovering assets associated with your domain. Initial discovery typically completes within 72 hours, though many assets appear within the first few hours.
What to Expect
- First hours: Certificate Transparency results and DNS enumeration surface known subdomains
- First 24 hours: IP addresses are resolved, port scanning begins on common ports (80, 443)
- First 72 hours: Full subdomain brute-forcing completes, all port ranges are scanned, technology fingerprinting runs
Reviewing Discoveries
Navigate to the Assets view to see discovered domains, subdomains, IP addresses, and technologies. Each asset shows:
- When it was first discovered
- Associated IP addresses and DNS records
- Detected technologies and versions
- Open ports and services
- Any identified vulnerabilities
Step 5: Configure Notifications
Set up notifications to stay informed about new discoveries and findings:
- Navigate to Settings > Integrations
- Connect your preferred notification channels (email, Slack, Microsoft Teams, or others)
- Optionally, create Policies to receive alerts for specific attack surface changes
Next Steps
- Discovery — Understand discovery timing and methods in detail
- Policies — Set up rules to monitor for specific changes
- Configuration — Configure scanner access through your WAF or firewall