How Surface Monitoring Works
Surface Monitoring follows a five-step process to continuously discover and assess your external attack surface: onboarding, discovery, testing, alerting, and ongoing monitoring.
Step 1: Onboarding
You begin by adding one or more root domains to Surface Monitoring. Each root domain must be verified to confirm ownership. You can also connect cloud provider accounts to expand discovery coverage beyond DNS-based methods.
Step 2: Discovery
Surface Monitoring uses multiple techniques to discover assets associated with your root domains:
Certificate Transparency Monitoring
Surface Monitoring continuously monitors Certificate Transparency (CT) logs to discover new subdomains as SSL/TLS certificates are issued. This catches assets the moment they go live with a certificate.
DNS Enumeration
DNS records for your domains are resolved to discover associated subdomains, IP addresses, CNAME chains, MX records, and other DNS-based relationships.
Intelligent Brute-Forcing
Surface Monitoring uses wordlists and heuristics to discover subdomains that may not appear in CT logs or public DNS records. This includes common naming patterns, environment-specific prefixes, and organization-specific terms learned from your existing assets.
Step 3: Testing
Discovered assets are automatically assessed using payload-based security tests. Each assessment type runs on a specific schedule:
| Assessment Type | Frequency | Description |
|---|---|---|
| Stateless HTTP | Every 144 hours | Tests for common web vulnerabilities using HTTP requests |
| SSL/TLS | Every 24 hours | Checks certificate validity, protocol versions, cipher suites |
| Certificate | Every 24 hours | Monitors certificate expiration, chain issues, CT compliance |
| Subdomain Takeover | Every 8 hours | Detects dangling DNS records pointing to deprovisioned services |
| GCP Bucket Takeover | Every 8 hours | Identifies Google Cloud Storage buckets vulnerable to takeover |
These tests use real payloads to confirm vulnerabilities, reducing false positives compared to signature-based scanning.
Step 4: Alerting
When Surface Monitoring discovers new assets or identifies vulnerabilities, it generates findings. You can configure notifications through:
- Email notifications
- Integration channels (Slack, Microsoft Teams, PagerDuty, OpsGenie)
- Webhooks for custom workflows
- Policy-based alerts for specific attack surface changes
Step 5: Ongoing Monitoring
Surface Monitoring runs continuously. Discovery cycles repeat to find new assets, and assessments re-run on their defined schedules. When a previously identified vulnerability is no longer detected, the finding is automatically marked as fixed.
Auto-Fix Behavior
If a vulnerability is no longer detected during a subsequent assessment cycle, Surface Monitoring automatically transitions the finding status from Active to Fixed. This keeps your findings list current without requiring manual triage of remediated issues.
Auto-fix applies only when the assessment can confirm the vulnerability is no longer present. If an asset becomes unreachable, the finding remains in its current state rather than being marked as fixed.
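The auto-fix rule above, sketched as an added example (this is not Surface Monitoring's own code). The `Outcome` names, the `Finding` structure, the check identifiers and the example.com hosts are assumptions constructed for illustration; only the Active and Fixed states come from this page, and transitions the page does not describe are left untouched.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Result of one assessment run (hypothetical names, not the product's)."""
    DETECTED = "detected"          # payload confirmed the vulnerability
    NOT_DETECTED = "not_detected"  # test ran and confirmed it is gone
    UNREACHABLE = "unreachable"    # asset could not be assessed at all


@dataclass
class Finding:
    asset: str
    check: str
    status: str = "Active"  # the page names two states: Active and Fixed


def reconcile(findings, results):
    """Apply one assessment cycle; return the (key, old, new) transitions.

    findings: dict mapping (asset, check) -> Finding, updated in place
    results:  dict mapping (asset, check) -> Outcome for this cycle
    """
    changes = []
    for key, outcome in results.items():
        finding = findings.get(key)
        if outcome is Outcome.DETECTED and finding is None:
            findings[key] = Finding(*key)
            changes.append((key, None, "Active"))
        elif (outcome is Outcome.NOT_DETECTED and finding is not None
              and finding.status == "Active"):
            finding.status = "Fixed"
            changes.append((key, "Active", "Fixed"))
        # UNREACHABLE proves nothing, so the finding keeps its current state.
    return changes


def demo():
    """Two cycles over constructed sample data (example.com hosts)."""
    tls = ("shop.example.com", "ssl_tls")
    takeover = ("old.example.com", "subdomain_takeover")
    http = ("api.example.com", "stateless_http")
    findings = {}
    reconcile(findings, {k: Outcome.DETECTED for k in (tls, takeover, http)})
    changes = reconcile(findings, {tls: Outcome.NOT_DETECTED,
                                   takeover: Outcome.UNREACHABLE,
                                   http: Outcome.DETECTED})
    return {k[0]: f.status for k, f in findings.items()}, changes
```

In the second cycle only the finding whose absence was confirmed moves to Fixed; the unreachable asset's finding stays Active, which is the case that keeps an outage from silently closing an open issue.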
Discovery and Assessment Pipeline
Root Domains → Discovery (CT, DNS, Brute-force) → Asset Inventory
                                                         ↓
Cloud Connectors → Additional Assets ──────────→ Asset Inventory
                                                         ↓
                                                  Security Tests
                                                         ↓
                                                 Findings & Alerts
                                                         ↓
                                               Continuous Monitoring
Next Steps
- Discovery — Detailed breakdown of discovery methods and timing
- Results — Understanding findings and severity levels
- Configuration — Configure scanner access and integrations