Troubleshooting

This page covers common issues you may encounter with Surface Monitoring and how to resolve them.

Discovery Issues

Subdomains Not Being Found

Surface Monitoring uses Certificate Transparency logs, DNS enumeration, and brute-forcing to discover subdomains. Some subdomains may not be found if:

  • No DNS records exist: Subdomains that have been removed from DNS or never had public DNS records cannot be discovered through DNS-based methods.
  • No certificates issued: Subdomains that do not have SSL/TLS certificates will not appear in Certificate Transparency logs. Internal-only subdomains that use private CAs are not logged in public CT.
  • Non-standard naming: Subdomains using highly unique or random names may not be found through brute-forcing. Brute-force discovery relies on wordlists and learned patterns.
  • Recent creation: Newly created subdomains may take up to 72 hours to appear in discovery results, depending on the discovery method.

Resolution: Connect cloud accounts to improve discovery coverage. Cloud connectors discover assets directly from your cloud provider, regardless of DNS configuration. You can also manually add specific subdomains if they are not being discovered automatically.

IP Addresses Missing

IP addresses are discovered through DNS resolution of your subdomains. Missing IPs typically indicate:

  • The subdomain’s DNS record does not resolve to an IP (e.g., it is a CNAME to a CDN)
  • The IP was discovered but belongs to a CDN or shared hosting provider and is listed under that context

Resolution: Check the DNS records for the affected subdomain. If the subdomain uses a CNAME chain, the final IP resolution is tracked. Cloud connectors can surface IPs that are not directly exposed via DNS.

Scanning Issues

WAF Blocking Scanner Traffic

If your Web Application Firewall (WAF) blocks Detectify’s scanner, assessments will return incomplete or inaccurate results. Symptoms include:

  • Findings showing generic connection errors
  • Expected vulnerabilities not being detected
  • Assets appearing as unreachable despite being online

Resolution: Allowlist the Detectify scanner IP addresses and user agent in your WAF configuration. See Configuration for the current scanner IPs and user agent string.
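
To confirm whether the WAF is the cause, count how the scanner's requests were answered in your WAF or edge access log. The following is an added example, not Detectify code: the scanner IPs and user agent are placeholders (take the real values from Configuration), the log lines are constructed, and the set of "block" status codes is an assumption about a typical WAF.

```python
import re
from collections import Counter

# Placeholders: replace with the scanner IPs listed on the Configuration page.
SCANNER_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
# Assumption: status codes a WAF commonly returns when blocking or challenging.
BLOCK_STATUSES = {403, 406, 429, 503}

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 403 512 "-" "ExampleScannerUA"
203.0.113.10 - - [12/Mar/2025:10:00:02 +0000] "GET /login HTTP/1.1" 403 512 "-" "ExampleScannerUA"
203.0.113.11 - - [12/Mar/2025:10:00:03 +0000] "GET /api HTTP/1.1" 200 1024 "-" "ExampleScannerUA"
198.51.100.7 - - [12/Mar/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:10:00:05 +0000] "GET /admin HTTP/1.1" 429 0 "-" "ExampleScannerUA"
"""

# Client IP is the first field; the status code follows the quoted request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def scanner_block_report(log_text, scanner_ips=SCANNER_IPS, threshold=0.5):
    """Per scanner IP: requests seen, requests blocked, and a likely-blocked flag."""
    total, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) not in scanner_ips:
            continue  # unparseable line or traffic from another client
        ip, status = m.group(1), int(m.group(2))
        total[ip] += 1
        if status in BLOCK_STATUSES:
            blocked[ip] += 1
    return {
        ip: {
            "requests": total[ip],
            "blocked": blocked[ip],
            "likely_blocked": total[ip] > 0 and blocked[ip] / total[ip] >= threshold,
        }
        for ip in sorted(scanner_ips)
    }

if __name__ == "__main__":
    for ip, row in scanner_block_report(SAMPLE_LOG).items():
        print(ip, row)
```

A scanner IP with zero requests in the log is also worth checking: the traffic may be dropped by a network firewall before it reaches the layer that writes this log.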

Assets Showing as Unreachable

If an asset appears in your inventory but assessments report it as unreachable:

  • Verify the asset is publicly accessible from the internet
  • Check for IP-based access restrictions or geo-blocking that might affect requests from Ireland (EU scanner location)
  • Confirm DNS resolution is returning a valid, routable IP address
  • Check for firewall rules that may be blocking the scanner IPs
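
The DNS checks in this section and in "IP Addresses Missing" above can be run against the answer section printed by `dig +noall +answer <subdomain>`. The following is an added example, not Detectify code: it walks the CNAME chain to the final addresses and separates out addresses an external scanner can never reach. The sample output is constructed, and the list of non-routable ranges is this example's own choice.

```python
import ipaddress

# Constructed sample of `dig +noall +answer shop.example.com` output (not real data).
SAMPLE_DIG = """\
shop.example.com.            300 IN CNAME shop.cdn.example.net.
shop.cdn.example.net.         60 IN CNAME edge-7.cdn.example.net.
edge-7.cdn.example.net.       60 IN A     198.51.100.20
edge-7.cdn.example.net.       60 IN A     10.0.0.5
"""

# Ranges that are not reachable from the public internet (example's own list).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

def parse_answers(text):
    """Map owner name -> list of (type, rdata) from dig answer-section lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank line, comment, or not a resource record
        name, rtype, rdata = parts[0], parts[3].upper(), parts[4]
        records.setdefault(name.rstrip(".").lower(), []).append(
            (rtype, rdata.rstrip(".").lower()))
    return records

def resolve_chain(text, start, max_hops=10):
    """Follow CNAMEs from `start`; return (chain, routable_ips, non_routable_ips)."""
    records = parse_answers(text)
    name = start.rstrip(".").lower()
    chain = [name]
    for _ in range(max_hops):
        rrs = records.get(name, [])
        ips = [r for t, r in rrs if t in ("A", "AAAA")]
        if ips:
            bad = [ip for ip in ips
                   if any(ipaddress.ip_address(ip) in n for n in NON_ROUTABLE)]
            return chain, [ip for ip in ips if ip not in bad], bad
        targets = [r for t, r in rrs if t == "CNAME"]
        if not targets or targets[0] in chain:  # dangling CNAME or loop
            break
        name = targets[0]
        chain.append(name)
    return chain, [], []  # chain ended without any address record

if __name__ == "__main__":
    print(resolve_chain(SAMPLE_DIG, "shop.example.com"))
```

An empty address list with a chain longer than one name means the last CNAME target has no A or AAAA record, which matches the first cause listed under "IP Addresses Missing".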

Incomplete Port Scan Results

Port scanning runs on a tiered schedule (24 hours for ports 80/443, 48 hours for top 200, 72 hours for full range). If you expect ports to appear that are not showing:

  • Wait for the full 72-hour scan cycle to complete
  • Verify the ports are open from an external perspective (not just internal)
  • Check that no firewall rules are blocking the scanner IPs on those ports

Technology Fingerprinting Issues

Incorrect Technology Detection

Technology fingerprinting is based on patterns in HTTP responses, HTML content, JavaScript files, and HTTP headers. Occasionally, fingerprinting may:

  • Report false positives if a technology’s signatures overlap with another technology
  • Miss technologies that do not expose detectable signatures in their public-facing responses
  • Report outdated versions if version detection relies on static file hashes that have not been updated

Resolution: Technology fingerprinting results should be treated as indicators rather than definitive inventories. Cross-reference with your own deployment records for critical decisions. Report persistent inaccuracies to Detectify support for investigation.

Technologies Not Updating After Changes

After deploying changes to your infrastructure, technology fingerprinting may take up to 72 hours to reflect the new state. This is the standard fingerprinting cycle time.

Finding Issues

Expected Vulnerability Not Reported

If you know a vulnerability exists but Surface Monitoring has not reported it:

  • Verify the asset is being reached by the scanner (no WAF blocks or network restrictions)
  • Check the assessment schedule — the specific assessment type may not have run yet
  • Surface Monitoring tests for specific vulnerability classes; not all vulnerability types are covered
  • The vulnerability may require authenticated access that Surface Monitoring does not have

Finding Marked as Fixed but Vulnerability Still Exists

Auto-fix marks a finding as Fixed when the subsequent assessment no longer detects it. This can happen if:

  • The WAF is now blocking the scanner, preventing detection
  • The asset has become unreachable
  • The vulnerability’s detectable signature changed but the underlying issue remains

Resolution: Verify remediation independently. If the finding was incorrectly marked as Fixed, it will reappear as a Regression in the next successful assessment.

Next Steps

  • Configuration — Review and update scanner access settings
  • Results — Understand finding statuses and lifecycle
  • Discovery — Learn about discovery methods and timing