
Attack Surface Visibility

Most organizations have more internet-facing assets than they realize. Shadow IT, forgotten staging environments, acquired company domains, and developer-provisioned cloud resources create blind spots that attackers can exploit. Detectify’s Surface Monitoring product provides continuous discovery and monitoring of your external attack surface.

The Visibility Problem

Common sources of unknown attack surface:

  • Shadow IT — Teams provisioning cloud resources, SaaS applications, or subdomains without going through central IT
  • Acquisitions — Domains and infrastructure inherited from acquired companies that were never fully inventoried
  • Development and staging — Temporary environments that persist after projects end
  • Third-party services — DNS records pointing to services that have been decommissioned, creating dangling DNS entries
  • Historical assets — Old marketing sites, deprecated API endpoints, and legacy applications that remain accessible

How Surface Monitoring Discovers Assets

Subdomain Enumeration

Surface Monitoring discovers subdomains through multiple techniques:

  • DNS brute forcing — Testing common subdomain patterns against your root domains
  • Certificate Transparency logs — Monitoring CT logs for certificates issued to your domains
  • DNS record analysis — Following CNAME chains, MX records, and other DNS entries
  • Web crawling — Extracting linked domains and subdomains from discovered web pages
  • Public data sources — Aggregating subdomain data from public datasets

Technology Fingerprinting

For each discovered asset, Surface Monitoring identifies:

  • Web server — Apache, Nginx, IIS, Cloudflare, and others
  • Application framework — React, Angular, Django, Rails, Spring, and others
  • CMS platform — WordPress, Drupal, Contentful, and others
  • Cloud provider — Hosting identification for AWS, Azure, and GCP
  • Third-party services — CDNs, analytics, marketing tools, and other embedded services
  • Software versions — Where detectable, specific version numbers of running software

Port Discovery

Surface Monitoring scans for open ports beyond the standard HTTP/HTTPS ports, identifying:

  • Non-standard web server ports
  • Database services exposed to the internet
  • Administrative interfaces on unusual ports
  • Development tools and debugging endpoints

Continuous Change Detection

Surface Monitoring does not perform a one-time scan. It monitors continuously and alerts on changes:

  • New subdomains — A previously unknown subdomain appears
  • New open ports — A port that was closed is now open
  • Technology changes — A web server or framework version changes
  • DNS changes — Records are added, modified, or removed
  • Certificate events — SSL/TLS certificates approaching expiration or newly issued
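
The comparison behind this kind of alerting can be sketched as a diff between two inventory snapshots. This is an added example, not Detectify's implementation: the snapshot layout, the event names, and the example.com hosts are constructed for illustration, and certificate events are left out.

```python
# Constructed snapshots: hostname -> open ports, detected tech versions, DNS records.
OLD = {
    "www.example.com": {"ports": {80, 443}, "tech": {"nginx": "1.24.0"},
                        "dns": {("A", "192.0.2.10")}},
    "shop.example.com": {"ports": {443}, "tech": {"nginx": "1.24.0"},
                         "dns": {("CNAME", "shop.cdn.example.net")}},
}
NEW = {
    "www.example.com": {"ports": {80, 443, 8080}, "tech": {"nginx": "1.26.1"},
                        "dns": {("A", "192.0.2.10")}},
    "shop.example.com": {"ports": {443}, "tech": {"nginx": "1.24.0"},
                         "dns": {("CNAME", "shop.store.example.net")}},
    "staging.example.com": {"ports": {443}, "tech": {},
                            "dns": {("A", "192.0.2.77")}},
}


def diff_snapshots(old, new):
    """Return (kind, host, detail) events for changes between two snapshots."""
    events = []
    # Hosts seen for the first time are reported with their open ports.
    for host in sorted(new.keys() - old.keys()):
        ports = ", ".join(str(p) for p in sorted(new[host]["ports"]))
        events.append(("new_subdomain", host, f"open ports: {ports}"))
    # Hosts present in both snapshots are compared field by field.
    for host in sorted(old.keys() & new.keys()):
        before, after = old[host], new[host]
        for port in sorted(after["ports"] - before["ports"]):
            events.append(("new_open_port", host, str(port)))
        for name in sorted(before["tech"].keys() | after["tech"].keys()):
            prev, cur = before["tech"].get(name), after["tech"].get(name)
            if prev != cur:  # None means "not detected" in that snapshot
                events.append(("technology_change", host, f"{name}: {prev} -> {cur}"))
        for rtype, value in sorted(after["dns"] - before["dns"]):
            events.append(("dns_added", host, f"{rtype} {value}"))
        for rtype, value in sorted(before["dns"] - after["dns"]):
            events.append(("dns_removed", host, f"{rtype} {value}"))
    return events


if __name__ == "__main__":
    for kind, host, detail in diff_snapshots(OLD, NEW):
        print(f"{kind:18} {host:22} {detail}")
```

A modified DNS record surfaces here as a removal plus an addition for the same host.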

From Visibility to Action

Discovery alone is not enough. Surface Monitoring connects visibility to security testing.

Automatic Vulnerability Assessment

As Surface Monitoring discovers assets, it runs Crowdsource modules against them to identify:

  • Known CVEs affecting detected technologies
  • SSL/TLS misconfigurations
  • Security header misconfigurations
  • Exposed administrative interfaces
  • Dangling DNS entries vulnerable to subdomain takeover

Feeding Application Scanning

Assets discovered by Surface Monitoring can be promoted to Application Scanning for deep security testing. This creates a workflow where:

  1. Surface Monitoring discovers a new subdomain
  2. Your team reviews and classifies the asset
  3. The asset is added to Application Scanning for full payload-based testing
  4. Ongoing monitoring detects future changes

Asset Classification and Grouping

Organize discovered assets by:

  • Business unit or team — Group assets by the team responsible for them
  • Environment — Distinguish production from staging, development, and test environments
  • Risk level — Classify assets by the sensitivity of the data or functionality they expose
  • Technology — Filter by technology stack for targeted security campaigns

Common Findings from Attack Surface Discovery

Organizations typically discover:

  • Forgotten staging environments with default credentials
  • Subdomains pointing to decommissioned cloud services (subdomain takeover risk)
  • Internal tools accidentally exposed to the internet
  • Legacy applications running outdated software with known CVEs
  • Development databases or administrative interfaces on non-standard ports
