Attack Surface
The Attack Surface module provides continuous discovery, inventory, and monitoring of every externally-facing digital asset tied to your organization. In modern enterprises, the attack surface extends far beyond known web servers -- it includes forgotten subdomains, shadow IT applications, third-party JavaScript loaded on your pages, misconfigured SSL certificates, and SSO integrations you may not even know exist. ShadowMap makes this invisible surface visible and actionable.
Why Attack Surface Visibility Matters
Most breaches begin with assets the security team did not know about. Common blind spots include:
- Forgotten staging environments left running after a project ends, often without patching or monitoring.
- Shadow IT applications spun up by business units outside the IT procurement process.
- Expired SSL certificates that force users onto insecure connections or break service entirely.
- Third-party scripts injected by marketing teams without security review, creating supply-chain risk.
- Deprecated SSO endpoints that still accept authentication, bypassing current identity policies.
- Open redirects on legitimate domains that attackers weaponize for phishing campaigns.
Continuous attack surface monitoring closes these gaps by discovering assets the way an attacker would -- from the outside in.
How Discovery Works
ShadowMap uses multiple discovery methods, running continuously so that new assets appear within hours of deployment:
| Method | What It Finds |
|---|---|
| DNS enumeration | Subdomains, MX records, TXT records, NS delegations, CNAME chains |
| Certificate Transparency (CT) logs | SSL certificates issued for your domains, including wildcard and SAN entries, revealing hosts you may not have registered in your asset inventory |
| Web crawling and spidering | Web applications, embedded JavaScript trackers, SSO login endpoints, redirect chains, technology stacks, and linked third-party resources |
| App store scanning | Mobile applications on Google Play Store and Apple App Store that reference your brand name or associated keywords |
| Cloud source import | Assets imported from your connected cloud providers (AWS, Azure, GCP) via the Cloud Sources integration, ensuring cloud-hosted infrastructure is included in scope |
| Passive intelligence feeds | Data from threat intelligence sources that reference your domains, IPs, or certificates |
Each discovered asset is enriched with metadata (hosting provider, geolocation, technology stack, risk score) and correlated across modules so you can see, for example, which SSL certificate protects which web application on which subdomain.
Modules
| Module | Description |
|---|---|
| Web Applications | All discovered web applications with risk scoring, status workflow, and deep detail views covering SSL, threat exposure, and confidence attribution |
| Mobile Applications | Genuine and potentially unauthorized mobile apps found on Google Play Store and Apple App Store, with static analysis and extract capabilities |
| SSL Certificates | Complete SSL/TLS certificate inventory with grade scoring, expiry tracking, issuer details, and linked application mapping |
| JS Trackers | Third-party JavaScript trackers detected across your web applications, grouped by provider with account-level visibility |
| Single Sign-On | SSO provider configurations (OAuth, OIDC, SAML) detected across your domains, revealing authentication dependencies and shadow IT |
| Links & Redirects | External links and redirect chains found in your web properties, classified by type and risk status |
Workflow Integration
Attack Surface findings feed into the broader ShadowMap platform:
- Alerts are generated when new high-risk assets are discovered or existing assets change state (e.g., SSL certificate expires, new subdomain appears).
- SLA policies can be applied so that newly discovered critical-risk assets must be triaged within your defined time window.
- Dashboard widgets aggregate attack surface metrics into your executive overview.
- Reports include attack surface trends for stakeholder communication.
- Vulnerability scanning can be triggered against discovered web applications through the Vulnerability Scan settings.
Related
- Asset Inventory -- Domains, subdomains, IP addresses, and cloud assets
- Dashboard Overview -- Aggregated risk metrics across all modules
- Vulnerability Overview -- Vulnerability scan results for discovered assets
- Cloud Sources -- Connect cloud providers to import hosted assets
- SLA Policies -- Define response time requirements for attack surface findings