Features
Automated Asset Discovery Without Active Scanning
Attack surface management isn't just about the assets you know, it's about uncovering the ones you don't. Automated Discovery runs continuously in the background to identify assets, subdomains, and external threats associated with your organisation, without touching your infrastructure.
Discover Assets Unknown to You
Attack Surface Center’s automated discovery capabilities passively identify your organisation’s assets across your external attack surface without sending traffic to your infrastructure. Our automated reconnaissance discovers subdomains, IP addresses, web applications, and forgotten infrastructure that could expose your organisation to cyber threats.
Unlike active vulnerability scanning, which sends traffic to your systems, the automated discovery tools use passive techniques that include certificate transparency log analysis, DNS intelligence, OSINT data sources, and curated subdomain wordlists to map your attack surface without touching your infrastructure. This non-invasive approach discovers assets continuously without operational impact, scan notifications, or potential service disruptions.
Automated discovery runs continuously in the background, identifying new assets as they’re exposed and detecting shadow IT resources created outside your normal IT processes. From newly deployed cloud instances to forgotten development subdomains, our passive reconnaissance provides comprehensive visibility into your expanding attack surface.
Surface what you don't know you're missing
Shadow IT, forgotten cloud resources, and legacy infrastructure are among the most common sources of serious breaches. Automated Discovery helps you find these before attackers do, without requiring manual effort or active probing of your systems.
Fully passive
All automated discovery tools work from public intelligence sources only. No traffic is directed at your assets, so there’s zero operational impact.
Always running
Once configured, discovery runs automatically on a recurring basis. There’s no scheduling required, as findings appear when they’re identified.
Directly actionable
Discovered assets are automatically created or updated in your inventory, appear on the Attack Surface Map, and are available for scanning immediately.
No manual work
Verification of your root domains is a one-time step. After that, discovery maintains your inventory without any ongoing intervention.
Discover Subdomains You Didn't Know Existed
Over time, organisations accumulate subdomains from old projects, third-party services, and development environments. Automated subdomain enumeration combines curated wordlists, certificate transparency log analysis, and intelligence-led techniques to surface these systematically, keeping your inventory complete.
- Intelligence-led enumeration: We combine curated subdomain wordlists with intelligence-led techniques to maximise coverage across your domain's namespace.
- Automatic asset creation: Newly discovered subdomains are automatically added to your asset inventory and reflected in the Attack Surface Map, ready for scanning or manual review.
Keep Your Asset Inventory in Sync with DNS
Your DNS is constantly evolving where new subdomains are added, records change, and shadow IT appears without warning. DNS Intelligence automatically identifies DNS records across every domain in your organisation on a regular cadence, surfacing new assets and keeping your inventory accurate without any manual work.
- Continuous DNS resolution: Automatically resolves DNS for every tracked domain, giving you a complete picture of your DNS infrastructure.
- Certificate Transparency monitoring: TLS certificates issuance is captured from public CT logs, often providing the earliest available signal that a new subdomain or service has been deployed. We also enumerate historical CT data to surface any subdomains that may have been missed in the past.
- Subdomain discovery via DNS: CNAME, MX, NS, and SRV records that point to subdomains of your own domains are automatically created as new assets in your inventory, with no manual review needed.
- Runs automatically in the background: DNS records are resolved automatically on a recurring schedule. New records and subdomains added by your team appear in your inventory without any action on your part.
- Foundation for change detection: Resolved records are stored across runs, enabling future alerting when records change unexpectedly for an early indicator of infrastructure moves, misconfigurations, or takeover risk.
Automatically Detect Email Security Misconfigurations
Weak or missing email authentication records are a leading enabler of phishing and domain spoofing attacks. Automated discovery continuously checks your domains for SPF, DMARC, DKIM, and MTA-STS configurations, surfacing gaps before attackers can exploit them.
- SPF record analysis: Automatically retrieve and evaluate SPF records for each of your domains, identifying missing records, overly permissive configurations, and syntax errors that could allow spoofing.
- DMARC policy assessment: Check for the presence and enforcement level of DMARC policies across your domains. Weak or missing DMARC records leave your brand open to impersonation and phishing.
- DKIM key discovery: Probe for published DKIM selector records to confirm signing keys are in place. Missing or misconfigured DKIM records undermine email authentication even when SPF and DMARC are present.
- MTA-STS enforcement checks: Verify whether MTA-STS policies are published and correctly configured for your domains, ensuring inbound mail transport is protected against downgrade and interception attacks.
Detect Typosquatting and Phishing Domains Targeting Your Brand
Attackers frequently register domains that look like yours through misspellings, homoglyphs, and hyphenated variants, to conduct phishing campaigns against your customers and staff. Our typosquatting detection tools monitor for these registrations and surface them as potential threats.
- Lookalike domain monitoring: Continuously search for registered domains that could be used to impersonate your organisation, including misspellings and character substitutions.
- Homoglyph detection: Identify domains that use visually similar characters (e.g. rn vs m, 0 vs o) that are easily missed by users but trivial for attackers to register.
- Hyphenated and variant detection: Surface hyphenated versions and common structural variants of your domains that could serve as convincing phishing endpoints.
- Collaborative investigation: Findings are created as vulnerabilities in your inventory. Your team can investigate, assess the threat level, and coordinate blocking at the edge.
IP Address and Email Discovery
Beyond domain and subdomain discovery, automated tools surface the IP addresses and email addresses associated with your organisation to give you a more complete picture of your external footprint and potential social engineering exposure.
- Passive IP enumeration: Identify IP addresses associated with your domains through DNS resolution, WHOIS data, and other passive intelligence sources without scanning those addresses directly.
- Email address discovery: Surface email addresses associated with your domains from public sources. Useful for understanding your phishing exposure and social engineering risk.
- WHOIS enrichment: Retrieve registration details for discovered domains and IP ranges, providing additional context about ownership and hosting relationships.
How Automated Discovery Works
Attack Surface Center’s automated discovery operates entirely through passive reconnaissance, gathering intelligence about your attack surface without sending any traffic to your infrastructure.
Domain Verification
After you verify domain ownership, our automated discovery tools begin continuous monitoring. Verification ensures we only discover assets you’re authorised to enumerate.
Continuous Intelligence Gathering
Our systems continuously monitor certificate transparency logs, passive DNS databases, OSINT sources, and other intelligence feeds for information about your domains and subdomains.
Asset Identification
Discovered subdomains, IP addresses, and infrastructure are automatically validated, classified, and enriched with contextual information about hosting providers, technologies, and security posture.
Automatic Inventory Updates
Valid assets automatically populate your asset management system with details including DNS records, IP addresses, hosting provider, identified technologies, and last discovery date.
Attack Surface Map Integration
Newly discovered assets are immediately reflected on the Attack Surface Map, giving you a visual representation of your evolving attack surface in real time.
No Infrastructure Impact
Automated discovery never sends traffic to your assets, eliminating concerns about scan-induced outages, rate limiting, security control triggers, or operational disruptions.
Identify assets and potential threats without lifting a finger
Sign up free. Automated discovery runs from your first verified domain with no configuration required.
Common questions
Once you’ve subscribed and verified your root domain names, the available automated discovery tools run regularly in the background without any scheduling or manual invocation required. Findings are automatically imported into your asset inventory.
No. All automated discovery tools use passive, intelligence-led techniques. They work from public data sources only and never send traffic directly to your assets. There is zero operational impact.
Yes. Users with the appropriate permissions can toggle individual discovery tools on or off at any time from the automations settings page.
Discovery runs automatically on a regular cadence based on your plan. Starter plans run automations monthly; Advanced plans run them daily for near-continuous coverage.
Yes, the team are actively working on expanding automated discovery to cover additional external and internal attack surface scenarios. Sign up and stay updated on future releases.