How Does Automated Asset Discovery Work?

The Problem with Manual Asset Inventories

Most organisations have some form of asset inventory, but keeping it accurate is a persistent challenge. Infrastructure changes, new subdomains are created for marketing campaigns, developers spin up staging environments, and cloud resources are provisioned and then forgotten. The result is an inventory that lags behind reality and leaves security teams with gaps they may not know about.

Automated asset discovery addresses this by continuously enumerating your organisation’s internet-facing assets using the same open-source intelligence (OSINT) techniques and reconnaissance methods that attackers use, so that you can find and address exposure before they do.

What is Automated Asset Discovery?

Automated asset discovery is the process of using a combination of passive and active techniques to identify assets which belong to your organisation and are reachable from the internet. Rather than relying on a manually maintained list, the platform builds and updates your asset inventory on your behalf.

Discovery typically starts from a root domain (e.g. example.com) and works outward from there, using a variety of methods to identify related assets.

Discovery Techniques Explained

Certificate Transparency Monitoring

Every time an SSL/TLS certificate is issued for a domain or subdomain, it is logged in publicly accessible certificate transparency (CT) logs. These logs exist to make certificate issuance auditable, but they also serve as a rich source of subdomain intelligence.

By parsing CT logs for certificates issued to your root domain, the platform can identify new or previously unknown subdomains as soon as a certificate is issued for them. This makes CT monitoring one of the most effective passive discovery techniques available.
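The scope check a CT log consumer has to apply, as an added example that is not code from this page or from the product: the certificate entries and their Subject Alternative Names are constructed sample data, the root domain is assumed to be example.com, and names are matched on a label boundary so that look-alike domains are rejected and wildcard names are recorded separately from concrete hosts.

```python
import re
from typing import Iterable

ROOT_DOMAIN = "example.com"  # assumed root domain for this example

# Constructed sample of the dNSName SAN entries from three certificates; real
# entries would come from a CT log client or a search service over the logs.
SAMPLE_CT_ENTRIES = [
    {"cert_id": 1, "dns_names": ["www.example.com", "Example.COM", "api.example.com."]},
    {"cert_id": 2, "dns_names": ["*.staging.example.com", "staging.example.com"]},
    {"cert_id": 3, "dns_names": ["example.com.attacker.test", "notexample.com", "www.example.com"]},
]

# One valid hostname label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot; SAN entries are not always canonical."""
    return name.strip().lower().rstrip(".")


def in_scope(name: str, root: str) -> bool:
    """True if name is root itself or a proper subdomain of root.

    Matching on '.' + root rejects look-alikes such as example.com.attacker.test.
    """
    name, root = normalize(name), normalize(root)
    if name == root:
        return True
    if not name.endswith("." + root):
        return False
    labels = name[: -len(root) - 1].split(".")
    return all(lab == "*" or _LABEL.match(lab) for lab in labels)


def discover_subdomains(entries: Iterable[dict], root: str) -> dict:
    """Collect in-scope hostnames and wildcard names from CT entries."""
    hosts, wildcards = set(), set()
    for entry in entries:
        for raw in entry["dns_names"]:
            if not in_scope(raw, root):
                continue  # out of scope for this root; ignore
            name = normalize(raw)
            (wildcards if name.startswith("*.") else hosts).add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    print(discover_subdomains(SAMPLE_CT_ENTRIES, ROOT_DOMAIN))
```

A wildcard entry such as *.staging.example.com tells you a zone exists but not which hosts are in it, which is why it is kept apart from the concrete hostnames that can be fed straight into the inventory.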

DNS Enumeration

Domain Name System (DNS) enumeration involves querying DNS records to map out the hostnames, IP addresses, mail servers, and other infrastructure associated with a domain. Techniques include:

  • Subdomain brute-forcing: Testing a large dictionary of common subdomain names (e.g. api., dev., staging., admin.) against the target domain to identify which ones resolve to live hosts.
  • DNS record analysis: Examining A, AAAA, CNAME, MX, TXT, and other record types to map out infrastructure and identify potential misconfigurations.

Cloud Integration Discovery

For organisations using cloud platforms, native cloud API integrations can pull in an accurate and up-to-date list of provisioned resources directly. Rather than attempting to enumerate cloud assets from the outside, integrations with providers such as AWS and Cloudflare give the platform direct visibility into what resources exist, their configurations, and their exposure.

This is especially useful for identifying:

  • Cloud storage buckets with public access enabled.
  • Compute instances with unexpected or unnecessary port exposure.
  • Content delivery and DNS entries pointing to resources that no longer exist (a common source of subdomain takeover vulnerabilities).

Port Scanning

Once a set of hosts has been identified through passive and active discovery, port scanning is used to determine which network ports are open and accepting connections on each host. This tells the security team what services are exposed and creates a baseline that can be monitored for changes over time.

Port scan results flow directly into the vulnerability and asset management workflows, so any newly exposed service can be immediately assessed and, if necessary, assigned for remediation.
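The baseline comparison that turns repeated port scans into change alerts, as an added example that is not code from this page or from the product: the two scan snapshots are constructed sample data, and the set of services expected on an internet-facing host is an assumed policy used only to decide which newly opened services go to the review queue.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PortMap = Dict[str, Dict[int, str]]  # host -> {open port: identified service}

# Constructed sample snapshots from two scans; real input is the scanner's parsed output.
BASELINE: PortMap = {
    "203.0.113.10": {22: "ssh", 443: "https"},
    "203.0.113.11": {443: "https"},
}
CURRENT_SCAN: PortMap = {
    "203.0.113.10": {22: "ssh", 443: "https", 3389: "rdp"},
    "203.0.113.11": {},
    "203.0.113.12": {80: "http", 443: "https"},
}

# Assumed policy for this example: the only service expected on an internet-facing host.
EXPECTED_SERVICES = {"https"}


@dataclass
class ExposureDelta:
    new_hosts: List[str] = field(default_factory=list)
    gone_hosts: List[str] = field(default_factory=list)
    opened: List[Tuple[str, int, str]] = field(default_factory=list)  # host, port, service
    closed: List[Tuple[str, int, str]] = field(default_factory=list)
    changed: List[Tuple[str, int, str, str]] = field(default_factory=list)  # host, port, old, new


def diff_exposure(baseline: PortMap, current: PortMap) -> ExposureDelta:
    """Compare two scan snapshots host by host and port by port.

    Ports on a host absent from the baseline are reported as opened as well.
    """
    delta = ExposureDelta()
    delta.new_hosts = sorted(set(current) - set(baseline))
    delta.gone_hosts = sorted(set(baseline) - set(current))
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        for port in sorted(set(after) - set(before)):  # newly exposed
            delta.opened.append((host, port, after[port]))
        for port in sorted(set(before) - set(after)):  # no longer listening
            delta.closed.append((host, port, before[port]))
        for port in sorted(set(before) & set(after)):  # same port, different service
            if before[port] != after[port]:
                delta.changed.append((host, port, before[port], after[port]))
    return delta


def review_queue(delta: ExposureDelta, expected=EXPECTED_SERVICES) -> List[Tuple[str, int, str]]:
    """Newly opened services outside the expected set: the items to assess and assign."""
    return [item for item in delta.opened if item[2] not in expected]
```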

Passive vs Active Discovery

It is useful to understand the distinction between passive and active discovery methods:

Passive Discovery
  • Definition: Gathering information from public sources without interacting with the target directly.
  • Examples: CT log monitoring, OSINT, search engine queries.
  • Detectability: Undetectable by the target.
  • Best used for: Initial reconnaissance, ongoing monitoring, stealth.

Active Discovery
  • Definition: Sending traffic to or interacting with the target to gather information.
  • Examples: Port scanning, DNS brute-forcing, web crawling.
  • Detectability: May appear in logs or trigger alerts on the target.
  • Best used for: Comprehensive enumeration, service identification.

Both approaches are used in combination to build the most complete picture of your external attack surface. Passive discovery provides broad coverage with minimal noise, while active techniques fill in the gaps and verify what is actually live and reachable.

How New Assets are Handled

When the platform discovers a new asset (whether through CT log monitoring, DNS enumeration, or an integration), it is automatically added to your asset inventory.

Assets can be tagged, assigned to specific teams or environments through tasks, and are linked to any discovered vulnerabilities. This means that from the moment a new asset is discovered, it becomes part of your managed attack surface.

Why Continuous Discovery Matters

A one-time discovery exercise is valuable, but it quickly becomes stale. The real benefit of automated discovery comes from running it continuously:

  • A new subdomain created for a product launch is automatically added to your inventory the moment a certificate is issued for it.
  • A forgotten staging environment that resurfaces after a DNS change is detected and flagged for review.
  • An integration change that exposes a new cloud resource triggers an immediate alert so the team can assess the risk.

This continuous loop of discover, assess, monitor, and respond is the foundation of a mature external attack surface management programme.

To explore how the Attack Surface Center implements these discovery techniques, see the Automated Discovery feature page.