Attack Surface Mapping & Recon
You cannot protect what you do not know about. Attack surface mapping goes beyond the quick check and builds a comprehensive inventory of your external assets – including the subdomains and services that day-to-day operations forgot long ago.
Includes the ArgosDNS connector as an additional, resolved subdomain source.
What we check
Here is what the Recon & mapping covers – concrete and verifiable.
- Comprehensive subdomain enumeration from multiple sources
- ArgosDNS connector as an additional, resolved subdomain source
- Web technology detection and service fingerprinting
- Port and service mapping across the whole domain
- Identification of shadow IT, staging and legacy hosts
- Building a searchable asset inventory
Your benefits
What the Recon & mapping actually gives you – beyond the pure technology.
Full visibility
You see your entire external attack surface in one place – including the assets nobody had on their radar anymore.
Uncover shadow IT
Forgotten staging environments and legacy subdomains are a favourite entry point. Mapping surfaces them before an attacker does.
A solid foundation
A clean asset inventory is the basis for every deeper check – from the deep scan to continuous validation.
Spot changes
Newly appearing hosts and services become visible, so sprawl is noticed early.
How it works
- 1
Define scope
Set the domain(s) that belong to the attack surface.
- 2
Broad enumeration
SnapScan pulls subdomains from multiple sources including ArgosDNS and resolves them.
- 3
Map services
Reachable web services are fingerprinted and classified by technology.
- 4
Use the inventory
The result lands as a searchable inventory in the console – the basis for deeper checks.
Typical findings
- Publicly reachable staging environment without protectionhigh
- Forgotten subdomain running an outdated applicationmedium
- Dangling DNS record (subdomain-takeover risk)medium
- Unexpectedly exposed management servicelow
Example finding categories. Actual results depend on your environment.
Use cases
- Building a complete external asset inventory
- Uncovering shadow IT and forgotten subdomains
- Preparing a targeted deep scan or pentest
- Monitoring a growing domain landscape
Frequently asked questions
How is this different from the fast scan?
The fast scan is time-boxed and optimised for quick results. Mapping uses additional sources for the most complete inventory of your attack surface possible.
What is ArgosDNS?
An additional subdomain source fed into recon as an include list – the discovered names are resolved along the way, not just listed.
Can I reuse the inventory?
Yes. The discovered assets are available in the console and form the basis for deep scans, AI pentest and continuous validation.
Goes well with
External scan
The 1-click check for your domain: subdomains, reachable services and known vulnerabilities – in minutes.
Deep scan
The thorough check: active vulnerability tests with verification – not guesses, but proof.
Continuous validation
Security is not a single date: ongoing re-scans, a stable finding history and an always-current risk picture.
Ready for the Recon & mapping?
Start with a free scan or talk to us about the plan that fits your use case.