Skip to content
All services
Recon · full visibility

Attack Surface Mapping & Recon

You cannot protect what you do not know about. Attack surface mapping goes beyond the quick check and builds a comprehensive inventory of your external assets – including the subdomains and services that day-to-day operations forgot long ago.

Available from plan Starter.Engine: Recon (reconftw)

Includes the ArgosDNS connector as an additional, resolved subdomain source.

What we check

Here is what the Recon & mapping covers – concrete and verifiable.

  • Comprehensive subdomain enumeration from multiple sources
  • ArgosDNS connector as an additional, resolved subdomain source
  • Web technology detection and service fingerprinting
  • Port and service mapping across the whole domain
  • Identification of shadow IT, staging and legacy hosts
  • Building a searchable asset inventory

Your benefits

What the Recon & mapping actually gives you – beyond the pure technology.

Full visibility

You see your entire external attack surface in one place – including the assets nobody had on their radar anymore.

Uncover shadow IT

Forgotten staging environments and legacy subdomains are a favourite entry point. Mapping surfaces them before an attacker does.

A solid foundation

A clean asset inventory is the basis for every deeper check – from the deep scan to continuous validation.

Spot changes

Newly appearing hosts and services become visible, so sprawl is noticed early.

How it works

  1. 1

    Define scope

    Set the domain(s) that belong to the attack surface.

  2. 2

    Broad enumeration

    SnapScan pulls subdomains from multiple sources including ArgosDNS and resolves them.

  3. 3

    Map services

    Reachable web services are fingerprinted and classified by technology.

  4. 4

    Use the inventory

    The result lands as a searchable inventory in the console – the basis for deeper checks.

Typical findings

  • Publicly reachable staging environment without protectionhigh
  • Forgotten subdomain running an outdated applicationmedium
  • Dangling DNS record (subdomain-takeover risk)medium
  • Unexpectedly exposed management servicelow

Example finding categories. Actual results depend on your environment.

Use cases

  • Building a complete external asset inventory
  • Uncovering shadow IT and forgotten subdomains
  • Preparing a targeted deep scan or pentest
  • Monitoring a growing domain landscape

Frequently asked questions

How is this different from the fast scan?

The fast scan is time-boxed and optimised for quick results. Mapping uses additional sources for the most complete inventory of your attack surface possible.

What is ArgosDNS?

An additional subdomain source fed into recon as an include list – the discovered names are resolved along the way, not just listed.

Can I reuse the inventory?

Yes. The discovered assets are available in the console and form the basis for deep scans, AI pentest and continuous validation.

Goes well with

Ready for the Recon & mapping?

Start with a free scan or talk to us about the plan that fits your use case.