Mapping your exposure
You probably know what your company runs — but do you know what’s actually visible from the outside? Attack surface mapping answers that question. I look at your organization from an attacker’s perspective: what can be found, what’s exposed, and what shouldn’t be.
The goal is straightforward: identify everything that’s reachable before someone with bad intentions does.
Phase one: reconnaissance and scanning
During the first phase I use professional reconnaissance techniques to gather as much information as possible about your publicly reachable services. This includes OSINT (Open-Source Intelligence) and search-engine dorking via public search engines and code repositories: the same methods a real attacker would use, just without the malicious intent.
All identified network segments are then analyzed and scanned to find exposed services, using host discovery and service fingerprinting. I check the retrieved information (such as the components in use and their versions) against publicly known vulnerabilities (CVEs and exploit databases) to gather direct vulnerability intelligence for each identified service.
What often surprises companies at this stage: forgotten staging environments, legacy subdomains that nobody decommissioned, or services running outdated software that nobody was aware of anymore. These are exactly the things attackers look for first.
Phase two: deeper detail checks
After the initial reconnaissance and scanning phase I triage the gathered information and recommend where to go deeper. This is a natural point for an in-between call where you get the first results and decide together where (and how deep) the second phase should focus. You stay in control of which discovered services get a closer look.
This two-step approach also makes sure the targets match your company’s pentest scope — avoiding any unwanted side effects on systems you’d rather leave untouched.
For the targets identified as most interesting from an attack surface perspective, I can execute a deeper blackbox pentest as a follow-up action.
Detailed reporting
The resulting data is processed into several reporting formats. High-level overviews and statistics support trend detection when compared with previous attack surface mappings; detail reports by host, service, and vulnerability category serve as direct input into remediation efforts.
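To make the trend view and the per-host detail concrete, here is an added example (not part of this page or the author's own tooling) that compares two mapping snapshots, reports newly exposed, removed and version-changed services, counts services per host, and flags hostnames that look like the forgotten staging or legacy environments mentioned under phase one. The record format, the hostname keyword heuristic and both sample snapshots are constructed for illustration.

```python
"""Compare two attack-surface mapping snapshots and report what changed.

Added example, not part of the original page or the author's own tooling.
The record format (host, port, service, version), the hostname heuristic
and both sample snapshots are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    version: str


# Constructed sample: what the previous mapping found.
PREVIOUS = [
    Exposure("www.example.com", 443, "https", "nginx 1.24.0"),
    Exposure("mail.example.com", 25, "smtp", "postfix 3.8"),
    Exposure("staging.example.com", 8080, "http", "tomcat 9.0.50"),
]

# Constructed sample: what the current mapping found.
CURRENT = [
    Exposure("www.example.com", 443, "https", "nginx 1.26.0"),
    Exposure("mail.example.com", 25, "smtp", "postfix 3.8"),
    Exposure("staging.example.com", 8080, "http", "tomcat 9.0.50"),
    Exposure("staging.example.com", 5432, "postgresql", "15.3"),
    Exposure("old-api.example.com", 80, "http", "apache 2.4.29"),
]

# Hostname fragments that often mark environments nobody remembers owning.
# Heuristic chosen for this example; tune it to your own naming scheme.
REVIEW_KEYWORDS = ("staging", "old", "legacy", "test", "dev")


def _by_key(snapshot: List[Exposure]) -> Dict[Tuple[str, int], Exposure]:
    """Index a snapshot by (host, port) so the two mappings can be joined."""
    return {(e.host, e.port): e for e in snapshot}


def _order(e: Exposure):
    return (e.host, e.port)


def diff_snapshots(previous, current):
    """Return what appeared, disappeared, or changed version between mappings."""
    prev, cur = _by_key(previous), _by_key(current)
    new = sorted((cur[k] for k in cur.keys() - prev.keys()), key=_order)
    removed = sorted((prev[k] for k in prev.keys() - cur.keys()), key=_order)
    changed = sorted(
        ((prev[k], cur[k]) for k in prev.keys() & cur.keys()
         if prev[k].version != cur[k].version),
        key=lambda pair: _order(pair[0]),
    )
    return {"new": new, "removed": removed, "changed": changed}


def services_per_host(snapshot):
    """High-level overview: number of exposed services per host."""
    return dict(Counter(e.host for e in snapshot))


def review_candidates(snapshot):
    """Hosts whose name suggests a staging/legacy system worth a closer look."""
    return sorted({e.host for e in snapshot
                   if any(k in e.host.lower() for k in REVIEW_KEYWORDS)})


def render_report(previous, current):
    """Plain-text summary combining the trend view and the per-host detail."""
    delta = diff_snapshots(previous, current)
    lines = [f"Exposed services: {len(previous)} -> {len(current)}"]
    for e in delta["new"]:
        lines.append(f"NEW      {e.host}:{e.port} {e.service} ({e.version})")
    for e in delta["removed"]:
        lines.append(f"REMOVED  {e.host}:{e.port} {e.service} ({e.version})")
    for old, new in delta["changed"]:
        lines.append(f"CHANGED  {old.host}:{old.port} {old.version} -> {new.version}")
    for host, n in sorted(services_per_host(current).items()):
        lines.append(f"HOST     {host}: {n} service(s)")
    for host in review_candidates(current):
        lines.append(f"REVIEW   {host}: name suggests a staging or legacy system")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(PREVIOUS, CURRENT))
```

Keying on (host, port) rather than on the whole record is what makes a version change show up as CHANGED instead of as one removal plus one addition; the version strings themselves would be the input for the CVE lookup described under phase one, which this example deliberately leaves out.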
After sending the report, an on-site or remote debriefing meeting will be arranged to further discuss the report and any potential questions along with the team members assigned to remediate the findings.
Prerequisites
Attack surface mapping can be executed with no or minimal prior knowledge of your company (blackbox).
All checks and tests can be executed remotely as well as on-site at your office location. The following input is required to start the analysis:
- IP ranges of your company that are defined as in scope for the attack surface mapping
- Optionally: Domain names of services that should be included in the analysis and checked in more detail
As most attack surface mapping engagements are tailored to your company and its current needs: let's talk.