Attack Surface Mapping

Mapping Your Exposure

Attack Surface Mapping checks your public exposure as a company to attacks! During the analysis phase I use professional reconnaissance techniques to gather as much information about your publicly attackable services as possible. This includes the use of OSINT (Open-Source Intelligence) techniques and Dorking via public search engines and repositories.

All identified network segments are analyzed and scanned to identify as many exposed services as possible. This includes host detection techniques as well as service fingerprinting. I then check the retrieved information (like used components, and their versions) against publicly known vulnerabilities (CVEs and exploit databases) to gather direct vulnerability intelligence for the identified services.

Phase Two: Deeper Detail Checks

After the initial reconnaissance and scanning phase I triage the gathered information to recommend where to go deeper in phase two: This is a perfect point for an in-between conf-call where you retrieve the first results to decide where (and how deep) this second phase should focus on. That way you’re always in control of which discovered services are deeper checked next. That two-step approach also ensures that the targets are matching the pentest scope of your company to avoid any unwanted side effects.

For the targets identified as most interesting from an attack surface perspective I can execute a deeper blackbox pentest as a follow-up action if desired.

Detailed Reporting

The resulting data is processed into several reporting formats, to give high-level overviews and statistics (which can be used in trend detection when compared with previous attack surface mappings) as well as detail reports by host, service, and vulnerability category as direct input into remediation efforts.

After sending the report an on-site or remote debriefing meeting will be arranged to further discuss the report and any potential questions along with the team members assigned to remediate the findings.


Attack surface mapping can be executed with no or minimal prior knowledge of your company (blackbox) remote or on-site.

All checks and tests can be executed remotely as well as on-site at your office location. As prerequisites the following input is required to start the analysis:

  • IP-Ranges of your company that are defined as in-scope for the attack surface mapping
  • Optionally: Domain names of services that should be included in the analysis and checked in more detail

As most attack surface missions are quite individual to your company and current needs: Let’s talk