Attack Surface & Recon

Inventory an org footprint, de-cloak CDN origins, and surface shadow IT from passive data, no packets sent.

Updated July 2026Attack Surface & Recon

Attack Surface & Recon Documentation

De-cloaking an origin behind a CDN or enumerating an org footprint usually means active scans, and active scans leak your intent and trip defenses. WhisperGraph maps the surface from passive data instead: every subdomain, resolving IP, and announcing ASN, with no packets sent. You see the exposure an attacker would, including the shadow IT and forgotten infrastructure a clean asset inventory never shows.

Recon tools answer one question each, a reverse-IP here, a subdomain brute-force there, and none of them join the results into a footprint. The hosting diversity that signals shadow IT, the origin hiding behind a proxy, the ASN that ties it all together: each is a separate, noisy lookup. WhisperGraph reads a graph that has already joined DNS, Certificate Transparency, routing, and ownership, so one hop-bounded query expands a domain to its whole footprint and keeps going where scanners stop.

Everything here is passive. You are querying Whisper's index of public DNS, BGP, WHOIS, Certificate Transparency, and TLS-fingerprint data, not the target's infrastructure. No DNS queries hit their nameservers, no ports get scanned, nothing lands in their logs.

Run it

Each workflow below opens with a live result you can run on your own indicator. Anonymous runs go two hops deep; a free key raises you to three.

WorkflowWhat it does
Attack-Surface MapperDomain to its full external footprint, scored: subdomains, nameservers, mail and SPF senders, registrant, the SaaS/CNAME supply chain, real origins behind a CDN, serving IPs and their threat posture.
Find SubdomainsMap a domain's full subdomain namespace: every host under the apex, counted via the suffix index and listed from the CHILD_OF subtree, each optionally resolved to its IP, location, and announcing network.
Find the real infrastructure behind the CDNDe-cloak a CDN-fronted domain to its real origin IPs, ranked by confidence and corroborated by Certificate Transparency.
Discover assets from Certificate TransparencySurface a domain's certificates, wildcards included, seen in Certificate Transparency, with a first/last-seen timeline.
Detect subdomain takeoverEnumerate a domain's subdomains and flag dangling CNAMEs that point at deprovisioned targets.
Audit shadow-IT hosting diversitySpread an org's subdomain estate across distinct providers, ASNs, and countries to surface fragmented, unmanaged hosting.
Discover externally-visible AI infrastructureMap an org's externally-visible AI and agent footprint (api, mcp, ai, vector, llm, and agent subdomains) from the outside.
CT-SAN sibling-asset discoveryOne domain in, the other hostnames issued certs alongside it: pivoting from CT observations to sibling assets, each enriched with resolving IP, owning ASN, and threat verdict.

Recipes

The copy-paste Cypher for this work lives in External Recon: subdomain enumeration, Certificate Transparency discovery, IP-footprint mapping, CDN de-cloaking, and TLS-fingerprint pivots, each a read against the graph.

For cross-layer techniques that apply across every domain, see Cross-Layer Patterns. To ground an AI agent in the same graph and let it walk the surface itself, see AI & Agents.