Attack-Surface Mapper
See your organisation the way an attacker does. Give it a domain and it maps the full external footprint — every subdomain, the name and mail servers, who registered it, the third-party services it leans on, and the wider web of sites it connects to — and scores the exposure. The starting point for shrinking what's reachable from the outside.
How it uses the graph
Traverses the DNS, email, BGP, WHOIS, threat-intel, TLS, GeoIP, physical layers of the graph, in 28 steps:
Scoring the domain with explain()…
Identifying the domain's vendor and class…
Mining CT logs for certificate-named subdomains…
Finding the domain's nameservers…
Finding CNAMEs pointing at dangling targets…
Inventorying third-party CNAME / SaaS dependencies…
Finding the domain's mail servers…
Reading the domain's SPF-authorised senders…
Reading the domain's DMARC report recipients…
Reading registrar, registrant and email…
Pivoting on the registrant email to co-registered domains…
Enumerating registered look-alike domains…
De-CDN'ing to the real origin IPs…
Resolving the apex to its IPs…
Tracing serving IPs to ASN, country and threat…
Mapping serving prefixes to their cloud region…
Assessing each serving ASN's reputation with explain()…
Tracing serving ASNs to the datacenters they sit in…
Collecting the serving IPs' TLS fingerprints…
Counting flagged domains on the serving IPs…
Total subdomain count…
Subdomain hosting map…
Hosting diversity…
Domains hosted on this ASN…
Branded name search…
Inbound web links…
Outbound web links…
Mutual web links…
Why each step runs
- 01Asset verdict. Sets the headline threat verdict for the asset before the surface is enumerated, framing how risky the footprint is.
- 02Asset class. Reads host-class and roles so a CDN or shared platform reads as structure rather than as an attacker-controlled asset.
- 03CT-log subdomains. Reads CT_OBSERVATION names to recover subdomains that issued TLS certs — hosts DNS enumeration alone may miss.
- 04Nameservers. Walks NAMESERVER_FOR (excluding root servers) to name the DNS operators the domain delegates to — its control-plane dependency.
- 05Subdomain-takeover candidates. Flags subdomains whose ALIAS_OF target no longer resolves — classic subdomain-takeover candidates an attacker can claim.
- 06Supply-chain / SaaS dependencies. Walks every subdomain ALIAS_OF target to inventory the third-party SaaS the namespace delegates to — the supply-chain attack surface, where a target with target_ips=0 is also a takeover candidate.
- 07Mail servers. Walks MAIL_FOR to surface the mail exchangers, part of the email attack surface and a spoofing/relay consideration.
- 08SPF authorized senders. Enumerates every SPF mechanism (include/ip/a/mx/exists/redirect) and its target, the full set of hosts allowed to send as the domain.
- 09DMARC reporting. Surfaces the DMARC_REPORTS_TO recipients, indicating whether email-authentication reporting is configured and where it lands.
- 10Registrar & registrant. Captures the WHOIS ownership trail — registrar, organisation, contact email — the human/legal layer of the surface.
- 11Sibling domains (registrant-email pivot). Pivots on the apex's WHOIS registrant email to the other domains it registered (privacy/role addresses excluded, expansion capped per email so a shared address can't explode) — the org-expansion step the single-domain pass skips. HIGH-confidence only when the email is exact and the portfolio is small; corroborate before trusting.
- 12Look-alike / typosquat domains. Generates typo/homoglyph variants of the apex and keeps only the REGISTERED ones — the brand/typosquat surface. Most are owned by unrelated parties; score each before alerting.
- 13Real origins (de-CDN). Runs whisper.origins to reconstruct the true server addresses behind any CDN — the real infrastructure the edge hides.
- 14Resolving IPs. Pins the addresses the domain resolves to, the anchor the serving-network, TLS and threat steps all key off.
- 15Serving network (IP → ASN). Resolves IP→prefix→ASN with country and IP threat flags, naming the network that serves the domain and its reputation.
- 16Cloud regions. Maps each serving prefix to its CLOUD_REGION (e.g. aws:eu-west-1) — exact data-residency and blast-radius the country-level GeoIP alone misses.
- 17Hosting-network reputation. Runs explain() on each serving ASN for its neighborhood reputation — a high-abuse hosting network is a real signal the per-IP threat view misses, even when the domain's own IPs are clean.
- 18Physical footprint. Walks AS_PRESENT_AT to the physical facilities the serving ASN occupies — the supply-chain/physical layer no subfinder/Shodan pipeline can reach. Inert on prod until the physical layer is loaded; kept enabled so it activates on the next data refresh.
- 19TLS fingerprints. Reads EMITS_TLS_FINGERPRINT to capture each address's TLS stack signature, a clustering and posture signal across the surface.
- 20Neighborhood threat. Measures how many co-tenants on the domain's own IPs are already threat-listed — how risky the hosting neighbourhood is.
- 21Total subdomain count. Reports the true size of the domain's namespace so the surface enumeration is framed against the real total.
- 22Subdomain hosting map. Ties each subdomain to the IP, prefix and network that host it, showing exactly where the externally exposed surface lives.
- 23Hosting diversity. Counts how many subdomains sit on each hosting network, showing whether the footprint is concentrated on one provider or spread across many.
- 24Domains hosted on this ASN. When the input is an ASN, enumerates the domains living inside that network's address space so the surface can be mapped network-first.
- 25Branded name search. Surfaces every registered hostname that begins with the given string, catching related or brand-impersonating names outside the direct subdomain tree.
- 26Inbound web links. Lists the sites that hyperlink to the domain, mapping its inbound web-link graph and who references it.
- 27Outbound web links. Shows which external sites the domain links out to, part of its web-facing surface and third-party exposure.
- 28Mutual web links. Finds reciprocal hyperlinks between the domain and its peers, which often signal partnerships or affiliations worth investigating.