Attack-Surface Mapper

See your organisation the way an attacker does. Give it a domain and it maps the full external footprint — every subdomain, the name and mail servers, who registered it, the third-party services it leans on, and the wider web of sites it connects to — and scores the exposure. The starting point for shrinking what's reachable from the outside.

How it uses the graph

Traverses the DNS, email, BGP, WHOIS, threat-intel, TLS, GeoIP, physical layers of the graph, in 28 steps:

How it walks the graph28 steps
01Asset verdict

Scoring the domain with explain()…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
02Asset class

Identifying the domain's vendor and class…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
03CT-log subdomains

Mining CT logs for certificate-named subdomains…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
04Nameservers

Finding the domain's nameservers…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
05Subdomain-takeover candidates

Finding CNAMEs pointing at dangling targets…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
06Supply-chain / SaaS dependencies

Inventorying third-party CNAME / SaaS dependencies…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
07Mail servers

Finding the domain's mail servers…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
08SPF authorized senders

Reading the domain's SPF-authorised senders…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
09DMARC reporting

Reading the domain's DMARC report recipients…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
10Registrar & registrant

Reading registrar, registrant and email…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
11Sibling domains (registrant-email pivot)

Pivoting on the registrant email to co-registered domains…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
12Look-alike / typosquat domains

Enumerating registered look-alike domains…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
13Real origins (de-CDN)

De-CDN'ing to the real origin IPs…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
14Resolving IPs

Resolving the apex to its IPs…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
15Serving network (IP → ASN)

Tracing serving IPs to ASN, country and threat…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
16Cloud regions

Mapping serving prefixes to their cloud region…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
17Hosting-network reputation

Assessing each serving ASN's reputation with explain()…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
18Physical footprint

Tracing serving ASNs to the datacenters they sit in…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
19TLS fingerprints

Collecting the serving IPs' TLS fingerprints…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
20Neighborhood threat

Counting flagged domains on the serving IPs…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
21Total subdomain count

Total subdomain count…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
22Subdomain hosting map

Subdomain hosting map…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
23Hosting diversity

Hosting diversity…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
24Domains hosted on this ASN

Domains hosted on this ASN…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
25Branded name search

Branded name search…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
26Inbound web links

Inbound web links…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
27Outbound web links

Outbound web links…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical
28Mutual web links

Mutual web links…

DNSemailBGPWHOISthreat-intelTLSGeoIPphysical

Why each step runs

  1. 01Asset verdict. Sets the headline threat verdict for the asset before the surface is enumerated, framing how risky the footprint is.
  2. 02Asset class. Reads host-class and roles so a CDN or shared platform reads as structure rather than as an attacker-controlled asset.
  3. 03CT-log subdomains. Reads CT_OBSERVATION names to recover subdomains that issued TLS certs — hosts DNS enumeration alone may miss.
  4. 04Nameservers. Walks NAMESERVER_FOR (excluding root servers) to name the DNS operators the domain delegates to — its control-plane dependency.
  5. 05Subdomain-takeover candidates. Flags subdomains whose ALIAS_OF target no longer resolves — classic subdomain-takeover candidates an attacker can claim.
  6. 06Supply-chain / SaaS dependencies. Walks every subdomain ALIAS_OF target to inventory the third-party SaaS the namespace delegates to — the supply-chain attack surface, where a target with target_ips=0 is also a takeover candidate.
  7. 07Mail servers. Walks MAIL_FOR to surface the mail exchangers, part of the email attack surface and a spoofing/relay consideration.
  8. 08SPF authorized senders. Enumerates every SPF mechanism (include/ip/a/mx/exists/redirect) and its target, the full set of hosts allowed to send as the domain.
  9. 09DMARC reporting. Surfaces the DMARC_REPORTS_TO recipients, indicating whether email-authentication reporting is configured and where it lands.
  10. 10Registrar & registrant. Captures the WHOIS ownership trail — registrar, organisation, contact email — the human/legal layer of the surface.
  11. 11Sibling domains (registrant-email pivot). Pivots on the apex's WHOIS registrant email to the other domains it registered (privacy/role addresses excluded, expansion capped per email so a shared address can't explode) — the org-expansion step the single-domain pass skips. HIGH-confidence only when the email is exact and the portfolio is small; corroborate before trusting.
  12. 12Look-alike / typosquat domains. Generates typo/homoglyph variants of the apex and keeps only the REGISTERED ones — the brand/typosquat surface. Most are owned by unrelated parties; score each before alerting.
  13. 13Real origins (de-CDN). Runs whisper.origins to reconstruct the true server addresses behind any CDN — the real infrastructure the edge hides.
  14. 14Resolving IPs. Pins the addresses the domain resolves to, the anchor the serving-network, TLS and threat steps all key off.
  15. 15Serving network (IP → ASN). Resolves IP→prefix→ASN with country and IP threat flags, naming the network that serves the domain and its reputation.
  16. 16Cloud regions. Maps each serving prefix to its CLOUD_REGION (e.g. aws:eu-west-1) — exact data-residency and blast-radius the country-level GeoIP alone misses.
  17. 17Hosting-network reputation. Runs explain() on each serving ASN for its neighborhood reputation — a high-abuse hosting network is a real signal the per-IP threat view misses, even when the domain's own IPs are clean.
  18. 18Physical footprint. Walks AS_PRESENT_AT to the physical facilities the serving ASN occupies — the supply-chain/physical layer no subfinder/Shodan pipeline can reach. Inert on prod until the physical layer is loaded; kept enabled so it activates on the next data refresh.
  19. 19TLS fingerprints. Reads EMITS_TLS_FINGERPRINT to capture each address's TLS stack signature, a clustering and posture signal across the surface.
  20. 20Neighborhood threat. Measures how many co-tenants on the domain's own IPs are already threat-listed — how risky the hosting neighbourhood is.
  21. 21Total subdomain count. Reports the true size of the domain's namespace so the surface enumeration is framed against the real total.
  22. 22Subdomain hosting map. Ties each subdomain to the IP, prefix and network that host it, showing exactly where the externally exposed surface lives.
  23. 23Hosting diversity. Counts how many subdomains sit on each hosting network, showing whether the footprint is concentrated on one provider or spread across many.
  24. 24Domains hosted on this ASN. When the input is an ASN, enumerates the domains living inside that network's address space so the surface can be mapped network-first.
  25. 25Branded name search. Surfaces every registered hostname that begins with the given string, catching related or brand-impersonating names outside the direct subdomain tree.
  26. 26Inbound web links. Lists the sites that hyperlink to the domain, mapping its inbound web-link graph and who references it.
  27. 27Outbound web links. Shows which external sites the domain links out to, part of its web-facing surface and third-party exposure.
  28. 28Mutual web links. Finds reciprocal hyperlinks between the domain and its peers, which often signal partnerships or affiliations worth investigating.