Use casesAttack surface & recon

Faster in WhisperAttack surface & recon

Attack-Surface Mapper

Domain → its full external footprint, scored: subdomains (DNS + CT), nameservers, mail & SPF senders, registrar/registrant, the real origins behind any CDN, and the IPs/ASN/TLS/threat posture of everything that serves it.

LayersDNSemailBGPWHOISthreat-intelTLSGeoIP

2/ 100Clean

Verdict

50 subdomain(s) enumerated
2 serving IP(s) are threat-listed
2 threat-listed co-tenant(s) share the serving IPs
SPF authorizes 20 third-party sender(s)
8 nameserver(s), 6 mail server(s)

Sources: abuse-ch-urlhaus

40 nodes · 41 edges

50 subdomain(s) (50 DNS), 8 nameserver(s), 6 mail server(s) for github.comDNS
SPF authorizes 20 third-party sender(s) to send mail as github.comSPF
1 real origin IP(s) de-cloaked behind the CDN/WAForigins
4 subdomain(s) point at a dangling CNAME — possible subdomain takeoverDNS
2 of the serving IP(s) are themselves threat-listedthreat-intel
2 threat-listed domain(s) share github.com's serving IPs — a hot neighborhoodthreat-intel

Asset class1 row

host	vendor id	canonical name	category	roles	host class	band
github.com	github	Github	saas	DNS_OPERATORMAIL_RECEIVERORIGIN_AS	multi_tenant_user_content	DERIVED

Subdomains50 rows

subdomain
0.github.com
000.github.com
00010011.github.com
001.github.com
002.github.com
003.github.com

+44 more in the full run

Nameservers8 rows

nameserver
ns-421.awsdns-52.com
ns-520.awsdns-01.net
dns1.p08.nsone.net
dns2.p08.nsone.net
dns3.p08.nsone.net
dns4.p08.nsone.net

+2 more in the full run

Subdomain-takeover candidates4 rows

subdomain	dangling target
communication.github.com	communication.github.com.cname.campaign.adobe.com
importer2.github.com	porter-production-1232719825.us-east-1.elb.amazonaws.com
info.github.com	157-gqe-382.mktoweb.com
media.github.com	alambic-origin.github.com

Mail servers6 rows

mail server
aspmx.l.google.com
alt1.aspmx.l.google.com
alt2.aspmx.l.google.com
alt3.aspmx.l.google.com
alt4.aspmx.l.google.com
github-com.mail.protection.outlook.com

SPF authorized senders20 rows

mechanism	authorized	target type
SPF_IP	192.30.252.0/22	PREFIX
SPF_IP	167.89.101.192/28	PREFIX
SPF_IP	192.254.112.98/31	PREFIX
SPF_INCLUDE	_netblocks.google.com	HOSTNAME
SPF_INCLUDE	_netblocks2.google.com	HOSTNAME
SPF_INCLUDE	_netblocks3.google.com	HOSTNAME

+14 more in the full run

DMARC reporting1 row

dmarc recipients
dmarc@github.com

Registrar & registrant1 row

registrar	registrant email	organization
iana:292	hostmaster@github.com	github hostmastergithub,

Real origins (de-CDN)1 row

ip	confidence	methods	asnName
62.253.227.114	8	spf	NTL - Virgin Media Limited

Serving network4 rows

ip	ip threat	ip level	prefix	asn	network	country
140.82.121.3	true	LOW	140.82.121.0/24	AS36459	GITHUB - GitHub, Inc.	DE
140.82.121.4	true	LOW	140.82.121.0/24	AS36459	GITHUB - GitHub, Inc.	DE
20.205.243.166	false	LOW	20.192.0.0/10	AS8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation	SG
4.228.31.150	false	∅	4.224.0.0/12	AS8075	MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation	BR

Neighborhood threat2 rows

ip	threat neighbors	sample
20.205.243.166	2	cstatchemical.com141941.xyz
140.82.121.4	1	cstatchemical.com

The one query behind this

▾

CALL explain($domain)

Snapshot from a max-depth run on Jun 26, 2026. Run it again for live data. attack-surface

Try this in Console

Free tier — no credit card. Runs up to 3 hops deep; Pro goes to 5.

What it solves

Scoping an external footprint usually means active scans that leak your intent and trip defences. This rebuilds the same picture from passive data, so recon stays quiet.

The map pulls subdomains from DNS and certificate transparency, the nameservers and mail/SPF senders, the registrar and registrant, the likely real origins behind a CDN, and the addresses, network, TLS, and threat posture underneath. It runs passively, so nothing touches the target.

The old way5 tools / tabs≈ 45 min

Run several scanners, then reconcile their overlapping, partial results.

Amass
Censys
a CT log search
SPF and DNS checkers

Dig deeper

Read the how-to

The documentation for this flow — the queries explained, with variants you can adapt.

Open the documentation →

Related flows

All use cases →

Faster in Whisper

Indicator Investigation

Drop in any domain, IP, ASN, or prefix and get back a verdict you can defend, with the evidence and sources attached.

Faster in Whisper

Blast Radius

Pick one piece of infrastructure and see what breaks if it disappears, from the domains it serves to the owner and datacenter behind it.

Only in Whisper

Digital Infrastructure Mapping

One indicator, mapped to its real owner and full footprint, even behind privacy WHOIS, then graded for how concentrated it is.

Only in Whisper

Attack Path Analysis

From one foothold, the structure an attacker would lean on: the choke points, the pivots that survive IP rotation, and how close it sits to known-bad.