Security Engineering

Custom Security Tool — External Attack Surface Discovery

Custom software for mapping and monitoring an organization’s external attack surface — finding exposed systems, services, and risky changes before attackers do.

Lost Edges security automation architecture
Know what faces the internet — continuous discovery, clear reporting, and signals you can act on.
Status: Active

Overview

Organizations rarely have a single, tidy list of everything they expose to the internet. Subdomains spin up overnight, shadow IT appears on new cloud projects, and old services linger long after anyone thought they were gone. This project is a custom security tool built to map and monitor that external attack surface on an ongoing basis.

The goal is not to replace every commercial scanner on the market. It is to give one team a focused lens on their perimeter — tuned to their naming patterns, their providers, and the risks they care about most.

What “Attack Surface” Means Here

In practical terms, the attack surface is anything an outsider can reach or infer without being on the corporate network: public hostnames, IP ranges, certificates, common misconfigurations, and accidental exposure of internal interfaces. The tool continuously collects and reconciles that picture so drift is visible early.

What We Built

Discovery tailored to the client

Instead of a one-size-fits-all crawl, the pipeline combines open data sources, DNS and certificate intelligence, and light active checks where policy allows. Rules and scope are configurable so new brands, regions, or cloud estates can be folded in without a rewrite.

Prioritization and noise control

Raw inventory grows fast. The system scores and groups findings so high-impact issues (for example, unexpected admin endpoints, weak TLS, or sensitive service banners) rise to the top while low-risk duplicates stay out of the way.

Reporting and handoff

Results are exported in forms the team already uses — summaries for leadership, technical detail for engineers, and repeatable snapshots for compliance or third-party reviews. The intent is to shorten the path from “we learned something new” to “someone fixed it.”

Who It Is For

Security teams that need repeatable visibility outside the firewall, without running a separate research project every quarter. It also helps engineering leads who want a second opinion on what accidentally shipped to the public internet.

Current Status

Active development and regular use. Scope and signal quality improve as we add more client-specific sources and tune detection rules.

  • Purpose-built discovery. Designed around the client’s real footprint — domains, cloud accounts, acquisitions, and third parties — instead of generic scans that miss context or drown the team in noise.
  • Evidence the team can use. Each finding ties back to something observable (DNS, TLS, headers, exposed ports, misconfigurations) so security and engineering can agree on what to fix first.
  • Fits existing workflows. Outputs and hooks align with how the team already tracks risk — tickets, dashboards, or periodic reports — so the tool supports the process instead of fighting it.
March 15, 2026