External attack surface
Every public host, port, certificate, subdomain, and exposed service tied to your organization. Cross-referenced against your asset inventory to find what you missed.
attack-surface intel · 07
See your company the way an attacker sees it.
External attack-surface mapping, exposed credential discovery, leaked source-code review, dark-web mention monitoring, executive and brand exposure. We collect what a real adversary would collect, then tell you what to do about it.
01. in scope
What's in scope.
What we map in a recon engagement.
Exposed credentials
Combolists, breach corpora, paste sites, malware logs. Credentials by email, by domain, and by reuse pattern. Severity by whether the password is still active.
Leaked source code and secrets
Public GitHub, GitLab, Bitbucket. Search for code that looks like yours, secrets that match your patterns, internal IP addresses, API keys.
Dark-web mentions
Forums, IRC, Telegram, leak sites, marketplaces. Mentions of your brand, your employees, your customers, your supply chain. Sentiment and seriousness graded.
Executive exposure
Public OSINT footprint on named executives. What pretext is available, what targeting is possible, what doxxing risk exists.
Third-party and supply-chain exposure
Your vendors' breaches that touch your data. Single sign-on providers, payment processors, cloud platforms, JS dependencies served from third parties.
02. how we work
How we work on it.
How a recon engagement runs.
- Scoping call30 minutes. Define the scope: which brand assets, which executives, which third parties. Free.
- CollectionTwo weeks. Multiple data sources, structured and unstructured. We do not buy data that requires committing a crime to obtain.
- Triage and validationRaw data is noisy. We validate, dedupe, and rank by exploitability. You get verified intelligence, not a SIEM feed.
- Report and readoutPrioritized findings, exposure graphs, recommended takedown and hardening actions. Engineer Q&A call included.
- Continuous monitoring (optional)On retainer. We re-collect monthly and alert on new exposure between collections.
03. deliverables
What you walk away with.
Deliverables.
External asset inventory
Every host, port, cert, and service tied to your organization. Reconciled against your CMDB to find shadow IT.
Credential exposure report
Compromised credentials per user, per system, per third party. Ranked by activity and access blast radius.
Source-code and secrets report
Verified leaks of code, keys, internal documents, and config snippets. With links to where they live and recommended takedown paths.
Dark-web mention review
Every reference to your brand, employees, or data. Filtered for relevance. Severity graded.
Executive exposure profile
Per-executive OSINT footprint. What is publicly known, what should be scrubbed, what makes them a target.
Takedown and hardening playbook
Per-finding remediation. Who to contact, what evidence to attach, what controls would have prevented the leak.
04. when
When teams hire us for this.
When recon work is the right move.
You do not have a clean asset inventory
Your CMDB does not match reality. Recon is the fastest way to find the shadow IT before someone exploits it.
You suspect credential reuse
A user got phished, or a third party breached. You need to know how far the reuse risk reaches.
You are about to announce a product or M&A
Adversaries watch for these announcements. Get ahead of the targeting that follows.
Executive protection
You have public-figure executives. Their OSINT footprint translates directly into pretext available to attackers.
05. faq
Questions before the call.
Recon FAQ.
Do you use credentials we should not be using?
No. We work from publicly available breach corpora and verified data. We do not pay for credentials that are still being actively sold.
Will you scan our systems?
Only passive collection by default. Active scanning is opt-in and bundled with a penetration test for legal cleanliness.
How current is the data?
Collection runs within the engagement window. On retainer, monthly refresh is standard, with alerts between collections.
Can you find our brand on the dark web?
We can find what is there. We do not invent threats to justify the report. Many engagements come back with very little dark-web exposure, and we say so.
Do you do takedowns?
We document the path. Most takedowns require your legal team to send the notice; we draft the template.
Want to know what your public exposure looks like?
A 30-minute call scopes the recon engagement. We will tell you which data streams are most useful for your industry and threat model.