How Our EASM Scanning Works - From Domains to Vulnerabilities
Introduction
Understanding how External Attack Surface Management (EASM) scanning works is crucial for leveraging its full potential. Our EASM solution automates the process of identifying, mapping, and analyzing externally exposed assets, allowing security teams to proactively secure their infrastructure. This article breaks down the scanning process, from discovering domains to detecting vulnerabilities.
Step 1: Domain and Subdomain Discovery
EASM begins by identifying an organization's known domains and associated subdomains. This process helps uncover publicly accessible infrastructure that might be overlooked.
How We Discover Domains:
- User-provided domains: During onboarding, users supply known corporate domains.
- Third-party integrations: Domains from external sources, such as cloud services, are collected.
- Passive reconnaissance: Public records, WHOIS data, and DNS lookups reveal additional domains.
How We Discover Subdomains:
- DNS brute-force enumeration
- Certificate transparency logs analysis
- Passive DNS records from historical sources
- Web crawling and OSINT techniques
Step 2: IP Mapping and Port Scanning
Once domains and subdomains are identified, the scanner maps associated IP addresses, open ports, and running services to provide a clear picture of the external attack surface.
What We Identify:
- Public IP addresses tied to discovered domains.
- Open ports and services running on exposed assets.
- Cloud-hosted infrastructure (AWS, Azure, GCP, etc.).
Step 3: Application and Service Fingerprinting
After identifying active services, the scanner performs application and service fingerprinting to determine:
- Software versions running on public-facing services.
- Configuration settings that may indicate security weaknesses.
- Third-party applications and frameworks in use.
Step 4: Vulnerability Detection
EASM then analyzes discovered assets for known vulnerabilities and misconfigurations. Using a combination of threat intelligence feeds and passive analysis, the scanner identifies:
- Exposed databases, admin panels, and authentication endpoints.
- Weak encryption protocols (e.g., TLS 1.0, SSL 1.0).
- Unpatched software and outdated frameworks.
- Expired SSL certificates.
Step 5: Risk Assessment and Prioritization
Each vulnerability is assigned a severity level based on impact and exploitability:
- 🟥 Critical – Actively exploitable and high-impact vulnerabilities.
- 🟧 High – Significant risks that should be remediated quickly.
- 🟨 Medium – Moderate risks requiring attention.
- 🟩 Low – Informational findings that should be reviewed.
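As an added example (not the product's own code) tying the Step 4 checks to the Step 5 tiers, the Python below runs the expired-certificate, weak-protocol and exposed-service checks over constructed fingerprint records and orders the findings by severity. The record shape, the service labels and the impact-by-exploitability matrix used to derive the four tiers are all assumptions made for this illustration.

```python
from datetime import date
# Assumed severity model for this example: the article's four tiers derived
# from an impact x exploitability matrix. Not the product's real scoring.
SEVERITY_MATRIX = {
    ("high", "high"): "Critical", ("high", "medium"): "High", ("high", "low"): "Medium",
    ("medium", "high"): "High", ("medium", "medium"): "Medium", ("medium", "low"): "Low",
    ("low", "high"): "Medium", ("low", "medium"): "Low", ("low", "low"): "Low",
}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
DATABASE_SERVICES = {"postgresql", "mysql", "mongodb", "redis"}
ADMIN_SERVICES = {"admin-panel", "phpmyadmin"}

# Constructed fingerprint results; the record shape is assumed, not the product's.
ASSETS = [
    {"host": "www.example.com", "protocols": ["TLSv1.2", "TLSv1.3"],
     "cert_not_after": "2026-01-01", "services": ["https"]},
    {"host": "legacy.example.com", "protocols": ["TLSv1.0", "TLSv1.2"],
     "cert_not_after": "2024-05-01", "services": ["https", "admin-panel"]},
    {"host": "db.example.com", "protocols": [], "cert_not_after": None,
     "services": ["postgresql"]},
]

def assess(asset: dict, today: str) -> list[dict]:
    """Run the Step 4 checks on one asset; tag each finding with a Step 5 tier."""
    findings: list[dict] = []
    def add(title: str, impact: str, exploitability: str) -> None:
        findings.append({"host": asset["host"], "finding": title,
                         "severity": SEVERITY_MATRIX[(impact, exploitability)]})
    for svc in asset["services"]:
        if svc in DATABASE_SERVICES:
            add(f"exposed database service ({svc})", "high", "high")
        elif svc in ADMIN_SERVICES:
            add(f"exposed admin panel ({svc})", "high", "medium")
    weak = sorted(set(asset["protocols"]) & WEAK_PROTOCOLS)
    if weak:
        add("weak encryption protocol offered: " + ", ".join(weak), "medium", "medium")
    expiry = asset["cert_not_after"]
    if expiry and date.fromisoformat(expiry) < date.fromisoformat(today):
        add(f"expired TLS certificate (not after {expiry})", "medium", "low")
    return findings

def prioritize(assets: list[dict], today: str) -> list[dict]:
    """All findings across assets, Critical first, then by host."""
    return sorted((f for a in assets for f in assess(a, today)),
                  key=lambda f: (RANK[f["severity"]], f["host"]))

if __name__ == "__main__":
    for f in prioritize(ASSETS, "2025-01-15"):
        print(f"[{f['severity']:8}] {f['host']}: {f['finding']}")
```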
Step 6: Reporting and Remediation Guidance
Once scanning is complete, organizations receive a detailed report with:
- A summary of detected vulnerabilities categorized by severity.
- Remediation recommendations for each finding.
- Historical tracking of previously detected issues for trend analysis.
Conclusion
Our EASM scanning process ensures comprehensive visibility into external risks, helping organizations proactively secure their attack surface. By automating asset discovery, vulnerability detection, and risk assessment, it lets security teams mitigate threats before attackers exploit them.
In the next article, we’ll dive into understanding severity levels and how they impact risk management.
Frequently Asked Questions
Can I ask follow-up questions about vulnerabilities?
Absolutely! The 'Dig Deeper' chat is interactive, allowing you to:
- Request more details about how a vulnerability works.
- Ask for additional remediation methods.
- Clarify attack vectors and potential risks.
This ensures security teams get deeper insights beyond just a vulnerability description.
What is the 'Dig Deeper' chat, and how does it help?
The 'Dig Deeper' AI chat provides instant expert-level insights on detected issues.
- It explains vulnerabilities in a clear, actionable way.
- It helps users understand why an issue is risky and how attackers might exploit it.
- It suggests remediation steps tailored to the asset and issue type.
This allows security teams to quickly grasp risks and respond effectively without deep security expertise.
Does this tool comply with security frameworks like NIST or CIS?
Yes, the EASM tool aligns with frameworks such as NIST, CIS, and ISO 27001 by identifying security gaps in publicly accessible infrastructure. While it does not enforce compliance, it helps security teams detect misconfigurations and vulnerabilities that could impact regulatory requirements.
What sources does the scanner use to find vulnerabilities?
The scanner leverages multiple intelligence sources to detect vulnerabilities, including:
- Public vulnerability databases (CVE, NVD, MITRE, etc.).
- Security research feeds and threat intelligence sources.
- Passive reconnaissance techniques such as OSINT and fingerprinting.
By combining these sources, the scanner provides real-time risk assessments without intrusive scans.
Does the scanner perform active exploitation or just passive mapping?
The scanner performs only passive mapping, meaning it identifies vulnerabilities but does not exploit them.
This approach:
- Avoids system disruptions while gathering security intelligence.
- Provides a realistic attacker's-eye view of exposed assets without crossing legal boundaries.
- Ensures compliance with ethical scanning practices.
Organizations can use these findings to proactively patch weaknesses before attackers do.
How does the EASM scanner find subdomains?
The scanner discovers subdomains using:
- DNS enumeration (brute-force, dictionary-based, wildcard resolution).
- Certificate transparency logs that expose registered subdomains.
- Passive DNS records and web crawling to identify related assets.
This helps map the full attack surface, including shadow IT and forgotten subdomains.
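As an added example (not the product's code) of the certificate transparency analysis described in Step 1 and in this FAQ, the Python below turns constructed crt.sh-style CT records into a deduplicated in-scope subdomain inventory and flags the hosts whose newest certificate has lapsed, the typical "forgotten subdomain". The record shape, the sample names and the `in_scope` boundary rule are assumptions made for this illustration.

```python
import json

# Constructed sample in the shape crt.sh returns for a CT search (assumed,
# not the product's data): "name_value" may hold several newline-separated
# names, and wildcards and mixed case are common.
CT_RECORDS_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "*.staging.example.com", "not_after": "2024-03-01T00:00:00"},
    {"name_value": "VPN.Example.COM", "not_after": "2025-06-30T00:00:00"},
    {"name_value": "mail.notexample.com", "not_after": "2025-06-30T00:00:00"},
    {"name_value": "legacy.example.com.evil.test", "not_after": "2025-06-30T00:00:00"},
    {"name_value": "old.example.com", "not_after": "2023-01-01T00:00:00"},
])

def in_scope(name: str, apex: str) -> bool:
    """True only for the apex itself or names ending in '.' + apex; the dot
    boundary keeps 'notexample.com' and 'example.com.evil.test' out."""
    return name == apex or name.endswith("." + apex)

def subdomains_from_ct(records_json: str, apex: str) -> dict[str, str]:
    """Map every in-scope hostname to the latest certificate expiry seen.
    Wildcards ('*.x') are recorded as their base name 'x'; names are
    lower-cased and de-duplicated."""
    apex = apex.lower().rstrip(".")
    inventory: dict[str, str] = {}
    for rec in json.loads(records_json):
        for raw in rec["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name or not in_scope(name, apex):
                continue
            # ISO-8601 timestamps compare correctly as strings.
            if rec["not_after"] > inventory.get(name, ""):
                inventory[name] = rec["not_after"]
    return inventory

def expired_names(inventory: dict[str, str], today: str) -> list[str]:
    """Hosts whose newest certificate has already lapsed: the 'forgotten
    subdomain' candidates to review first."""
    return sorted(h for h, exp in inventory.items() if exp < today)

if __name__ == "__main__":
    inv = subdomains_from_ct(CT_RECORDS_JSON, "example.com")
    for host, exp in sorted(inv.items()):
        print(f"{host:24} latest cert expires {exp}")
    print("expired:", expired_names(inv, "2025-01-01T00:00:00"))
```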