Attack Surface Discovery Tool

You can greatly simplify and improve your work on cybersecurity tasks such as reconnaissance, security assessment, and threat hunting by utilizing the Attack Surface Discovery tool to explore and analyze the relationships between internet entities.

Attack surface example

The Attack Surface Discovery tool helps map out the internet-exposed parts of any information system, providing a view of potential points of access, including those in third-party and cloud services. It operates on Netlas’s extensive data collections, including internet scanning results, DNS records, WHOIS records, and more.

Hereinafter the tool will be abbreviated as the Discovery tool.

Discovery Process

Identifying an attack surface involves mapping out the publicly reachable points through which data can be entered or extracted. In practice, this means:

  1. Enumerate IP addresses and domains where related data and services can be published.

  2. Enumerate and analyze available endpoints.

This process begins with easily discoverable and commonly known parts of an attack surface, such as a domain name or organization name. Access the Discovery tool by clicking on the Discover menu item. Click the Add node button, select the node type, and enter the value.

How to add a node to the surface manually


Let's proceed from the key assumption that the parts of a particular attack surface must be related to each other somehow. If they are not, there is no reason to believe that they belong to the same information system. Here are a few examples of such relationships that the Discovery tool helps you find:

  • A bunch of domains leads to a single IP or range;
  • IP addresses belong to a specific range, the description of which includes the brand name;
  • Services published on different hosts provide the same SSL certificate;
  • Org name, email addresses, or phone number matches;
  • A web server responds with a 301/302 redirect to another domain.
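The following added example (not Netlas code) shows how the relationships listed above tie hosts into one candidate surface: hosts are merged when they share an IP address, share a certificate, or redirect to one another. The record layout, field names and sample values are constructed for illustration and use documentation-reserved names and addresses.

```python
from collections import defaultdict

# Constructed observations; the field names are hypothetical.
OBSERVATIONS = [
    {"host": "www.example.com", "ip": "192.0.2.10", "cert_sha256": "aa11", "redirect": None},
    {"host": "shop.example.net", "ip": "192.0.2.10", "cert_sha256": "bb22", "redirect": None},
    {"host": "pay.example.org", "ip": "198.51.100.7", "cert_sha256": "bb22", "redirect": None},
    {"host": "old.example.edu", "ip": "203.0.113.5", "cert_sha256": "cc33", "redirect": "www.example.com"},
    {"host": "unrelated.test", "ip": "203.0.113.99", "cert_sha256": "dd44", "redirect": None},
]

def find(parent, x):
    """Return the representative of x's cluster (union-find with path halving)."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_hosts(observations):
    """Merge hosts linked by a shared IP, a shared certificate or a redirect.

    Returns (clusters, evidence); evidence records why each link was made.
    """
    parent = {o["host"]: o["host"] for o in observations}
    first_seen = {}   # (attribute, value) -> first host observed with it
    evidence = []
    for o in observations:
        for kind in ("ip", "cert_sha256"):
            key = (kind, o[kind])
            if key in first_seen:
                parent[find(parent, o["host"])] = find(parent, first_seen[key])
                evidence.append((first_seen[key], o["host"], kind))
            else:
                first_seen[key] = o["host"]
        # A redirect only links hosts that are both already known.
        if o["redirect"] in parent:
            parent[find(parent, o["host"])] = find(parent, o["redirect"])
            evidence.append((o["host"], o["redirect"], "redirect"))
    groups = defaultdict(set)
    for host in parent:
        groups[find(parent, host)].add(host)
    return sorted(sorted(g) for g in groups.values()), evidence
```

A shared IP address on its own can simply mean shared hosting or a CDN, so review the evidence list before treating a cluster as one information system.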

Click on any node on the attack surface to see options for relationship search. The available options depend on the node type. For example, you can search for the A records of a domain and, in the other direction, for domains bound to an IP address.

Relationship search options

Once you have selected your search direction, click the ADD button to make a search and add nodes to the surface. Click on the newly added nodes to continue the relationship discovery process.

If the search returns more than 20 results, the ADD button is grayed out. In this case, instead of adding nodes to the surface separately, they can be added as a group by clicking the ADD GROUP button.

Availability depends on your pricing plan
  • The maximum number of nodes per group is limited by your pricing plan.
    A search will be unavailable to you if it returns more results than the group capacity limit.

  • The availability of some search options also depends on data availability restrictions.
    For example, if your pricing plan does not provide you with access to contact details such as phone numbers and email addresses, related WHOIS searches will also be unavailable.

  • Netlas coins and daily request limit are also taken into account.
    In this respect, the Discovery tool is similar to the Netlas Search tools: searches count towards your daily request limit, and each object added to the surface costs 1 coin.


Groups are very similar to individual nodes. Clicking on a group requests the available searches. A group search works as if you searched every node in the group and joined the results.

You can merge nodes and groups into larger groups. Just select two or more nodes/groups of the same type with the Select nodes tool and use the context menu.

The Ungroup feature is also available in the context menu for groups of 20 nodes or fewer.

Select View list from the context menu to see the content of a group. Here you can interact with individual nodes in the group. Pay attention to the Extract icon. It allows you to move any node outside the group.

Group view


If the search returns a node that you don't need to consider as a part of the attack surface, you can Exclude it. Excluded nodes are not searchable. When you download results as a file, they are also excluded.

You can exclude both individual nodes and entire groups. By excluding a group, you are excluding each of its nodes. You can exclude individual nodes inside the group. In this case, a group search will be performed without taking into account excluded nodes.

You can hide excluded nodes by switching the toggle near the zoom control in the bottom-right corner.


Every node on the attack surface is unique. It means that you can't add two nodes with the same type and value to the same attack surface.

When a search returns a node that is already on the surface, it simply creates a link. If no nodes are added to the surface after the search, then the same nodes already exist on the surface, either as part of a group or as individual ones.

Minor Features

The toolbar offers several typical features. Download and Share become available after you save the surface.

Discovery toolbar

Each time you press the Save button, a new version of the current attack surface is saved. By pressing the Open button, you can access any version saved earlier.

Versions of an attack surface

You can also Rename and Delete versions.

The Download tool returns a text file containing domains, IP ranges in CIDR format, and IP addresses. The file can be used as input to most network scanners. For example, nmap accepts this format.
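Before a downloaded list is handed to a scanner, it is worth checking every entry against the scope you are authorised to test. The following added example (not Netlas code) does that, assuming the file holds one entry per line; the sample export and the scope lists are constructed.

```python
import ipaddress
import re

# Constructed sample export (assumed layout: one entry per line).
EXPORT = """\
example.com
192.0.2.0/28
192.0.2.5
198.51.100.20
203.0.113.0/24
mail.example.com
not a target!
"""

# Constructed scope: networks and domain suffixes you are authorised to scan.
SCOPE_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
SCOPE_DOMAINS = ("example.com",)
LABEL = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?")

def parse_entry(entry):
    """Return ('net', network) or ('domain', name); raise ValueError otherwise."""
    try:
        # A bare IP address parses as a single-address network (/32 or /128).
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass
    name = entry.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a domain, IP or CIDR: {entry!r}")
    return "domain", name

def triage(text, nets=SCOPE_NETS, domains=SCOPE_DOMAINS):
    """Split export lines into (in_scope, out_of_scope, invalid)."""
    in_scope, out_of_scope, invalid = [], [], []
    for entry in (line.strip() for line in text.splitlines()):
        if not entry:
            continue
        try:
            kind, value = parse_entry(entry)
        except ValueError:
            invalid.append(entry)
            continue
        if kind == "net":
            ok = any(value.version == n.version and value.subnet_of(n) for n in nets)
        else:
            ok = any(value == d or value.endswith("." + d) for d in domains)
        (in_scope if ok else out_of_scope).append(entry)
    return in_scope, out_of_scope, invalid
```

Only the first returned list should go to the scanner; out-of-scope entries are candidates for the Exclude feature on the surface itself.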

Discovery Strategies

When you build an attack surface, you can move horizontally and vertically. Horizontal search involves finding neighboring entities of the same order. Vertical search involves finding child entities or identifying containing entities.

Horizontal Relationships

To build a complete attack surface, start by searching for horizontal relationships. The goal is to find as many top-level entities as possible. Try to find alternative domains that belong to the same information system. Search for additional subnets and autonomous systems.

Here are some tips on searching horizontal relationships:

  1. MX and NS records are useful in relevant domain searches.
  2. Domain WHOIS data is also a way to go.
  3. Make use of forward and reverse DNS lookups.
  4. IP WHOIS data gives you additional subnets.
  5. Pay attention to redirects and SSL cert lookups.

Vertical Relationships

With the Discovery tool, it makes sense to limit the search for vertical relationships to subdomain enumeration. Searching for published services and endpoints is best done using alternative tools.

When looking for larger parts of an information system, look at the names of autonomous systems and larger networks.

Don't forget to make a forward DNS lookup for a list of subdomains and investigate a group of produced IP addresses. You may decide to return to the horizontal relationships search again starting from these addresses.

Upcoming Features

We plan to complement the functions of the Discovery tool with other tools in the future.

  1. Rebuilding the surface.
    An attack surface stores a history of the queries that were made to build it. In future releases, we will add the ability to monitor attack surface changes. The user will receive notifications when modified data is detected for the searches in that history.

  2. Scanning the surface.
    Currently, Netlas does not provide the ability to scan the attack surface. You can only download the list of targets and use third-party scanners. In future releases, we plan to provide users with the ability to use Netlas passive scanners to scan attack surfaces.

Hardware Requirements

Handling a large attack surface of over 10,000 nodes and over 100 visible nodes requires powerful hardware. Minimum requirements:

  • 4-core 2GHz CPU;
  • 8 GB of RAM.