Attack Surface Management

Attack Surfacev4.0.0

14-step EASM pipeline: discovery, enrichment, vulnerability assessment with CVE/Nuclei scanning, subdomain takeover, and risk scoring

14
steps
4
phases
7
integrations
Attack Surface Management — how it works infographic
How Attack Surface Management works

01Overview

EASM Scanner is a comprehensive External Attack Surface Management platform written in pure Python, inspired by commercial solutions like CyCognito, Censys and Mandiant ASM. From a single command it runs a fully automated 14-step pipeline that ingests seeds (domains, IPs, CIDRs, ASNs), discovers and maps internet-facing assets, enriches them, assesses them for vulnerabilities, and produces risk-scored findings — turning an unknown, sprawling internet footprint into a prioritized, actionable inventory.

Its defining design choice is zero hard dependencies on external tooling. The scanner wraps high-performance Go tools from ProjectDiscovery (subfinder, httpx, dnsx, naabu, nuclei, tlsx, asnmap, gowitness) as optional accelerators, but ships a pure-Python fallback for every capability — so it works out of the box with only `requests` and `dnspython`. Every module is self-contained with its own dataclasses, making the codebase easy to read, test and extend.

What sets it apart from a plain scanner is the blue-team and intelligence tooling built on top. It performs unknown-asset discovery (siblings, subsidiaries, shadow IT) via five passive pivots with confidence scoring; cross-references your own surface against six free threat-intel feeds; and pairs every exposure with its defensive counterpart — MITRE ATT&CK technique tags plus ready-to-deploy Sigma rules. Findings flow into a multi-factor risk score with auto-escalation, and out through a FastAPI dashboard, multi-channel alerts, SIEM/STIX exports and Jira ticketing.

It is built for security engineers, red/purple teams and SOC leaders who need to continuously see what an attacker sees — with diff-based scheduling and risk-trend-over-time so they can answer the question every CISO asks: 'is our footprint actually shrinking?'

02Key Capabilities

14-Step Automated Pipeline

One command carries seeds from ingestion through discovery, enrichment, vulnerability assessment and risk-scored findings across four phases.

Zero-Dependency by Design

Runs with just requests + dnspython; every Go/ProjectDiscovery tool wrapper has a pure-Python fallback so it works without any external tooling.

Unknown-Asset Discovery (Attack Surface Intelligence)

Finds org-owned assets you didn't know about via five passive pivots — certificate-SAN, reverse-WHOIS, passive DNS, favicon-hash and ASN-to-org — with method-aware confidence scoring.

Threat-Intelligence Enrichment

Matches your own IPs/domains against six free feeds (Feodo, ThreatFox, URLhaus, FireHOL, Spamhaus DROP, Tor) to flag assets that are already known-bad, no API keys required.

Detection Pairing (Blue-Team Artifacts)

Emits the defensive counterpart of each exposure — MITRE ATT&CK technique tags plus generated, deploy-ready Sigma rules written one YAML per finding.

CVE & Nuclei Vulnerability Assessment

Version-fingerprints against 25+ CVE entries enriched with EPSS and CISA KEV, and runs Nuclei via Go binary with built-in Python templates as fallback.

Subdomain Takeover Detection

Detects dangling DNS/CNAME records vulnerable to takeover across 25 cloud providers including AWS, Azure, GitHub Pages, Heroku, Netlify, Vercel and Shopify.

Web Misconfiguration & Cloud Storage Enumeration

Checks 39 sensitive paths (.env, .git, backups, admin, Swagger), CORS, open redirect and directory listing, plus S3/Azure Blob/GCS public-access testing.

DNS Security & Default Credential Testing

Validates SPF/DKIM/DMARC, tests AXFR zone transfer and CAA, and safely probes default credentials across 8 service types with 36 credential pairs.

Multi-Factor Risk Scoring

A four-component 0-100 score (severity, asset criticality, exploitability, temporal) with five auto-escalation rules for KEV, default creds, takeover and public buckets.

REST API, Dashboard & Multi-Channel Reporting

Ships a 13-endpoint FastAPI server, a dark-themed SPA dashboard, and export to Slack/Teams/Email, Splunk/Elasticsearch/Syslog, STIX 2.1 and Jira.

Diff-Based Scheduling & Risk Trends

SQLite-backed scan history computes new/resolved/unchanged findings across runs and reports attack-surface exposure-reduction % with ASCII sparklines.

Attack Surface Management — features diagram

03Architecture

A single orchestrator (easm_scanner.py) drives a 14-step, four-phase pipeline over self-contained modules that each return their own dataclass results. Assets and Findings are the shared data model, persisted through a SQLite-backed asset store; every phase enriches the same in-memory inventory. Go/ProjectDiscovery tools are optional accelerators, each fronted by a pure-Python fallback, and results fan out to a FastAPI/dashboard layer and to alerting, SIEM, STIX and Jira exporters.

1
Orchestrator & CLI (easm_scanner.py)
~2,300-line main entry point that parses CLI flags, runs the 14-step pipeline, applies safety caps, and emits console/HTML/JSON reports.
2
Data Model (models/)
Asset and Finding dataclasses — assets carry domain/ip/port/url/cert/asn/cidr; findings carry rule_id, severity ranking, CWE/CVE, evidence and attributes.
3
Phase 1 — Discovery modules
seed_manager, asn_mapper, subdomain_discovery, dns_resolver, port_scanner, http_prober and ct_monitor enumerate and map the surface into asset_store.
4
Phase 2 — Enrichment modules
whois_enrichment, tls_analyzer, geoip_enrichment, tech_fingerprint, attribution_engine and asset_graph attribute and relate assets with confidence scoring.
5
Phase 3 — Vulnerability Assessment modules
vuln_detector, nuclei_scanner, subdomain_takeover, misconfig_detector, default_creds, dns_security and cloud_enum produce findings; risk_scorer prioritizes them.
6
Intelligence & Detection modules
intel_discovery (unknown-asset pivots), threat_intel (IOC feed matching) and detection_pairing (ATT&CK + Sigma) add offensive discovery and defensive artifacts.
7
Phase 4 — Reporting & Integration
api/server + api/dashboard + templates/dashboard.html surface results; alerting, siem_export, stix_export, jira_integration, scheduler and trends push them out.
Attack Surface Management — architecture diagram

04Project Structure

easm_scanner.pyMain orchestrator: CLI, the 14-step pipeline, safety caps, and console/HTML/JSON reporting (~2,279 lines).
models/Shared data model — asset.py (Asset dataclass) and finding.py (Finding dataclass with severity ranking).
modules/32 self-contained pipeline modules across discovery, enrichment, vuln assessment, intelligence and reporting/integration.
api/server.py (13-endpoint FastAPI REST API) and dashboard.py (dashboard data renderer with offline injection).
templates/dashboard.htmlInteractive dark-themed single-page dashboard with severity/category charts, asset inventory and scan launcher.
config/settings.yamlDefault configuration for threads, resolvers, ports and timeouts.
wordlists/subdomains-top1000.txtCommon subdomain prefixes used for DNS brute-force discovery.
tests/Pytest suite (93 tests) covering models, seed manager, asset store, risk scorer, intel, trends, dashboard, STIX, detection pairing and threat intel, plus an import smoke test.
.github/workflows/tests.ymlGitHub Actions CI: byte-compile + pytest matrix on Python 3.10-3.13 with a --help smoke test.
requirements.txtDependencies — required requests/dnspython, optional fastapi/uvicorn and commented credential-testing libs.
CLAUDE.mdDeveloper guide documenting architecture, rule IDs, safety caps, risk scoring and conventions.
run_demo.pyStandalone demo runner for exercising the pipeline.

05Security Controls

Exposed Services (EASM-PORT-001..006)
Flags internet-exposed database ports and SMB (CRITICAL), plus RDP, Telnet and VNC (HIGH) and FTP (MEDIUM) via TCP scan with banner grabbing.
Subdomain Takeover (EASM-TAKEOVER-001)
Detects dangling DNS/CNAME records pointing to unclaimed resources across 25 cloud providers (AWS, Azure, GitHub Pages, Heroku, Netlify, Vercel, Shopify, Fastly, ...).
CVE Detection (EASM-CVE-001)
Version-fingerprints services against 26 CVE entries for ~10 products, enriched with EPSS exploitability scores and CISA KEV cross-referencing.
Web Misconfiguration (EASM-MISCONFIG-001..010)
Checks 39 sensitive paths (.env, .git, backups, config, debug, admin, Swagger) plus CORS misconfiguration, open redirect and directory listing.
Default Credentials (EASM-CRED-001)
Tests default logins across 8 service types (SSH, FTP, HTTP, SNMP, MySQL, PostgreSQL, Redis, MongoDB) using 36 credential pairs, capped at 50 targets.
DNS Security (EASM-DNS-001..006)
Validates SPF (missing/permissive), DMARC (missing/weak), DKIM presence and AXFR zone transfer, plus CAA and dangling-MX checks.
TLS/SSL (EASM-TLS-001..005)
Detects services without TLS, self-signed, expired and soon-to-expire certificates, and weak RSA keys (< 2048 bits) via cert-chain analysis.
Security Headers (EASM-HTTP-001..005)
Reports missing HSTS, CSP, X-Content-Type-Options and X-Frame-Options headers plus server-version disclosure.
Cloud Storage & Threat Intel (EASM-CLOUD-001, EASM-TI-001..006)
Enumerates public S3/Azure Blob/GCS buckets, and matches owned assets against botnet C2, malware IOC, malware-URL, malicious-netblock and Tor-exit feeds.
Risk Scoring & Auto-Escalation
4-component 0-100 score (severity 40% / criticality 35% / exploitability 15% / temporal 10%) with 5 auto-escalation rules for KEV, default creds, takeover, public buckets and critical-CVE+exploit.
Attack Surface Management — controls diagram

06Technology Stack

Language
Python 3.10+ (pure Python, ASCII-safe for cross-platform)
Required deps
requests >= 2.31.0, dnspython >= 2.4.0
API/Dashboard
FastAPI >= 0.104.0 + Uvicorn >= 0.24.0 (optional, --serve mode)
Optional Go tools
ProjectDiscovery subfinder, httpx, dnsx, naabu, asnmap, tlsx, nuclei, gowitness
Optional cred-test libs
paramiko, mysql-connector-python, psycopg2-binary, pymongo
Storage
SQLite (asset store, scan history, trend metrics)
Testing
pytest — 93 deterministic, network-free tests
CI
GitHub Actions matrix on Python 3.10-3.13 (byte-compile + pytest + --help smoke test)

07Quick Start

$ pip install -r requirements.txt
$ python easm_scanner.py -d example.com --org "ACME Corp" -v
$ python easm_scanner.py -d example.com --html report.html --json scan.json
$ python easm_scanner.py -d example.com --threat-intel --sigma-out ./sigma
$ python easm_scanner.py -d example.com --org "ACME Corp" --discover-related --intel-expand
$ python easm_scanner.py -d example.com --serve --port 8888

08Compliance & Frameworks

MITRE ATT&CK
Every finding is mapped to attacker technique(s) (T1190, T1133, T1021.x, T1078/T1110, T1530, T1590.002, T1584.001, T1071/T1090); scan summary reports technique/tactic coverage.
Sigma
Generates deploy-ready Sigma detection rules (one YAML per exploitable finding) via a built-in emitter with deterministic IDs.
STIX 2.1
Exports assets/findings/IOCs/CVEs/ATT&CK as a STIX bundle with relationships for TIP/SIEM/SOAR (MISP, OpenCTI, Sentinel).
CISA KEV
Cross-references detected CVEs against the CISA Known Exploited Vulnerabilities catalog to drive risk auto-escalation.
EPSS
Enriches CVE findings with EPSS exploit-probability scores as an exploitability input to risk scoring.
CWE
Findings carry CWE identifiers for weakness classification in reports and exports.

09Integrations & Outputs

REST API — 13 FastAPI endpoints + Swagger/OpenAPI docsAlerting — Email (SMTP/TLS), Slack (Block Kit), Microsoft Teams (MessageCard), generic webhook, consoleSIEM export — Splunk HEC (batched), Elasticsearch (bulk API), Syslog CEF (UDP/TCP), CSV, JSON LinesSTIX 2.1 bundle export for TIP/SIEM/SOAR (MISP, OpenCTI, Sentinel)Jira Cloud/Server ticketing with JQL deduplication and severity-to-priority mappingThreat-intel feeds — abuse.ch Feodo/ThreatFox/URLhaus, FireHOL level1, Spamhaus DROP, Tor exit nodesDiscovery sources — crt.sh CT logs, BGPView/RIPE ASN data, ip-api.com GeoIP, ViewDNS/Shodan/Mnemonic intel pivotsSQLite-backed scan scheduler with new/resolved/unchanged diff detection and trend history

Explore Attack Surface Management

Full source, documentation, and deployment guides live on GitHub.