SurfaceScan: Attack Surface Detection Tool
Design and development of a proprietary tool for automated attack surface discovery and vulnerability exposure assessment of an organization's internet-facing assets.
Category: Product Development
Year: 2024
Team size: 3 people
Timeline: 8 months (initial development)
Challenge
Organizations frequently don't know all their internet-exposed assets, creating blind spots that attackers exploit. Existing tools were expensive, complex or provided incomplete results. A solution was needed to automate continuous attack surface discovery and assessment.
Solution
Development of the SurfaceScan platform, which combines passive and active reconnaissance techniques to discover subdomains, ports, services, technologies and vulnerabilities. Integration with threat intelligence sources and prioritized risk scoring to facilitate effective remediation.
Product Genesis
The Problem
In my experience protecting organizations, I observed a recurring pattern: the gap between assets companies believe are exposed and what’s actually visible from the internet is significant.
Observed Statistics:
- 43% of breaches involve unknown assets
- Asset inventories outdated in 78% of cases
- Average time to discover newly exposed asset: 45 days
- Shadow IT represents 30-40% of real attack surface
The Opportunity
There was room for a tool that:
- Automated complete discovery
- Was accessible to medium-sized organizations
- Provided actionable results, not just data
- Operated continuously, not point-in-time
- Integrated multiple information sources
Technical Architecture
Technology Stack
┌─────────────────────────────────────────────────────────────┐
│                    Frontend (Dashboard)                     │
│              React │ TypeScript │ TailwindCSS               │
├─────────────────────────────────────────────────────────────┤
│                         API Gateway                         │
│                 Kong │ Rate Limiting │ Auth                 │
├─────────────────────────────────────────────────────────────┤
│                      Backend Services                       │
│  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐     │
│  │Discovery │  │ Scanner  │  │Analytics │  │ Reporter │     │
│  │  Engine  │  │  Engine  │  │  Engine  │  │  Engine  │     │
│  │   (Go)   │  │ (Python) │  │ (Python) │  │ (Python) │     │
│  └──────────┘  └──────────┘  └──────────┘  └──────────┘     │
├─────────────────────────────────────────────────────────────┤
│                    Message Queue (Redis)                    │
├─────────────────────────────────────────────────────────────┤
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐       │
│  │  PostgreSQL  │  │Elasticsearch │  │    Redis     │       │
│  │   (Assets)   │  │    (Logs)    │  │   (Cache)    │       │
│  └──────────────┘  └──────────────┘  └──────────────┘       │
└─────────────────────────────────────────────────────────────┘
Main Modules
1. Discovery Engine
Responsible for asset discovery:
Discovery Sources:
- Certificate Transparency logs
- Intelligent DNS bruteforce
- Historical Passive DNS
- Wayback Machine
- Search engine dorking
- GitHub/GitLab exposure
- Cloud storage enumeration
- ASN/IP range analysis
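Added example (not SurfaceScan's own code) of the Certificate Transparency source in this list: it takes CT search records, normalizes the certificate names (wildcards, mixed case, trailing dots, multi-SAN entries), keeps only hosts under the monitored root, and diffs them against the declared inventory to surface undocumented subdomains. The records, the root domain example.com and the inventory list are all constructed for the example.

```python
import json
from typing import Iterable

# Constructed sample in the shape of CT-log search results: name_value may carry
# several SANs separated by newlines, wildcards, mixed case and trailing dots.
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.staging.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "Admin.Example.com\nvpn.example.com."},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "api.example.com\napi.example.net"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.example.com"},
])

def normalize_name(name: str) -> str:
    """Lowercase, drop the trailing dot, and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(host: str, root: str) -> bool:
    """True for the root itself and any subdomain of it (look-alike TLDs excluded)."""
    return host == root or host.endswith("." + root)

def extract_hostnames(raw_json: str, root: str) -> set[str]:
    """Collect unique in-scope hostnames from CT records."""
    hosts: set[str] = set()
    for record in json.loads(raw_json):
        for entry in record.get("name_value", "").split("\n"):
            host = normalize_name(entry)
            if host and in_scope(host, root):
                hosts.add(host)
    return hosts

def diff_against_inventory(discovered: set[str], inventory: Iterable[str]) -> dict:
    """Split discovered hosts into documented / undocumented, and list inventory
    entries with no certificate history (stale entries or never-issued names)."""
    known = {normalize_name(h) for h in inventory}
    return {
        "undocumented": sorted(discovered - known),
        "documented": sorted(discovered & known),
        "missing_from_ct": sorted(known - discovered),
    }

if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CT_RECORDS, "example.com")
    report = diff_against_inventory(found, ["www.example.com", "example.com", "mail.example.com"])
    print(json.dumps(report, indent=2))
```

The "undocumented" list is the gap the page measures as "undocumented subdomains"; "missing_from_ct" flags inventory entries worth re-verifying.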
2. Scanner Engine
Vulnerability assessment covering:
| Category | Examples |
|---|---|
| Ports/Services | SSH, RDP, exposed databases |
| Technologies | CMS, frameworks, versions |
| Vulnerabilities | Known CVEs, public exploits |
| Configurations | Weak SSL, missing headers |
| Exposures | Admin panels, unauthenticated APIs |
| Leaks | Credentials, source code |
3. Analytics Engine
Risk prioritization factors:
- CVSS base score
- Exploit availability
- Internet exposure
- Asset criticality
- Potentially affected data
- Exposure duration
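Added example (not the Analytics Engine's actual model) of how these six factors can be combined into a single 0-100 priority score: an additive model where each factor contributes up to its weight, exposure duration saturates at 90 days, and findings are ranked and labelled by severity. The weights, thresholds, sample assets and placeholder vulnerability ids are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder ids in the sample, not real CVEs
    cvss: float             # CVSS base score, 0.0-10.0
    exploit_public: bool    # public exploit or PoC known
    internet_exposed: bool  # reachable from the internet
    asset_criticality: int  # 1 = low, 2 = medium, 3 = business critical
    data_sensitivity: int   # 0 = none, 1 = internal, 2 = regulated/PII
    first_seen: date        # first observation of the exposure

# Assumed weights for this example; they sum to 100.
WEIGHTS = {"cvss": 40, "exploit": 15, "exposure": 20,
           "criticality": 10, "data": 10, "duration": 5}

def risk_score(f: Finding, today: date) -> float:
    """Additive 0-100 score; each factor contributes at most its weight."""
    days_exposed = max((today - f.first_seen).days, 0)
    parts = [
        WEIGHTS["cvss"] * f.cvss / 10,
        WEIGHTS["exploit"] * int(f.exploit_public),
        WEIGHTS["exposure"] * int(f.internet_exposed),
        WEIGHTS["criticality"] * (f.asset_criticality - 1) / 2,
        WEIGHTS["data"] * f.data_sensitivity / 2,
        # duration saturates at 90 days so old findings do not grow unbounded
        WEIGHTS["duration"] * min(days_exposed, 90) / 90,
    ]
    return round(sum(parts), 1)

def severity(score: float) -> str:
    for threshold, label in ((80, "critical"), (60, "high"), (40, "medium")):
        if score >= threshold:
            return label
    return "low"

def prioritize(findings: list, today: date) -> list:
    # Rank highest score first; each row is (asset, vuln_id, score, severity)
    scored = [(f.asset, f.vuln_id, risk_score(f, today)) for f in findings]
    scored.sort(key=lambda row: row[2], reverse=True)
    return [(a, v, s, severity(s)) for a, v, s in scored]

# Constructed sample findings (assets and ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("vpn.example.com", "CVE-PLACEHOLDER-1", 9.8, True, True, 3, 2, date(2024, 1, 1)),
    Finding("dev-db.internal", "CVE-PLACEHOLDER-2", 9.8, True, False, 2, 2, date(2024, 3, 25)),
    Finding("www.example.com", "CVE-PLACEHOLDER-3", 6.5, False, True, 1, 0, date(2024, 1, 1)),
]
```

Note how the second finding shares the first one's CVSS and exploit availability but drops to "high" because it is not internet-reachable and was only seen a week ago; a CVSS-only ranking would put both at the top.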
Production Results
Effectiveness Metrics
Discovery:
- Assets discovered vs inventory: +340%
- Undocumented subdomains: 67% average
- Complete discovery time: 15 minutes
- False positives: < 3%
Vulnerabilities:
- CVEs detected in pilots: 12,000+
- Critical vulnerabilities: 234
- Average detection time: < 24 hours
- Prioritization accuracy: 89%
Real Use Cases
Case 1: Retail Company
- Expected assets: 45
- Discovered assets: 178
- Critical vulnerabilities: 12
- Key finding: Exposed admin panel with default credentials
Case 2: Financial Institution
- Expected assets: 234
- Discovered assets: 456
- Critical vulnerabilities: 34
- Key finding: Development database publicly accessible
Case 3: Healthcare Sector
- Expected assets: 67
- Discovered assets: 189
- Critical vulnerabilities: 8
- Key finding: Patient API without authentication
Development Lessons
Key Learnings
- Product > Technology: Solve the real problem, don’t showcase technical capabilities
- Early Feedback: Pilots with real customers from the start
- Simplicity: Actionable results, not overwhelming data
- Automation: Reduce friction for end user
SurfaceScan represents the convergence of offensive and defensive security experience, transforming field knowledge into a tool that helps organizations see what attackers see before it’s too late.
Results
- Automated discovery of 340% more assets than manual inventories
- 67% reduction in time to detect newly exposed assets
- 12,000+ vulnerabilities identified in pilot customers
- Average complete scan time: 15 minutes per organization
- Operational platform serving multiple clients