
Attack Surface Management
Find What You Forgot Was Exposed

Every client has hosts, subdomains, cloud buckets, and SaaS endpoints they registered years ago and forgot about. SBCMSP continuously discovers every internet-facing asset under a client's domain via certificate transparency, DNS, RDAP, and cloud-provider fingerprinting. It then flags shadow IT, takeover-vulnerable DNS records, exposed dev/staging environments, public cloud storage, and risky open ports, and rolls the findings into your compliance reports and PSA tickets.

Attack Surface Discovery: client-domain.com
42 assets (subdomains + exposed services discovered)
Subdomains via CT logs: 38 FOUND
Shadow IT / SaaS: 3 DETECTED
Subdomain Takeover Risk: 1 CANDIDATE
Public Cloud Storage: NONE EXPOSED
Open Risky Ports: 2 (3389, 5985)

Your Client Owns More of the Internet Than They Realize

Every client has a backlog of stuff online they don't remember registering: a forgotten dev subdomain, a marketing landing page from an old campaign, an S3 bucket someone stood up for a one-off project, a CNAME pointing to a SaaS account that was cancelled years ago, a Wi-Fi captive portal exposed to the internet because it was never put behind a firewall.

Attackers don't break into the perimeter your client knows about. They find the perimeter your client forgot — and turn that forgotten asset into a foothold. Subdomain takeover, exposed staging credentials, S3 buckets indexed by Google — every breach narrative starts with "we didn't know that was still live."

SBCMSP's Attack Surface Management runs continuously against each verified client domain: certificate transparency log monitoring, DNS enumeration, RDAP lookups, cloud-provider fingerprinting (35+ patterns), port scanning, and CNAME chain analysis — so the assets that exist enter your dashboard before they enter an attacker's reconnaissance.

01 Discover
Find every subdomain, exposed service, cloud asset, and SaaS endpoint tied to the client's primary domain — including the ones they forgot they own.
02 Classify
Each discovered asset is fingerprinted (tech stack, cloud provider, SaaS vendor) and risk-rated: takeover candidate, shadow IT, dev/staging exposure, expiring domain.
03 Monitor
Weekly re-scans plus immediate alerts on new subdomains appearing in CT logs — so the next time an attacker enumerates the client's surface, you're already there.

Nine Discovery Surfaces, One Continuous Sweep

SBCMSP enumerates the asset classes that turn into incidents — the ones a client's IT team didn't know existed until they were notified by an attacker.

CT: Subdomain Discovery (Certificate transparency logs)
PORT: Port Exposure (25 risky-port checks per host)
CNAME: Takeover Candidates (35+ SaaS fingerprints)
SaaS: Shadow IT Detection (30+ cloud-provider patterns)
CLD: Public Cloud Storage (S3, Azure Blob, GCS exposure)
3RD: Third-Party Resources (External JS/CDN inventory)
RDAP: Domain Expiry (WHOIS / RDAP monitoring)
STACK: Tech Fingerprinting (30+ stack signatures)
DEV: Dev/Staging Exposure (Non-prod env detection)

Discovery → Classification → Monitoring

Add the client's primary domain. SBCMSP enumerates every connected asset and watches for new ones — no agents, no client-side install.

1. Subdomain Enumeration
Queries crt.sh and other certificate transparency log providers for every certificate ever issued under the client's apex domain — surfaces hosts the client may not have inventoried.
2. Port + Service Scan
Each discovered host gets a focused port scan against the 25 ports most commonly exploited (RDP 3389, WinRM 5985/5986, SMB 445, NFS 2049, Docker 2375/2376, K8s 6443/10250, etc.).
3. Takeover Candidate Check
CNAMEs are followed and matched against 35+ "dangling-pointer" SaaS fingerprints. A CNAME pointing to an unclaimed service equals a free foothold for an attacker — flagged Critical.
4. Cloud & SaaS Fingerprinting
Discovered hosts are classified against 30+ patterns for AWS, Azure, GCP, Cloudflare, and 20+ SaaS vendors — exposing shadow IT and unsanctioned cloud usage your client never told you about.
5. Public Storage Detection
S3 buckets, Azure Blob containers, and GCS buckets associated with the client are probed for public listing exposure — the cause of most cloud-storage breaches.
6. Continuous Re-Discovery
CT-log monitoring runs weekly per domain on Pro+, daily on Enterprise. New subdomain certificate issuances trigger immediate alerts so you see assets the moment they appear.
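
The takeover candidate check in step 3, sketched as an added example for auditing your own zone (this is not SBCMSP's code). The suffix list is a three-entry illustrative subset, the DNS data is constructed, and the function names are hypothetical; only NXDOMAIN at the end of the chain is modelled as the dangling signal.

```python
# Added example: offline triage of CNAME chains for takeover candidates.
# Illustrative subset of vendor suffixes, not the product's fingerprint set.
SAAS_SUFFIXES = {
    "herokuapp.com": "Heroku",
    "github.io": "GitHub Pages",
    "cloudapp.net": "Azure Cloud Services",
}

# Constructed zone data: name -> (record type, value).
# A name missing from the map stands for NXDOMAIN.
SAMPLE_DNS = {
    "www.client-domain.example": ("CNAME", "client-prod.herokuapp.com"),
    "client-prod.herokuapp.com": ("A", "192.0.2.10"),
    "promo.client-domain.example": ("CNAME", "lp.client-domain.example"),
    "lp.client-domain.example": ("CNAME", "old-campaign.cloudapp.net"),
    "loop.client-domain.example": ("CNAME", "loop.client-domain.example"),
    "vpn.client-domain.example": ("A", "192.0.2.20"),
}

def follow_cname(name, dns, max_hops=8):
    """Return (chain, resolves): hops visited, and whether they end in an address."""
    chain = [name.lower().rstrip(".")]
    while len(chain) <= max_hops:
        record = dns.get(chain[-1])
        if record is None:
            return chain, False      # terminal name does not exist
        rtype, value = record
        if rtype != "CNAME":
            return chain, True       # reached an address record
        target = value.lower().rstrip(".")
        if target in chain:
            return chain, False      # CNAME loop never resolves
        chain.append(target)
    return chain, False              # chain too long, treat as unresolved

def match_vendor(host):
    """Match on a label boundary so 'notgithub.io' is not taken for 'github.io'."""
    for suffix, vendor in SAAS_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def triage(name, dns=SAMPLE_DNS):
    chain, resolves = follow_cname(name, dns)
    vendor = match_vendor(chain[-1]) if len(chain) > 1 else None
    if vendor and not resolves:
        status = "takeover-candidate"   # dangling pointer into a vendor namespace
    else:
        status = "ok" if resolves else "broken-record"
    return {"host": name, "status": status, "vendor": vendor, "chain": chain}
```

Vendors that answer DNS for every name under their suffix never return NXDOMAIN, so a record pointing at them needs a vendor-specific check that this example does not model. The remediation for any candidate is to delete or repoint the CNAME.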

Common Questions About Attack Surface Management

How is this different from your external vulnerability scanning?
External Security Scanning (673 checks) tells you what's wrong with the assets you know about. Attack Surface Management tells you which assets exist in the first place. ASM discovers the subdomains, cloud buckets, and shadow-IT SaaS endpoints the client forgot they had — then the external scanner inspects each newly-discovered asset for misconfigurations. The two work together.
Do I need to install anything on the client's network?
No. ASM runs entirely from SBCMSP's infrastructure using public data sources: certificate transparency logs (crt.sh, Google CT), DNS resolution, RDAP queries, and public port scanning. No agent deployment, no firewall changes, no client-side install — and no inbound network access required.
What's a "subdomain takeover" and why does SBCMSP flag it Critical?
A subdomain takeover happens when a CNAME record points to a SaaS resource (Heroku app, GitHub Pages site, Azure cloud service, etc.) that's been deleted or has an unclaimed name. An attacker can re-register that name on the SaaS platform and instantly serve content from the client's subdomain — perfect for credential phishing, malware distribution, or SEO poisoning. SBCMSP matches CNAME chains against 35+ vendor patterns and flags candidates as Critical because exploitation typically takes minutes once spotted.
How often does discovery re-run?
CT-log polling and asset re-discovery run weekly on Pro and Business plans, daily on Enterprise. The portal also exposes an on-demand "Re-discover now" button for any verified domain.
Will ASM findings appear in compliance reports?
Yes. ASM findings are mapped into the relevant compliance framework controls — subdomain takeover candidates and exposed services align to CIS-12 (Network Infrastructure Management), CIS-13 (Network Monitoring), NIST CSF ID.AM (Asset Management), and the asset-inventory clauses of ISO 27001:2022 (A.5.9), HIPAA Security Rule (164.310(d)(1)), and CMMC AM.L1-3.4.1. They show up in white-label PDF reports under your MSP's branding.
Which plan includes Attack Surface Management?
ASM is available on Pro ($249/mo), Business ($599/mo), and Enterprise ($1,499/mo) plans. The Starter plan ($79/mo) includes external vulnerability scanning on declared domains but not autonomous subdomain discovery.

Find the Assets Your Client Forgot They Own

Add your first client domain. SBCMSP enumerates every connected asset and flags the risky ones. No agents, no installs — works the moment DNS verifies.
