How SurfaceMapper Works
External-only scanning designed to be safe and non-disruptive.
Scope and Safety
- external-only scanning
- no credentials required for baseline scan
- safe and non-disruptive by default
- default credential testing available with explicit written authorisation
Turnaround
Typical turnaround is 24–48 hours from confirmed scope.
Delivery includes an executive summary and technical remediation detail.
What Happens During a Scan
1. Subdomain Discovery
Passive and active DNS enumeration identifies subdomains within the agreed scope. Hosts delegated to third-party services (Microsoft 365, Google Workspace) are filtered out automatically, so no findings are raised against infrastructure you don't control.
2. Port & Service Scanning
All resolved IP addresses are scanned for open ports and running services. Risky exposures — databases, RDP, management APIs — are flagged by severity. Service version data is retained for CVE correlation.
3. Web Probing
Every discovered endpoint is probed for admin interfaces, exposed login panels, TLS weaknesses, expiring certificates, and sensitive files. Screenshots are captured for high-risk interfaces.
4. Email Security
SPF, DMARC, and DKIM records are evaluated for the root domain. Absent or permissive configurations that allow email spoofing and BEC attacks (no SPF record, a permissive "all" qualifier, too many DNS lookups, no DMARC record or a p=none policy) are surfaced as findings. DKIM keys are published per selector, so they can only be checked for selectors that are identifiable from outside.
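The SPF and DMARC evaluation described in step 4, written out as an added example; this is not SurfaceMapper's code. The TXT records are constructed inline rather than fetched over DNS so the script runs offline (in a real scan they come from TXT lookups of the domain and of _dmarc.<domain>). The 10-lookup limit is the real one from RFC 7208; the severity labels and the choice of which tags to flag are assumptions. DKIM is left out because its keys are published per selector and cannot be enumerated without knowing selector names.

```python
"""Evaluate SPF and DMARC TXT records for spoofing-permissive configuration.

Added example, not SurfaceMapper's code. Records are constructed here
instead of being fetched over DNS so the script runs offline; in a real
scan they would come from TXT lookups of the domain and of _dmarc.<domain>.
"""
import re

# RFC 7208: each of these terms costs a DNS lookup; more than 10 is a permerror.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def evaluate_spf(txt_records):
    """Return (severity, message) findings for a domain's SPF TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("High", "No SPF record: any host may send mail as this domain")]
    if len(spf) > 1:
        return [("High", f"{len(spf)} SPF records published; receivers treat this as permerror (SPF effectively off)")]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:
        # Strip the qualifier and cut at ':', '=' or '/' to get the bare mechanism name.
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is '+'
    if lookups > 10:
        findings.append(("High", f"{lookups} DNS-lookup terms (limit 10): permerror, SPF effectively off"))
    if all_qualifier is None:
        findings.append(("Medium", "No 'all' mechanism: unlisted senders get a neutral result"))
    elif all_qualifier in "+?":
        findings.append(("High", f"'{all_qualifier}all' permits any sender: SPF gives no protection"))
    elif all_qualifier == "~":
        findings.append(("Low", "'~all' softfail: relies on DMARC to reject spoofed mail"))
    return findings


def evaluate_dmarc(txt_records):
    """Return (severity, message) findings for the TXT record(s) at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("High", "No DMARC record: SPF/DKIM failures are not enforced")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(("High", "Missing or invalid 'p' tag: record is ignored by receivers"))
    elif policy == "none":
        findings.append(("High", "p=none: spoofed mail is delivered, only reported"))
    elif policy == "quarantine":
        findings.append(("Low", "p=quarantine: spoofed mail lands in spam instead of being rejected"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("Medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append(("Medium", "sp=none: subdomains can still be spoofed despite the root policy"))
    if "rua" not in tags:
        findings.append(("Info", "No rua tag: no aggregate reports, so spoofing attempts go unseen"))
    return findings


# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_SPF = [
    "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
    "google-site-verification=abc123",
]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for severity, message in evaluate_spf(SAMPLE_SPF) + evaluate_dmarc(SAMPLE_DMARC):
        print(f"[{severity}] {message}")
```

The sample pair is the common "monitoring only" state: SPF softfails and DMARC is p=none, so a spoofed message passes neither check yet is still delivered. Both functions return structured findings rather than printing so they can be fed straight into a report.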
5. Vulnerability & Reputation Checks
Service fingerprints are correlated against the NVD CVE database. Discovered IPs are checked against Spamhaus RBL and AbuseIPDB for evidence of compromise, botnet activity, or sustained abuse.
6. Default Credential Testing
With explicit client authorisation, discovered services are tested against known default credentials. Successful logins are captured with screenshot evidence — Grafana, Tomcat, phpMyAdmin, FTP, SSH and more. A confirmed login is the clearest possible demonstration of risk.
7. Web Vulnerability Scan
Hundreds of checks are run against every live web endpoint — known CVEs, exposed configuration panels, dangerous misconfigurations, and insecure defaults. Findings are severity-scored and mapped to affected URLs with remediation guidance.
8. TLS Deep Analysis
Each TLS endpoint is subjected to a comprehensive protocol and cipher audit — deprecated versions (SSLv2/3, TLS 1.0/1.1), known exploitable vulnerabilities (BEAST, POODLE, Heartbleed, ROBOT, SWEET32), weak ciphers, and export-grade suites.
9. JavaScript & Public Code Secrets
JavaScript files loaded by discovered web endpoints are scanned for hardcoded credentials, API keys, and tokens. Public source code repositories are searched for leaked secrets related to the target domain — verified active credentials are reported as Critical findings.
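The JavaScript secret scan described in step 9, as an added example that is not SurfaceMapper's code. It combines fixed-format token patterns (AWS access key IDs, GitHub and Slack tokens, Google API keys, private key headers) with a generic "secret-looking assignment" pattern that is gated by a Shannon-entropy threshold so that placeholders such as "changeme" or "${API_KEY}" are not reported. The sample bundle fragment and every key value in it are constructed and fake; the entropy threshold of 3.0 bits per character and the pattern list are assumptions, and a real scan would fetch each script discovered during web probing and run scan_js over it.

```python
"""Scan JavaScript source for hardcoded credentials, keys and tokens.

Added example, not SurfaceMapper's code. The sample JS is constructed
inline (all key values are fake) so the script runs offline.
"""
import math
import re

# Fixed-format tokens: a known prefix plus length makes these high-confidence.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic: an identifier that looks like a secret assigned a string literal.
GENERIC = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd|auth)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Literal prefixes that mean "not a value", e.g. template or environment references.
PLACEHOLDER_PREFIXES = ("${", "{{", "process.env", "<")


def shannon_entropy(s):
    """Bits per character. Random keys score around 4+; words and placeholders score lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_js(source, min_entropy=3.0):
    """Return a list of {line, kind, match} findings for one JavaScript file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        line_hits = []
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                line_hits.append({"line": lineno, "kind": kind, "match": m.group(0)})
        already = {hit["match"] for hit in line_hits}
        for m in GENERIC.finditer(line):
            value = m.group(2)
            # Skip values already reported by a specific pattern, template/env
            # placeholders, and low-entropy strings such as "changeme".
            if value in already or value.startswith(PLACEHOLDER_PREFIXES):
                continue
            if shannon_entropy(value) < min_entropy:
                continue
            line_hits.append({"line": lineno, "kind": "generic_" + m.group(1).lower(), "match": value})
        findings.extend(line_hits)
    return findings


# Constructed bundle fragment; every value below is fake.
SAMPLE_JS = """// constructed bundle fragment, all values fake
const config = {
  apiKey: "AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q",
  endpoint: "https://api.example.com/v1",
  password: "changeme",
};
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const secret = "s3cr3t-9Xq2LpWv7bT";
const authToken = process.env.AUTH_TOKEN;
fetch(config.endpoint, { headers: { Authorization: "Bearer " + token } });
"""

if __name__ == "__main__":
    for hit in scan_js(SAMPLE_JS):
        print(f"line {hit['line']}: {hit['kind']}: {hit['match']}")
```

Only three lines of the sample survive: the Google-format key, the AWS key ID, and the high-entropy generic secret. The "changeme" password, the process.env reference and the "Bearer " prefix are all dropped by the filters, which is the difference between a usable finding list and one that buries the real leak in noise. A hit from a fixed-format pattern is still only a candidate; as the page notes, verifying that the credential is active is what justifies a Critical rating.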
10. Reporting
All data is compiled into a risk-scored PDF report with an executive summary, full asset inventory, prioritised findings with evidence, remediation guidance, and optional drift tracking against a prior scan.