ZeroTrace OSINT
Tutorial — Map an org's external attack surface
From a target apex domain to a sourced inventory of every public-facing subdomain, service, and certificate.
External-attack-surface mapping is the cornerstone of authorised reconnaissance work. You start with one apex domain. You finish with a sourced inventory of every public-facing subdomain, every service running on each, every certificate covering them, and every infrastructure relationship between them.
This walkthrough is the standard pattern for a pentest's reconnaissance phase, an internal red-team's "what does the world see" exercise, or a vendor due-diligence check.
What you need
- The toolkit installed and licensed.
- A target you have written authorisation to test. (For practice, use your own employer's apex domain — most security teams welcome internal recon practice on their own infrastructure, but check first.)
- 45 minutes.
Some steps in this walkthrough generate real traffic against the target (subdomain DNS resolution, live HTTP probes, TLS handshakes). Many passive steps do not (certificate transparency, public scan databases). Stay on the passive steps unless you have explicit authorisation for the active ones.
Step 1 — Open a profile (1 minute)
Create a profile named after the target (acme-corp-attack-surface-2026-Q2).
Notes: External-attack-surface inventory of <apex>. Audience: internal security team / pentest engagement.
Step 2 — WHOIS for context (3 minutes)
Ctrl+K, WHOIS Lookup, paste the apex. Capture:
- Registrar.
- Registration / expiry dates.
- Nameserver hostnames.
Pin. Pivot from each nameserver to DNS Lookup to capture the IPs the nameservers themselves run on.
Step 3 — DNS records on the apex (3 minutes)
DNS Lookup on the apex with all-records mode. Capture:
- A / AAAA → primary IPs.
- MX → mail infrastructure (often a third-party provider — Google Workspace, Microsoft 365, Mailgun, etc.).
- TXT → SPF, DMARC, DKIM, ownership-verification tokens (which often reveal third-party services in use).
- CAA → which CAs are authorised to issue certs.
Pin every record.
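The TXT records are where third-party dependencies hide, so it is worth parsing them rather than eyeballing them. The following is an added example, not the toolkit's own code: it parses constructed SPF, DMARC and ownership-verification TXT values for a hypothetical apex, lists the services they imply, and notes weak mail-authentication settings. The verification-prefix table is a deliberately partial, illustrative assumption.

```python
"""Parse the TXT records an apex publishes (step 3) and list the third-party
services they reveal. Added example, not the toolkit's code; the records
below are constructed for a hypothetical apex."""

# Constructed sample TXT answers for the apex and its _dmarc label.
SAMPLE_TXT = {
    "example.test": [
        "v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.0/24 -all",
        "google-site-verification=constructed-token-1",
        "MS=ms00000000",
    ],
    "_dmarc.example.test": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test; pct=100",
    ],
}

# Illustrative, deliberately partial table of ownership-verification prefixes
# and the service each one implies (an assumption for this example).
VERIFICATION_PREFIXES = {
    "google-site-verification=": "Google (Workspace / Search Console)",
    "MS=": "Microsoft 365",
}

def parse_spf(record):
    """Return the include / ip4 / ip6 terms, redirect and the 'all' qualifier
    of an SPF record, or {} when the string is not SPF."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {}
    out = {"include": [], "ip4": [], "ip6": [], "redirect": None, "all": None}
    for tok in tokens[1:]:
        qualifier = "+"                      # implicit pass
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        low = tok.lower()
        if low == "all":
            out["all"] = qualifier
        elif low.startswith("redirect="):
            out["redirect"] = tok.partition("=")[2]
        elif ":" in tok:
            mech, _, arg = tok.partition(":")
            if mech.lower() in ("include", "ip4", "ip6"):
                out[mech.lower()].append(arg)
    return out

def parse_dmarc(record):
    """Return DMARC tag=value pairs as a dict, or {} when not a DMARC record."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    return tags

def summarise_txt(txt_by_name):
    """Walk every TXT record, pick out SPF and DMARC, and collect the
    third-party services implied by SPF includes and verification tokens."""
    summary = {"spf": {}, "dmarc": {}, "services": set()}
    for records in txt_by_name.values():
        for rec in records:
            spf = parse_spf(rec)
            if spf:
                summary["spf"] = spf
                summary["services"].update(spf["include"])
                continue
            dmarc = parse_dmarc(rec)
            if dmarc:
                summary["dmarc"] = dmarc
                continue
            for prefix, service in VERIFICATION_PREFIXES.items():
                if rec.startswith(prefix):
                    summary["services"].add(service)
    return summary

def posture_notes(summary):
    """Mail-authentication observations worth pinning alongside the records."""
    notes = []
    spf, dmarc = summary["spf"], summary["dmarc"]
    if not spf:
        notes.append("no SPF record")
    elif spf["all"] != "-":
        detail = f" (uses {spf['all']}all)" if spf["all"] else " (no all term)"
        notes.append("SPF lacks a hard-fail -all" + detail)
    if not dmarc:
        notes.append("no DMARC record")
    elif dmarc.get("p", "none") == "none":
        notes.append("DMARC policy is p=none (monitor only)")
    return notes

if __name__ == "__main__":
    s = summarise_txt(SAMPLE_TXT)
    print("SPF:", s["spf"])
    print("DMARC:", s["dmarc"])
    print("Third-party services:", sorted(s["services"]))
    print("Notes:", posture_notes(s) or "none")
```

The SPF includes double as a provider list (each include is a domain you can pivot on), and the posture notes give you the one-line observations that belong next to the pinned records.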
Step 4 — Certificate-transparency subdomain discovery (5 minutes)
Subdomain Discovery in CT mode against the apex. Result is every name that has ever appeared on a public certificate covering the apex or its subdomains.
Capture:
- The full deduplicated subdomain list.
- "First seen" dates — names with recent first-seen dates are new infrastructure worth attention.
- Group-by-issuer view — does the org use one CA or many?
For a typical mid-sized org, CT discovery returns dozens to hundreds of subdomains. Pin the list to the profile (one finding per discovered subdomain, or a single aggregate finding — your choice).
Step 5 — Wordlist subdomain enumeration (5 minutes)
To catch subdomains that do not have certificates (internal-only, dev / staging that uses self-signed), run Subdomain Discovery in wordlist mode. Use the toolkit's bundled common wordlist as a baseline, plus the subdomain wordlist generator for target-specific candidates.
Wildcard-DNS detection runs first — the tool warns you if the apex resolves everything (in which case wordlist enumeration is uninformative).
Pin the resolved subdomains. Merge with the CT list to get the unified subdomain inventory.
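The wildcard check and the merge are the two pieces of logic that decide whether the wordlist pass is meaningful, so here is what they look like in code. This is an added example, not the toolkit's implementation: it resolves a few random labels to detect a wildcard, then merges constructed CT names, wordlist hits and (generalising to step 8) certificate sibling hostnames into one normalised inventory, dropping wordlist hits that only return the wildcard answer. The resolver is a stand-in that answers from an in-memory zone so the example runs offline; all hostnames and addresses are constructed.

```python
"""Wildcard-DNS check and subdomain-inventory merge. Added example, not the
toolkit's own code; every hostname and address below is constructed."""
import secrets

APEX = "example.test"  # constructed apex

# Constructed zone: names that "exist", plus a wildcard answer for anything
# else under the apex (simulating a *.example.test record).
ZONE = {
    "www.example.test": {"198.51.100.1"},
    "vpn.example.test": {"198.51.100.7"},
}
WILDCARD_IP = "203.0.113.9"

def fake_resolve(name):
    """Stand-in for a DNS lookup so the example runs offline."""
    if name in ZONE:
        return set(ZONE[name])
    if name.endswith("." + APEX):
        return {WILDCARD_IP}
    return set()

def detect_wildcard(apex, resolve, probes=3):
    """Resolve a few random labels that cannot plausibly exist. If every one
    answers, the zone has a wildcard; return the union of the addresses it
    hands out (an empty set means no wildcard)."""
    seen = set()
    for _ in range(probes):
        ips = resolve(f"{secrets.token_hex(8)}.{apex}")
        if not ips:
            return frozenset()
        seen |= ips
    return frozenset(seen)

def normalise(name, apex):
    """Lower-case, strip the trailing dot and any '*.' prefix, and reject
    names outside the apex (CT results often include other zones)."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n if n == apex or n.endswith("." + apex) else None

def merge_inventory(apex, sources, wildcard_ips=frozenset()):
    """sources: {source_label: {name: set_of_ips}}; CT and SAN sources carry
    an empty set because they give names, not addresses. Returns
    {name: {"sources": set, "ips": set}}."""
    inventory = {}
    for label, names in sources.items():
        for raw, ips in names.items():
            n = normalise(raw, apex)
            if n is None:
                continue
            if ips and set(ips) <= wildcard_ips:
                continue  # only the wildcard answered: uninformative hit
            entry = inventory.setdefault(n, {"sources": set(), "ips": set()})
            entry["sources"].add(label)
            entry["ips"].update(ips)
    return inventory

# Constructed discovery results from the CT pass, the wordlist pass and the
# TLS Inspector sibling-hostname view.
SOURCES = {
    "ct": {"www.example.test": set(), "WWW.example.test.": set(),
           "*.dev.example.test": set(), "mail.example.test": set(),
           "cdn.other.test": set()},
    "wordlist": {"vpn.example.test": {"198.51.100.7"},
                 "staging.example.test": {"203.0.113.9"},
                 "www.example.test": {"198.51.100.1"}},
    "tls-san": {"api.example.test": set()},
}

def build_inventory():
    """Run the wildcard check, then merge every source against it."""
    wildcard = detect_wildcard(APEX, fake_resolve)
    return wildcard, merge_inventory(APEX, SOURCES, wildcard)

if __name__ == "__main__":
    wildcard, inv = build_inventory()
    print("wildcard IPs:", sorted(wildcard) or "none")
    for name in sorted(inv):
        srcs = ",".join(sorted(inv[name]["sources"]))
        ips = ",".join(sorted(inv[name]["ips"])) or "-"
        print(f"{name:28} {srcs:14} {ips}")
```

Keeping the source label per name matters later: a name seen only in CT but never resolving is old infrastructure, while a name that resolves but never appeared on a certificate is the self-signed dev/staging case step 5 exists to catch.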
Step 6 — Live-probe pass on the merged inventory (10 minutes)
Bulk-paste the merged subdomain list into DNS Lookup with the live-probe option. For each host, capture:
- Status code (200 / 301 / 302 / 401 / 403 / 404 / 500).
- Page title (when 200).
- Tech-stack hint per page.
Sort by status. The 200s are the live web properties. The 401 / 403s are authentication-protected (often admin panels). The 404s are dead.
Pin the alive cohort.
Step 7 — Per-host site analysis (10 minutes)
For each interesting alive subdomain (the 200s and the 401s), open Site Analysis. Capture:
- Tech stack with confidence.
- Security headers (or lack thereof).
- Cookies.
- External hosts referenced.
- Auto-composed favicon hash.
For a mid-sized org with 30-50 alive subdomains, this is a 10-minute pass. The result is a per-host fingerprint that tells you which subdomains are running which software.
Pin everything.
Step 8 — TLS posture (5 minutes)
For each HTTPS subdomain, run TLS Inspector. Capture:
- TLS version + cipher.
- Cert chain (subject, issuer, validity, SANs).
- Security grade (A+ to F).
- Sibling hostnames from CT for the leaf cert.
The sibling-hostname feature occasionally surfaces additional subdomains the previous discovery steps missed (covered by the same cert as known subdomains).
Step 9 — Exposed-services per host (3 minutes)
For each subdomain's IP, run Exposed Services. It surfaces what public scan databases have observed:
- Open non-web ports.
- Service versions.
- Known CVEs.
The subdomains that expose admin services (SSH, RDP, database ports) are the highest-priority finds for a pentest engagement.
Step 10 — Synthesise (3 minutes)
Open the profile's notes. Write:
- Surface size summary. "X subdomains discovered, of which Y resolve, of which Z respond on HTTP."
- High-value findings. Subdomains exposing admin services, subdomains with security grade F, subdomains with known CVEs in their tech stack.
- Architecture observations. Single CA vs. multiple, tech-stack patterns (multiple CMSes? mostly one? old + new mix?), MX provider, hosting providers detected.
- Next-step recommendations. Active scanning targets (with Nmap builder), web-app testing targets (with Gobuster builder).
Tag the high-value findings high or critical.
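The synthesis is mechanical once the per-host results from steps 6 to 9 are in one table, so the following added example (not the toolkit's code) computes it from a constructed set of per-host records: the status cohorts from step 6, the "X discovered / Y resolve / Z respond on HTTP" summary, and the high-value findings with a severity tag. The severity scheme (critical when an admin service and a known CVE coincide, otherwise high) and the admin-port table are assumptions for this example; the CVE id is a labelled placeholder.

```python
"""Surface-size summary and high-value triage over per-host results
(steps 6-10). Added example; hosts, ports and the CVE id are constructed."""
from collections import Counter

# Assumed mapping of admin / database ports to service names (illustrative).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
               5432: "postgresql", 6379: "redis", 27017: "mongodb"}

# Constructed per-host records as steps 6-9 would leave them in the profile.
HOSTS = [
    {"name": "www.example.test", "resolves": True, "http_status": 200,
     "tls_grade": "A", "ports": [443], "cves": []},
    {"name": "admin.example.test", "resolves": True, "http_status": 401,
     "tls_grade": "B", "ports": [443, 22], "cves": []},
    {"name": "legacy.example.test", "resolves": True, "http_status": 200,
     "tls_grade": "F", "ports": [80, 443, 3389], "cves": ["CVE-0000-PLACEHOLDER"]},
    {"name": "old.example.test", "resolves": True, "http_status": None,
     "tls_grade": None, "ports": [], "cves": []},
    {"name": "gone.example.test", "resolves": False, "http_status": None,
     "tls_grade": None, "ports": [], "cves": []},
]

def classify_status(status):
    """Bucket a probe result the way step 6 sorts them."""
    if status is None:
        return "no-http"
    if status == 200:
        return "live"
    if status in (301, 302):
        return "redirect"
    if status in (401, 403):
        return "auth-protected"
    if status == 404:
        return "dead"
    if status >= 500:
        return "error"
    return "other"

def status_cohorts(hosts):
    return Counter(classify_status(h["http_status"]) for h in hosts)

def surface_summary(hosts):
    """(discovered, resolving, responding on HTTP) for the summary line."""
    discovered = len(hosts)
    resolving = sum(1 for h in hosts if h["resolves"])
    on_http = sum(1 for h in hosts if h["http_status"] is not None)
    return discovered, resolving, on_http

def summary_line(hosts):
    d, r, h = surface_summary(hosts)
    return f"{d} subdomains discovered, of which {r} resolve, of which {h} respond on HTTP."

def triage(host):
    """Return (severity, reasons); severity is None when nothing stands out."""
    reasons = []
    admin = [ADMIN_PORTS[p] for p in host["ports"] if p in ADMIN_PORTS]
    if admin:
        reasons.append("admin service exposed: " + ", ".join(admin))
    if host["tls_grade"] == "F":
        reasons.append("TLS grade F")
    if host["cves"]:
        reasons.append("known CVEs in tech stack: " + ", ".join(host["cves"]))
    if not reasons:
        return None, reasons
    # Assumed scheme: admin service plus a known CVE escalates to critical.
    severity = "critical" if admin and host["cves"] else "high"
    return severity, reasons

def high_value_findings(hosts):
    """Hosts worth tagging, critical first, then alphabetical."""
    rank = {"critical": 0, "high": 1}
    found = []
    for h in hosts:
        severity, reasons = triage(h)
        if severity:
            found.append((h["name"], severity, reasons))
    return sorted(found, key=lambda f: (rank[f[1]], f[0]))

if __name__ == "__main__":
    print(summary_line(HOSTS))
    print("Cohorts:", dict(status_cohorts(HOSTS)))
    for name, severity, reasons in high_value_findings(HOSTS):
        print(f"[{severity}] {name}: " + "; ".join(reasons))
```

The output is the first two bullets of the synthesis note verbatim, which is the point: if the per-host data is pinned consistently, the high-value list is a query, not a judgement call, and it stays reproducible when the profile is re-run for the continuous-monitoring variation.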
Step 11 — Export (1 minute)
PDF export with the full subdomain inventory in the appendix and the synthesis on the cover.
Done.
What you learned
External-attack-surface mapping is one apex, two discovery passes (CT + wordlist), one live-probe pass, two per-host enrichment passes (site + TLS), one exposed-services pass, one synthesis. The output for a mid-sized org is a deliverable that costs about 45 minutes of investigator time.
Variations
For different engagement types:
- Pentest reconnaissance — add Gobuster directory brute-force builder outputs against the high-value subdomains. Add Nmap builder outputs for active port scanning.
- Vendor due-diligence — emphasise security headers, TLS grades, CVE counts. The PDF deliverable is the "third-party risk" report.
- Continuous monitoring — save the profile's tool runs as saved searches. Re-run weekly. Diff the new findings against the prior export.
- Internal red-team external view — same pattern, internal target.
The pattern is the same; the emphasis shifts.