π« Plan Availability: This feature is available on Cloud, Pro, Enterprise, and Vanguard plans. If you're on a Cloud or Pro plan, you'll see a limited data view based on your plan's port limit, but you can upgrade for more visibility.
The Attack Surface tab makes it easy to see exactly what's going on with your perimeter. It includes active and unresponsive targets, changes since the last scan, expiring certificates, and those ports, services, and protocols you expect (but more importantly, don't expect) to be exposed to the internet.
What does it look like?
You can see a list of your targets with a filtering pane on the left to allow you to get the information you need.
For each target, you can also see a screenshot of what can be seen when a user navigates to that service on this target. This helps when trying to identify what is running on a specific port, e.g., by examining the login screen.
β
You can also make this screenshot bigger by clicking on the thumbnail image (highlighted above). You can then scroll through the screenshots using the arrow in the bottom right:
On the far right, you can also see the date when the service on each target was first observed, and also when it was last observed. Below each target, you can also see when the next Network scan will run.
β
How do I use it?
This page has a search bar and filters, allowing you to be as high-level or as granular as you like.
For targets behind a Web Application Firewall, you have the option to further filter the list by types of firewall and detection results:
You can also organise the results, using this dropdown:
β
Which ports are included in my Attack Surface?
The ports included in your Attack Surface depend on your Intruder plan:
Cloud - Top 10
Pro - Top 50
Enterprise - All
Port | Service | Cloud | Pro | Enterprise |
80 | HTTP | β | β | β |
443 | HTTPS | β | β | β |
21 | FTP | β | β | β |
22 | SSH | β | β | β |
25 | SMTP | β | β | β |
143 | IMAP | β | β | β |
465 | SMTPS | β | β | β |
587 | SMTP submission | β | β | β |
993 | IMAPS | β | β | β |
8080 | HTTP alt | β | β | β |
26 | SMTP alt | β | β | β |
53 | DNS | β | β | β |
110 | POP3 | β | β | β |
111 | RPC | β | β | β |
123 | NTP | β | β | β |
161 | SNMP | β | β | β |
445 | SMB | β | β | β |
500 | IKE / IPsec | β | β | β |
995 | POP3S | β | β | β |
1221 | Custom / TCP | β | β | β |
2000 | Cisco SCCP | β | β | β |
2052 | Cloudflare proxied | β | β | β |
2053 | Cloudflare proxied | β | β | β |
2077 | Cloudflare proxied | β | β | β |
2078 | Cloudflare proxied | β | β | β |
2079 | Cloudflare proxied | β | β | β |
2080 | Cloudflare proxied | β | β | β |
2082 | Cloudflare proxied | β | β | β |
2083 | Cloudflare proxied | β | β | β |
2086 | Cloudflare proxied | β | β | β |
2087 | Cloudflare proxied | β | β | β |
2095 | Cloudflare proxied | β | β | β |
2096 | Cloudflare proxied | β | β | β |
2222 | SSH alt | β | β | β |
3000 | Dev / Node | β | β | β |
3306 | MySQL | β | β | β |
3389 | RDP | β | β | β |
4022 | SQL Server debug | β | β | β |
4024 | SQL Server debug | β | β | β |
4500 | IPsec NAT-T | β | β | β |
5060 | SIP | β | β | β |
5432 | PostgreSQL | β | β | β |
7080 | HTTP alt | β | β | β |
8000 | HTTP alt | β | β | β |
8008 | HTTP alt | β | β | β |
8081 | HTTP alt | β | β | β |
8172 | IIS management | β | β | β |
8443 | HTTPS alt | β | β | β |
8880 | HTTP alt | β | β | β |
9100 | Printer / JetDirect | β | β | β |
All 65,535 ports |
| β | β | β |
Can I view details on my TLS/SSL Certificate Expiry on this page?
You certainly can! You can find details on the TLS/SSL Certificate expiry date for the relevant ports on each of your targets seen underneath the relevant ports, as seen in the screenshot below:
You are also able to filter the list to view targets with either expired or shortly expiring certificates by using the options in the filter pane:
You will also be notified of this within the network scan emails, if configured. You can read more about network scanning here, and also, further information on configuring email notifications can be found here.
Can I export the results on this page?
Absolutely, click the Export all button:
Can I set up custom alerts for my attack surface?
βΉοΈ Note: Attack Surface alerts are available on Enterprise plans. If you're on a Cloud or Pro plan, you'll see this feature presented as an upgrade option.
You sure can! Once an alert is set up, we'll send you an email each time the alert is triggered. To set it up: click the yellow Alerts button in the top right > complete the form, and select Save alert:
β
π‘ Tip: You can also configure an alert to notify you whenever any of your targets come online (for example, when any ports become open). This helps you catch unexpected exposure as soon as it appears.
How do I delete my alerts?
Click Alerts > Manage alerts:
β
Click the bin icon:
How do I edit my alert?
Click Alerts > Manage alerts:
β
Click the one you want to edit:
Make the changes and click Update alert:
β
How do I manage the email alerts?
Head to Settings > Email notifications > scroll down to Attack surface alert notifications and toggle on or off:
β
An example of the email you will receive can be seen below. This email includes a summary of any changes to your targets, details on the total number of hosts and exposed services, as well as information on your SSL/TLS Certificate expiry periods.
Why is some data missing from the Attack Surface view?
If the target listed sits behind a CDN (such as Cloudflare or Cloudfront), we deliberately omit the network data because it actually references the CDN's infrastructure and not your own. If you'd like to know more, please have a read of this article.
Curious to see more?
If you're interested in what this all looks like in action, feel free to reach out to us via the chatbot, and we'll connect you with the relevant team.