Scan any domain for vulnerabilities — see exactly what attackers see. Open ports, subdomains, SSL/TLS health, DNS misconfigurations, WHOIS data, and known CVEs from 11 intelligence providers in a single scan.
This tool queries 10 intelligence sources in parallel -- including certificate transparency logs, Shodan, Censys, SSL Labs, Criminal IP, SecurityTrails, and others -- to produce a unified exposure report.
All data is gathered passively -- no traffic is sent to the target.
Audit your organization's external attack surface. Find forgotten subdomains, exposed services, and weak TLS configurations.
Kickstart reconnaissance with a comprehensive passive scan. Gather subdomains, open ports, and CVEs in one sweep.
Verify your infrastructure is configured correctly. Check DNS records, certificate expiry, and exposed services.
Expand your scope with subdomain enumeration and service discovery. Identify targets for deeper investigation.
Type any domain name (e.g., example.com) or IP address. The scanner auto-detects the target type.
We query multiple threat intelligence providers simultaneously -- certificate transparency logs, DNS resolvers, WHOIS databases, and vulnerability feeds.
Review your exposure across 7 categories. Each finding includes context about what it means and why it matters for security.
The exposure scanner aggregates 11 intelligence providers including Shodan, SecurityTrails, SSL Labs, and Criminal IP into a unified attack surface report.
Discovers internet-exposed services including databases, admin panels, and legacy protocols that should not be public.
Checks certificate validity, expiration, cipher strength, protocol versions, and HSTS enforcement.
Evaluates A, MX, NS, CNAME, and TXT records for misconfigurations and dangling CNAME records.
Verifies email authentication records to identify domains vulnerable to spoofing and phishing.
Discovers subdomains via Certificate Transparency logs, passive DNS, and public intelligence sources.
Matches detected service banners and software versions against the NVD CVE database for known vulnerabilities.
Cross-references IPs against Shodan, Criminal IP, OTX, and other threat intelligence feeds.
Retrieves registrar data, expiration timelines, and registrant details to flag domains at risk.
Maps your domain to its Autonomous System and associated IP ranges to reveal hosting infrastructure.
Checks HTTP response headers (CSP, X-Frame-Options, HSTS, Permissions-Policy) for missing protections.
Identifies hosting provider, country, and flags VPN, proxy, or Tor exit node associations.
Aggregates all findings across 11 providers into a single trackable attack surface risk score.
A domain vulnerability scan maps your external attack surface — everything about your domain that is visible and reachable from the public internet. This includes subdomains, open ports, SSL/TLS configuration, DNS records, email security posture, and known vulnerabilities (CVEs) associated with your services. It replicates what a threat actor sees during the reconnaissance phase of an attack, giving defenders the same view an attacker has before exploitation begins.
Your external attack surface is everything accessible from the internet without authentication — subdomains, open ports, public-facing services, and DNS records. Your internal attack surface is what's accessible after gaining initial access — internal APIs, databases, and network segments. This scanner focuses on the external surface, which is what attackers probe first and what you can assess without deploying agents.
Most organizations are surprised by what a passive scan reveals. These are the most common findings:
MySQL (3306), PostgreSQL (5432), Redis (6379), and MongoDB (27017) exposed to the internet are among the most critical findings. These services should never be publicly accessible.
Expired certificates, self-signed certs in production, weak cipher suites, and missing HSTS headers expose users to man-in-the-middle attacks and erode trust.
Without SPF, DKIM, and DMARC properly configured, attackers can send emails that appear to come from your domain — enabling phishing and business email compromise.
Dangling DNS records pointing to decommissioned services can be taken over by attackers to serve malicious content under your domain. Shadow IT and forgotten staging environments are common culprits.
The risk score aggregates findings from all scan modules into a single number. Higher scores indicate greater exposure:
0 - 20: Minimal
21 - 40: Low
41 - 60: Medium
61 - 100: High / Critical
Critical CVEs on open ports contribute the most to the score, followed by risky open ports (RDP, databases), failing SSL grades, and missing email authentication. Track the score over time to measure remediation progress.
Enter your domain in the scanner above and click Scan. The tool queries 11 intelligence providers — including Shodan, SecurityTrails, and SSL Labs — and returns results in seconds. No account or signup is required.
The scan checks open TCP/UDP ports, SSL/TLS certificate validity and cipher strength, DNS records (SPF, DKIM, DMARC, DNSSEC), subdomains and takeover risks, WHOIS registration data, IP reputation against threat intelligence feeds, and known CVEs matched to detected software versions.
Yes. The free scan runs immediately with no account required and returns a full attack surface report including open ports, SSL grade, DNS misconfigurations, and a 0–100 risk score. You get 5 free scans per hour. A paid API tier is available for teams needing automated or scheduled scanning.
An external attack surface scanner maps everything about a domain that is visible from the public internet — subdomains, open ports, SSL/TLS configuration, DNS records, and email security posture. It replicates what a threat actor sees during reconnaissance, before any exploitation occurs.
A web application scanner (DAST) tests a running app for injection flaws, XSS, and OWASP Top 10 vulnerabilities. An attack surface scanner focuses on the network perimeter: open ports, SSL configuration, DNS health, subdomain exposure, and infrastructure misconfigurations. The two cover different threat layers.
Most scans complete within 30 to 60 seconds. Results for domains scanned within the past 24 hours are cached and return instantly.
The scanner performs only passive reconnaissance and read-only queries — the same techniques available to any researcher using public intelligence sources. No traffic is sent to the target. You should only act on findings for domains you own or have authorization to assess.
The risk score aggregates findings across all scan modules — open high-risk ports, failing SSL grades, missing DMARC enforcement, and active CVEs — into a single number from 0 (no significant exposure) to 100 (critical exposure). Track it over time to measure remediation progress.
The DFIR Platform provides scheduled scanning, API access, alerts on new exposure, and a full investigation workflow for security teams. Free tier available.