
External Attack Surface Scanner API: Map Your Domain's Exposure in One Call

DFIR Lab / April 9, 2026 / 10 min read


Most organizations cannot answer a simple question: what does your infrastructure look like from the internet? Not what your asset inventory says, not what your firewall rules permit—what an attacker actually sees when they enumerate your domain. An exposure scanner API closes that gap by aggregating passive and active intelligence sources into a single, structured result. This article covers how attack surface management works, what a capable scanner should check, and how DFIR Lab's scanner pulls data from 11 providers to return a unified risk score in one API call.


What Is Attack Surface Management?

Attack surface management (ASM) is the continuous process of discovering, inventorying, and assessing every internet-facing asset that belongs to—or is attributed to—an organization. That includes web servers, APIs, cloud storage buckets, forgotten subdomains, expired SSL certificates, misconfigured DNS records, and shadow IT that security teams may not know exists.

Continuous Discovery, Not Point-in-Time Snapshots

Traditional vulnerability assessments are scheduled. A pentester runs a scan in January; the report lands in February; findings are remediated by March. But between those moments, a developer spins up a staging server, a SaaS integration exposes a new subdomain, or an SSL certificate lapses and an attacker parks on it. By the time the next assessment runs, months of exposure have passed undetected.

Continuous external attack surface scanning replaces the annual or quarterly snapshot with always-on monitoring. New subdomains are flagged when they appear. Certificate changes trigger alerts. Open ports that weren't there last week get escalated. The security posture reflects the current state of infrastructure, not a frozen moment in time.

What Attackers See vs. What You Think Is Exposed

Attackers do not wait for you to run a scan. They enumerate Certificate Transparency logs, query passive DNS databases, and probe IP ranges associated with your ASN before you know they are looking. The intelligence sources they use—Shodan, SecurityTrails, crt.sh—are largely public or low-cost. The asymmetry is real: a threat actor can map your entire external footprint in under an hour for free. Your security team, without dedicated tooling, may take days and still miss assets.

An external attack surface scanner levels that playing field by running the same reconnaissance an attacker would run—before they do.


What an Exposure Scanner Should Check

A minimal external exposure scan should cover the following categories. Anything less leaves blind spots that attackers routinely exploit.

Subdomain Enumeration

Subdomains are where forgotten assets live. An acquisition from three years ago, a deprecated API endpoint, a developer's test environment—these persist in DNS long after the teams that created them have moved on. Thorough enumeration combines three techniques:

  • Certificate Transparency logs: Every publicly trusted SSL certificate is logged to CT logs. Querying crt.sh surfaces subdomains that have ever had a certificate issued, including ones that no longer resolve but may be candidates for subdomain takeover.
  • Passive DNS: Historical DNS resolution data reveals subdomains that existed in the past, even if they have since been removed from authoritative zone files.
  • Brute-force / dictionary enumeration: Active probing against common subdomain patterns catches assets that were never logged in CT or passive DNS databases.

Open Port Detection

Open ports are entry points. A port scan across an organization's IP ranges identifies services running on non-standard ports, administrative interfaces exposed to the internet, and legacy protocols (Telnet, FTP, SMB) that should have been disabled years ago. Port data cross-referenced with service banners and CVE databases surfaces exploitable conditions without requiring an authenticated scan.

SSL/TLS Certificate Analysis

Certificate hygiene is a surprisingly reliable indicator of security maturity. SSL/TLS certificates that are expired, self-signed, or configured with weak cipher suites signal that security controls are not being actively maintained. Certificate analysis also surfaces wildcard certificates that expand attack surface more broadly than intended, and mismatched SANs that indicate infrastructure sprawl.

DNS Record Analysis

DNS security misconfigurations enable phishing, email spoofing, and subdomain takeover. A thorough DNS record analysis checks SPF, DKIM, and DMARC configurations for email security gaps; CNAME chains for dangling records pointing to unclaimed cloud resources; and zone transfer exposure (AXFR) that leaks the entire DNS zone to unauthenticated requesters.
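The email-authentication part of that check can be run offline against TXT records you have already collected. The following is an added example, not DFIR Lab's code; the function names and sample records are assumptions made for illustration.

```python
# Added example: flag SPF/DMARC gaps from TXT records already collected.
# No DNS lookups happen here; the sample records below are constructed.

def check_spf(apex_txt):
    """Findings for the SPF record(s) in the TXT set at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf: no record published"]
    if len(spf) > 1:
        return ["spf: multiple records, which evaluates to a permanent error"]
    terms = spf[0].lower().split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is defined by the redirect target; check it too
        return ["spf: no 'all' mechanism, unmatched senders get a neutral result"]
    if all_term in ("all", "+all"):
        return ["spf: '+all' authorises every sender"]
    if all_term == "?all":
        return ["spf: '?all' is neutral, unmatched senders are not rejected"]
    return []  # '~all' (softfail) or '-all' (fail)


def check_dmarc(dmarc_txt):
    """Findings for the TXT set published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["dmarc: no record published"]
    tags = {}
    for part in dmarc[0].split(";"):  # 'tag=value; tag=value' syntax
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy, pct = tags.get("p"), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc: missing or invalid p= tag"]
    if policy == "none":
        return ["dmarc: p=none requests no action on failing mail"]
    if pct.isdigit() and int(pct) < 100:
        return [f"dmarc: {policy} policy applies to only {pct}% of failing mail"]
    return []


# Constructed sample input (not real scan output).
APEX_TXT = ["v=spf1 include:_spf.example.net ?all", "site-verification=abc123"]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for finding in check_spf(APEX_TXT) + check_dmarc(DMARC_TXT):
        print(finding)
```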

WHOIS Registration Data

WHOIS lookup data reveals registration details, registrar information, and expiration dates. Domains expiring soon are acquisition targets for typosquatters and threat actors. WHOIS data also surfaces domains registered by related entities that should be part of the monitored scope.

Known Vulnerabilities (CVE Matching)

Banner information, service fingerprints, and version data collected during port scanning can be cross-referenced against the CVE database. This is not the same as an authenticated vulnerability scan, but it flags high-confidence matches—running a version of OpenSSL known to be vulnerable to a critical CVE is actionable without needing credentials.

Risk Scoring

Raw findings are not actionable without context. A unified risk score—0 to 100—aggregates severity, exploitability, and exposure breadth into a single signal that security teams and executives can use to prioritize remediation and track posture over time.


The DFIR Platform Exposure Scanner

DFIR Lab's exposure scanner, documented at platform.dfir-lab.ch/docs/exposure, aggregates 11 external intelligence providers into a single API call. The result is a structured JSON response with subdomains, open ports, SSL grades, DNS records, WHOIS data, ASN mapping, and a 0–100 risk score.

11 Intelligence Providers, One Call

| Provider | Contribution |
|---|---|
| Shodan | Internet-wide port scan data, service banners, exposed device fingerprints |
| Criminal IP | Threat intelligence, IP reputation, malicious activity history |
| Netlas | Web asset discovery, response analysis, certificate enumeration |
| SSL Labs | SSL/TLS grade, cipher suite analysis, certificate chain validation |
| crt.sh | Certificate Transparency log queries, subdomain enumeration from issued certificates |
| BGPView | ASN mapping, IP prefix ownership, BGP routing data |
| WhoisXML | WHOIS registration data, registrar details, domain expiration |
| SecurityTrails | Passive DNS history, subdomain enumeration, historical DNS records |
| OTX | AlienVault Open Threat Exchange—threat intelligence, malware indicators, IP/domain reputation |
| HackerTarget | Reverse DNS, host search, network reconnaissance |
| IP-API | Geolocation and hosting provider classification |

Instead of building API integrations with each provider, normalizing their schemas, and paying 11 separate bills, a single POST request returns a merged dataset with all findings normalized and deduplicated.

The Risk Score

The 0–100 risk score is calculated from the combined findings across all providers. Critical CVEs on exposed ports, failing SSL grades, and DMARC misconfigurations push the score higher. A clean scan with no significant findings scores near zero. The score is designed to be trackable over time: run weekly scans on a domain and graph the score to see whether remediation efforts are improving posture or new exposure is appearing.

Caching

Scans are cached for 24 hours. If your CI/CD pipeline or monitoring script calls the API multiple times for the same domain within a 24-hour window, you consume credits only on the first call. Subsequent calls within the window return the cached result instantly at no additional cost.


Getting Started

Free Tool (No Signup)

Run a basic exposure scan at dfir-lab.ch/exposure-scanner without creating an account. The free scan returns a subset of findings sufficient to assess a domain's surface before deciding whether to pull the full API result.

API

The full API is a single POST request:

```bash
curl -X POST https://api.dfir-lab.ch/v1/exposure/scan \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'
```

The response includes subdomains, open_ports, ssl_grade, dns_records, whois, asn, vulnerabilities, and risk_score fields. Full schema documentation is at platform.dfir-lab.ch/docs/exposure.

CLI

If you have dfir-cli installed:

```bash
dfir-cli exposure scan example.com
```

The CLI formats the JSON response as a readable terminal report, including a color-coded risk score and a breakdown of findings by category.


Real-World Use Cases

Pre-Engagement Reconnaissance for Pentesters

Before an engagement starts, running an exposure scan on the target domain gives pentesters a structured view of the external attack surface without burning billable hours on manual OSINT. The combined output from 11 providers in one call—subdomains, open ports, SSL grades, threat intelligence hits—covers most of what a manual reconnaissance phase would produce, in seconds.

Continuous Monitoring for Security Teams

Schedule weekly or daily scans on owned domains and alert on changes: new subdomains, new open ports, risk score increases above a threshold. This turns the scanner into a lightweight ASM solution for teams that do not have a dedicated attack surface management platform in their stack.
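The change detection described above can be a small diff between two stored scan results. This is an added example, not DFIR Lab's code: only the top-level field names `subdomains`, `open_ports` and `risk_score` come from this article, while their inner shapes, the threshold value and the sample data are assumptions.

```python
# Added example: compare two exposure-scan results and report new exposure.
# Assumed shapes (not confirmed by the page): "subdomains" is a list of
# hostnames, "open_ports" a list of {"ip", "port"} objects, "risk_score" an int.

RISK_JUMP_THRESHOLD = 10  # hypothetical alerting threshold, tune per environment


def _ports(scan):
    """Normalise open_ports into a set of (ip, port) tuples."""
    return {(p["ip"], int(p["port"])) for p in scan.get("open_ports", [])}


def _hosts(scan):
    """Lower-case and strip trailing dots so the same host compares equal."""
    return {h.strip().rstrip(".").lower() for h in scan.get("subdomains", [])}


def diff_scans(previous, current, threshold=RISK_JUMP_THRESHOLD):
    """Return alert dicts describing exposure added since `previous`."""
    alerts = []
    for host in sorted(_hosts(current) - _hosts(previous)):
        alerts.append({"type": "new_subdomain", "detail": host})
    for ip, port in sorted(_ports(current) - _ports(previous)):
        alerts.append({"type": "new_open_port", "detail": f"{ip}:{port}"})
    delta = current.get("risk_score", 0) - previous.get("risk_score", 0)
    if delta >= threshold:
        alerts.append({"type": "risk_score_increase", "detail": f"+{delta}"})
    return alerts


# Constructed sample data (not real scan output).
LAST_WEEK = {
    "subdomains": ["www.example.com", "mail.example.com"],
    "open_ports": [{"ip": "192.0.2.10", "port": 443}],
    "risk_score": 22,
}
THIS_WEEK = {
    "subdomains": ["WWW.example.com.", "mail.example.com", "staging.example.com"],
    "open_ports": [{"ip": "192.0.2.10", "port": 443},
                   {"ip": "192.0.2.10", "port": 3389}],
    "risk_score": 41,
}

if __name__ == "__main__":
    for alert in diff_scans(LAST_WEEK, THIS_WEEK):
        print(f"[{alert['type']}] {alert['detail']}")
```

Hostnames are normalised before comparison so that a change in case or a trailing dot between runs does not raise a false "new subdomain" alert.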

Vendor and Third-Party Risk Assessment for MSSPs

MSSPs managing risk for multiple clients can use the API to run standardized exposure assessments across client domains. The structured JSON output feeds directly into risk registers and reporting workflows. At 10 credits per scan and $0.32 per scan at Professional tier pricing, scanning a portfolio of 50 client domains weekly costs under $65 per month.

NIS2 and DORA Compliance

Both NIS2 (Network and Information Security Directive 2) and DORA (Digital Operational Resilience Act) require organizations to maintain continuous visibility into their digital attack surface and demonstrate active risk management. Scheduled exposure scans, with results stored and trended over time, provide the audit trail that compliance frameworks increasingly require. A point-in-time annual assessment no longer satisfies these regulatory expectations.


Cost Comparison

The 11 providers aggregated by DFIR Lab each offer their own API access. Here is what subscribing individually would cost:

| Provider | API Cost |
|---|---|
| Shodan | $59/month (Small Business API) |
| SecurityTrails | $499/month |
| Criminal IP | $95/month (Lite plan) |
| Minimum for these three | $653/month |

And that covers only three of the eleven providers. Adding Netlas, WhoisXML, and OTX pushes the total further, before accounting for the engineering time to build and maintain integrations, normalize schemas, handle rate limits, and aggregate results.

DFIR Platform Professional plan: $79/month

That gets you 2,500 credits per month. At 10 credits per scan, that is 250 exposure scans per month—approximately $0.32 per scan.

At individual API pricing for the three most directly comparable providers alone, you would pay over $653/month for fewer data sources and the overhead of running your own aggregation pipeline.

Free plan: 100 credits per month (10 scans). Sufficient for small teams monitoring a handful of owned domains or individual researchers running periodic checks.

Use code LAUNCH50 at checkout for 50% off your first month of the Professional plan.

Want to see a full exposure response before you commit? The DFIR API Playground lets you POST a domain to /exposure/scan from your browser and inspect the 11-provider aggregated response — 10 free calls per week, no signup.


Conclusion

External attack surface management is not optional for organizations that operate at any meaningful scale. Attackers enumerate your infrastructure continuously. A static asset inventory or annual penetration test cannot keep pace with the rate at which infrastructure changes—new subdomains, new cloud resources, new integrations, expiring certificates.

An exposure scanner API that aggregates passive DNS, Certificate Transparency logs, threat intelligence, SSL analysis, and WHOIS data into a single call removes the operational friction that keeps most organizations from scanning their surface continuously. DFIR Lab's scanner pulls from 11 providers, returns a normalized 0–100 risk score, and does it in one POST request.

Run your first scan at dfir-lab.ch/exposure-scanner—no account required. When you are ready to integrate it into your pipeline or monitoring stack, the API documentation is at platform.dfir-lab.ch/docs/exposure.

