Configure and run an external attack surface scan to detect unexpected exposures and vulnerabilities in internet-facing assets.
Important: This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release disclaimer before using the feature.
Scans created from the external attack surface scan template help you understand your
organization's security posture from an external attacker's view. External attack
surface scans focus on public IPs, domains, and subdomains to identify misconfigurations,
outdated software, and leaked services.
To configure an external attack surface scan, you need:
- A Service Gateway deployed to your AWS account or Azure subscription with the latest version of the Network Vulnerability Scanner service installed
- Public IP addresses, domains, and subdomains to scan
Important: The following limitations and requirements apply to external attack surface scans:
Procedure
- Install the Network Vulnerability Scanner service on your deployed Service Gateway.
  - In , click the name of the desired Service Gateway to view details.
  - Click Manage services to view the list of available services.
  - Find and install the latest version of the Network Vulnerability Scanner service.
  Note: The Network Vulnerability Scanner service requires at least 2 CPUs and 4 GB of virtual memory.
  The Network Vulnerability Scanner service appears in the list of installed services for the Service Gateway.
- Create a new external attack surface scan.
  - In , click Create scan from either Network scans or under external attack surface scan in Scan templates.
  - Specify a name and description for the scan.
  - Select the Service Gateway to use for the scan. Only Service Gateways with the Network Vulnerability Scanner service installed are available.
  - Click Select assets to choose up to 100 public IP addresses, domains, and subdomains to include in the scan. Only assets that appear on the Internet-facing assets list in Attack Surface Discovery are available for scanning. To scan an asset that is not on the list, you must add the asset first.
  - Choose whether to trigger the scan at a specified scheduled interval or to only allow manual scanning.
  - Click Save only to save the scan and wait for it to run according to your configured schedule, or click Save and run scan to save the scan and trigger it immediately.
  The newly configured scan appears on the list in Network scans.
- After the scan completes, download a report containing the scan results from Scan reports.
  Important:
  - Scan duration varies based on the number of assets you have specified for the scan and the complexity of the external attack surface.
  - Only the most recent scan report for each scan is available. To keep a record of an earlier scan, download the report before the next scheduled scan.
- View asset information and manage risk.
  - Go to Attack Surface Discovery to view any additional asset profile information discovered during the scan.
  - Click View latest system configuration risk events in Scan reports to manage any risk events detected during the scan in Threat and Exposure Management.
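The asset-selection step above limits a scan to 100 public IP addresses, domains, and subdomains, and an external scan can only reach globally routable addresses. The following Python script is added here as an illustration; it is not part of Trend Vision One or of this documentation. It checks a candidate target list against those constraints before you add assets: it rejects private, loopback, documentation-range and other non-routable addresses, malformed host names and duplicates, and truncates the accepted list at the 100-asset limit. The sample target list is constructed, and `validate_scan_targets` together with its hostname rules are this example's own, not a product API.

```python
import ipaddress
import re

MAX_ASSETS = 100  # per-scan asset limit stated in the configuration procedure

# RFC 1123 host label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample input: a mix of valid targets and entries an external scan cannot use.
SAMPLE_TARGETS = [
    "example.com",
    "shop.example.com",
    "8.8.8.8",            # globally routable IPv4 address
    "10.0.0.5",           # RFC 1918 private address
    "203.0.113.10",       # TEST-NET-3 documentation range, not routable
    "2001:db8::1",        # IPv6 documentation prefix, not routable
    "-bad.example.com",   # malformed label
    "example.com",        # duplicate of the first entry
    "localhost",          # not a fully qualified name
]


def is_public_ip(value):
    """Return True if value parses as an IPv4/IPv6 address that is globally routable."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return ip.is_global


def is_valid_domain(value):
    """Return True if value looks like a fully qualified domain or subdomain name."""
    name = value.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    # An all-digit top-level label would let dotted-quad strings pass as domains.
    return not labels[-1].isdigit()


def validate_scan_targets(targets):
    """Split candidate targets into (accepted, rejected) where rejected carries a reason.

    Accepted entries are capped at MAX_ASSETS; anything beyond the cap is reported
    as rejected so nothing is silently dropped.
    """
    accepted, rejected = [], []
    seen = set()
    for raw in targets:
        target = raw.strip()
        if not target:
            continue
        key = target.lower()
        if key in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(key)
        if is_public_ip(target) or is_valid_domain(target):
            accepted.append(target)
            continue
        try:
            ipaddress.ip_address(target)
            reason = "not a public IP address"
        except ValueError:
            reason = "not a public IP address or a valid domain name"
        rejected.append((raw, reason))
    if len(accepted) > MAX_ASSETS:
        overflow = accepted[MAX_ASSETS:]
        accepted = accepted[:MAX_ASSETS]
        rejected.extend((a, "exceeds the %d-asset limit" % MAX_ASSETS) for a in overflow)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_scan_targets(SAMPLE_TARGETS)
    print("Accepted (%d):" % len(ok))
    for entry in ok:
        print("  " + entry)
    print("Rejected (%d):" % len(bad))
    for entry, reason in bad:
        print("  %s: %s" % (entry, reason))
```

Run the script against your own list before selecting assets in the console; entries it rejects would either not be accepted by the asset picker or would never be reachable from the Service Gateway's external vantage point.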
What to do next
Tip: You can also manually scan for exposures in internet-facing assets from Attack Surface Discovery. For more information, see Internet-facing asset exposure scans.