External Asset Discovery: How to Find Every Internet-Facing Asset You Own

Secably Research
Jul 10, 2026
11 min read
Security Tools
Asset Discovery Attack Surface Management External Attack Surface
External asset discovery: mapping internet-facing domains, subdomains, IPs and services

External asset discovery is the process of finding every domain, subdomain, IP address, and internet-facing service that belongs to your organization — including the ones nobody remembers setting up. It is the first step of any serious security program, because an asset you don't know about is an asset you can't patch, monitor, or defend. Attackers scan the entire internet continuously; discovery is how you see your own attack surface before they do.

This guide explains what counts as an internet-facing asset, how external discovery actually works under the hood, and how to move from a one-off inventory to continuous, automated discovery.

Key takeaways

  • External asset discovery (also called attack surface discovery) finds every internet-facing domain, subdomain, IP, port, and service you own — including forgotten "shadow IT".
  • It combines DNS and subdomain enumeration, Certificate Transparency logs, port and service scanning, and IP/netblock/ASN mapping (network asset discovery).
  • A one-off scan goes stale within weeks, so any real program needs continuous, automated discovery with alerting on new assets.
  • You can start for free with Secably's Subdomain Finder, Port Scanner, and DNS Lookup, then add monitored targets for continuous coverage.

What is external asset discovery?

External (or internet-facing) asset discovery — sometimes called attack surface discovery — is the practice of enumerating everything your organization exposes to the public internet, starting from little more than a domain name or company name. Unlike an internal asset inventory — which catalogues laptops, servers, and software licenses inside your network — external discovery answers a different question: what can an outsider reach without any credentials?

The hard part is not the assets you know about. It's the unknown unknowns — the assets nobody is tracking, often called shadow IT: a staging server a contractor spun up two years ago, a marketing subdomain pointing at an abandoned SaaS account, a forgotten API gateway, an S3-style bucket on a subdomain, or a legacy mail host still answering on port 25. This shadow IT rarely gets patched, and it is where a large share of real-world breaches begin. Effective asset discovery exists to drag those forgotten assets back into a single, current inventory.

What counts as an internet-facing asset?

An "asset" is anything an attacker can find and interact with from outside your network. A complete external inventory typically includes:

  • Domains and subdomains — including dev., staging., vpn., api., and one-off marketing hostnames.
  • IP addresses and netblocks — the ranges your infrastructure and cloud instances live on.
  • Open ports and services — web servers, databases, SSH, RDP, mail, and anything else listening publicly.
  • Web applications and APIs — login portals, admin panels, REST/GraphQL endpoints.
  • TLS/SSL certificates — which reveal hostnames and expiry risk.
  • DNS records — MX, SPF, DMARC, NS, and dangling records that enable subdomain takeover.
  • Cloud and third-party footprint — assets hosted outside your own IP space but still branded as yours.

Why asset discovery is the foundation of security

Every security control you buy — vulnerability scanning, monitoring, patching, WAF rules — operates on a list of assets. If that list is incomplete, so is your coverage. You cannot scan a subdomain you've never enumerated, and you cannot patch a service you don't know is exposed.

You can't secure what you can't see. Asset discovery is what turns "our attack surface" from an abstraction into a concrete, testable list.

This is also why discovery pairs naturally with attack surface management: discovery finds the assets, and attack surface management keeps watching them for new exposures over time.

How external asset discovery works

Good discovery combines several passive and active techniques, because no single method finds everything. Here are the core ones.

1. DNS and subdomain enumeration

Starting from a root domain, discovery expands outward to find subdomains through DNS queries, wordlist-based brute forcing of common hostnames, and public DNS datasets. A free subdomain finder is usually where practitioners begin — it turns example.com into a list of live hostnames in seconds.

2. Certificate Transparency logs

Every time a TLS certificate is issued, it is logged to public Certificate Transparency logs. Because almost every internet-facing service now uses HTTPS, these logs are one of the richest sources of subdomains — including internal-sounding hosts that were never meant to be public. Discovery tools query CT logs to surface hostnames that DNS brute forcing alone would miss.

3. Port and service scanning

Once you have hostnames and IPs, the next step is to see what is actually listening. A port scanner identifies open ports and the services behind them, so you learn not just that a host exists but that it is exposing, say, an unauthenticated database or an outdated web server.

4. IP ranges and ASN mapping

Organizations often own or lease blocks of IP addresses. Mapping those netblocks (and the Autonomous System Numbers they belong to) reveals hosts that share no obvious DNS relationship with your main domain but still belong to you.

5. DNS records and takeover checks

Inspecting DNS records uncovers mail infrastructure, missing email-authentication records, and dangling records that point to deprovisioned cloud resources — the classic setup for a subdomain takeover.

Network asset discovery: IPs, netblocks, and ASNs

Hostnames are only half the picture. Network asset discovery works from the IP side: it maps the address ranges (netblocks) and Autonomous System Numbers (ASNs) your organization owns or leases, then checks what is live on each address. This matters because plenty of exposed hosts have no DNS name pointing at them at all — a server reachable only by its IP, a load balancer, or a device someone put straight on the internet.

Combining hostname-based and IP-based discovery closes the gaps each one leaves. A subdomain with no open ports is low risk; an unnamed IP running an outdated database is a critical find that pure DNS enumeration would never surface. Running a port scan across discovered IPs is what turns a list of addresses into a real understanding of your exposed services.

Cloud and SaaS asset discovery

Modern attack surfaces sprawl far beyond a company's own data center. Marketing sites sit on one platform, apps on another cloud, status pages and help desks on third-party SaaS — all branded as yours and all part of your exposure. Because almost every one of these gets a hostname and a TLS certificate, DNS and Certificate Transparency discovery catch them even when they live on infrastructure you don't control. The goal is a single inventory of everything that carries your name, regardless of where it is hosted.

One-off vs continuous asset discovery

Running discovery once gives you a snapshot. The problem is that your attack surface changes constantly: teams ship new subdomains, spin up cloud instances, and let old ones rot. A snapshot is stale within weeks.

AspectOne-off discoveryContinuous discovery
CoveragePoint-in-time snapshotAlways current
New assetsMissed until the next manual runDetected automatically
EffortManual, repeated by handRuns on a schedule
Best forAudits, one-time reviewsOngoing security programs

For anything beyond a single audit, you want automated, continuous discovery that re-runs on a schedule and alerts you when something new appears.

How to choose an asset discovery tool

When you evaluate an asset discovery or asset inventory discovery tool, weigh it against a few practical criteria:

  • Breadth of sources — does it combine DNS, Certificate Transparency, port scanning, and IP/ASN mapping, or just one?
  • Continuous vs one-off — can it monitor on a schedule and flag new assets, or only scan on demand?
  • Agentless — external discovery should require no software installed on your hosts.
  • Actionable output — does it connect discovered assets to the exposures on them (open ports, weak TLS, missing headers), or just list hostnames?
  • Alerting — will it tell you when a new subdomain or service appears?
  • Cost to start — can you validate it for free before committing?

How to run your first external asset discovery (step by step)

You don't need an enterprise platform to build a first inventory. Here is a practical sequence you can run today:

  1. List what you already know. Write down your primary domains, known subdomains, and public IP ranges. This is your baseline.
  2. Enumerate subdomains. Run each root domain through a subdomain finder to pull hostnames from Certificate Transparency and DNS. Add anything you didn't already have.
  3. Map the network side. For each discovered host and known IP range, run a port scan to see which services are actually listening.
  4. Check DNS and email hygiene. Use a DNS lookup to find mail records, missing SPF/DMARC, and dangling entries that invite subdomain takeover.
  5. Assess each live asset. Run a website scan on the hosts that serve web apps to convert "this exists" into "this has these issues".
  6. Make it repeatable. Add your domains as monitored targets so discovery re-runs automatically and flags new assets instead of waiting for the next manual sweep.

Common asset discovery mistakes

  • Treating it as one-and-done. A single inventory is obsolete within weeks. New subdomains and cloud instances appear constantly.
  • Only enumerating hostnames. Skipping IP/ASN (network asset discovery) misses hosts with no DNS name — often the riskiest ones.
  • Stopping at a list. A list of hostnames isn't security. Discovery only pays off when each asset is checked for open ports, weak TLS, and exposed services.
  • Ignoring third-party and cloud assets. Anything branded as yours is your exposure, even when someone else hosts it.
  • No ownership. Discovery that nobody reviews produces alerts nobody acts on. Assign an owner for new-asset findings.

Run external asset discovery with Secably

Secably is built around exactly this workflow. You can start discovering your external footprint right now, for free and without an account:

  • Use the Subdomain Finder to enumerate hostnames from Certificate Transparency and DNS.
  • Run the Port Scanner to see which services each host exposes.
  • Check DNS records for mail-authentication gaps and dangling entries.
  • Run a website scan to turn a discovered host into a list of concrete security issues.

To move from a one-off snapshot to continuous discovery, add your domains as monitored targets. Secably then re-scans them on a schedule, tracks your assets over time, and surfaces new findings as they appear — the discovery half of external attack surface management. See pricing to enable scheduled monitoring.

Frequently asked questions

What is asset discovery in cybersecurity?

Asset discovery is the process of identifying all the systems, services, and endpoints an organization owns. External asset discovery focuses specifically on internet-facing assets — the domains, subdomains, IPs, ports, and services reachable from outside your network — so you know exactly what an attacker can see.

How is external asset discovery performed?

It combines several techniques: DNS and subdomain enumeration, querying public Certificate Transparency logs, port and service scanning, and mapping owned IP ranges and ASNs. Together these surface both the assets you know about and the forgotten ones.

What is the difference between asset discovery and attack surface management?

Asset discovery finds your internet-facing assets. Attack surface management is the ongoing practice of continuously discovering those assets and monitoring them for new exposures over time. Discovery is the first step; attack surface management is the continuous loop around it.

How often should you run asset discovery?

For a one-time audit, a single run is fine. For an active environment, discovery should run continuously — at least weekly — because new subdomains and cloud instances appear all the time and forgotten assets are the ones most likely to be exploited.

Are there free asset discovery tools?

Yes. Secably's Subdomain Finder, Port Scanner, and DNS Lookup are free and require no signup, so you can build a first external asset inventory before deciding on continuous monitoring.

Check your site for vulnerabilities

Run a free security scan — no signup, results in seconds.

Related Posts

Stronger security starts with visibility.

Scan your website for vulnerabilities and get actionable insights.