External Asset Discovery: How to Find Every Internet-Facing Asset You Own
External asset discovery is the process of finding every domain, subdomain, IP address, and internet-facing service that belongs to your organization — including the ones nobody remembers setting up. It is the first step of any serious security program, because an asset you don't know about is an asset you can't patch, monitor, or defend. Attackers scan the entire internet continuously; discovery is how you see your own attack surface before they do.
This guide explains what counts as an internet-facing asset, how external discovery actually works under the hood, and how to move from a one-off inventory to continuous, automated discovery.
Key takeaways
- External asset discovery (also called attack surface discovery) finds every internet-facing domain, subdomain, IP, port, and service you own — including forgotten "shadow IT".
- It combines DNS and subdomain enumeration, Certificate Transparency logs, port and service scanning, and IP/netblock/ASN mapping (network asset discovery).
- A one-off scan goes stale within weeks, so any real program needs continuous, automated discovery with alerting on new assets.
- You can start for free with Secably's Subdomain Finder, Port Scanner, and DNS Lookup, then add monitored targets for continuous coverage.
What is external asset discovery?
External (or internet-facing) asset discovery — sometimes called attack surface discovery — is the practice of enumerating everything your organization exposes to the public internet, starting from little more than a domain name or company name. Unlike an internal asset inventory — which catalogues laptops, servers, and software licenses inside your network — external discovery answers a different question: what can an outsider reach without any credentials?
The hard part is not the assets you know about. It's the unknown unknowns — the assets nobody is tracking, often called shadow IT: a staging server a contractor spun up two years ago, a marketing subdomain pointing at an abandoned SaaS account, a forgotten API gateway, an S3-style bucket on a subdomain, or a legacy mail host still answering on port 25. This shadow IT rarely gets patched, and it is where a large share of real-world breaches begin. Effective asset discovery exists to drag those forgotten assets back into a single, current inventory.
What counts as an internet-facing asset?
An "asset" is anything an attacker can find and interact with from outside your network. A complete external inventory typically includes:
- Domains and subdomains — including
dev.,staging.,vpn.,api., and one-off marketing hostnames. - IP addresses and netblocks — the ranges your infrastructure and cloud instances live on.
- Open ports and services — web servers, databases, SSH, RDP, mail, and anything else listening publicly.
- Web applications and APIs — login portals, admin panels, REST/GraphQL endpoints.
- TLS/SSL certificates — which reveal hostnames and expiry risk.
- DNS records — MX, SPF, DMARC, NS, and dangling records that enable subdomain takeover.
- Cloud and third-party footprint — assets hosted outside your own IP space but still branded as yours.
Why asset discovery is the foundation of security
Every security control you buy — vulnerability scanning, monitoring, patching, WAF rules — operates on a list of assets. If that list is incomplete, so is your coverage. You cannot scan a subdomain you've never enumerated, and you cannot patch a service you don't know is exposed.
You can't secure what you can't see. Asset discovery is what turns "our attack surface" from an abstraction into a concrete, testable list.
This is also why discovery pairs naturally with attack surface management: discovery finds the assets, and attack surface management keeps watching them for new exposures over time.
How external asset discovery works
Good discovery combines several passive and active techniques, because no single method finds everything. Here are the core ones.
1. DNS and subdomain enumeration
Starting from a root domain, discovery expands outward to find subdomains through DNS queries, wordlist-based brute forcing of common hostnames, and public DNS datasets. A free subdomain finder is usually where practitioners begin — it turns example.com into a list of live hostnames in seconds.
2. Certificate Transparency logs
Every time a TLS certificate is issued, it is logged to public Certificate Transparency logs. Because almost every internet-facing service now uses HTTPS, these logs are one of the richest sources of subdomains — including internal-sounding hosts that were never meant to be public. Discovery tools query CT logs to surface hostnames that DNS brute forcing alone would miss.
3. Port and service scanning
Once you have hostnames and IPs, the next step is to see what is actually listening. A port scanner identifies open ports and the services behind them, so you learn not just that a host exists but that it is exposing, say, an unauthenticated database or an outdated web server.
4. IP ranges and ASN mapping
Organizations often own or lease blocks of IP addresses. Mapping those netblocks (and the Autonomous System Numbers they belong to) reveals hosts that share no obvious DNS relationship with your main domain but still belong to you.
5. DNS records and takeover checks
Inspecting DNS records uncovers mail infrastructure, missing email-authentication records, and dangling records that point to deprovisioned cloud resources — the classic setup for a subdomain takeover.
Network asset discovery: IPs, netblocks, and ASNs
Hostnames are only half the picture. Network asset discovery works from the IP side: it maps the address ranges (netblocks) and Autonomous System Numbers (ASNs) your organization owns or leases, then checks what is live on each address. This matters because plenty of exposed hosts have no DNS name pointing at them at all — a server reachable only by its IP, a load balancer, or a device someone put straight on the internet.
Combining hostname-based and IP-based discovery closes the gaps each one leaves. A subdomain with no open ports is low risk; an unnamed IP running an outdated database is a critical find that pure DNS enumeration would never surface. Running a port scan across discovered IPs is what turns a list of addresses into a real understanding of your exposed services.
Cloud and SaaS asset discovery
Modern attack surfaces sprawl far beyond a company's own data center. Marketing sites sit on one platform, apps on another cloud, status pages and help desks on third-party SaaS — all branded as yours and all part of your exposure. Because almost every one of these gets a hostname and a TLS certificate, DNS and Certificate Transparency discovery catch them even when they live on infrastructure you don't control. The goal is a single inventory of everything that carries your name, regardless of where it is hosted.
One-off vs continuous asset discovery
Running discovery once gives you a snapshot. The problem is that your attack surface changes constantly: teams ship new subdomains, spin up cloud instances, and let old ones rot. A snapshot is stale within weeks.
| Aspect | One-off discovery | Continuous discovery |
|---|---|---|
| Coverage | Point-in-time snapshot | Always current |
| New assets | Missed until the next manual run | Detected automatically |
| Effort | Manual, repeated by hand | Runs on a schedule |
| Best for | Audits, one-time reviews | Ongoing security programs |
For anything beyond a single audit, you want automated, continuous discovery that re-runs on a schedule and alerts you when something new appears.
How to choose an asset discovery tool
When you evaluate an asset discovery or asset inventory discovery tool, weigh it against a few practical criteria:
- Breadth of sources — does it combine DNS, Certificate Transparency, port scanning, and IP/ASN mapping, or just one?
- Continuous vs one-off — can it monitor on a schedule and flag new assets, or only scan on demand?
- Agentless — external discovery should require no software installed on your hosts.
- Actionable output — does it connect discovered assets to the exposures on them (open ports, weak TLS, missing headers), or just list hostnames?
- Alerting — will it tell you when a new subdomain or service appears?
- Cost to start — can you validate it for free before committing?
How to run your first external asset discovery (step by step)
You don't need an enterprise platform to build a first inventory. Here is a practical sequence you can run today:
- List what you already know. Write down your primary domains, known subdomains, and public IP ranges. This is your baseline.
- Enumerate subdomains. Run each root domain through a subdomain finder to pull hostnames from Certificate Transparency and DNS. Add anything you didn't already have.
- Map the network side. For each discovered host and known IP range, run a port scan to see which services are actually listening.
- Check DNS and email hygiene. Use a DNS lookup to find mail records, missing SPF/DMARC, and dangling entries that invite subdomain takeover.
- Assess each live asset. Run a website scan on the hosts that serve web apps to convert "this exists" into "this has these issues".
- Make it repeatable. Add your domains as monitored targets so discovery re-runs automatically and flags new assets instead of waiting for the next manual sweep.
Common asset discovery mistakes
- Treating it as one-and-done. A single inventory is obsolete within weeks. New subdomains and cloud instances appear constantly.
- Only enumerating hostnames. Skipping IP/ASN (network asset discovery) misses hosts with no DNS name — often the riskiest ones.
- Stopping at a list. A list of hostnames isn't security. Discovery only pays off when each asset is checked for open ports, weak TLS, and exposed services.
- Ignoring third-party and cloud assets. Anything branded as yours is your exposure, even when someone else hosts it.
- No ownership. Discovery that nobody reviews produces alerts nobody acts on. Assign an owner for new-asset findings.
Run external asset discovery with Secably
Secably is built around exactly this workflow. You can start discovering your external footprint right now, for free and without an account:
- Use the Subdomain Finder to enumerate hostnames from Certificate Transparency and DNS.
- Run the Port Scanner to see which services each host exposes.
- Check DNS records for mail-authentication gaps and dangling entries.
- Run a website scan to turn a discovered host into a list of concrete security issues.
To move from a one-off snapshot to continuous discovery, add your domains as monitored targets. Secably then re-scans them on a schedule, tracks your assets over time, and surfaces new findings as they appear — the discovery half of external attack surface management. See pricing to enable scheduled monitoring.
Frequently asked questions
What is asset discovery in cybersecurity?
Asset discovery is the process of identifying all the systems, services, and endpoints an organization owns. External asset discovery focuses specifically on internet-facing assets — the domains, subdomains, IPs, ports, and services reachable from outside your network — so you know exactly what an attacker can see.
How is external asset discovery performed?
It combines several techniques: DNS and subdomain enumeration, querying public Certificate Transparency logs, port and service scanning, and mapping owned IP ranges and ASNs. Together these surface both the assets you know about and the forgotten ones.
What is the difference between asset discovery and attack surface management?
Asset discovery finds your internet-facing assets. Attack surface management is the ongoing practice of continuously discovering those assets and monitoring them for new exposures over time. Discovery is the first step; attack surface management is the continuous loop around it.
How often should you run asset discovery?
For a one-time audit, a single run is fine. For an active environment, discovery should run continuously — at least weekly — because new subdomains and cloud instances appear all the time and forgotten assets are the ones most likely to be exploited.
Are there free asset discovery tools?
Yes. Secably's Subdomain Finder, Port Scanner, and DNS Lookup are free and require no signup, so you can build a first external asset inventory before deciding on continuous monitoring.
Check your site for vulnerabilities
Run a free security scan — no signup, results in seconds.