Attack Surface Discovery
Surface Security continuously maps the web applications, domains, and endpoints your organization actually uses — without scanners, crawlers, or network appliances. Every browser running the Surface extension contributes lightweight, privacy-preserving telemetry as employees go about their normal work, and the platform assembles that telemetry into a living inventory of your real attack surface: the sites people sign in to, the internal subdomains still exposed, the SaaS tools nobody procured, and the technology stacks behind them.
Two complementary views cover this inventory. The Attack Surface page maps the domains you own and have chosen to track, drilling from domain to subdomain to individual endpoint. The Endpoints inventory shows every discovered endpoint across your organization regardless of ownership — the view where shadow IT surfaces.
[SCREENSHOT PLACEHOLDER: The Attack Surface page showing the tracked-domains summary chips and the domain table with Subdomains, Endpoints, Auth Endpoints, Users, and Visits columns]
How it works
Discovery is entirely passive. The browser extension observes navigations and reports a small set of metadata for each one: the origin (scheme and host), the top-level site the user was on, a coarse path bucket, the navigation type, and whether the visit was referred internally or externally. It does not report page content, form data, keystrokes, or full URLs with query strings. Events are batched and sent from the endpoint on a regular cycle.
The backend aggregates these events into endpoint records and enriches them over time:
- Classification — each endpoint is categorized as General, Authentication, API, CDN, Identity Provider, or Unknown. Authentication endpoints are identified from real sign-in activity (login forms and MFA flows observed by the extension), not from guesswork about URLs.
- Technology fingerprinting — as users visit an endpoint, the platform detects the technologies serving it (framework, server, and similar), each with a confidence score, an optional version guess, and the type of evidence that produced it.
- Usage metrics — total visits, unique users, and first/last seen timestamps, so you can distinguish a one-off visit from an application your whole company depends on.
Static resources (images, stylesheets, and similar assets) are filtered out so the inventory reflects meaningful application endpoints rather than page furniture.
Because discovery rides on real usage, coverage grows with deployment: the more browsers run the extension, the more complete the map. Nothing is discovered by probing your network from the outside.
Using the Attack Surface page
Open Attack Surface in the dashboard sidebar. The page shows discovered endpoints and subdomains for your tracked domains — the domains you have registered in Domain Scopes with attack surface tracking enabled (see Domain Scopes).
At the top, a summary card lists the domains currently being tracked. The main table shows one row per tracked domain with:
| Column | Meaning |
|---|---|
| Domain | The tracked domain |
| Subdomains | Number of distinct subdomains observed |
| Endpoints | Number of discovered endpoints under the domain |
| Auth Endpoints | How many of those endpoints handle authentication |
| Users | Unique users who have visited the domain |
| Visits | Total recorded visits |
| Last Seen | Most recent activity |
Use the Configure Tracked Domains button to jump to Domain Scopes and add or adjust which domains are tracked. If no domains are tracked yet, the page shows a No Tracked Domains prompt with a shortcut to Domain Scopes.
Domain drill-down
Click a domain row to open its detail view, which lists every subdomain observed under it. The root domain itself appears as (root). Each row shows the endpoint count, whether authentication activity was seen (Auth Yes/No), unique users, visits, and first/last seen dates. This view is where forgotten infrastructure tends to show up — a staging subdomain still reachable by employees, or a legacy portal that should have been decommissioned.
[SCREENSHOT PLACEHOLDER: Domain drill-down view listing subdomains with the Auth Yes/No chips and first/last seen dates]
Subdomain drill-down
Click a subdomain to see its individual endpoints (static resources are excluded). Each row shows the path, its classification, up to three detected technologies, users, visits, and last seen. Click any row to expand it:
- Classification — a dropdown lets you reclassify the endpoint (Unknown, General, Authentication, Identity Provider, API, CDN). Changes save immediately. Use this to correct an automatic classification or to mark an endpoint the detector has not seen enough traffic to categorize.
- Technology Stack — the full list of fingerprinted technologies with confidence percentages, version guesses, and evidence types. If nothing is listed yet, fingerprinting will populate as users visit the endpoint.
- Full Origin — the complete origin for the endpoint.
[SCREENSHOT PLACEHOLDER: Subdomain drill-down with one endpoint row expanded showing the Classification dropdown and the Technology Stack grid with confidence percentages]
Using the Endpoints inventory
The Endpoints page (reachable at /dashboard/endpoints) is the organization-wide
inventory: every discovered endpoint and web application your users access, whether or
not you own the domain. Five summary cards give the headline numbers:
- Total Endpoints — everything discovered so far
- Auth Endpoints — endpoints where authentication activity was observed
- Unknown — endpoints not yet classified
- With MFA — authentication endpoints where multi-factor authentication was detected
- Unique Sites — distinct top-level sites
Below the cards, the endpoint table shows the origin and top-level site, the classification chip, visits, users, and last seen. A classification filter at the top of the table narrows the list to any one category — filtering to Authentication is the fastest way to enumerate every place your employees sign in.
[SCREENSHOT PLACEHOLDER: Endpoints inventory page with the five stat cards and the classification filter set to Authentication]
Finding shadow IT
Shadow IT discovery falls out of this inventory naturally. Endpoints your organization never sanctioned still appear here the moment employees start using them, because discovery follows the users rather than an asset register. A practical sweep:
- Filter the inventory to Authentication — these are services holding corporate credentials.
- Sort by Users to see which unsanctioned services have real adoption, not just a single curious visitor.
- Cross-reference against your approved-application list. Anything with meaningful user counts that is not on the list is shadow IT worth a conversation.
- For authentication endpoints, continue the investigation on the Credentials page, which adds MFA posture and identity provider details per endpoint.
Configuration
- Tracked domains — the Attack Surface domain map only populates for domains added in Domain Scopes with attack surface tracking enabled. The Endpoints inventory needs no configuration; it populates for all discovered activity.
- Classification overrides — reclassify any endpoint from the subdomain drill-down expandable row. Manual classifications persist.
Worked example: the forgotten staging portal
An administrator at a 2,000-seat company tracks example.com in Domain Scopes. A week
after deployment, the Attack Surface page shows 14 subdomains — one of them
staging-portal.example.com, marked Auth: Yes, with 9 unique users and a first-seen
date of two days ago. Drilling in, the subdomain has a login endpoint classified
Authentication, and the technology stack shows an outdated web framework at 85%
confidence.
The team had believed this staging environment was firewalled from general access. Because nine employees reached it (and signed in) from ordinary corporate browsers, the telemetry proves otherwise. The administrator confirms the exposure, has the portal moved behind the VPN, and watches the Last Seen date on the subdomain stop advancing — closing the loop with the same data that found the problem.
Troubleshooting and FAQ
The Attack Surface page is empty. Check three things in order: at least one domain is added in Domain Scopes with attack surface tracking enabled; the extension is deployed to user browsers; users have actually visited the tracked domains since deployment. Discovery is passive, so nothing appears until real visits occur.
An endpoint is classified incorrectly. Open the subdomain drill-down, expand the endpoint, and set the correct classification from the dropdown. Automatic classification improves with more observed traffic, but manual overrides are always respected.
Why don't I see images, scripts, or other static assets? Static resources are deliberately filtered so the inventory stays focused on application endpoints. The subdomain view notes this exclusion.
Does this expose what individual employees browse? The inventory is aggregated by endpoint — visit counts and unique-user counts — and the underlying telemetry carries origins and coarse path buckets, not full URLs or page content. Per-endpoint user detail is available only where it is security-relevant, such as on authentication endpoints (see Credentials).
How does this relate to Extensions monitoring? Attack surface discovery covers the web applications users visit; Extensions covers the third-party browser extensions installed alongside Surface. Together they describe the browser-side attack surface from both directions.