Build an Attack Surface Map
Definition
An Attack Surface Map is a structured inventory of all the systems, applications, services, APIs, cloud resources, and other assets that are exposed to potential attackers within the authorized scope of an ethical hacking or penetration testing engagement.
The objective of building an attack surface map is to understand what assets exist, how they are connected, what technologies they use, and where potential entry points are located. A complete attack surface map enables security professionals to plan efficient testing, prioritize high-value assets, and reduce the risk of overlooking important systems.
Why Build an Attack Surface Map?
Modern organizations operate complex infrastructures that include websites, APIs, cloud services, mobile applications, third-party integrations, and remote access systems. Not every asset presents the same level of risk.
Building an attack surface map helps to:
- Identify all internet-facing assets.
- Discover forgotten or undocumented systems.
- Understand relationships between services.
- Prioritize critical assets for testing.
- Reduce blind spots during the assessment.
- Improve overall testing efficiency.
Components of an Attack Surface Map
1. Domains and Subdomains
Identify all domains that belong to the organization.
Example
example.com
www.example.com
api.example.com
admin.example.com
login.example.com
support.example.com
2. IP Addresses
Document the public IP addresses associated with the organization.
Example
203.0.113.15
198.51.100.20
3. Live Hosts
Determine which systems are currently active.
Example
www.example.com
api.example.com
mail.example.com
vpn.example.com
4. Web Applications
Identify all web-based applications.
Example
Customer Portal
Admin Dashboard
Support Portal
Developer Portal
5. APIs
Document exposed API endpoints.
Example
https://api.example.com/v1/
https://api.example.com/graphql
6. Authentication Systems
Locate authentication services.
Examples:
- Login Portal
- OAuth Server
- Single Sign-On (SSO)
- Multi-Factor Authentication (MFA)
7. Cloud Infrastructure
Identify cloud-hosted resources.
Example
AWS EC2
Amazon S3
CloudFront
Load Balancer
8. Third-Party Services
Identify integrated external services.
Examples:
- CDN
- Payment Gateway
- Email Provider
- Identity Provider
- Monitoring Platform
9. Network Services
Identify exposed services.
Examples:
HTTP
HTTPS
SSH
SMTP
DNS
VPN
10. Technology Stack
Document technologies used.
Example
React
Node.js
Nginx
PostgreSQL
Docker
Kubernetes
Example Attack Surface Map
example.com
│
┌─────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
www.example.com api.example.com login.example.com
│ │ │
▼ ▼ ▼
Customer Portal REST API OAuth Server
│ │ │
└──────────┬──────┴──────────┐
▼ ▼
PostgreSQL Amazon S3
│
▼
AWS Cloud Infrastructure
Information Sources
An attack surface map is built using information collected during reconnaissance, including:
- DNS records
- Certificate Transparency (CT) logs
- Public Git repositories
- Public documents
- Technology fingerprinting
- Employee information
- Third-party service identification
- Asset discovery and enumeration
Benefits
A well-developed attack surface map enables ethical hackers to:
- Understand the complete target environment.
- Visualize relationships between systems.
- Identify high-value assets.
- Prioritize security testing.
- Improve coverage during the assessment.
- Ensure all in-scope assets are evaluated.
Best Practices
- Keep the map updated as new assets are discovered.
- Clearly distinguish in-scope and out-of-scope assets.
- Include cloud resources, APIs, and third-party integrations.
- Document technologies and service relationships.
- Validate discovered assets during later phases of the assessment.
Example Scenario
An organization owns the domain example.com. During reconnaissance, the following assets are identified:
| Asset Type | Discovered Assets |
|---|---|
| Domains | example.com |
| Subdomains | www.example.com, api.example.com, login.example.com, mail.example.com |
| Web Applications | Customer Portal, Admin Dashboard |
| APIs | REST API, GraphQL API |
| Cloud Services | AWS EC2, Amazon S3, CloudFront |
| Authentication | OAuth 2.0, MFA |
| CDN | Cloudflare |
| Database | PostgreSQL |
| Third-Party Services | Stripe, SendGrid |
These findings are combined into a single attack surface map, providing a clear view of the organization's exposed infrastructure and helping guide subsequent phases such as enumeration, vulnerability assessment, and manual security testing.
Summary
An Attack Surface Map is a comprehensive representation of all accessible assets within the authorized scope of an ethical hacking engagement. It includes domains, subdomains, IP addresses, web applications, APIs, cloud resources, authentication systems, network services, technologies, and third-party integrations. Building this map during reconnaissance gives security professionals a complete understanding of the target environment, enabling focused, efficient, and thorough security testing while minimizing the risk of overlooked assets.