Build an Attack Surface Map

 

Build an Attack Surface Map

Definition

An Attack Surface Map is a structured inventory of all the systems, applications, services, APIs, cloud resources, and other assets that are exposed to potential attackers within the authorized scope of an ethical hacking or penetration testing engagement.

The objective of building an attack surface map is to understand what assets exist, how they are connected, what technologies they use, and where potential entry points are located. A complete attack surface map enables security professionals to plan efficient testing, prioritize high-value assets, and reduce the risk of overlooking important systems.


Why Build an Attack Surface Map?

Modern organizations operate complex infrastructures that include websites, APIs, cloud services, mobile applications, third-party integrations, and remote access systems. Not every asset presents the same level of risk.

Building an attack surface map helps to:

  • Identify all internet-facing assets.
  • Discover forgotten or undocumented systems.
  • Understand relationships between services.
  • Prioritize critical assets for testing.
  • Reduce blind spots during the assessment.
  • Improve overall testing efficiency.

Components of an Attack Surface Map

1. Domains and Subdomains

Identify all domains that belong to the organization.

Example

example.com
www.example.com
api.example.com
admin.example.com
login.example.com
support.example.com

2. IP Addresses

Document the public IP addresses associated with the organization.

Example

203.0.113.15
198.51.100.20

3. Live Hosts

Determine which systems are currently active.

Example

www.example.com
api.example.com
mail.example.com
vpn.example.com

4. Web Applications

Identify all web-based applications.

Example

Customer Portal
Admin Dashboard
Support Portal
Developer Portal

5. APIs

Document exposed API endpoints.

Example

https://api.example.com/v1/

https://api.example.com/graphql

6. Authentication Systems

Locate authentication services.

Examples:

  • Login Portal
  • OAuth Server
  • Single Sign-On (SSO)
  • Multi-Factor Authentication (MFA)

7. Cloud Infrastructure

Identify cloud-hosted resources.

Example

AWS EC2

Amazon S3

CloudFront

Load Balancer

8. Third-Party Services

Identify integrated external services.

Examples:

  • CDN
  • Payment Gateway
  • Email Provider
  • Identity Provider
  • Monitoring Platform

9. Network Services

Identify exposed services.

Examples:

HTTP
HTTPS
SSH
SMTP
DNS
VPN

10. Technology Stack

Document technologies used.

Example

React

Node.js

Nginx

PostgreSQL

Docker

Kubernetes

Example Attack Surface Map

                    example.com

┌─────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
www.example.com api.example.com login.example.com
│ │ │
▼ ▼ ▼
Customer Portal REST API OAuth Server
│ │ │
└──────────┬──────┴──────────┐
▼ ▼
PostgreSQL Amazon S3


AWS Cloud Infrastructure

Information Sources

An attack surface map is built using information collected during reconnaissance, including:

  • DNS records
  • Certificate Transparency (CT) logs
  • Public Git repositories
  • Public documents
  • Technology fingerprinting
  • Employee information
  • Third-party service identification
  • Asset discovery and enumeration

Benefits

A well-developed attack surface map enables ethical hackers to:

  • Understand the complete target environment.
  • Visualize relationships between systems.
  • Identify high-value assets.
  • Prioritize security testing.
  • Improve coverage during the assessment.
  • Ensure all in-scope assets are evaluated.

Best Practices

  • Keep the map updated as new assets are discovered.
  • Clearly distinguish in-scope and out-of-scope assets.
  • Include cloud resources, APIs, and third-party integrations.
  • Document technologies and service relationships.
  • Validate discovered assets during later phases of the assessment.

Example Scenario

An organization owns the domain example.com. During reconnaissance, the following assets are identified:

Asset TypeDiscovered Assets
Domainsexample.com
Subdomainswww.example.com, api.example.com, login.example.com, mail.example.com
Web ApplicationsCustomer Portal, Admin Dashboard
APIsREST API, GraphQL API
Cloud ServicesAWS EC2, Amazon S3, CloudFront
AuthenticationOAuth 2.0, MFA
CDNCloudflare
DatabasePostgreSQL
Third-Party ServicesStripe, SendGrid

These findings are combined into a single attack surface map, providing a clear view of the organization's exposed infrastructure and helping guide subsequent phases such as enumeration, vulnerability assessment, and manual security testing.


Summary

An Attack Surface Map is a comprehensive representation of all accessible assets within the authorized scope of an ethical hacking engagement. It includes domains, subdomains, IP addresses, web applications, APIs, cloud resources, authentication systems, network services, technologies, and third-party integrations. Building this map during reconnaissance gives security professionals a complete understanding of the target environment, enabling focused, efficient, and thorough security testing while minimizing the risk of overlooked assets.

Previous Post Next Post