Free Attack Surface Scanner
Map your external attack surface from a single domain
Enter a domain to discover its full external attack surface. This tool queries certificate transparency logs for subdomains, checks HTTP security headers, probes for exposed files like robots.txt and security.txt, and compiles a comprehensive view of your publicly visible infrastructure.
How it works
How Attack Surface Scanner works
Enter your domain
Type any domain name. We strip protocols and paths automatically and use the root domain for a comprehensive surface scan.
Multi-source reconnaissance
We query certificate transparency logs for subdomains, fetch HTTP headers from the main domain, and probe for common exposed files — all in parallel for fast results.
Review your attack surface
Get a consolidated view of all discovered assets, exposed services, security header gaps, and publicly accessible files — with risk ratings and remediation priorities.
Features
What Attack Surface Scanner checks
Discover subdomains via certificate transparency
Queries crt.sh certificate transparency logs to find all SSL certificates issued for your domain, revealing subdomains you may not be tracking — including staging, dev, and internal services.
Analyze HTTP security headers
Checks the main domain for critical security headers including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and more to identify missing protections.
Detect exposed files and paths
Probes for robots.txt (which may reveal hidden paths), sitemap.xml (full site structure), and .well-known/security.txt (security contact and policy information).
Consolidated risk assessment
Combines all findings into a single prioritized risk view — from exposed development subdomains to missing security headers — so you know exactly what to fix first.
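Building a subdomain inventory from certificate transparency results, as an added example that is not Attack Surface Scanner's own code: it parses a constructed sample shaped like crt.sh JSON output (no network access), keeps only names inside the domain you own, separates wildcard entries, and flags hostnames that look like non-production. The `NONPROD_HINTS` list, the function names and the sample records are assumptions of this example.

```python
import json

# Constructed sample shaped like crt.sh JSON output, where name_value holds
# newline-separated names. Not real data; example.com is a placeholder.
SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com"},
    {"common_name": "staging.example.com", "name_value": "Staging.Example.com"},
    {"common_name": "dev-api.example.com", "name_value": "dev-api.example.com."},
    {"common_name": "vpn.internal.example.com", "name_value": "vpn.internal.example.com"},
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
])

# Assumed naming hints for non-production hosts; tune to your own conventions.
NONPROD_HINTS = {"dev", "staging", "stage", "test", "qa", "uat", "internal", "intranet"}


def normalize_domain(raw):
    """Strip scheme, path, port and trailing dot from user-supplied input."""
    host = raw.strip().lower().split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].rstrip(".")


def inventory(ct_json, root):
    """Return (in-scope hostnames, wildcard patterns, non-prod-looking hostnames)."""
    root = normalize_domain(root)
    hosts, wildcards = set(), set()
    for record in json.loads(ct_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            # Scope check on a label boundary, so notexample.com and
            # example.com.evil.test are rejected.
            if name != root and not name.endswith("." + root):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    flagged = set()
    for h in hosts:
        # Labels to the left of the root, split further on hyphens (dev-api -> dev, api).
        labels = h[: -len(root)].rstrip(".").split(".")
        tokens = {t for label in labels for t in label.split("-")}
        if tokens & NONPROD_HINTS:
            flagged.add(h)
    return sorted(hosts), sorted(wildcards), sorted(flagged)
```

A wildcard entry such as `*.example.com` means individual hostnames covered by that certificate do not appear in the logs, so the resulting inventory is a lower bound on what is exposed.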
Use cases
Who should use the free Attack Surface Scanner
Security Teams
Get a quick overview of your organization's external exposure. Discover forgotten subdomains, shadow IT assets, and misconfigured services that expand your attack surface.
Penetration Testers
Kickstart an engagement with automated reconnaissance. Gather subdomains, headers, and exposed files in seconds before diving into targeted vulnerability assessment.
DevOps Engineers
Audit your public infrastructure after deployments. Verify that staging environments aren't publicly accessible and that security headers are consistently applied.
Go beyond Attack Surface Scanner
This free Attack Surface Scanner checks a handful of things. Maced's AI pentest checks thousands.
Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.
Proof of exploit on every finding · SOC 2 & ISO 27001 compatible