Automated Asset Discovery
Find what you didn't know you had. Auto-detect subdomains, services, technologies, and shadow IT across your infrastructure.
Discovered assets
73 new this week · 412 total
- 52.12.44.81New
api.example.com
NginxCloudflareNode.js - 52.12.44.82New
staging-v2.example.com
NginxReactNode.js - 104.18.22.17Shadow IT
forgot.example.com
ApachePHP 7.4MySQL - 20.83.12.4—
legacy-crm.example.com
IISASP.NETMSSQL - 104.18.33.9—
cdn-eu.example.com
CloudflareHTTP/2Brotli - 52.12.44.83Findings: 3
portal.example.com
NginxDjangoPostgres
Subdomain enumeration
Automatically discover all subdomains associated with your root domains. Find forgotten staging servers, legacy apps, and shadow IT before attackers do.
- Automated subdomain discovery from multiple data sources
- DNS resolution and validation of discovered subdomains
- Continuous monitoring for newly created subdomains
Technology detection
Know exactly what's running on every asset. FortWatch identifies frameworks, servers, CMS platforms, and third-party services automatically.
- Web Frameworks:React, Angular, Vue, Django, Rails, Express, and more
- Web Servers:Nginx, Apache, IIS, Caddy — with version detection
- CMS Platforms:WordPress, Drupal, Joomla, and their plugin ecosystems
- Analytics & Marketing:Google Analytics, Tag Manager, HubSpot, and tracking scripts
Service fingerprinting
Detect running services and their versions across all open ports. Know exactly what's exposed to the internet and whether it's up to date.
- Service detection across all discovered open ports
- Version identification for known services (SSH, FTP, SMTP, etc.)
- Banner grabbing and protocol analysis
CDN & WAF detection
Identify which assets are protected by CDNs and web application firewalls, and which are directly exposed to the internet.
- Detect Cloudflare, AWS CloudFront, Akamai, and other CDN providers
- Identify WAF presence and provider (Cloudflare, AWS WAF, ModSecurity)
- Flag unprotected assets that lack CDN or WAF coverage
Complete asset inventory
Build a comprehensive inventory of everything in your infrastructure. Know what you have, what it runs, and how it's exposed.
- Unified view of all domains, subdomains, and IP addresses
- Technology stack summary for every asset
- Automatic updates as new assets are discovered
Frequently asked questions
Answers to the most common questions about asset discovery, subdomain enumeration, and shadow IT.
How does FortWatch discover subdomains?+
FortWatch combines multiple passive and active techniques to enumerate subdomains: certificate transparency logs, public DNS datasets, search-engine indexes, reverse DNS, NSEC/NSEC3 walking where applicable, and brute-force resolution against curated wordlists. Every candidate is then validated with live DNS resolution and HTTP probing so your inventory only contains subdomains that actually exist and respond.
Will FortWatch catch shadow IT that my team set up without telling security?+
That's exactly the problem asset discovery solves. Marketing spins up a landing-page subdomain, an engineer ships a staging environment on a personal cloud account, a contractor provisions a tool on your root domain — FortWatch surfaces these the next time certificate transparency or passive DNS sees them. You get a feed of newly discovered assets with provenance, so you can decide whether to take them over, secure them, or shut them down.
How often does FortWatch re-discover assets?+
Continuously. Discovery runs on a schedule per root domain, and passive sources (certificate transparency, DNS telemetry) are monitored in near real time for new hostnames. When a new subdomain appears, it's added to your inventory, fingerprinted, and queued for vulnerability scanning — usually within minutes of the underlying change.
Can FortWatch discover cloud assets like S3 buckets, Azure blobs, and exposed storage?+
Yes. In addition to DNS-based discovery, FortWatch looks for cloud-hosted assets linked to your domains and brand: S3 buckets, Azure storage endpoints, Google Cloud Storage buckets, and other common cloud surfaces. These are fingerprinted, checked for public exposure, and flagged when they accept anonymous access or list contents.
Does FortWatch scan GitHub and public code for leaked assets or secrets?+
FortWatch watches public code and paste sites for references to your domains, subdomains, and identifiers. When a new repository or gist mentions your infrastructure, it's linked to the relevant asset so you can investigate leaked credentials, exposed internal hostnames, or code referencing shadow systems before attackers find them.
Which data sources does FortWatch use for discovery?+
Certificate transparency (CT) logs, passive DNS datasets, public DNS zone files, search engines, reverse DNS lookups, WHOIS and RDAP records, ASN ranges, cloud provider metadata, and active DNS brute-forcing with curated wordlists. The combination matters — no single source is complete, and attackers use all of them, so FortWatch does too.
How accurate is the discovered inventory? Will I get a lot of false positives?+
Every discovered host is validated before it lands in your inventory: DNS must resolve, and the host must respond on at least one protocol. Wildcard DNS is detected and filtered so a single wildcard record doesn't inflate your inventory with thousands of phantom subdomains. You can also mark assets as out of scope, and FortWatch will suppress them on future discoveries without forgetting they exist.
Can I exclude specific subdomains or IP ranges from discovery?+
Yes. You can mark any discovered asset as out of scope, exclude entire subdomain patterns, or restrict discovery to specific IP ranges and ASNs. Excluded assets are still tracked so you see them on the inventory, but they're skipped for active probing and vulnerability scanning until you bring them back in scope.
Secure your entire stack today
Start scanning in under 5 minutes. No credit card required. 14-day free trial included.