Asset Discovery

Asset discovery is the process of finding and cataloging all of the systems, services, and digital properties an organization exposes — domains, subdomains, IP addresses, hostnames, open ports, web applications, cloud storage, and the supporting DNS, certificate, and email records. In an external attack surface management (EASM) context, it specifically means enumerating everything an attacker could reach from the public internet, without relying on an internal inventory that is often incomplete or out of date.

Why it matters

You cannot defend what you do not know exists. Most breaches start on assets the security team had forgotten about, never knew about, or assumed were decommissioned — a staging subdomain, a one-off marketing microsite, a cloud bucket spun up by a contractor, a forgotten DNS record. Asset discovery is the foundation of every other security control: vulnerability scanning, monitoring, and remediation all depend on having an accurate, current picture of what is exposed. It is the first phase of external attack surface management and the input that determines whether the rest of your program is comprehensive or full of blind spots.

How it works

Discovery typically combines several techniques:

• DNS and certificate transparency — enumerating subdomains from public CT logs, DNS records, and zone data to map hostnames.
• Passive sources — search engines, public scan datasets, and indexes like Shodan that already catalog reachable services.
• Active probing — resolving hosts, fingerprinting open ports and services, and identifying running technologies.
• Cloud and SaaS correlation — finding storage buckets, CDNs, and third-party services tied to the organization.

Because infrastructure changes constantly, discovery is most useful when it runs continuously rather than as a one-time audit — see continuous scanning vs. annual pentests.

A concrete example

A company knows about www.example.com and its production API. Asset discovery surfaces three things they did not have on file: old-portal.example.com still pointing at a deprovisioned SaaS host (a candidate for subdomain takeover), a public S3 bucket named example-backups, and a host with port 6379 open. Each is invisible to internal inventories but trivially reachable by an attacker.

How FortWatch helps

FortWatch begins every engagement with asset discovery, then runs its scanners against what it finds. Discovered hostnames and IPs feed port monitoring, vulnerability scanning (Nuclei-based CVE checks), SSL/TLS posture, DNS hygiene, HTTP headers, exposed sensitive files, subdomain takeover checks, and cloud bucket exposure. Each finding gets a severity rating and AI-generated remediation guidance. You can also explore discovery manually with the subdomain finder and DNS lookup tools. The goal is simple: an accurate, continuously updated map of your external footprint so nothing exposed goes unmonitored.