Security Is Our Mission
How Deft helps you discover vulnerabilities and map your complete attack surface
Abstract
External Attack Surface Management (EASM) has emerged as a critical discipline in modern cybersecurity operations. This paper presents the Deft methodology for comprehensive attack surface discovery, vulnerability correlation, and continuous security posture assessment. Our approach combines passive reconnaissance, active enumeration, and automated vulnerability detection to provide organizations with actionable intelligence regarding their external exposure.
1. Understanding Your Attack Surface
The external attack surface comprises all digital assets, services, and entry points that are accessible from the public internet. According to recent industry analysis, organizations typically lack visibility into 30-40% of their internet-facing assets, creating significant blind spots in their security posture.
These unknown assets, often referred to as "shadow IT", include decommissioned servers still connected to networks, development environments with production data, legacy applications with unpatched vulnerabilities, and third-party integrations with excessive permissions. The attack surface expands organically through cloud migrations, DevOps automation, mergers and acquisitions, and decentralized IT procurement.
Deft addresses this visibility gap through systematic asset discovery and continuous monitoring, enabling organizations to maintain an accurate inventory of their external exposure.
2. Comprehensive Service Discovery
Service discovery forms the foundation of attack surface analysis. Deft employs TCP SYN scanning techniques across the top 1,000 most commonly used ports, as defined by the Nmap service database. This methodology balances thoroughness with operational efficiency, capturing approximately 93% of services typically deployed in enterprise environments.
For each discovered open port, the platform performs service fingerprinting to identify the running application, version information, and protocol characteristics. This includes banner grabbing, protocol-specific probes, and TLS certificate analysis where applicable. The resulting data provides granular visibility into:
- Web servers (Apache, Nginx, IIS) and application frameworks
- Database management systems (MySQL, PostgreSQL, MongoDB, Redis)
- Remote administration services (SSH, RDP, VNC, Telnet)
- Mail transfer agents and associated protocols (SMTP, IMAP, POP3)
- API endpoints and microservice architectures
- Legacy protocols and potentially vulnerable services
3. Subdomain Enumeration
Subdomain enumeration represents a critical component of attack surface mapping. Adversaries frequently target subdomains as they often host development environments, internal tools, or deprecated applications with reduced security controls compared to primary domains.
Deft implements a multi-source enumeration strategy combining:
- Certificate Transparency Logs: Analysis of publicly logged TLS certificates to identify domains and subdomains
- Passive DNS Databases: Historical DNS resolution data aggregated from multiple intelligence sources
- Search Engine Dorking: Automated queries to identify indexed subdomains and associated content
- DNS Zone Analysis: Examination of DNS records including CNAME, MX, TXT, and NS entries
Each discovered subdomain undergoes the same comprehensive port scanning and service identification process applied to the primary domain, ensuring complete coverage of the organization's external footprint.
4. CVE Detection and Vulnerability Analysis
Vulnerability identification correlates discovered services against the NIST National Vulnerability Database (NVD) and supplementary threat intelligence feeds. This process maps detected software versions to known Common Vulnerabilities and Exposures (CVE) identifiers, providing immediate visibility into exploitable weaknesses.
The platform evaluates vulnerabilities using the Common Vulnerability Scoring System (CVSS v3.1), categorizing findings by severity:
- Critical (9.0-10.0): Vulnerabilities enabling remote code execution, authentication bypass, or complete system compromise
- High (7.0-8.9): Significant vulnerabilities that may lead to data disclosure or service disruption
- Medium (4.0-6.9): Vulnerabilities requiring specific conditions or user interaction for exploitation
- Low (0.1-3.9): Minor issues with limited security impact
Beyond CVSS scoring, Deft incorporates exploit availability data, including references to public proof-of-concept code, Metasploit modules, and observed exploitation in the wild, enabling accurate prioritization based on real-world threat context.
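The following is an added example, not Deft's own code. It shows how the severity bands above can be combined with exploit-availability signals to order a remediation queue. The field names, the ordering policy (observed exploitation first, then severity band, then public exploit, then score), and the sample findings with placeholder CVE identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Severity bands exactly as listed above: (lower bound, label).
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
ORDER = ["Critical", "High", "Medium", "Low", "None"]

def severity(cvss: float) -> str:
    """Map a CVSS v3.1 base score to its band; a score of 0.0 has no severity."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return next((label for floor, label in BANDS if cvss >= floor), "None")

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                      # placeholder identifiers, not real CVEs
    cvss: float
    exploited_in_wild: bool = False
    public_exploit: bool = False  # proof-of-concept code or a framework module

def prioritize(findings):
    """Assumed policy: observed exploitation outranks everything; within a
    severity band, a public exploit breaks ties before the raw score does."""
    return sorted(findings, key=lambda f: (not f.exploited_in_wild,
                                           ORDER.index(severity(f.cvss)),
                                           not f.public_exploit,
                                           -f.cvss, f.asset))

# Constructed findings for illustration.
FINDINGS = [
    Finding("db.example.com:5432", "CVE-PLACEHOLDER-A", 9.8),
    Finding("vpn.example.com:443", "CVE-PLACEHOLDER-B", 7.5, exploited_in_wild=True),
    Finding("www.example.com:443", "CVE-PLACEHOLDER-C", 5.3, public_exploit=True),
    Finding("mail.example.com:25", "CVE-PLACEHOLDER-D", 8.1, public_exploit=True),
    Finding("app.example.com:8443", "CVE-PLACEHOLDER-E", 8.8),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{severity(f.cvss):8} {f.cvss:4} {f.cve} {f.asset}")
```

With this policy the High finding that is being exploited in the wild is queued ahead of the unexploited Critical one, and the 8.1 finding with a public exploit is queued ahead of the 8.8 finding without one.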
5. Risk Assessment and Scoring Methodology
Deft generates a composite security score that aggregates multiple risk indicators into a normalized metric suitable for executive reporting and trend analysis. The scoring algorithm considers:
- Vulnerability Density: Count and severity distribution of identified CVEs
- Service Exposure: Number of open ports and sensitive services accessible externally
- Asset Sprawl: Subdomain count relative to organizational size
- Configuration Hygiene: TLS versions, cipher suites, security headers, and certificate validity
- Email Security Posture: SPF, DKIM, and DMARC implementation status
The resulting score provides a quantitative baseline for measuring security improvements over time and benchmarking against industry standards.
6. Continuous Monitoring Architecture
Static point-in-time assessments fail to capture the dynamic nature of modern infrastructure. Deft implements continuous monitoring through scheduled reconnaissance cycles that detect:
- Newly exposed services and ports
- Emerging subdomains and DNS changes
- Recently disclosed vulnerabilities affecting deployed software
- Certificate expirations and TLS configuration changes
- Modifications to email authentication records
Monitoring frequency is configurable based on organizational requirements, with options for hourly, daily, or weekly scan intervals. Differential analysis highlights changes between assessment cycles, enabling rapid identification of configuration drift and unauthorized modifications.
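The differential analysis described above can be sketched as follows. This is an added example, not Deft's implementation: the snapshot layout, the change categories, and the sample hosts, banners and DNS values are assumptions constructed for illustration.

```python
# Default ports of the remote administration and database services named in section 2.
SENSITIVE = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC",
             3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

# Constructed snapshots of two assessment cycles; hosts and banners are made up.
PREVIOUS = {
    "services": {("www.example.com", 443): "nginx 1.24.0",
                 ("mail.example.com", 25): "Postfix smtpd"},
    "dns": {"_dmarc.example.com": "v=DMARC1; p=reject"},
}
CURRENT = {
    "services": {("www.example.com", 443): "nginx 1.25.3",
                 ("mail.example.com", 25): "Postfix smtpd",
                 ("dev.example.com", 3389): "Microsoft Terminal Services"},
    "dns": {"_dmarc.example.com": "v=DMARC1; p=none"},
}

def diff_snapshots(prev, curr):
    """Return the changes between two cycles as a list of dicts, sensitive first."""
    old, new = prev["services"], curr["services"]
    known_hosts = {host for host, _ in old}
    changes = []
    for host, port in sorted(new.keys() - old.keys()):
        kind = "new_service" if host in known_hosts else "new_host"
        changes.append({"kind": kind, "target": f"{host}:{port}",
                        "detail": new[(host, port)],
                        "sensitive": SENSITIVE.get(port)})
    for host, port in sorted(old.keys() - new.keys()):
        changes.append({"kind": "closed_service", "target": f"{host}:{port}",
                        "detail": old[(host, port)], "sensitive": None})
    for host, port in sorted(old.keys() & new.keys()):
        if old[(host, port)] != new[(host, port)]:
            changes.append({"kind": "fingerprint_change", "target": f"{host}:{port}",
                            "detail": f"{old[(host, port)]} -> {new[(host, port)]}",
                            "sensitive": None})
    for name in sorted(prev["dns"].keys() | curr["dns"].keys()):
        before, after = prev["dns"].get(name), curr["dns"].get(name)
        if before != after:
            changes.append({"kind": "dns_change", "target": name,
                            "detail": f"{before} -> {after}", "sensitive": None})
    # Newly exposed sensitive services go to the top of the report.
    return sorted(changes, key=lambda c: c["sensitive"] is None)

if __name__ == "__main__":
    for change in diff_snapshots(PREVIOUS, CURRENT):
        print(change)
```

On the sample data the report leads with RDP newly exposed on a previously unseen host, followed by the web server version change and the DMARC policy weakening from `p=reject` to `p=none`.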
7. Actionable Intelligence and Reporting
Deft transforms raw reconnaissance data into structured intelligence reports designed for multiple stakeholder audiences:
- Executive Summary: High-level risk posture with trend indicators and peer benchmarking
- Technical Findings: Detailed vulnerability descriptions with affected assets, CVSS scores, and CVE references
- Remediation Guidance: Prioritized action items with specific mitigation steps and configuration recommendations
- Compliance Mapping: Alignment with relevant frameworks (SOC 2, ISO 27001, PCI DSS, HIPAA)
Reports are generated in PDF format for distribution and archival purposes, with structured data exports available for integration with existing security tooling and SIEM platforms.
8. Getting Started
Initial attack surface assessment can be initiated immediately through the Deft platform. The baseline scan requires only a target domain and executes within approximately 3-5 minutes for typical configurations.
For organizations requiring enhanced capabilities, including continuous monitoring, historical trending, API access, and custom reporting, enterprise licensing options are available.