Attack Surface Discovery identifies internet-facing domains and IP addresses within your organization and reports potential risks such as misconfigurations, highly-exploitable vulnerabilities, and insecure connection issues.

Internet-facing programs and services constitute a large portion of your organization's attack surface and can be your most vulnerable assets. These assets, which may be accessible from the internet either accidentally or deliberately, are among the first targets that threat actors attempt to compromise.
Attack Surface Discovery gives you visibility into your external attack surface by discovering the domains (including subdomains) and IP addresses used for your internet-facing assets. During discovery, key information about your assets such as geolocation, host provider, and certificate status is also collected.
When getting started, Attack Surface Discovery automatically identifies your organization's root domains and IP addresses based on data from your connected identity and access management (IAM) systems as well as Trend Vision One sign-in information. A secondary verification process ensures the root domains belong to your organization. Sources used in secondary verification include:
Information collected
Registrant information
External DNS services
A and CNAME records
Certificate information
The verification process also discovers related domains, subdomains, and public-facing IP addresses.
It may take up to 10 days to complete verification of all discovered domains and subdomains. Before the verification is complete, the number of domains displayed in Internet-Facing Assets may not match the actual number of discovered domains.
Once internet-facing assets are discovered and verified, Attack Surface Discovery performs a risk assessment on the assets to help you prioritize during remediation. The risk assessment identifies asset security issues based on information about ports and services used, certificate status, and vulnerabilities.
Collected data on discovered and verified assets is updated daily.
If a domain or IP is added, changed, or removed, it may take up to 10 days for the change to be reflected in Internet-Facing Assets.
A multi-faceted scoring system is used to determine the criticality and risk level of an internet-facing asset. An asset's risk score considers the following factors:
Asset type
Risk score contributor
Internet-facing domains
  • Certificates
  • Ports
  • Vulnerabilities
  • Aggregated risk for hosts related to the domain
  • Aggregated risk for IP addresses related to the domain and related hosts
Internet-facing IP addresses
  • Ports
  • Vulnerabilities