Cyber Attack Surface Report

Pricing

$400.00 / 1,000 analysis runs

Attack surface mapping across 11 sources: DNS, SSL, CVEs, CISA KEV, tech stack, code exposure. Produces 0-100 exposure score with cyber rating.

Developer

ryan clinton

Maintained by Community

Comprehensive external attack surface report that maps any domain's infrastructure, vulnerabilities, and exposure using 11 sub-actors in parallel. Discovers DNS records, SSL certificates, subdomains, open ports, technology stack, CVEs, CISA Known Exploited Vulnerabilities, GitHub code exposure, and historical drift. Produces a scored Exposure Assessment (0-100) and a letter-grade Cyber Rating (A-F) modeled after commercial security rating platforms.

Features

  • Maps the full DNS record inventory, SSL Certificate Transparency log entries, and discovered subdomains
  • Identifies open ports and dangerous service exposures (FTP, Telnet, RDP, Redis, MongoDB, Elasticsearch) via Censys
  • Cross-references detected technology stack against NVD CVE database and CISA Known Exploited Vulnerabilities catalog
  • Detects missing email security controls (SPF, DMARC) that enable spoofing attacks
  • Scans GitHub for public repositories with potentially sensitive names (credentials, secrets, API keys, config files)
  • Tracks historical website changes via Wayback Machine and content monitoring for drift analysis

Use Cases

  • Security Teams: Generate a baseline external attack surface inventory before a penetration test. Identify forgotten subdomains, exposed ports, expired SSL certificates, and missing email security controls.
  • CISO / Risk Management: Get a quantified Cyber Rating (A-F) and Exposure Score comparable to SecurityScorecard or BitSight for board-level reporting and vendor risk assessment.
  • Third-Party Risk Management: Screen vendor and supplier domains for security posture before onboarding. Use the sprawl score and vulnerability data to inform vendor risk tiers.
  • DevSecOps Engineers: Find public GitHub repositories with sensitive names, stale unmaintained repos, and technology stack components with known critical CVEs.
  • Incident Response Teams: Quickly map the external footprint of a compromised domain, including all IP addresses, subdomains, open services, and certificate history.

How to Use

  1. Click Try for free on this page
  2. Enter the target domain to analyze (e.g., "example.com")
  3. Optionally enable or disable subdomain discovery
  4. Click Start and wait for the run to finish
  5. Download results from the Dataset tab in JSON, CSV, or Excel

Input Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| domain | string | Yes | Target domain to analyze (e.g., "example.com") |
| includeSubdomains | boolean | No | Whether to include subdomain discovery via SSL certificate transparency logs (default: true) |

Output Example

{
  "domain": "example.com",
  "generatedAt": "2026-03-13T14:30:00.000Z",
  "executiveSummary": {
    "exposureScore": 47,
    "exposureGrade": "MODERATE EXPOSURE",
    "cyberRating": "C",
    "cyberRatingScore": 68,
    "sprawlScore": 42,
    "sprawlLevel": "MODERATE"
  },
  "assetSummary": {
    "subdomainsDiscovered": 18,
    "uniqueIPs": 7,
    "openPorts": 12,
    "technologiesDetected": 15,
    "cvesFound": 8,
    "cisaKevsFound": 1
  },
  "emailSecurity": { "hasSPF": true, "hasDMARC": false, "risk": "MEDIUM" },
  "vulnerabilities": {
    "detectedTechnologies": ["nginx", "wordpress", "php", "jquery"],
    "cisaKevAlert": "URGENT: 1 actively exploited vulnerability found in detected tech stack."
  },
  "codeExposure": {
    "flaggedRepos": 2,
    "alert": "HIGH RISK: Public repos with credential-related names detected."
  }
}

Scoring Model

The report produces two complementary scores:

Exposure Score (0-100) measures overall attack surface size and risk across four dimensions:

  • Infrastructure Exposure (0-30 points): DNS sprawl across many IPs adds up to 6 points. Missing SPF/DMARC adds 5. Large subdomain counts add 5. Expired SSL certificates add 4. Dangerous exposed ports (FTP, Telnet, RDP, Redis, MongoDB) add 5. Excessive open ports add 6.
  • Vulnerability Exposure (0-30 points): High-CVE-history technologies (Apache, WordPress, Log4j, etc.) add up to 8 points. Critical CVEs add up to 12. High-severity CVEs add up to 6. CISA Known Exploited Vulnerabilities add up to 15.
  • Code and Data Exposure (0-20 points): Public repos with sensitive names (secrets, credentials, tokens) add 8. Large public repo counts add 5. Stale unmaintained repos add 4.
  • Historical Drift (0-20 points): Extensive Wayback Machine archives add up to 4. Recent website changes add 3. Large content changes (over 50% diff) add 5.

Cyber Rating (A-F) is a composite letter grade calculated from email security (20%), SSL hygiene (25%), network exposure (35%), and tech complexity (20%).

Exposure Grades: MINIMAL EXPOSURE (0-15), LOW EXPOSURE (16-35), MODERATE EXPOSURE (36-55), HIGH EXPOSURE (56-75), CRITICAL EXPOSURE (76-100).

How Much Does It Cost?

Each run uses approximately $0.10-$0.20 in platform credits depending on the size of the domain's infrastructure. On the Apify free tier you can run approximately 25-40 attack surface reports per month.

Programmatic Access

Python

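from apify_client import ApifyClient

# Authenticate with your Apify API token
client = ApifyClient("YOUR_API_TOKEN")

# Start the actor and wait for the run to finish
run = client.actor("ryanclinton/cyber-attack-surface-report").call(run_input={
    "domain": "example.com",
    "includeSubdomains": True
})

# Read the report items from the run's default dataset
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)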

JavaScript

import { ApifyClient } from "apify-client";

const client = new ApifyClient({ token: "YOUR_API_TOKEN" });

const run = await client.actor("ryanclinton/cyber-attack-surface-report").call({
  domain: "example.com",
  includeSubdomains: true
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

FAQ

What is the difference between the Exposure Score and the Cyber Rating? The Exposure Score (0-100) measures the raw size and risk of the attack surface. The Cyber Rating (A-F) is a composite grade similar to SecurityScorecard that weights email security, SSL hygiene, network exposure, and technology complexity into a single letter grade.

What are CISA KEVs and why do they matter? CISA Known Exploited Vulnerabilities are CVEs that CISA has confirmed are being actively exploited in the wild. Finding a KEV match in your technology stack means you have a vulnerability that attackers are currently using, making remediation urgent.

What dangerous ports does the scan look for? The report flags FTP (21), Telnet (23), SMB (445), RDP (3389), VNC (5900), Redis (6379), MongoDB (27017), and Elasticsearch (9200). These services are commonly targeted by automated attacks.

How does subdomain discovery work? The actor queries SSL Certificate Transparency logs to find all certificates ever issued for the target domain and its subdomains. This reveals subdomains that DNS enumeration alone would miss.
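
As an added illustration (not the actor's own code), this sketch shows the normalization step that turns Certificate Transparency entries into a clean hostname inventory for a domain you own: splitting multi-name certificates, collapsing wildcards, and matching on a label boundary so look-alike names stay out of scope. The records and the `name_value` field shape are constructed assumptions; the page does not say which CT source or format the actor uses.

```python
def in_scope_hosts(ct_records, domain):
    """Return the sorted, de-duplicated hostnames under `domain` found in CT records."""
    domain = domain.lower().rstrip(".")
    hosts = set()
    for record in ct_records:
        # One certificate can list several names; here they are newline-separated (assumed shape).
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard certificate: record the parent name
            # Match on a label boundary so "notexample.com" is not treated as in scope.
            if name == domain or name.endswith("." + domain):
                hosts.add(name)
    return sorted(hosts)


# Constructed sample records, not real CT log data.
SAMPLE_CT_RECORDS = [
    {"name_value": "example.com\nwww.example.com"},
    {"name_value": "*.staging.example.com"},
    {"name_value": "VPN.Example.com."},
    {"name_value": "notexample.com"},
    {"name_value": "example.com.other.test"},
    {"name_value": "www.example.com"},
]

if __name__ == "__main__":
    for host in in_scope_hosts(SAMPLE_CT_RECORDS, "example.com"):
        print(host)
```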

Can I use this for continuous monitoring? Yes. Schedule the actor to run daily or weekly via Apify's scheduling feature and integrate with Zapier or Make to receive alerts when the exposure score or cyber rating changes.
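
For the monitoring workflow described above, this added example (not part of the actor) compares the report items from two scheduled runs and returns the regressions worth alerting on. Field names follow the Output Example and the grade bands follow the Exposure Grades on this page; `score_delta`, `make_report` and both sample reports are assumptions constructed for illustration.

```python
GRADE_BANDS = [  # (inclusive upper bound, label), from the page's Exposure Grades
    (15, "MINIMAL EXPOSURE"), (35, "LOW EXPOSURE"), (55, "MODERATE EXPOSURE"),
    (75, "HIGH EXPOSURE"), (100, "CRITICAL EXPOSURE"),
]

def grade_for(score):
    """Map a 0-100 exposure score to the grade band listed on the page."""
    if not 0 <= score <= 100:
        raise ValueError(f"exposure score out of range: {score}")
    return next(label for upper, label in GRADE_BANDS if score <= upper)

def compare_reports(previous, current, score_delta=5):
    """Return alert strings for changes between two runs.

    score_delta is an assumed alerting threshold, not a value from the page.
    """
    alerts = []
    prev, cur = previous["executiveSummary"], current["executiveSummary"]
    # Consistency check: the reported grade must match the band for the score.
    if grade_for(cur["exposureScore"]) != cur["exposureGrade"]:
        alerts.append("exposureGrade does not match exposureScore band")
    if abs(cur["exposureScore"] - prev["exposureScore"]) >= score_delta:
        alerts.append(f"exposureScore {prev['exposureScore']} -> {cur['exposureScore']}")
    if cur["cyberRating"] != prev["cyberRating"]:
        alerts.append(f"cyberRating {prev['cyberRating']} -> {cur['cyberRating']}")
    # Any increase in CISA KEV matches is reported regardless of the score delta.
    kev_prev = previous["assetSummary"]["cisaKevsFound"]
    kev_cur = current["assetSummary"]["cisaKevsFound"]
    if kev_cur > kev_prev:
        alerts.append(f"cisaKevsFound {kev_prev} -> {kev_cur}")
    # An email control that was present and is now missing is a regression.
    for control in ("hasSPF", "hasDMARC"):
        if previous["emailSecurity"].get(control) and not current["emailSecurity"].get(control):
            alerts.append(f"{control} was true, now false")
    return alerts

def make_report(score, grade, rating, kevs, dmarc):
    """Build a constructed report item holding only the fields compared above."""
    return {
        "executiveSummary": {"exposureScore": score, "exposureGrade": grade, "cyberRating": rating},
        "assetSummary": {"cisaKevsFound": kevs},
        "emailSecurity": {"hasSPF": True, "hasDMARC": dmarc},
    }

# Constructed sample data: the earlier run and the latest run.
PREVIOUS = make_report(41, "MODERATE EXPOSURE", "B", 0, True)
CURRENT = make_report(47, "MODERATE EXPOSURE", "C", 1, False)

if __name__ == "__main__":
    for alert in compare_reports(PREVIOUS, CURRENT):
        print("ALERT:", alert)
```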

Integrations

Use this actor with: