🛡️ GuardFoxCopilot Documentation

Attack Surface Management

Passive external asset discovery, exposure scoring, and continuous monitoring via crt.sh, Shodan, DNS, and RDAP.

Route: /attack-surface

How it works

Overview

How Attack Surface Management Works

GuardFoxCopilot uses passive, non-intrusive techniques to discover and monitor your external attack surface. No active scanning or exploitation — only data that is already public.

Discovery sources:

SourceWhat it finds
crt.shAll certificates issued for your domain (reveals subdomains)
ShodanOpen ports, banners, vulnerabilities on your IPs
DNS enumerationA, AAAA, MX, TXT, SPF, DMARC records
RDAP / WHOISDomain registration, ASN ownership
HTTP headersSecurity headers, server version disclosure
TLS checkCert expiry, cipher suites, TLS version

Continuous monitoring

Once an asset is discovered, GuardFoxCopilot rescans it every 24 hours and alerts you when:

  • A new exposure appears
  • A certificate is about to expire (<30 days)
  • A new subdomain appears on your domain
  • An open port changes

Running a discovery scan

How to use

Running a Discovery Scan

  1. Go to Threat Analysis → Attack Surface → 🔍 Discovery Scan
  2. Enter your domain (e.g., company.com) or IP range (e.g., 192.168.1.0/24)
  3. Click Start Scan
  4. Progress updates in real-time — results appear in Asset Inventory when complete

What to scan first

Start with your primary domain. A typical scan for a mid-size company finds:

  • 15–50 subdomains via certificate transparency
  • 5–15 with open ports or web services
  • 2–5 with active exposures (missing headers, weak TLS, etc.)

Shodan API key (optional)

A free Shodan account includes limited lookups. For continuous monitoring:

  1. Create account at shodan.io
  2. Go to Account → API Key
  3. Add in Settings → Integrations → Shodan API Key