Cyber Attack Surface Report

Cyber attack surface report for any domain — enter a target and get a full external risk assessment in minutes. This actor runs 11 intelligence sources in parallel to map your DNS footprint, SSL certificates, open ports, technology stack, CVEs, and CISA Known Exploited Vulnerabilities, then delivers a scored Exposure Assessment (0-100) and a letter-grade Cyber Rating (A-F) modeled after SecurityScorecard and BitSight.

Built for security teams, CISOs, and third-party risk managers who need quantified attack surface data without standing up a commercial EASM platform. One domain input produces a board-ready report with infrastructure inventory, vulnerability cross-references, code exposure flags, and historical drift analysis — all from publicly available data sources.

What data can you extract?

Why use Cyber Attack Surface Report?

Manual external attack surface assessment takes a security engineer 2-3 days: DNS enumeration, certificate transparency queries, port scans, CVE lookups, GitHub searches, and report writing. Commercial platforms like SecurityScorecard, BitSight, and CrowdStrike Falcon Surface charge $20,000-$80,000 per year for continuous monitoring.

This actor automates the entire discovery and scoring pipeline in a single run. Enter a domain, get a comprehensive risk report with a comparable letter-grade rating — at a fraction of the cost.

• Scheduling — run weekly or monthly to track how your attack surface changes over time and catch new exposure before attackers do
• API access — trigger runs from your SIEM, GRC platform, or Python/JavaScript security tooling via the Apify API
• Proxy rotation — queries external intelligence sources through Apify's built-in proxy infrastructure to avoid rate limiting
• Monitoring — configure Slack or email alerts when runs finish so your team gets reports automatically
• Integrations — push results to Zapier, Make, Google Sheets, or webhooks for downstream workflows

Features

• 11-source parallel intelligence pipeline — DNS records, SSL certificate transparency, WHOIS, Censys host scanning, IP geolocation, NVD CVE database, CISA KEV catalog, website tech stack, Wayback Machine, GitHub repo scan, and website change monitoring all run concurrently
• Four-dimension Exposure Score (0-100) — Infrastructure Exposure (0-30 pts), Vulnerability Exposure (0-30 pts), Code and Data Exposure (0-20 pts), and Historical Drift (0-20 pts) combine into a single quantified risk score
• Letter-grade Cyber Rating (A-F) — composite model weights email security (20%), SSL hygiene (25%), network exposure (35%), and tech complexity (20%), matching the methodology of commercial EASM platforms
• CISA Known Exploited Vulnerability matching — cross-references detected technology stack against the CISA KEV catalog of vulnerabilities confirmed to be actively exploited in the wild
• Dangerous port detection — flags FTP (21), Telnet (23), SMB (445), RDP (3389), VNC (5900), Redis (6379), MongoDB (27017), and Elasticsearch (9200) if exposed to the internet
• Email spoofing risk assessment — checks SPF and DMARC DNS records, scoring missing controls against known email-based attack vectors
• SSL certificate transparency subdomain discovery — queries crt.sh to surface subdomains that DNS enumeration alone would miss, including expired and abandoned certificates
• GitHub code exposure scanning — searches public repositories matching the organization name and flags repos with names or descriptions containing 11 sensitive pattern keywords (secret, credential, password, token, api-key, private, internal, config, .env, deploy, infra)
• Infrastructure sprawl scoring — computes a sprawl index from subdomain count, unique IP count, open port count, and geographic distribution to quantify overall surface area
• Historical drift analysis — combines Wayback Machine snapshot history with live change monitoring to identify long-lived attack surface and recent content modifications
• Stale repo detection — identifies public repositories with no commits in over 12 months, flagging potential unpatched dependency exposure
• 20 high-CVE-history technology signatures — matches detected stack against Apache, nginx, OpenSSL, Log4j, Struts, Tomcat, WordPress, Drupal, Joomla, PHP, jQuery, Angular, Spring, Exchange, IIS, Elasticsearch, Jenkins, GitLab, Confluence, and Jira

Use cases for cyber attack surface report

Third-party vendor risk management

Procurement and vendor risk teams need to assess the security posture of suppliers, SaaS vendors, and technology partners before onboarding or at contract renewal. Running a cyber attack surface report against each vendor's primary domain gives you a quantified Cyber Rating, CISA KEV matches, and infrastructure sprawl data to inform tiering decisions — without asking vendors to complete lengthy questionnaires that may be inaccurate.

Security team pre-engagement assessment

Penetration testers and red team operators use external attack surface mapping as the first phase of any engagement. This actor automates passive reconnaissance: subdomain enumeration via SSL transparency logs, open port inventory via Censys, technology stack fingerprinting, and GitHub exposure — in one run before active testing begins, saving hours of manual OSINT work.

CISO board reporting and risk quantification

CISOs need a comparable, explainable number to bring to board meetings and audit committees. The actor's Exposure Score (0-100) and letter-grade Cyber Rating (A-F) provide exactly that: a defensible, methodology-backed risk score derived from the same data sources that commercial platforms use, at a cost that fits any security budget.

DevSecOps and continuous security monitoring

Engineering teams running CI/CD pipelines benefit from scheduled attack surface snapshots. Schedule the actor weekly and configure a webhook to post results to Slack when the Exposure Score increases, a new CISA KEV is matched, or a new dangerous port appears. Catch misconfigurations before an external researcher does.

Incident response external footprint mapping

When a domain is involved in an incident, responders need to quickly understand the entire external footprint: all IP addresses, all subdomains, all open services, all certificates, and the technology stack. This actor produces that inventory in minutes from public sources, without requiring access to internal systems.

Competitive and acquisition due diligence

M&A teams and investors running technical due diligence on acquisition targets need a fast read on the target's security hygiene. A low Cyber Rating, CISA KEV matches, or dangerously exposed ports are material risk factors. This actor provides a consistent, repeatable assessment for every target in a pipeline.

How to run a cyber attack surface report

1. Enter the target domain — type the domain you want to assess (e.g., acmecorp.com). Do not include https:// or trailing slashes. One domain per run.
2. Configure subdomain discovery — leave "Include Subdomains" enabled (the default) to surface the full SSL certificate transparency scope. Disable it only if you need a faster, narrower scan.
3. Click Start and wait — the actor runs 11 data sources in parallel. Most domains complete in 3-8 minutes. Large organizations with extensive infrastructure may take up to 12 minutes.
4. Download your report — open the Dataset tab to view the full JSON report. Export to CSV or Excel for spreadsheet analysis, or copy the raw JSON into your GRC platform, ticketing system, or board presentation.

Input parameters

Input examples

Standard assessment — single domain:

{
    "domain": "acmecorp.com",
    "includeSubdomains": true
}

Fast scan — skip subdomain discovery:

{
    "domain": "betaindustries.com",
    "includeSubdomains": false
}

Vendor risk screening — minimal configuration:

{
    "domain": "supplierpartner.com"
}

Input tips

• Use the apex domain — enter acmecorp.com, not www.acmecorp.com. The actor handles subdomain discovery automatically via SSL transparency logs.
• Leave subdomain discovery on — disabling it only marginally reduces runtime but significantly reduces subdomain coverage. Keep it enabled for accurate sprawl scoring.
• One domain per run — the actor is designed for thorough single-domain analysis. For batch vendor assessments, trigger multiple runs via the API with different domain inputs.
• Schedule for continuous monitoring — use Apify's built-in scheduler to run this actor weekly on your own domains and receive automatic exposure score trending.

Output example

{
    "domain": "pinnacletech.com",
    "generatedAt": "2026-03-20T09:14:33.412Z",
    "actorsUsed": 11,
    "executiveSummary": {
        "exposureScore": 54,
        "exposureGrade": "MODERATE EXPOSURE",
        "cyberRating": "C",
        "cyberRatingScore": 67,
        "sprawlScore": 58,
        "sprawlLevel": "MODERATE",
        "recommendation": "Significant exposure. Prioritize vulnerability remediation and reduce infrastructure sprawl."
    },
    "exposureScoring": {
        "total": 54,
        "grade": "MODERATE EXPOSURE",
        "dimensions": {
            "infrastructure": {
                "score": 19,
                "max": 30,
                "findings": [
                    "7 unique IP addresses",
                    "No DMARC record — no email authentication policy",
                    "24 SSL certificates/subdomains",
                    "Dangerous ports exposed: 3389, 6379 (RDP/Redis)"
                ]
            },
            "vulnerability": {
                "score": 22,
                "max": 30,
                "findings": [
                    "4 high-CVE-history technologies detected: nginx, wordpress, php, jquery",
                    "3 CRITICAL CVE(s) found in detected technology stack",
                    "5 HIGH severity CVE(s)",
                    "1 CISA Known Exploited Vulnerability(ies) — ACTIVELY EXPLOITED IN THE WILD"
                ]
            },
            "codeData": {
                "score": 8,
                "max": 20,
                "findings": [
                    "2 public repo(s) with potentially sensitive names/descriptions: pinnacletech-config-secrets, internal-api-credentials"
                ]
            },
            "historicalDrift": {
                "score": 5,
                "max": 20,
                "findings": [
                    "Web presence dates back 14 years (since ~2012) — long history of potential cached data",
                    "3 recent website change(s) detected — active modification of attack surface"
                ]
            }
        }
    },
    "assetSummary": {
        "dnsRecords": 31,
        "sslCertificates": 24,
        "subdomainsDiscovered": 18,
        "uniqueIPs": 7,
        "censysHosts": 6,
        "openPorts": 14,
        "technologiesDetected": 22,
        "cvesFound": 12,
        "cisaKevsFound": 1,
        "waybackSnapshots": 18,
        "githubRepos": 14,
        "countriesSpanned": 3
    },
    "infrastructure": {
        "subdomains": [
            "api.pinnacletech.com",
            "cdn.pinnacletech.com",
            "mail.pinnacletech.com",
            "staging.pinnacletech.com",
            "dev.pinnacletech.com"
        ],
        "ipAddresses": ["203.0.113.45", "198.51.100.12", "192.0.2.88"],
        "countries": ["US", "DE", "SG"],
        "openPorts": { "80": 3, "443": 5, "3389": 1, "6379": 1 },
        "dangerousPortsExposed": [3389, 6379]
    },
    "emailSecurity": {
        "score": 60,
        "hasSPF": true,
        "hasDMARC": false,
        "risk": "MEDIUM"
    },
    "sslHygiene": {
        "score": 70,
        "totalCerts": 24,
        "expiredCerts": 1
    },
    "vulnerabilities": {
        "detectedTechnologies": ["nginx", "wordpress", "php", "jquery", "apache", "mysql"],
        "cves": [
            {
                "cveId": "CVE-2023-44487",
                "severity": "HIGH",
                "cvssScore": 7.5,
                "description": "HTTP/2 Rapid Reset Attack affecting nginx"
            }
        ],
        "cisaKevAlert": "URGENT: 1 actively exploited vulnerability found in detected tech stack.",
        "cisaKevMatches": [
            {
                "cveID": "CVE-2023-44487",
                "vendorProject": "IETF",
                "product": "HTTP/2",
                "dateAdded": "2023-10-10",
                "dueDate": "2023-10-31"
            }
        ]
    },
    "codeExposure": {
        "totalRepos": 14,
        "flaggedRepos": 2,
        "flagged": [
            {
                "repo": "pinnacletech-config-secrets",
                "url": "https://github.com/pinnacletech/pinnacletech-config-secrets",
                "matches": [
                    { "keyword": "config", "risk": "MEDIUM" },
                    { "keyword": "secret", "risk": "HIGH" }
                ],
                "maxRisk": "HIGH"
            }
        ],
        "alert": "HIGH RISK: Public repos with credential-related names detected."
    },
    "historicalDrift": {
        "wayback": {
            "snapshotCount": 18,
            "firstSeen": "20120314153200",
            "lastSeen": "20260318091500"
        },
        "recentChanges": {
            "count": 3,
            "changes": []
        }
    },
    "cyberRating": {
        "grade": "C",
        "compositeScore": 67,
        "components": {
            "emailSecurity": { "score": 60, "hasSPF": true, "hasDMARC": false },
            "sslHygiene": { "score": 70, "totalCerts": 24, "expiredCerts": 1 },
            "networkExposure": { "score": 55, "openPorts": 14, "dangerousPortsExposed": [3389, 6379] },
            "techComplexity": { "score": 67, "technologies": 22 }
        }
    }
}

Output fields

How much does it cost to run a cyber attack surface report?

Cyber Attack Surface Report uses pay-per-run pricing — the actor orchestrates 11 sub-actor calls per run. Most runs consume approximately $0.10-$0.20 in platform credits depending on the size of the domain's infrastructure. All compute costs are included.

You can set a maximum spending limit per run to control costs. The actor stops when your budget is reached.

Compare this to SecurityScorecard at $20,000+/year or BitSight at $10,000-$40,000/year for continuous monitoring — with this actor, a full vendor portfolio assessment costs under $60 with no subscription commitment. Apify's free tier includes $5 of monthly credits, covering approximately 30-40 test runs.

Cyber attack surface report using the API

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

run = client.actor("ryanclinton/cyber-attack-surface-report").call(run_input={
    "domain": "acmecorp.com",
    "includeSubdomains": True
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    summary = item["executiveSummary"]
    print(f"Domain: {item['domain']}")
    print(f"Exposure Score: {summary['exposureScore']}/100 ({summary['exposureGrade']})")
    print(f"Cyber Rating: {summary['cyberRating']} ({summary['cyberRatingScore']}/100)")
    print(f"CISA KEV Alert: {item['vulnerabilities']['cisaKevAlert']}")
    print(f"Recommendation: {summary['recommendation']}")

JavaScript

import { ApifyClient } from "apify-client";

const client = new ApifyClient({ token: "YOUR_API_TOKEN" });

const run = await client.actor("ryanclinton/cyber-attack-surface-report").call({
    domain: "acmecorp.com",
    includeSubdomains: true
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
for (const item of items) {
    const { executiveSummary, vulnerabilities, codeExposure } = item;
    console.log(`Domain: ${item.domain}`);
    console.log(`Exposure: ${executiveSummary.exposureScore}/100 (${executiveSummary.exposureGrade})`);
    console.log(`Cyber Rating: ${executiveSummary.cyberRating}`);
    console.log(`KEV Alert: ${vulnerabilities.cisaKevAlert}`);
    console.log(`Flagged Repos: ${codeExposure.flaggedRepos}`);
}

cURL

# Start the actor run
curl -X POST "https://api.apify.com/v2/acts/ryanclinton~cyber-attack-surface-report/runs?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"domain": "acmecorp.com", "includeSubdomains": true}'

# Fetch results (replace DATASET_ID from the run response above)
curl "https://api.apify.com/v2/datasets/DATASET_ID/items?token=YOUR_API_TOKEN&format=json"

How Cyber Attack Surface Report works

Phase 1: Parallel intelligence collection

The actor fires all 11 sub-actor calls simultaneously using Promise.all. DNS record lookup retrieves up to 100 records (A, AAAA, MX, TXT, CNAME, NS). SSL certificate transparency queries crt.sh for up to 100 certificates when subdomain discovery is enabled, or 50 when disabled. WHOIS retrieves registration data. Censys host search returns up to 30 indexed host records including port and service data. IP geolocation maps DNS IP addresses to country and ASN. The website tech stack detector fingerprints the live site. NVD CVE search queries the National Vulnerability Database. CISA KEV search checks the Known Exploited Vulnerabilities catalog. Wayback Machine search retrieves up to 20 historical snapshots. Website change monitor captures 5 recent change events. GitHub repo search queries org:{company-name} for up to 30 public repositories. All calls run with a 120-second per-actor timeout and fail gracefully — a single source failure does not abort the report.

Phase 2: Four-dimension exposure scoring

The scoring engine processes all collected data through four independent dimension functions, each capped at its maximum contribution. Infrastructure Exposure (0-30 pts) penalizes DNS IP sprawl (up to 6 pts), missing SPF (3 pts) and DMARC (2 pts), large subdomain counts (up to 5 pts), expired certificates (4 pts), excessive open ports (up to 6 pts), dangerous port exposure from the list [21, 23, 445, 3389, 5900, 6379, 27017, 9200] (5 pts), and multi-country infrastructure (2 pts). Vulnerability Exposure (0-30 pts) scores against a 20-technology HIGH_CVE_TECH signature set (up to 8 pts), critical CVEs at 3 pts each capped at 12, high-severity CVEs at 2 pts each capped at 6, and CISA KEV matches at 5 pts each capped at 15. Code and Data Exposure (0-20 pts) evaluates repos with sensitive name patterns against 9 keywords (8 pts), large public repo counts (up to 5 pts), and stale repos inactive for over 365 days (4 pts). Historical Drift (0-20 pts) adds points for extensive Wayback archives (4 pts), recent website changes (3 pts), and large content modifications over 50% diff (5 pts).

Phase 3: Cyber Rating computation

Separately from the Exposure Score, a SecurityScorecard-style letter grade is computed as a weighted composite: email security score (20%) derived from SPF and DMARC presence, SSL hygiene score (25%) penalized by expired cert count, network exposure score (35%) penalized by open port count and dangerous port exposures at 15 pts each, and tech complexity score (20%) derived from technology count. The composite (0-100) maps to grades A (90+), B (80-89), C (70-79), D (60-69), F (below 60). This grade answers the board-level question "how are we doing?" while the dimensional Exposure Score answers "where exactly is the risk?"

Phase 4: Report assembly

Phase 4 assembles infrastructure sets (unique IPs, subdomains, port maps), applies the 11-pattern GitHub secret scanning logic with risk levels (HIGH/MEDIUM/LOW per keyword), computes the infrastructure sprawl index as min(100, subdomains*2 + IPs*3 + ports*4 + countries*5), and outputs the complete structured report to the Apify dataset in a single Actor.pushData call.

Tips for best results

1. Use the apex domain for maximum coverage. Enter acmecorp.com rather than a subdomain. The SSL transparency query will surface all subdomain certificates automatically. Querying a subdomain restricts the certificate scope.

2. Compare scores over time, not in absolute terms. An Exposure Score of 45 is only meaningful relative to a previous baseline for the same domain. Schedule weekly runs and track the trend — an increasing score signals new exposure that warrants investigation.

3. Treat CISA KEV matches as P1 incidents. Any match in vulnerabilities.cisaKevMatches means a vulnerability in your tech stack is confirmed to be actively exploited in the wild today. This overrides any other prioritization framework.

4. Investigate flagged GitHub repos manually. The code exposure scan identifies repos with sensitive-sounding names. A repo named "internal-api-credentials" might be harmless or it might contain actual credentials. Always verify flagged repos manually before escalating.

5. Cross-reference dangerous ports with your network diagram. An RDP port (3389) visible on Censys may be intentional (a bastion host) or accidental (a misconfigured firewall rule). The actor surfaces the exposure — your team confirms whether it should exist.

6. Combine with Website Tech Stack Detector for deeper CVE context. Run Website Tech Stack Detector separately with detectVersions: true for version-specific CVE matching, which produces more precise vulnerability results than domain-name-based NVD queries.

7. Use the API for batch vendor assessments. For screening 50+ vendors, call the actor programmatically in a loop with per-domain inputs. Each run is independent and isolated. Store outputs in a spreadsheet or your GRC platform using the Google Sheets or HubSpot integrations.

8. Set memory to 512 MB for large enterprise domains. The default 128 MB handles most domains. Domains with hundreds of subdomains and large GitHub organizations may benefit from the 512 MB allocation to avoid memory pressure during parallel data collection.

Combine with other Apify actors

Limitations

• No active scanning. The actor uses only passive, publicly available data sources. It does not conduct port scans directly — Censys data reflects what Censys has indexed, which may be days or weeks old for some hosts.
• CVE matching is technology-name based, not version specific. CVE queries search the NVD by technology name (e.g., "nginx") rather than a confirmed version number. False positives are possible. Version-specific analysis requires running Website Tech Stack Detector with version detection and cross-referencing separately.
• GitHub scan is organization-name heuristic only. The GitHub search uses org:{first-segment-of-domain}. A domain like acmecorp.com searches for org:acmecorp. If the organization uses a different GitHub handle, repos will not be found.
• Censys coverage varies by IP range. Censys does not scan all IPv4 space continuously. Some hosts and ports may not appear if Censys has not recently indexed them.
• SSL transparency covers issued certificates, not all subdomains. Subdomains using self-signed certificates or that have never had a certificate issued will not appear in the transparency log results.
• WHOIS privacy services mask registrant data. Many domains use privacy protection services. In these cases, WHOIS fields return registrar proxy data rather than the actual registrant, limiting due diligence depth.
• Historical drift scoring requires Wayback Machine coverage. Very new domains or domains that have blocked the Wayback Machine crawler will have no historical snapshot data, resulting in zero Historical Drift dimension scores regardless of actual surface history.
• The 120-second per-sub-actor timeout may be hit on slow sources. If a data source is slow or rate-limited during a run, that source returns an empty array rather than failing the run. Check assetSummary counts to confirm all sources returned data.
• This actor is for external attack surface assessment only. Internal networks, authenticated applications, and cloud-native infrastructure not exposed to the public internet are outside scope.

Integrations

• Zapier — trigger a vendor risk assessment automatically when a new supplier is added to your procurement system, and push the Cyber Rating and Exposure Score to a Slack channel or Jira ticket
• Make — build scheduled vendor risk workflows that run the actor weekly, compare the current Cyber Rating to the previous run, and create alerts on score degradation
• Google Sheets — append each run's Exposure Score, Cyber Rating, CISA KEV count, and dangerous port list to a vendor risk register spreadsheet for audit trail purposes
• Apify API — integrate directly into your SIEM, GRC platform, or internal security tooling with the actor's REST API for programmatic report generation
• Webhooks — fire a webhook on run completion to post the Exposure Score to your incident management system or trigger downstream enrichment workflows
• LangChain / LlamaIndex — feed structured attack surface report data into LLM pipelines for natural-language risk narrative generation or AI-assisted remediation prioritization

Troubleshooting

Low asset counts across all categories despite a known-large domain — Some data sources may have timed out or been rate-limited during the run. Check the assetSummary fields in the output. If multiple sources show zero counts, re-run the actor. The 120-second per-actor timeout can occasionally be hit during platform load peaks.

CISA KEV matches look incorrect for the detected tech stack — The CVE and KEV searches use the domain name and technology names as query strings against the NVD and CISA APIs. Results are best-effort matches, not confirmed vulnerability assessments. Review vulnerabilities.cisaKevMatches entries and verify the product and vendor fields against your confirmed technology versions.

GitHub repos returning zero results — The GitHub org search uses the first segment of the domain as the organization name (e.g., acmecorp from acmecorp.com). If the company uses a different GitHub handle, or has no public repos, this section will be empty. This does not affect the other 10 data sources or the overall score.

Run taking longer than 10 minutes — Domains with very large subdomain counts (over 200) or organizations with many GitHub repositories may take longer due to dataset pagination in the parallel sub-actor calls. Increase memory allocation to 512 MB to help with large workloads.

Exposure Score seems high for a simple domain — Review the individual dimension findings in exposureScoring.dimensions. Common causes of unexpectedly high scores are: missing DMARC record (adds 2 pts), a large number of SSL certificates from historical subdomain sprawl, or NVD returning CVEs for common technology names like "php" or "jquery" that may not be version-specific matches.

Responsible use

• This actor only accesses publicly available data sources: DNS records, SSL certificate transparency logs, public Censys data, WHOIS, NVD, CISA KEV, public GitHub repositories, and archived web data.
• Only assess domains you own or have explicit written authorization to assess. Unauthorized attack surface enumeration may violate computer access laws in your jurisdiction.
• Respect the terms of service of all underlying data sources, including Censys, GitHub, and the Internet Archive.
• Do not use this tool to enumerate infrastructure for unauthorized access, competitive espionage, or any purpose that could harm the assessed organization.
• For guidance on responsible security research and web data legality, see Apify's guide.

FAQ

How does Cyber Attack Surface Report compare to SecurityScorecard or BitSight? Commercial platforms like SecurityScorecard and BitSight provide continuous monitoring, historical trending, and peer benchmarking at $10,000-$80,000/year. This actor performs the same passive external data collection and scoring methodology on demand, at approximately $0.12-$0.20 per domain assessment, with no subscription. It is well-suited for point-in-time vendor assessments, pre-engagement recon, and budget-constrained security teams.

What is the difference between the Exposure Score and the Cyber Rating? The Exposure Score (0-100) is a dimensional risk score that quantifies how large and risky the attack surface is across four categories: infrastructure, vulnerability, code exposure, and historical drift. The Cyber Rating (A-F) is a composite letter grade that weights email security (20%), SSL hygiene (25%), network exposure (35%), and tech complexity (20%) into a single intuitive grade for executive reporting.

What are CISA KEVs and why do they matter? CISA Known Exploited Vulnerabilities are CVEs that CISA has confirmed are being actively exploited by threat actors in real-world attacks. A KEV match in your detected tech stack is not a theoretical risk — it means attackers are currently using that vulnerability. Treat any KEV match as an immediate remediation priority.

How accurate is the CVE matching? CVE matching is based on technology name detection, not confirmed version numbers. A domain running nginx will trigger a query for nginx CVEs even if the installed version is fully patched. The results should be treated as a starting point for investigation, not a confirmed vulnerability list. Version-specific analysis requires Website Tech Stack Detector with version detection enabled.

Can I run cyber attack surface reports on competitor domains? You can collect publicly available data about any domain. However, confirm that your jurisdiction's laws and the target organization's terms of service permit the research activity. This actor only uses passive public data sources and does not conduct active scanning or exploitation. For competitive intelligence purposes, consult your legal team.

How many domains can I assess in one run? The actor is designed for one domain per run. For batch assessments, trigger multiple runs via the Apify API. Each run is independent and runs in parallel on the Apify platform, so a batch of 20 domains can complete in approximately the same time as a single run.

Is it legal to run an attack surface report on a domain? Querying public data sources (DNS, SSL transparency logs, CISA KEV, NVD, GitHub, Wayback Machine) for a domain is legal in most jurisdictions. Only assess domains you own or have written authorization to assess. See Apify's guide and consult legal counsel for your specific use case.

How long does a typical cyber attack surface report run take? Most domains complete in 3-8 minutes. The 11 sub-actors run in parallel, so overall runtime is determined by the slowest individual source. Large enterprise domains with hundreds of subdomains or extensive GitHub organizations may take 10-12 minutes.

Can I schedule this actor for continuous monitoring? Yes. Use Apify's built-in scheduling to run the actor daily, weekly, or monthly. Combine with webhooks to post Exposure Score changes to Slack or create tickets in Jira when the score increases or a new CISA KEV is detected.

What happens if one of the 11 data sources fails or times out? Each sub-actor call has a 120-second timeout and fails gracefully. If a source fails, it returns an empty array and the report continues without that data source. The affected section will show zero counts in assetSummary. The overall score will be lower than if the source had returned data, as missing data reduces finding counts rather than inflating them.

How is the infrastructure sprawl score calculated? The sprawl index is computed as min(100, subdomains*2 + IPs*3 + openPorts*4 + countries*5). It measures the sheer size of the external attack surface independent of specific vulnerabilities. A high sprawl score indicates more targets for attackers to probe, even if current CVE exposure is low.

Does this actor scan for open S3 buckets, exposed cloud storage, or misconfigured APIs? Not directly. The current data sources focus on DNS, SSL, network ports, tech stack, CVEs, and code repositories. S3 bucket enumeration and cloud misconfiguration scanning are outside the current scope.

Help us improve

If you encounter issues, you can help us debug faster by enabling run sharing in your Apify account:

1. Go to Account Settings > Privacy
2. Enable Share runs with public Actor creators

This lets us see your run details when something goes wrong, so we can fix issues faster. Your data is only visible to the actor developer, not publicly.

Support

Found a bug or have a feature request? Open an issue in the Issues tab on this actor's page. For custom solutions or enterprise integrations, reach out through the Apify platform.