11 best asset discovery tools for 2024

James Harrison
Senior Content Writer

Your attack surface is made up of all the digital assets that can be used to gain access to your network or sensitive data. Anything on-premise, in the cloud, in subsidiary networks, and in third-party environments. Anything that a hacker can attack.

Today, keeping track of all these IT assets can be challenging. On top of all your remote devices, you may also need to monitor IoT sensors and SaaS accounts, as well as your web applications, virtual machines, containers, and more - that’s where asset discovery tools come in.

What is asset discovery?

Asset discovery is the first step in managing this attack surface. It shows you what assets you have, and what could be exposed. This is essential for keeping an up-to-date inventory, because if you don’t know what you have, how can you protect it?  

As companies grow, different teams, departments and contractors start spinning up new infrastructure. Even if you have good internal tracking of assets, performing external attack surface discovery can help you find some of this shadow IT that your processes might miss.

Asset discovery is therefore a key element of attack surface management that helps you to manage and monitor all your hardware and software. You can see what assets you have, where they are, who’s logged on, what’s exposed, and what needs patching or updating.

Traditionally, asset discovery was a time-consuming and labor-intensive task. Modern automation tools can do some of the heavy lifting, such as keeping software licences up-to-date and compliant; unpatched vulnerabilities are responsible for up to 60% of all data breaches.

But make no mistake, there’s still a fair amount of manual work involved in asset discovery. These asset discovery tools help you pull in more data sources faster, but you still need to interpret the results and feed the data between the tools.

Best asset discovery tools

BGP Toolkit

Hurricane Electric’s BGP Toolkit allows you to search companies to find their autonomous system numbers (ASNs), and then look up IP ranges associated with those ASNs.

Key benefits

  • Gives easy, user-friendly insight into internet routing

crt.sh

Certificate transparency means there’s a public log of every SSL certificate, including the domain names it covers; crt.sh is a great tool for searching this information and finding new domains.

Key benefits

  • Presents certificate transparency information in an easily searchable format
  • API endpoint allows easy integration with scripts and other tools
  • Helps detect maliciously or accidentally mis-issued certificates that may be abused to impersonate your domains, and makes rogue CAs easier to identify reliably
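
One way to use that JSON output defensively, as an added example that is not code from the original article or from crt.sh: it extracts hostnames from certificate records, diffs them against an asset inventory to surface shadow IT, and lists certificates issued by a CA outside policy. The sample records, the inventory and the allowed-issuer set are constructed; the field names (`name_value`, `issuer_name`, `not_after`) are those of crt.sh's JSON output.

```python
import json

# Constructed sample in the shape of crt.sh JSON output
# (https://crt.sh/?q=%25.example.com&output=json). Not real certificate data.
SAMPLE = r'''[
 {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
  "name_value": "www.example.com\nexample.com", "not_after": "2024-09-01T00:00:00"},
 {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
  "name_value": "*.dev.example.com\ndev.example.com", "not_after": "2024-08-15T00:00:00"},
 {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
  "name_value": "old-shop.example.com", "not_after": "2023-02-01T00:00:00"},
 {"issuer_name": "C=US, O=Other CA, CN=Other CA X9",
  "name_value": "vpn.example.com", "not_after": "2024-12-01T00:00:00"},
 {"issuer_name": "C=US, O=Other CA, CN=Other CA X9",
  "name_value": "mail.notexample.com", "not_after": "2024-12-01T00:00:00"}
]'''
RECORDS = json.loads(SAMPLE)
INVENTORY = ["example.com", "www.example.com", "vpn.example.com"]  # hypothetical asset list
ALLOWED_ISSUERS = {"C=US, O=Example CA, CN=Example CA R1"}         # hypothetical CA policy


def normalise(name):
    """Lower-case a certificate name and drop a trailing dot or leading wildcard."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(host, root):
    # Match on a label boundary so "notexample.com" is not treated as ours.
    return host == root or host.endswith("." + root)


def names_in(record, root):
    """In-scope hostnames in one record; name_value may hold several, newline-separated."""
    hosts = {normalise(n) for n in record.get("name_value", "").split("\n")}
    return {h for h in hosts if h and "@" not in h and in_scope(h, root)}


def hosts_from_crtsh(records, root):
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    latest = {}
    for rec in records:
        for host in names_in(rec, root):
            latest[host] = max(latest.get(host, ""), rec.get("not_after", ""))
    return latest


def unknown_hosts(latest, inventory, now):
    """Hosts with certificates but no inventory entry, with a still-valid flag."""
    known = {normalise(h) for h in inventory}
    return [(h, latest[h] >= now) for h in sorted(set(latest) - known)]


def unexpected_issuers(records, root, allowed):
    """(host, issuer) pairs where an in-scope name was issued by a CA outside policy."""
    hits = {(h, rec.get("issuer_name", "")) for rec in records
            if rec.get("issuer_name", "") not in allowed for h in names_in(rec, root)}
    return sorted(hits)


if __name__ == "__main__":
    latest = hosts_from_crtsh(RECORDS, "example.com")
    for host, valid in unknown_hosts(latest, INVENTORY, "2024-06-01T00:00:00"):
        print("not in inventory:", host, "(certificate still valid)" if valid else "(expired)")
    for host, issuer in unexpected_issuers(RECORDS, "example.com", ALLOWED_ISSUERS):
        print("unexpected issuer:", host, "<-", issuer)
```

An unexpected issuer is a prompt to check with the owning team, since it may simply be a CA another department chose.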

Intruder

Intruder’s automated vulnerability scanner can help you identify and monitor your internal and external assets for auditing, logging, threat modelling and reporting, so you can assess your security issues and risk at any given time.

Key benefits

  • Shows where and how your company may be vulnerable
  • Filters noise so you can fix issues that matter most
  • Proactive emerging threat scans minimize exposure

CertStream

CertStream is an intelligence feed that gives real-time updates from the Certificate Transparency Log network. You can use it as a building block for tools that monitor new SSL certificates as they are issued.

Key benefits

  • Allows quick oversight and reaction to domains found in newly issued certificates
  • Does the hard work of watching, aggregating, and parsing the transparency logs
  • Gives simple libraries that enable you to target domains with minimal effort

Katana

Katana is designed to crawl websites to gather information and endpoints – including headless browsing. This means it can crawl single-page applications (SPAs) built using JavaScript, Angular, or React. These types of applications are becoming increasingly common but can be difficult to crawl using traditional tools.

Key benefits

  • Can crawl for multiple domains and subdomains simultaneously
  • Easily customizable in scope, rate limiting, filters, outputs, and modes

Shodan

Internet database scanners are another way to discover new assets. Tools like Shodan are designed to map and gather information about internet-connected devices and systems, help you find out who is using various products, and how they're changing over time.

Key benefits

  • Detects devices that are connected to the internet at any given time, the locations of those devices and their current users
  • Includes networks, surveillance cameras and industrial control systems (ICS)
  • Provides filters to improve search efficiency

Censys

Censys offers external asset discovery and exposure management with a real-time, contextualized view into all of your exposures across the internet and cloud. Like Shodan, it scans the entire IPv4 range of the internet to find exposed services and presents them in a searchable format.  

Key benefits

  • Multiple cloud connectors including Azure and AWS  
  • Manual and automated addition of IP and domains/subdomains
  • Reporting and risk dashboard with ability to modify risk severity

SecurityTrails

Public datasets like SecurityTrails collect data from multiple sources, some of which may not otherwise be available to you. These can be used to discover more domains and subdomains belonging to an organization without active enumeration.

Key benefits

  • Provides a huge dataset and collects from sources you otherwise wouldn’t be able to access
  • Manages infrastructure sprawl and finds forgotten digital assets
  • Their API allows good integration and is easy to work with

DNSDumpster

Online passive scanning tools like DNSDumpster can be used to obtain information about domains, block addresses, emails, and anything else DNS-related. Understanding network footprinting and reconnaissance methodology can help inform an organization’s security posture.

Key benefits

  • As a web-based service, you only need to navigate to their URL and query your target
  • Provides results in a downloadable format for passing into other tools
  • Presents a relational picture that binds all records

sublist3r

Subdomain brute forcing is the process of asking “does this subdomain exist?” over and over again at speed. Many tools do this, such as sublist3r, which is designed to enumerate subdomains using brute forcing as well as OSINT (open-source intelligence) to help penetration testers and bug hunters.

Key benefits

  • Fast subdomain brute forcing can yield results that wouldn’t be found by other sources
  • Enumerates subdomains using search engines such as Google, Yahoo, Bing, Baidu and Ask and subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS  

AssetNote Wordlists

When performing subdomain brute forcing, you need a good wordlist to help discover the best subdomains. AssetNote's "best DNS" wordlist has 10 million lines in it, and in their words, “you'll find that you discover some pretty obscure subdomains using this wordlist”.

Key benefits

  • Find subdomains that are less well-protected than the root domain or the target

Why you should add Intruder to your asset discovery armory

While not a specialist asset discovery tool, Intruder gives a real-time view of your attack surface through continuous network monitoring, automated vulnerability scanning, and emerging threat scans in a single platform.  

With downloadable reports to aid compliance and actionable remediation advice, Intruder helps nearly 3,000 customers around the world to focus on fixing what matters, making vulnerability management easy and effective.  

Intruder automatically connects your cloud accounts, notifying you of any changes to your cloud assets, providing insights and advice to help protect your attack surface. Why not try Intruder for free for 14 days and see how we can help protect your attack surface?

Release Date: Before CVE details are published
Level of Ideal: 🥳
Comments: Limited public information is available about the vulnerability.

Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit.

Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.

Release Date: Day of CVE publish
Level of Ideal: 😊
Comments: Vulnerability information is publicly accessible.

Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt themselves, speeding up potential exploit creation.

Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.

Release Date: First week since CVE publish
Level of Ideal: 😐
Comments: Vulnerability information has been publicly available for up to 1 week.

The likelihood that exploitation in the wild is going to be happening is steadily increasing.

Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.

Release Date: Between 1 week and 1 month since CVE publish
Level of Ideal: 🥺
Comments: Vulnerability information has been publicly available for up to 1 month, and some very clever people have had time to craft an exploit.

We’re starting to lose some of the benefit of rapid, automated vulnerability detection.

Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.

Release Date: After 1 month since CVE publish
Level of Ideal: 😨
Comments: Information has been publicly available for more than 31 days.

Any detection released a month after the details are publicly available is decreasing in value for me.

Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.

With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:

  • Have CVSSv2 rating of 10
  • Are exploitable over the network
  • Require no user interaction

These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.

We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.

In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Then since 2010 Tenable have released remote checks for 147 critical CVEs and OpenVAS 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.

Figure 10: Absolute numbers of critical CVEs with a remote check release date from the date a CVE is published

While raw numbers are good, Tenable have a larger number of checks available so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check of a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.

Figure 11: Percentage chance of delay for critical vulnerabilities

So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.

I thought I’d go another step further and try to see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to only checks released 180 days prior to a CVE being published and 31 days after a CVE being published. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details and anything after a 1-month delay is less important for us.
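
The bounded per-year mean described above, as an added example that is not the author's analysis code, run over constructed date pairs so the effect of the outliers is visible. The window boundaries of 7 and 31 days and the grouping by CVE publication year are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed (CVE published, remote check released) pairs; not real vendor data.
CHECK_DATES = [
    (date(2019, 3, 1), date(2019, 2, 20)),   # check 9 days before publication
    (date(2019, 5, 10), date(2019, 5, 10)),  # same day
    (date(2019, 7, 1), date(2019, 7, 5)),    # 4 days after
    (date(2020, 1, 15), date(2020, 2, 4)),   # 20 days after
    (date(2020, 6, 1), date(2020, 9, 1)),    # 92 days after (late outlier)
    (date(2020, 8, 1), date(2019, 12, 1)),   # 244 days before (early outlier)
]


def delay_days(published, released):
    """Negative means the check shipped before the CVE details were public."""
    return (released - published).days


def window(delay):
    """Assign a delay to one of the five release windows (boundaries assumed)."""
    if delay < 0:
        return "before publish"
    if delay == 0:
        return "day of publish"
    if delay <= 7:
        return "first week"
    if delay <= 31:
        return "1 week to 1 month"
    return "after 1 month"


def window_shares(pairs):
    """Percentage of checks falling in each window."""
    counts = defaultdict(int)
    for published, released in pairs:
        counts[window(delay_days(published, released))] += 1
    return {name: round(100 * n / len(pairs), 2) for name, n in counts.items()}


def mean_delay_by_year(pairs, lo=-180, hi=31):
    """Mean delay per publication year, keeping only delays in [lo, hi].

    Pass lo=None to disable the bounds and see the raw, outlier-driven mean.
    """
    by_year = defaultdict(list)
    for published, released in pairs:
        delay = delay_days(published, released)
        if lo is None or lo <= delay <= hi:
            by_year[published.year].append(delay)
    return {year: round(sum(d) / len(d), 2) for year, d in sorted(by_year.items())}


if __name__ == "__main__":
    print("window shares:", window_shares(CHECK_DATES))
    print("bounded mean: ", mean_delay_by_year(CHECK_DATES))
    print("raw mean:     ", mean_delay_by_year(CHECK_DATES, lo=None))
```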

What can we take away from Figure 12?

  • We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
  • In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
  • But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
  • For both, the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
  • We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.

Figure 12: Release delay year-on-year (lower is better)

With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities, Tenable could win this category. However, with the delay time from 2019 and 2020 going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.

The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.
