Step 1 of 5
Surface discovery
We recon the public attack surface: subdomains, exposed endpoints, third-party integrations, exposed credentials in commit history, leaked secrets in CDN-cached responses. The first pass establishes the perimeter we’re actually working against.

What we look for: every reachable surface an attacker could enumerate.
What we find: the unexpected stuff. Forgotten subdomains. Stale credentials. Surfaces the team forgot existed.
What we conclude: the engagement scope grows or contracts to match the real attack surface.