Got a security questionnaire about your external attack surface? Here is the answer in 48 hours.
OpenEASD (Open External Attack Surface Discovery) is a free, open-source tool from Cybersecify that maps every internet-facing asset attackers can see across your domain, from subdomains and open ports to DNS, TLS, and email security gaps.
When an enterprise customer or auditor asks what attackers can see, you need a real answer fast. OpenEASD (Open External Attack Surface Discovery) maps every exposed asset, subdomain, cert, header gap, mail-auth weakness, and leaked credential. Drop your domain, we run the scan, a founder reviews the findings, and you get the report by email in 48 business hours.
Engineers running OpenEASD locally, pull the source on GitHub.
Drop Your Domain. We Send the Report.
We run OpenEASD against your domain on our infrastructure and email the founder-reviewed report within 48 business hours. Free, no obligation.
Curious what the report looks like? See a sample report.
Got it. Report on the way.
We run OpenEASD against your domain and email the founder-reviewed report within 48 business hours. Reply to that email if you have questions.
Three reasons we hear most from founders
If one of these is you, drop your domain in the form above. We run the scan, founder-review it, and email the report in 48 hours.
"We just got a security questionnaire asking what our external attack surface looks like and we cannot answer without a scan."
"We just launched, raised, or shipped a new product. Attackers are probing our infrastructure within hours and I am flying blind."
"Engineering moves faster than ops. I have shadow infrastructure, dangling DNS, leftover staging environments. One of those forgotten assets is the breach vector."
From Submission to Founder-Reviewed Report in 48 Hours
Submit Your Domain
Drop your apex domain in the form above. We verify authorisation and queue the scan on our infrastructure.
Scan + Founder Review
Automated discovery across 12 vectors, 18 underlying tools. A founder reviews the findings, prioritises by severity, and adds context before the report ships.
Report in 48 Hours
PDF report in your inbox within 48 business hours. Critical, high, medium, low, informational ranking. Reply if you want to walk through it on a call.
12 Attack Vectors. 18 Tools. One Founder-Reviewed Report.
Findings across infrastructure, DNS, email, TLS, SSH, web layer, subdomain takeover, and known vulnerabilities. Ranked critical to informational. Reviewed by a founder before delivery, so you read context not raw scanner dump.
Subdomain Discovery
Passive and active enumeration (Subfinder + Amass + Alterx permutations) of forgotten staging servers, dev environments, and shadow IT that attackers find first
Subdomain Takeover Detection
Subzy identifies dangling CNAMEs pointing at deprovisioned cloud resources. Takeover lets an attacker host content on your subdomain and phish your users
Open Ports & Exposed Services
TCP scan across resolved IPs, flagging publicly accessible services, admin panels, and databases
DNS Security
DNSSEC, CAA records, wildcard DNS, zone transfer (AXFR) exposure, and lame delegation checks
Email Security
SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI. Detects spoofing risk and TLS downgrade on inbound mail
TLS and SSL Configuration
Certificate expiry, weak or export ciphers, deprecated protocols, and HTTPS downgrade risks
SSH Configuration Audit
Weak key exchange and cipher algorithms, exposed SSH services, and deprecated protocol versions
Known Vulnerability Detection
CVE scanning via Nmap NSE vulners and 319 Nuclei network templates for protocol vulnerabilities
Domain Registration Health
Expiry tracking plus transfer, delete, and update lock status at your registrar via RDAP
Web Probing & URL Discovery
httpx live web probing across discovered hosts. Captures status codes, technologies, redirects, and reachable URLs
Web Vulnerability Scanning
Nuclei community templates run against discovered web URLs to identify known web application CVEs and misconfigurations
HTTP Security Headers, Cookies & CORS
CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cookie flags (Secure, HttpOnly, SameSite), CORS misconfiguration, and server version disclosure
Plus scheduled scans (one-time, recurring, daily), Slack and Microsoft Teams alerts, real-time scan progress, and stop/cancel mid-scan. Follow the repo for release notes.
Built and Maintained by Cybersecify
OpenEASD is an open-source external attack surface discovery tool that Cybersecify created and maintains, with or without community help. Self-host the Docker image, run scans on your own infrastructure, or use the free hosted snapshot above. No paid tier, no upsell on the tool itself.
OpenEASD has been submitted to OWASP as a Code Project (Defender category, MIT-licensed). Decision pending; this page will be updated when OWASP responds.
Want ongoing monthly external attack surface monitoring as part of a security retainer? See our pricing page.
Common Questions About OpenEASD
What is external attack surface discovery?
External attack surface discovery is the process of mapping every internet-facing asset an organisation exposes, such as domains, subdomains, open ports, services, certificates, DNS records, and email security settings, so you can see what an attacker sees before they do. It covers assets you may have forgotten, like staging servers, dangling DNS entries, and leftover cloud resources.
Is OpenEASD free?
Yes. OpenEASD is a free, open-source tool that Cybersecify created and maintains. The source is on GitHub under an MIT licence, so you can self-host the Docker image and run unlimited scans on your own infrastructure at no cost. You can also use our free hosted snapshot: drop your domain, a founder reviews the findings, and we email you the report. There is no paid tier or upsell on the tool itself.
Can I self-host OpenEASD or use the hosted version?
Both options are available. Engineers can pull the source from GitHub and run the Docker image on their own infrastructure, with full control over scheduling and data. If you would rather not run it yourself, use the free hosted snapshot: submit your apex domain, we run the scan on our infrastructure, a founder reviews the results, and you get the report by email within 48 business hours.
What does an OpenEASD scan find?
A scan runs across 12 vectors using 18 underlying tools. It surfaces subdomains and shadow infrastructure, subdomain takeover risks, open ports and exposed services, DNS security gaps, email authentication weaknesses across SPF, DKIM, and DMARC, TLS and SSL misconfigurations, SSH configuration issues, known CVEs, domain registration health, live web endpoints, web vulnerabilities, and HTTP security header, cookie, and CORS problems. Findings are ranked from critical to informational.
Need Deeper Coverage Than the Free Report?
Your OpenEASD report covers external attack surface. Business logic flaws, internal app authorisation, and audit-evidence quality need a founder-led pentest. Book a 30-min discovery call to scope it.