What is attack surface mapping?
Attack surface mapping enumerates the network services an IP range exposes to the internet. This tool combines cached port-scan data from Shodan InternetDB with real-time attack intelligence from ISC SANS, and cross-references the CVEs reported for each host against CISA's Known Exploited Vulnerabilities catalog. The result is a comprehensive view of network exposure in which remediation is prioritized by actual exploitation activity rather than by raw port count.
Key Terminology
- Shodan InternetDB
- A free, fast API that returns the known open ports, CVEs, CPEs, and hostnames for a given IP address. Unlike a full Shodan search, InternetDB serves cached results from Shodan's continuous internet-wide scanning, which makes it ideal for rapid reconnaissance across large IP ranges. Because the data is cached, a port opened or closed since Shodan's last pass may not be reflected, so confirm a finding with a live check of your own before acting on it.
- ISC SANS Port Intelligence
- The Internet Storm Center tracks global attack patterns per port, including how many distinct sources are targeting it, how many attack reports are filed daily, and the split between TCP and UDP traffic. These figures come from ISC's worldwide sensor network, not from traffic aimed at your addresses, but a high attack volume on a port you have exposed means you are in active crosshairs: opportunistic scanners will reach you too.
- CIDR Range
- Classless Inter-Domain Routing notation for IP address ranges. A /24 covers 256 addresses, network and broadcast addresses included (e.g., 10.0.0.0/24 = 10.0.0.0 through 10.0.0.255). This tool supports ranges up to /24 to keep scan times reasonable; split a larger allocation into /24 blocks and scan them separately.
- Exposure Risk Scoring
- The composite risk score weights port criticality (Telnet, RDP, and database ports score highest), CVE counts, and CISA KEV matches. A score above 70 indicates critical exposure requiring immediate attention.
⚡ Attack Surface Scanner — Frequently Asked Questions
What is an attack surface?
An attack surface is the total set of points where an unauthorized user can try to enter or extract data from a system. For network assets, this primarily means open ports exposing services to the internet, each of which may have known vulnerabilities (CVEs) that attackers can exploit.
What makes a port 'critical risk'?
Critical risk ports expose services that are frequently targeted and have high impact when compromised: Telnet (23, unencrypted remote access), SMB (445, ransomware vector), RDP (3389, remote desktop), VNC (5900, screen sharing), Redis (6379, in-memory database), Memcached (11211, DDoS amplification), and MongoDB (27017, database exposure). These should never be exposed to the public internet. Bind them to internal interfaces, restrict source addresses at the firewall, and reach them through a VPN or bastion host when remote access is genuinely required.
What is CISA KEV?
CISA KEV (Known Exploited Vulnerabilities) is a catalog maintained by the US Cybersecurity and Infrastructure Security Agency listing CVEs that are confirmed to be actively exploited in the wild. If a vulnerability on your systems appears in KEV, it requires immediate remediation — attackers are actively using it.
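The following Python script is an added example of how the pieces described on this page fit together: expanding a CIDR range (capped at /24), walking InternetDB-shaped host records, matching their CVEs against a KEV set, folding in ISC per-port attack volume, and producing the composite exposure score with the "above 70 is critical" rule. It is not the scanner's own code. The critical-port list, the /24 limit and the 70 threshold come from the page; the component weights and caps, the "hot port" threshold of 1000 attacking sources per day, the lower score bands, and all sample host, KEV and ISC data are assumptions made for illustration. A real run would replace `SAMPLE_INVENTORY` with per-IP InternetDB lookups, `SAMPLE_KEV` with the CVE IDs from CISA's KEV JSON feed, and `SAMPLE_ISC_SOURCES` with the ISC port API.

```python
"""Composite exposure scoring over InternetDB-shaped host records.
Added example, not the scanner's code. Weights, caps, the ISC threshold and
all SAMPLE_* data are assumptions; port list, /24 limit, >70 rule are from the page."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Critical-risk ports and the reason the page gives for each.
CRITICAL_PORTS = {
    23: "Telnet, unencrypted remote access", 445: "SMB, ransomware vector",
    3389: "RDP, remote desktop", 5900: "VNC, screen sharing",
    6379: "Redis, in-memory database", 11211: "Memcached, DDoS amplification",
    27017: "MongoDB, database exposure",
}
# Assumed weights and per-component caps (the page only states the ordering).
CRITICAL_PORT_WEIGHT, CRITICAL_PORT_CAP = 40, 60
OTHER_PORT_WEIGHT, OTHER_PORT_CAP = 2, 10
CVE_WEIGHT, CVE_CAP = 3, 15
KEV_WEIGHT = 40                 # any KEV match pushes a host towards critical
ISC_HOT_WEIGHT, ISC_HOT_CAP = 10, 20
ISC_HOT_THRESHOLD = 1000        # assumed: attacking sources/day that make a port "hot"
CRITICAL_THRESHOLD = 70         # page: a score above 70 is critical exposure
MAX_PREFIX = 24                 # page: ranges up to /24 are supported


@dataclass
class HostRecord:
    """Mirrors the fields of an InternetDB response for one IP."""
    ip: str
    ports: list[int]
    vulns: list[str] = field(default_factory=list)
    cpes: list[str] = field(default_factory=list)
    hostnames: list[str] = field(default_factory=list)


def is_supported_range(cidr: str) -> bool:
    """True when the CIDR parses and is no larger than a /24 (256 addresses)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen >= MAX_PREFIX
    except ValueError:
        return False


def hosts_in_range(cidr: str) -> list[str]:
    """Expand a CIDR into every address it covers, e.g. 10.0.0.0 .. 10.0.0.255."""
    if not is_supported_range(cidr):
        raise ValueError(f"{cidr}: ranges larger than /{MAX_PREFIX} are not supported")
    return [str(a) for a in ipaddress.ip_network(cidr, strict=False)]


def exposure_score(host: HostRecord, kev: set[str], isc_sources: dict[int, int]) -> dict:
    """Port criticality + CVE count + KEV matches + live ISC attack volume, capped at 100."""
    crit = [p for p in host.ports if p in CRITICAL_PORTS]
    other = [p for p in host.ports if p not in CRITICAL_PORTS]
    reasons = [f"port {p} open ({CRITICAL_PORTS[p]})" for p in crit]
    score = min(len(crit) * CRITICAL_PORT_WEIGHT, CRITICAL_PORT_CAP)
    score += min(len(other) * OTHER_PORT_WEIGHT, OTHER_PORT_CAP)
    score += min(len(host.vulns) * CVE_WEIGHT, CVE_CAP)
    kev_hits = sorted(set(host.vulns) & kev)
    if kev_hits:                                # confirmed in-the-wild exploitation
        score += KEV_WEIGHT
        reasons.append("KEV match: " + ", ".join(kev_hits))
    hot = [p for p in host.ports if isc_sources.get(p, 0) >= ISC_HOT_THRESHOLD]
    score += min(len(hot) * ISC_HOT_WEIGHT, ISC_HOT_CAP)
    reasons += [f"port {p} under active attack ({isc_sources[p]} sources/day)" for p in hot]
    score = min(score, 100)
    level = ("critical" if score > CRITICAL_THRESHOLD else
             "high" if score >= 40 else "medium" if score >= 20 else "low")
    return {"ip": host.ip, "score": score, "level": level,
            "kev_hits": kev_hits, "reasons": reasons}


def prioritize(cidr: str, inventory: dict, kev: set[str], isc_sources: dict) -> list[dict]:
    """Score every address in the range that has a record, worst first.
    `inventory` stands in for InternetDB lookups; addresses with no record
    (InternetDB answers 404 for those) are skipped."""
    findings = [exposure_score(inventory[ip], kev, isc_sources)
                for ip in hosts_in_range(cidr) if ip in inventory]
    findings.sort(key=lambda f: (-f["score"], f["ip"]))
    return findings


# Constructed sample data standing in for the three live feeds.
SAMPLE_INVENTORY = {
    "10.0.0.5": HostRecord("10.0.0.5", ports=[22, 443]),
    "10.0.0.17": HostRecord("10.0.0.17", ports=[80, 445, 3389], vulns=["CVE-2019-0708"]),
    "10.0.0.23": HostRecord("10.0.0.23", ports=[6379]),
}
SAMPLE_KEV = {"CVE-2019-0708"}                  # tiny stand-in for the CISA KEV feed
SAMPLE_ISC_SOURCES = {22: 1500, 23: 3000, 445: 2500, 3389: 4000}  # sources/day per port

if __name__ == "__main__":
    for f in prioritize("10.0.0.0/24", SAMPLE_INVENTORY, SAMPLE_KEV, SAMPLE_ISC_SOURCES):
        print(f"{f['ip']:<11} {f['score']:>3} {f['level']:<8} {'; '.join(f['reasons'])}")
```

With the sample data, the host with RDP and SMB open, a KEV-listed CVE, and both ports under heavy attack saturates at 100 and is listed first; the lone internet-facing Redis instance scores 40 from port criticality alone; the host with only SSH and HTTPS scores 14. Note that the KEV bonus is a flat 40 regardless of how many matches there are, so one confirmed-exploited vulnerability is enough to move a host most of the way to critical, which is the prioritization behaviour the page describes.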