Find what attackers find — before they do.
Continuous discovery and monitoring of your internet-exposed assets: forgotten subdomains, shadow IT, misconfigured cloud storage, exposed credentials, and the SaaS connections your team added without a security review. We build and maintain a complete picture of your external footprint so you are not surprised by what an attacker can see.
Most SMBs have 3-5x more internet-exposed assets than they think
When we run an initial baseline discovery for a new client, the number of internet-facing assets is almost always a surprise. Subdomains from products that were deprecated two years ago. An S3 bucket that was set to public during a migration and never locked down. A staging environment running a vulnerable version of an application. A developer's personal cloud account with corporate credentials stored in it. None of these showed up in the last vulnerability scan because the scanner only looks at assets that are in scope, and nobody updated the scope list.
The M&A problem compounds this. If your company has acquired another business, or if your vendors have, you inherit their external footprint without necessarily inheriting their inventory. SaaS sprawl adds another layer: every integration your team adds creates a new OAuth token, a new data path, and a new entry point. Most SMBs do not have a process to track any of this continuously. We build that process and run it for you.
Signs you need this
- You cannot produce a complete list of your internet-facing systems on demand
- Your team has added SaaS tools with no formal security review process
- You have been through a merger or acquisition in the past three years
- You are not monitoring paste sites, breach databases, or dark web sources for leaked credentials
- You have never inventoried your subdomains, or last did so more than a year ago
- A pen test or assessment found assets your team did not know were exposed
What you get
Five deliverables that together give you continuous, actionable visibility into your external footprint. The baseline is built in the first two weeks; monitoring and reporting are ongoing from there. Every finding is triaged before it reaches you so you are not drowning in noise.
Initial baseline discovery
- Full external asset enumeration: IP ranges, domains, subdomains, cloud resources
- Service fingerprinting to identify what is running and what version
- Exposure scoring for each asset based on criticality and vulnerability
- Written baseline report with prioritized remediation list
Continuous monitoring
- Automated re-scanning on a weekly cycle to catch new exposures as they emerge
- Certificate transparency log monitoring for new subdomain issuance
- Alert on material changes: new open ports, new services, new certificates
- Triage before escalation so every alert represents a real issue
Credential leak monitoring
- Monitoring of breach databases, paste sites, and dark web sources for your domains
- Alerts when employee credentials appear in breach data
- Guidance on remediation steps for each confirmed exposure
Third-party and SaaS inventory
- Catalog of active SaaS integrations and OAuth grants connected to your environment
- Risk scoring for each integration based on data access and vendor posture
- Recommendations on which integrations to revoke, review, or monitor
Monthly delta reports
- What changed in your external footprint in the past 30 days
- New exposures found, issues remediated, and open items carried forward
- Trend data so you can see whether your attack surface is growing or shrinking over time
How it works
The engagement starts with a kickoff scan in week one using your domains, IP ranges, and any subsidiary information you can share. We build the initial baseline from that scan, review it with you in week two, and agree on priorities. From week three forward, monitoring runs continuously and you receive a delta report each month with a brief call to review anything material.
You do not need to give us access to your internal systems. All of our discovery work is conducted from the outside, the same way an attacker would approach it. Your cooperation helps us build a more complete scope list, but we can start with just your primary domain if that is all you have.
Engagement structure
- Week 1: kickoff, scope definition, initial baseline scan
- Week 2: baseline review, exposure prioritization, remediation planning
- Week 3+: continuous monitoring active, credential leak monitoring live
- Monthly: delta report delivered, brief review call for material findings
- Quarterly: full surface review and program health check
What we ask of you
- A list of your domains, IP ranges, and any known subsidiaries or acquired companies
- Written authorization to scan (we provide a standard authorization form)
- A technical contact for remediation questions
- Notification if you are planning significant infrastructure changes
Why Red Hound for ASM
We built our own attack surface tooling because the commercial platforms were either too expensive for SMB budgets or too noisy to be actionable. Our practitioners run the same discovery techniques an attacker would use, and they triage findings with the same judgment a senior analyst applies during an incident. You get practitioner-run ASM, not a dashboard subscription with a customer success rep.
What makes us different
- Custom tooling built by practitioners. We developed our own discovery and monitoring tooling (including continuous port and service diffing) because commercial ASM platforms were not delivering the fidelity we wanted for SMB-scale environments.
- Offensive mindset, defensive output. Our team thinks about your attack surface the way an adversary does, then translates those findings into clear remediation steps your engineering team can execute.
- Triage before escalation. Every alert is reviewed by a person before it reaches you. We do not pass raw scanner output; we pass investigated findings with context and recommended next steps.
- Right-priced for SMBs. Enterprise ASM platforms cost more per year than most SMB security budgets. Our service delivers equivalent coverage at a scale that makes sense for companies under 500 employees.
- Integrated with your broader program. ASM findings feed directly into risk register updates, pen test scoping, and Fractional CISO recommendations if you have those services with us.
Frequently asked
Common questions before starting an ASM engagement. Bring anything else to the discovery call.
How is this different from a vendor ASM platform?
Vendor ASM platforms give you a dashboard of findings, which still require someone to triage, prioritize, and act on. We run the tooling and do the triage work for you, so every finding that reaches you has already been reviewed by a practitioner. For SMBs without a dedicated security analyst, that distinction matters significantly.
Do you need our cooperation and written consent to scan?
Yes. We require written authorization before scanning any assets, even publicly exposed ones. We provide a standard authorization form that covers your primary domains and any subsidiaries you want included. Scans are conducted from outside your network using passive and active techniques, similar to what an external attacker would use.
What about assets from an acquired company?
Acquired companies are some of the most common sources of unknown exposure. If you can share the domains and IP ranges for any acquired entities, we include them in scope from the start. If you do not have a complete list, our initial baseline scan often surfaces acquired infrastructure that was not in anyone's asset inventory.
How do alerts work, and who gets notified?
Material findings are delivered via email to your designated technical contact, with a written summary and recommended next steps. We do not send raw alert feeds or auto-generated reports. For critical severity findings (actively exploitable public exposure), we call your contact directly rather than waiting for the next report cycle.
Find out what's exposed about your business — and fix it.
A 30-minute discovery call, no obligation. We walk through your external footprint and give you an honest picture of what we expect to find before you commit to anything.
