Recon Insights
Note: This page was previously called "Attack Surface Intelligence." The functionality is the same — it has been renamed to better reflect its purpose.
The Recon Insights page automatically analyzes your reconnaissance scan data to identify potential attack vectors, exposed services, and security risks. Rather than just listing raw scan results, it correlates data from multiple scan modules to surface actionable threats.

Accessing Recon Insights
From the Domains page, expand a domain in the sidebar and click Recon Insights. You can also navigate directly via /domains/{id}/attack-surface.
Recon Insights requires a Pro subscription tier or higher.
How It Works
After a scan completes, the Recon Insights engine processes results from three data sources: fuzzing, archived URLs, and passive intelligence.
Each discovered item is classified into a threat category, assigned a severity based on its actual risk level, and stored as a finding you can triage and track.
What Gets Detected
Exposed Services
Severity: High
Detects database and administrative services exposed to the internet — Redis, MongoDB, PostgreSQL, MySQL, Elasticsearch, RDP, SSH, and similar. These are high severity because publicly accessible infrastructure services are prime targets for attackers.
Administrative Interfaces
Severity: High (accessible) · Info (protected)
Identifies admin panels, management consoles, and debug endpoints. An admin panel returning HTTP 200 (accessible without authentication) is flagged as high risk. One behind authentication (HTTP 401/403) is flagged as informational.
Authentication Surface
Severity: Info
Discovers login pages, signup forms, password reset endpoints, SSO/OAuth interfaces, and account verification flows. These are expected on every web application and are flagged for awareness only — they do not count against your security score.
Sensitive File Exposure
Severity: Critical · High · Medium (depends on file type)
Detects configuration files, backups, environment files, and other sensitive data accessible via the web:
Critical — .env, .htpasswd, .sql, .db, .backup, .bak files
High — .config, .conf, .ini, web.config, .htaccess, Dockerfile files
Medium — package.json, composer.json, requirements.txt, .log files
Standard public files like robots.txt, security.txt, and sitemap.xml are never flagged.
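As an added example (not the product's own code), the sketch below applies the file-type tiers above to a list of URLs, for instance from your own access log, so you can see which responses would fall into each tier. The function names, the multi-extension handling, and the sample URLs are assumptions of this example.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

RANK = {"critical": 3, "high": 2, "medium": 1}
NEVER_FLAGGED = {"robots.txt", "security.txt", "sitemap.xml"}
# Whole-file-name matches taken from the tiers listed above.
BY_NAME = {
    ".env": "critical", ".htpasswd": "critical",
    "web.config": "high", ".htaccess": "high", "dockerfile": "high",
    "package.json": "medium", "composer.json": "medium",
    "requirements.txt": "medium",
}
# Extension matches; treating ".env" as an extension too is an assumption.
BY_EXT = {
    ".env": "critical", ".sql": "critical", ".db": "critical",
    ".backup": "critical", ".bak": "critical",
    ".config": "high", ".conf": "high", ".ini": "high",
    ".log": "medium",
}

def file_severity(url):
    """Return the severity tier for the file a URL points at, or None."""
    name = PurePosixPath(unquote(urlsplit(url).path)).name.lower()
    if not name or name in NEVER_FLAGGED:
        return None
    hits = [BY_NAME[name]] if name in BY_NAME else []
    # Check every extension so "dump.sql.gz" or "web.config.bak" is not
    # rated by its last extension alone.
    hits += [BY_EXT[s] for s in PurePosixPath(name).suffixes if s in BY_EXT]
    return max(hits, key=RANK.get, default=None)

def worst_first(urls):
    """Return (severity, url) pairs for flagged URLs, most severe first."""
    flagged = [(file_severity(u), u) for u in urls]
    return sorted((f for f in flagged if f[0]), key=lambda f: -RANK[f[0]])

# Constructed sample: URLs as they might appear in your own access log.
SAMPLE_URLS = [
    "https://app.example.test/robots.txt",
    "https://app.example.test/logs/error.log",
    "https://app.example.test/web.config.bak",
    "https://app.example.test/Dockerfile",
    "https://app.example.test/.env?cache=0",
    "https://app.example.test/static/app.js",
]

if __name__ == "__main__":
    for severity, url in worst_first(SAMPLE_URLS):
        print(f"{severity:8} {url}")
```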
Information Disclosure
Severity: Medium
Server error responses (HTTP 500, 502, 503, 504) that may leak stack traces, file paths, technology versions, or internal IP addresses.
Parameter Discovery
Severity: High · Medium (depends on parameter type)
Analyzes archived URLs to identify URL parameters that may be vulnerable:
High — Injection-prone parameters (id, query, cmd), file access parameters (file, path, include), authentication parameters in URLs (token, password, api_key)
Medium — Redirect parameters (url, redirect, next, callback)
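As an added example (not the product's own code), the sketch below runs the parameter tiers above over a list of archived URLs for a domain you own and reports each flagged parameter once per endpoint. The function names, the reason labels, and the sample URLs are assumptions of this example; parameter values are deliberately dropped so archived tokens or passwords do not end up in the report.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Parameter names and severities from the tiers above; the reason labels
# are this example's own wording.
RULES = {}
for sev, reason, names in [
    ("high", "injection-prone", ("id", "query", "cmd")),
    ("high", "file access", ("file", "path", "include")),
    ("high", "credential in URL", ("token", "password", "api_key")),
    ("medium", "redirect", ("url", "redirect", "next", "callback")),
]:
    RULES.update({n: (sev, reason) for n in names})

def audit_parameters(urls):
    """Map (host, path, parameter) to (severity, reason), deduplicated."""
    findings = {}
    for url in urls:
        parts = urlsplit(url)
        # keep_blank_values so "?cmd=" still counts. Values are discarded:
        # only the parameter name is needed to decide what to review.
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            rule = RULES.get(name.lower())
            if rule:
                key = (parts.hostname, parts.path or "/", name.lower())
                findings[key] = rule
    return findings

def count_by_severity(findings):
    """Count findings per severity, as a summary card would."""
    return Counter(sev for sev, _reason in findings.values())

# Constructed sample of archived URLs for a domain you control.
SAMPLE_URLS = [
    "https://shop.example.test/item?id=42&ref=home",
    "https://shop.example.test/item?id=43&ref=search",
    "https://shop.example.test/login?next=%2Faccount&TOKEN=constructed-value",
    "https://shop.example.test/download?file=report.pdf",
    "https://shop.example.test/tools/run?cmd=",
    "https://shop.example.test/about",
]

if __name__ == "__main__":
    for (host, path, param), (sev, reason) in audit_parameters(SAMPLE_URLS).items():
        print(f"{sev:6} {host}{path} ?{param}= ({reason})")
```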
Historical Admin Access
Severity: Medium
Administrative endpoints found in archived URL data. These paths were once accessible and may still work with default or weak credentials.
API Surface Discovery
Severity: Low
API endpoints discovered in historical data, worth auditing for authentication and authorization controls.
Technology Fingerprinting
Severity: Info
Technologies and versions identified through HTTP headers, error pages, and default pages. Does not affect your security score.
Threat Summary
At the top of the page, summary cards show the total count of threats by severity level (Critical, High, Medium, Low, Info), giving you a quick overview of the risk landscape for that domain.
Viewing Threat Details
Click any threat row to expand it and see full details including:
The specific URL or resource affected
Raw evidence from the scan data
The data source that detected it (fuzzing, archived URLs, or passive intelligence)
Severity justification
AI Triage
You can run AI Triage on any Recon Insights finding. Click the AI Triage button on a finding row to get an automated risk assessment. For HTTP-accessible findings, the AI performs a live probe and analyzes the response. For non-HTTP findings, it analyzes existing scan evidence.
Triage outcomes include Validated, Tentative, and False Positive. See AI Features — AI Triage for full details.
Status Management
Recon Insights findings support the same triage workflow as vulnerability findings:
Not Triaged: No action taken yet. Counts against score.
Validated: Confirmed as a real risk. Counts against score.
Tentative: Needs manual verification. Counts against score.
Resolved: Issue has been fixed. Removed from score.
False Positive: Not a real risk. Removed from score.
To change the status, click the three-dot menu on any finding row, select Change Status, choose the appropriate state, add notes, and click Update State.
How Findings Affect Your Security Score
Recon Insights findings contribute to your organization's overall security score with important distinctions:
Informational findings are excluded — Login pages, technology fingerprinting, and other info-level findings have zero impact
Lighter weight than vulnerabilities — Weighted at 40% of the impact of an equivalent-severity vulnerability finding
Triage states matter — Findings marked as Resolved or False Positive are completely excluded
Severity drives impact — Critical and high findings have the most impact; low findings have minimal impact
Notifications
When Recon Insights threats are detected, you'll receive notifications through your configured channels (in-app, email, Slack) with a summary of findings by severity. Critical and high severity findings are highlighted so you can prioritize your response.