How Scanning Works

This page explains, in plain language, how Ryft discovers your assets and tests them for vulnerabilities.

The Two Phases of Scanning

Ryft scans operate in two phases:

Phase 1: Reconnaissance (Discovery)

The first phase is all about discovery — finding out what assets exist on the internet that belong to your domain. Ryft uses a combination of active and passive techniques:

Active Discovery

  • Subdomain enumeration — Ryft queries multiple data sources to discover subdomains of your domain (e.g., mail.example.com, api.example.com, staging.example.com).

  • Live host detection — Once subdomains are found, Ryft probes each one to determine which are actually serving web content, along with their HTTP status codes, page titles, and IP addresses.

  • Port scanning — Ryft identifies which network ports are open on your assets, revealing exposed services like SSH, databases, or web servers.

  • Virtual host discovery — Identifies additional websites hosted on the same IP addresses.

  • Directory and file discovery — Ryft brute-forces common directory and file paths on your web servers to uncover hidden or unlinked content.

All reconnaissance results appear on the Results Dashboard for each domain.

Passive Intelligence (No Traffic to Your Targets)

These sources gather intelligence without sending any requests to your infrastructure:

  • Internet-wide service indexing — Ryft queries internet-wide scan databases to find IP addresses, open ports, and services associated with your domain that are already publicly indexed.

  • Threat intelligence feeds — Open threat intelligence platforms provide associated domains, URLs, and threat data linked to your assets.

  • Certificate transparency monitoring — Ryft monitors public SSL certificate logs to discover subdomains that have had certificates issued for them.

  • WHOIS correlation — Finds other domains registered with similar registration information, helping identify related assets you may not be aware of.

  • Historical URL archives — Ryft collects known URLs from web archives and crawl databases to find historical and potentially forgotten endpoints, API paths, and parameters.
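The certificate transparency step above turns public certificate logs into a list of hostnames. The script below is an added example (not Ryft's own code) of the scoping logic that step needs: it parses CT entries in the JSON shape crt.sh returns (`name_value`, newline-separated, possibly wildcards), normalizes case and wildcards, and keeps only names that are really under the monitored domain. The entries are constructed; a naive substring match would wrongly pull in look-alike names such as `notexample.com` or `example.com.evil.net`, so the check compares DNS labels.

```python
"""Extract in-scope hostnames from certificate transparency (CT) log entries.

Added example, not Ryft's own code. It assumes crt.sh-style JSON entries
with a newline-separated `name_value` field; the entries below are
constructed samples.
"""
import json

# Constructed sample: four CT entries as a crt.sh-style JSON array.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "mail.example.com\nwww.example.com"},
    {"id": 2, "name_value": "*.staging.example.com"},
    {"id": 3, "name_value": "example.com.evil.net\nnotexample.com"},
    {"id": 4, "name_value": "API.Example.COM"},
])


def in_scope(name, domain):
    """True if `name` is the monitored domain or a subdomain of it.

    Compares DNS labels from the right, so `notexample.com` and
    `example.com.evil.net` are rejected even though both contain the
    string "example.com".
    """
    name_labels = name.lower().rstrip(".").split(".")
    domain_labels = domain.lower().rstrip(".").split(".")
    return name_labels[-len(domain_labels):] == domain_labels


def ct_subdomains(ct_json, domain):
    """Return the set of in-scope hostnames named in CT entries.

    Wildcard names (`*.staging.example.com`) are kept with the `*.` removed:
    the wildcard base is itself an asset worth tracking.
    """
    found = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if not name:
                continue
            if name.startswith("*."):
                name = name[2:]
            if in_scope(name, domain):
                found.add(name)
    return found


if __name__ == "__main__":
    for host in sorted(ct_subdomains(SAMPLE_CT_JSON, "example.com")):
        print(host)
```

Run against a real CT export the same filter applies unchanged; the only input assumption is the `name_value` field layout.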

Phase 2: Vulnerability Testing

After reconnaissance maps your attack surface, the second phase tests discovered assets for security weaknesses. Each vulnerability module focuses on a specific class of issue (see the Vulnerability Dashboard for how to run these):

  • General Vulnerability Scan — Comprehensive security testing using thousands of detection templates that cover known vulnerabilities, misconfigurations, default credentials, exposed panels, and CVEs.

  • Sensitive Files — Checks for accidentally exposed files like .env, .git/config, backup files, and admin panels.

  • JavaScript Secrets — Scans JavaScript source code for leaked API keys, tokens, passwords, and credentials.

  • XSS (Cross-Site Scripting) — Tests for reflected and DOM-based script injection vulnerabilities.

  • SSRF (Server-Side Request Forgery) — Tests whether servers can be tricked into making requests to internal resources.

  • Directory Traversal — Checks if attackers can access files outside the intended web directory.

  • Open Redirect — Detects redirect endpoints that could be abused for phishing.

  • Subdomain Takeover — Identifies dangling DNS records pointing to unclaimed cloud services that an attacker could claim.

  • Custom Templates — Runs your own custom vulnerability detection templates for testing specific to your environment. See Custom Templates.

Hygiene Checks assess your security configuration rather than testing for exploitable vulnerabilities:

  • DNS Security — Verifies SPF, DKIM, DMARC, DNSSEC, and CAA records are properly configured to prevent email spoofing and DNS attacks.

  • TLS/SSL — Checks certificate validity, cipher strength, protocol versions, and OCSP stapling configuration.

  • Security Headers — Verifies HTTP security headers like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and Permissions-Policy.
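To make the hygiene checks concrete, here is an added example (not Ryft's own code) that evaluates the DNS Security and Security Headers checks over constructed inputs: SPF and DMARC TXT records as a resolver would return them, and a web server's response headers. The severity attached to each finding is this example's own choice, not Ryft's scoring, and the required-header list and one-year HSTS threshold are the example's assumptions.

```python
"""Hygiene checks over DNS TXT records and HTTP response headers.

Added example, not Ryft's own code. The TXT records and headers below are
constructed samples, and the severity assigned to each finding is this
example's own choice rather than Ryft's scoring.
"""
import re

# Constructed sample: TXT records as a resolver would return them.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Constructed sample: response headers from a web server.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}

# Headers expected on every HTML response, with the severity of their absence (assumed).
REQUIRED_HEADERS = {
    "content-security-policy": "high",
    "strict-transport-security": "medium",
    "x-frame-options": "low",
    "permissions-policy": "low",
}

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def check_spf(txt_records):
    """Findings for the apex domain's SPF record (RFC 7208)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record")]
    if len(spf) > 1:
        return [("high", "multiple SPF records; receivers treat this as a permanent error")]
    # The last mechanism decides what happens to senders nothing else matched.
    terminal = spf[0].split()[-1].lower()
    if terminal in ("all", "+all"):
        return [("high", "SPF ends with +all, which authorizes any sender")]
    if terminal not in ("-all", "~all"):
        return [("medium", "SPF does not end with -all or ~all; unmatched senders are not rejected")]
    return []


def check_dmarc(txt_records):
    """Findings for the _dmarc subdomain's DMARC record (RFC 7489)."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "no DMARC record")]
    tags = {}
    for tag in dmarc[0].split(";"):
        if "=" in tag:
            key, value = tag.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "")
    if policy == "none":
        return [("medium", "DMARC policy is p=none (monitor only)")]
    if policy not in ("quarantine", "reject"):
        return [("high", f"DMARC policy missing or invalid: {policy!r}")]
    return []


def check_headers(headers):
    """Findings for missing or weak HTTP security headers."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = [(sev, f"missing {name}") for name, sev in REQUIRED_HEADERS.items()
                if name not in present]
    match = re.search(r"max-age=(\d+)", present.get("strict-transport-security", ""))
    if match and int(match.group(1)) < ONE_YEAR:
        findings.append(("low", f"HSTS max-age {match.group(1)} is under one year"))
    return findings


def hygiene_report(domain, txt_records, headers):
    """All findings for `domain`, highest severity first."""
    findings = (check_spf(txt_records.get(domain, []))
                + check_dmarc(txt_records.get(f"_dmarc.{domain}", []))
                + check_headers(headers))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, message in hygiene_report("example.com", SAMPLE_TXT, SAMPLE_HEADERS):
        print(f"{severity:8} {message}")
```

For the sample inputs the report lists a missing Content-Security-Policy as high, the monitor-only DMARC policy as medium, and the missing Permissions-Policy and short HSTS lifetime as low. Header names are compared case-insensitively because HTTP header names are not case-sensitive.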

Cloud Scanning discovers misconfigured cloud resources (see Cloud Modules):

  • S3 Buckets — Finds publicly accessible Amazon S3 storage associated with your domain.

  • GCP Buckets — Finds publicly accessible Google Cloud Storage associated with your domain.

  • Cloud Inventory — Broad cloud infrastructure discovery across providers.

How Results Are Organized

  • Reconnaissance results appear on the Results Dashboard — subdomains, live hosts, IPs, passive OSINT data

  • Vulnerability results appear on the Vulnerability Dashboard — organized by module with severity ratings

  • Recon Insights appear on the Recon Insights page — AI-analyzed threats from reconnaissance data

  • Cloud results appear on the Cloud Modules page

  • All findings are also aggregated on the Findings page for a cross-domain view

  • Technologies detected across your assets appear on the Technologies page

  • Visual relationships are shown on the ASM Map

Severity Levels

Every finding is assigned a severity level:

Severity   Meaning
Critical   Severe vulnerability that could lead to full system compromise. Immediate action required.
High       Significant security issue that poses real risk. Should be prioritized.
Medium     Moderate issue that should be reviewed and addressed in a reasonable timeframe.
Low        Minor finding with limited impact. Worth tracking but not urgent.
Info       Informational finding. Not a vulnerability, but useful context about your assets.

Deduplication

Ryft automatically deduplicates findings across scans. If the same vulnerability is found in multiple scans, it's stored once and linked to the most recent scan. This prevents your Findings list from being cluttered with duplicate entries.
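Deduplicating across scans only works if "the same vulnerability" has a stable identity that ignores volatile evidence. The script below is an added example (not Ryft's own code) of one way to do that: it fingerprints a finding on the fields that identify the issue (module, template id, normalized host, path without query string, parameter), stores each fingerprint once, and relinks it to the latest scan on every re-detection. Which fields belong in the fingerprint, and the two sample scans, are this example's assumptions.

```python
"""Cross-scan finding deduplication by stable fingerprint.

Added example, not Ryft's own code. The choice of identifying fields
(module, template id, host, path, parameter) is this example's assumption,
and the sample scans are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class StoredFinding:
    fingerprint: str
    module: str
    template_id: str
    host: str
    path: str
    parameter: str
    severity: str
    first_scan: int
    last_scan: int      # the most recent scan that reported it
    times_seen: int = 1


def fingerprint(module, template_id, host, path, parameter=""):
    """Stable identity of a finding.

    Only fields that identify the same issue are hashed. Volatile evidence
    (timestamps, response times, matched snippets) is deliberately left out
    so that a re-scan yields the same fingerprint.
    """
    canonical = "|".join([
        module.strip().lower(),
        template_id.strip().lower(),
        host.strip().lower().rstrip("."),          # FQDN dot and case do not matter
        path.split("?", 1)[0].rstrip("/") or "/",  # drop query string and trailing slash
        parameter.strip().lower(),
    ])
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


class FindingStore:
    """Keeps one entry per fingerprint, linked to the latest scan."""

    def __init__(self):
        self.by_fingerprint = {}

    def ingest(self, scan_id, raw):
        """Store or update one raw finding; return True if it was new."""
        fp = fingerprint(raw["module"], raw["template_id"], raw["host"],
                         raw["path"], raw.get("parameter", ""))
        existing = self.by_fingerprint.get(fp)
        if existing is None:
            self.by_fingerprint[fp] = StoredFinding(
                fp, raw["module"], raw["template_id"], raw["host"], raw["path"],
                raw.get("parameter", ""), raw["severity"], scan_id, scan_id)
            return True
        existing.last_scan = max(existing.last_scan, scan_id)
        existing.times_seen += 1
        return False

    def ingest_scan(self, scan_id, raw_findings):
        """Ingest a whole scan; return the number of genuinely new findings."""
        return sum(self.ingest(scan_id, raw) for raw in raw_findings)


# Constructed sample: two scans of one domain. Scan 102 repeats both findings
# from scan 101 (different host casing, a trailing slash, a query string and
# fresh evidence) and adds one new finding.
SAMPLE_SCANS = {
    101: [
        {"module": "sensitive-files", "template_id": "git-config", "host": "staging.example.com",
         "path": "/.git/config", "severity": "high", "evidence": "[core] repositoryformatversion"},
        {"module": "xss", "template_id": "reflected-xss", "host": "www.example.com",
         "path": "/search", "parameter": "q", "severity": "medium", "evidence": "seen 10:01"},
    ],
    102: [
        {"module": "sensitive-files", "template_id": "git-config", "host": "STAGING.example.com.",
         "path": "/.git/config/", "severity": "high", "evidence": "[core] bare = false"},
        {"module": "xss", "template_id": "reflected-xss", "host": "www.example.com",
         "path": "/search?q=test", "parameter": "q", "severity": "medium", "evidence": "seen 11:30"},
        {"module": "sensitive-files", "template_id": "env-file", "host": "api.example.com",
         "path": "/.env", "severity": "high", "evidence": "DB_PASSWORD=<redacted>"},
    ],
}


def run_sample():
    """Ingest the sample scans in order; return (store, new findings per scan)."""
    store = FindingStore()
    new_counts = {sid: store.ingest_scan(sid, findings)
                  for sid, findings in sorted(SAMPLE_SCANS.items())}
    return store, new_counts


if __name__ == "__main__":
    store, new_counts = run_sample()
    print("new findings per scan:", new_counts)
    for f in store.by_fingerprint.values():
        print(f"{f.fingerprint} {f.severity:6} {f.host}{f.path} last_scan={f.last_scan} seen={f.times_seen}")
```

With the sample data the store ends up with three entries: scan 101 contributes two new findings, scan 102 contributes one, and the two repeats are relinked to scan 102 with their seen-count incremented rather than stored again.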

Rate Limiting

To avoid overwhelming your targets, Ryft supports configurable rate limiting profiles:

  • Conservative — Slower scanning with longer delays between requests. Best for production systems.

  • Moderate — Balanced speed and impact.

  • Aggressive — Faster scanning with shorter delays. Best for staging or test environments.

You can set the rate limiting profile when launching a scan or configuring a scheduled scan.
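The three profiles above differ only in how many requests per second they allow. As an added example (not Ryft's own code) of how such a profile becomes an actual throttle, the script below implements a token-bucket limiter keyed by profile name: each request consumes a token, tokens refill at the profile's sustained rate up to a small burst, and a request that finds the bucket empty sleeps until one token has accrued. The requests-per-second and burst values are assumptions chosen for illustration; this page does not state Ryft's real settings. The clock is injectable so the behaviour can be checked without waiting.

```python
"""Profile-based request rate limiting with a token bucket.

Added example, not Ryft's own code. The requests-per-second and burst
values for the three profiles are assumptions for illustration; this page
does not state Ryft's actual settings.
"""
import time

# Assumed profile settings: sustained requests per second and burst allowance.
PROFILES = {
    "conservative": {"rate": 2.0, "burst": 2},
    "moderate": {"rate": 10.0, "burst": 10},
    "aggressive": {"rate": 50.0, "burst": 25},
}


class TokenBucket:
    """Each request consumes one token; tokens refill at `rate` per second up
    to `burst`. The clock and sleep functions are injectable so the limiter
    can be exercised without real waiting."""

    def __init__(self, profile, clock=time.monotonic, sleep=time.sleep):
        settings = PROFILES[profile]
        self.rate = settings["rate"]
        self.burst = settings["burst"]
        self.tokens = float(self.burst)
        self.clock = clock
        self.sleep = sleep
        self.last_refill = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last_refill) * self.rate)
        self.last_refill = now

    def acquire(self):
        """Block until one token is available and consume it; return seconds waited."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        wait = (1.0 - self.tokens) / self.rate
        self.sleep(wait)
        # After waiting, exactly one token has accrued; consume it and restart
        # the refill clock from now (a real sleep that overshoots simply loses
        # a fraction of a token, which errs on the slow side).
        self.tokens = 0.0
        self.last_refill = self.clock()
        return wait


class FakeClock:
    """Simulated clock: `sleep` advances time instead of waiting."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(profile, n_requests):
    """Run `n_requests` through a bucket on a fake clock.

    Returns (simulated seconds elapsed, list of per-request waits).
    """
    clock = FakeClock()
    bucket = TokenBucket(profile, clock=clock.time, sleep=clock.sleep)
    waits = [bucket.acquire() for _ in range(n_requests)]
    return clock.now, waits


if __name__ == "__main__":
    for name in PROFILES:
        elapsed, _ = simulate(name, 50)
        print(f"{name:13} 50 requests in {elapsed:6.2f} simulated seconds")
```

Under the assumed settings, the conservative profile lets the first two requests through immediately and then spaces the rest half a second apart, so 50 requests take about 24 simulated seconds, while the aggressive profile completes the same 50 in half a second. In a real scanner the bucket would be shared across worker threads, which needs a lock around `acquire`.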

Real-Time Notifications

As scans run, Ryft sends real-time notifications:

  • In-app notifications — Appear in the notification bell in the top navigation

  • Email notifications — Sent to your verified email address (configurable in Settings)

  • Slack notifications — Sent to your configured Slack channel (Pro tier and above, configurable in Settings)

You'll be notified when:

  • A scan starts

  • A scan completes

  • New vulnerabilities are found

  • New assets are discovered

  • Cloud security issues are detected