External attack surface (EASM) FAQ
What is external attack surface management?
Nanitor's EASM feature lets you discover and monitor assets visible from outside your network. It uses Shodan, a public database of internet-connected devices, to look up information about your domains. This is a passive lookup — Nanitor doesn't actively scan your infrastructure.
You can enable it from Organization Management → Asset Policy → External Attack Surface.
For a full overview, see the user guide.
I enabled EASM but don't see any results
A few things to check:
- Give it time. Initial results can take up to 24 hours to appear.
- Check your domain. Make sure you entered a domain name (e.g. example.com), not just IP addresses. The feature currently performs lookups based on domain names only.
- Use lowercase. Domains must be entered in lowercase. Entering Example.com instead of example.com will produce no results.
- Shodan coverage. If your domain's services are behind a CDN, WAF, or shared hosting, Shodan may not have data for them. Nanitor also filters out results associated with shared infrastructure IPs to reduce noise. You can verify coverage by searching for your domain on shodan.io directly.
- Domain ownership. Make sure you confirmed ownership of the domain(s) in the configuration dialog.
Why aren't all my subdomains showing up?
EASM relies on Shodan's public database, which may not have scan data for all your subdomains. Shodan continuously scans the internet, but it doesn't guarantee coverage of every host. Common reasons a subdomain might be missing:
- The subdomain is behind a CDN or WAF that blocks Shodan's scanners.
- The host is on shared infrastructure that Shodan hasn't recently indexed.
- The subdomain resolves to an IP address that Shodan hasn't scanned yet.
This is a limitation of the underlying data source. Nanitor shows everything Shodan has for your domains.
I entered IP addresses but nothing shows up
The feature currently uses domain-based lookups. IP addresses entered in the configuration aren't used as direct lookup targets at this time. Make sure you're entering domain names (e.g. example.com) rather than IP addresses.
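The two answers above (no results, and IP addresses not being used) both come down to what is typed into the configuration dialog. The following is an added example, not Nanitor code: a small pre-check you could run over a list of planned entries before pasting them in. It lowercases each entry, rejects IPv4/IPv6 literals, strips a pasted URL down to its host, and flags anything that is not a multi-label domain name. The function names and the "reason" strings are this example's own.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical pre-check (not part of Nanitor): validates EASM domain entries
# against the pitfalls listed above: mixed case, IP literals, non-domain input.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw: str) -> Tuple[Optional[str], str]:
    """Return (domain, reason). domain is None when the entry cannot be used."""
    entry = raw.strip()
    if not entry:
        return None, "empty entry"
    # Tolerate a pasted URL such as https://Example.com/login by keeping only the host.
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    entry = entry.rstrip(".")  # drop a trailing dot from a fully-qualified name
    # IP literals are rejected: the lookup is domain-based only.
    try:
        ipaddress.ip_address(entry)
        return None, "IP address, not a domain"
    except ValueError:
        pass
    lowered = entry.lower()
    labels = lowered.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None, "not a valid domain name"
    reason = "lowercased" if any(c.isupper() for c in raw) else "ok"
    return lowered, reason


def check_entries(entries):
    """Map each raw entry to its normalized form and why it was accepted or rejected."""
    return {raw: normalize_domain(raw) for raw in entries}


if __name__ == "__main__":
    # Constructed sample entries covering each pitfall.
    for raw, (domain, reason) in check_entries(
        ["Example.com", "example.com", "192.0.2.10", "2001:db8::1",
         "https://Www.Example.com/login", "localhost", "example.com."]
    ).items():
        print(f"{raw!r:35} -> {domain!r:20} ({reason})")
```

Entries that come back with a `None` domain would produce no EASM results; entries marked "lowercased" would silently return nothing if entered as typed.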
Where do I see vulnerabilities from external assets?
Results appear in two places:
- Inventory → Assets — filter by Source: "External scan" to see discovered external assets. Each asset shows IP address, reverse DNS, location, and open ports.
- Issues — vulnerabilities detected on external assets show up here just like issues from internal assets. You can filter by asset source to focus on external findings.
Open ports only appear in Asset details after an asset has been persistently detected for more than 3 days. This reduces false positives from transient results.
How often does it update?
- Daily: Nanitor checks your configured domains against Shodan's database every day.
- Weekly (approximately): Shodan scans the IPv4 address space roughly once a week, so there can be up to one week of latency before new vulnerabilities or changes are reflected.
What's the difference between External and 360° visibility?
External assets can have two visibility levels:
- External — the asset is only known from external sources. You see what an outside observer would see: open ports, services, and vulnerabilities based on externally detectable software versions.
- 360° Visibility — when you install a Nanitor Agent or Collector on an asset that was also discovered externally, it's upgraded to 360° Visibility. The matching is done by IP address — the agent's IP must match the external asset's IP exactly (this won't work through NAT or port forwarding). Once matched, you get both the external view and detailed internal configuration data. The agent's findings take precedence, and external-only vulnerabilities that are contradicted by more accurate internal data are automatically resolved.
If you're seeing external-only vulnerabilities on an asset you already monitor internally, installing an agent on it will give you the full picture and clear any false positives.
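To make the matching and precedence rules concrete, here is an added example (not Nanitor's implementation) that models them: external assets are paired with agent-reported assets by exact IP string, an agent behind NAT therefore never matches, and for a matched asset any banner-derived finding whose product the agent inventories at a different version is marked resolved. The dataclasses, the "contradicted by internal data" rule (a version mismatch on the same product; a product the agent does not list is left open), and the `EXAMPLE-VULN-*` identifiers are assumptions of this example, not values from the product.

```python
from dataclasses import dataclass


@dataclass
class ExternalAsset:
    ip: str
    open_ports: set
    # Vulnerabilities inferred from banners: {vuln_id: (product, version_seen_externally)}
    vulns: dict


@dataclass
class AgentAsset:
    ip: str
    hostname: str
    installed: dict  # {product: version} reported by the agent's inventory


def merge_visibility(external_assets, agent_assets):
    """Pair each external asset with an agent by exact IP (no NAT awareness), and
    let agent data take precedence over banner-derived findings."""
    agents_by_ip = {a.ip: a for a in agent_assets}
    result = []
    for ext in external_assets:
        agent = agents_by_ip.get(ext.ip)
        if agent is None:
            result.append({"ip": ext.ip, "visibility": "External",
                           "open_vulns": set(ext.vulns), "resolved": set()})
            continue
        # Assumed contradiction rule: the agent inventories the same product at a
        # different version than the banner implied. If the agent does not list the
        # product at all, the finding is kept open (conservative choice).
        resolved = {
            vid for vid, (product, ext_version) in ext.vulns.items()
            if product in agent.installed and agent.installed[product] != ext_version
        }
        result.append({"ip": ext.ip, "visibility": "360", "hostname": agent.hostname,
                       "open_vulns": set(ext.vulns) - resolved, "resolved": resolved})
    return result


def sample_merge():
    """Constructed data: one host with an agent, one host whose agent sits behind NAT."""
    external = [
        ExternalAsset("192.0.2.10", {22, 443},
                      {"EXAMPLE-VULN-1": ("nginx", "1.18.0"),
                       "EXAMPLE-VULN-2": ("openssh", "8.2")}),
        ExternalAsset("192.0.2.11", {443}, {"EXAMPLE-VULN-3": ("nginx", "1.18.0")}),
    ]
    agents = [
        AgentAsset("192.0.2.10", "web-01", {"nginx": "1.24.0", "openssh": "8.2"}),
        AgentAsset("10.0.0.5", "web-02", {"nginx": "1.24.0"}),  # private IP: never matches
    ]
    return merge_visibility(external, agents)


if __name__ == "__main__":
    for row in sample_merge():
        print(row)
```

The second external asset stays at External visibility even though an agent is installed on the machine behind it, because the agent reports its private address rather than the public IP Shodan saw; that is the NAT limitation described above.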
I'm seeing too many vulnerabilities / false positives
Shodan identifies vulnerabilities based on the software versions and services it detects. This can sometimes be imprecise — for example, a web server version might be flagged for CVEs that don't apply to your specific configuration.
A few ways to handle this:
- Install an agent on the asset to get 360° Visibility. The agent's more accurate internal data takes precedence and automatically resolves false positives from external-only detection.
- Use exception handling to dismiss specific vulnerability issues that you've verified as false positives. This works the same way as for internal issues.
Why do open ports only show after 3 days?
This is a persistence check. Shodan data can sometimes include transient results — ports that were briefly open or scan artifacts. By requiring 3 days of consistent detection, Nanitor filters out noise and only shows ports that are reliably open.
I archived an external asset but it came back / didn't come back
External assets that you manually archive won't be recreated by subsequent scans — this is by design. If you archive an external asset, Nanitor considers it intentionally dismissed.
If you want to re-discover an archived external asset, you'll need to unarchive it manually.
As always, if you have any issues or questions reach out to our support team. The link to the ticketing system is in the footer of this site.