Attack Surface Mapping
Amass
OWASP Amass helps teams discover internet-facing assets, correlate data from many sources, and build a more complete view of an organization's external footprint.
Best For
- Finding related subdomains that internal teams may have missed
- Correlating DNS, ASN, certificate, and passive data
- Supporting recurring external attack surface reviews
What Amass Is For
Amass is built for external asset discovery. It combines passive intelligence, DNS data, certificates, and related infrastructure signals to help defenders understand which domains, subdomains, and internet-exposed systems may belong to their organization.
Compared with simpler lookup tools, Amass is valuable because it is built around correlation. It helps reveal relationships between assets instead of presenting isolated results with no context.
How To Use It Safely
Use passive collection first, then validate findings against approved scope and ownership records. The strongest use of Amass is continuous discovery: run it on a schedule, compare deltas, and investigate newly surfaced assets before they become forgotten exposure.
Treat discovered subdomains as candidates for review, not production truth. Ownership tagging, DNS verification, certificate history, and stakeholder confirmation are what turn Amass output into actionable inventory.
When To Use It
Amass fits well before external assessments, during asset inventory projects, and after infrastructure changes that may have introduced new public endpoints.
It is especially strong for organizations with multiple business units, cloud providers, or inherited domains where asset sprawl tends to grow quietly over time.
Sample Commands and Output
Official Reference
Review the official documentation before using the tool in an authorized environment.
Visit Official DocumentationUse this tool only for systems, applications, and infrastructure you own or are explicitly authorized to assess.