Quick Answer: VeilScan discovers all publicly visible assets associated with your domain before scanning them for vulnerabilities. Using DNS brute-forcing, certificate transparency logs, Wayback Machine data, and BGP recon, VeilScan typically finds 3–5 times more subdomains than a manual inventory — surfacing forgotten development environments, staging servers, and abandoned services that attackers actively target.
Why can't you rely on your own asset inventory?
Most companies maintain a mental or spreadsheet-based inventory of their domains and services. In practice, this inventory is always incomplete. Development teams spin up staging subdomains during sprints and forget to decommission them. Third-party integrations create new DNS records. Old deployments on Heroku, Vercel, or AWS accumulate. Cloud services proliferate.
Attackers do not rely on your inventory. They perform their own reconnaissance. Any asset your team has forgotten about is still visible to an attacker — and is often less secure precisely because no one is actively maintaining it.
What techniques does VeilScan use for asset discovery?
- DNS brute-forcing — attempting resolution of thousands of potential subdomain names from curated wordlists built from real-world subdomain patterns. Finds assets even if they are not referenced in any public source.
- Certificate transparency logs — every TLS certificate issued by public Certificate Authorities is logged in public CT logs. VeilScan queries these logs to find subdomains that have had TLS certificates issued, including historical subdomains no longer in active use.
- Wayback Machine and historical data — Internet Archive data contains historical DNS records, links, and references that reveal subdomains that existed in the past and may still be live.
- BGP route data — Border Gateway Protocol routing data can reveal IP ranges associated with an organisation, allowing identification of assets that do not appear in DNS searches.
- Passive DNS sources — aggregated passive DNS data from multiple sources provides additional subdomain signals without requiring active queries against target DNS servers.
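The gap between a maintained inventory and what certificate transparency logs expose can be checked for your own domain as shown here. This is an added example, not VeilScan's code; the records, the `name_value` field name, the inventory and the root domain `example.com` are all constructed assumptions.

```python
import json

# Constructed sample data: records shaped like CT log search results, with a
# newline-separated `name_value` field (an assumed field name).
CT_RECORDS = json.loads("""[
  {"name_value": "www.example.com\\nexample.com"},
  {"name_value": "*.staging.example.com\\nstaging.example.com"},
  {"name_value": "Old-API.Example.com."},
  {"name_value": "example.com.evil.test"},
  {"name_value": "admin@example.com"}
]""")

# Constructed spreadsheet-style inventory kept by the team.
INVENTORY = {"example.com", "www.example.com", "shop.example.com"}

def normalise(name):
    """Lower-case, trim, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name

def in_scope(name, root):
    """True only for the root domain itself or a real subdomain of it."""
    return name == root or name.endswith("." + root)

def names_from_ct(records, root):
    """Collect unique in-scope hostnames from CT-style records."""
    found = set()
    for record in records:
        for raw in record.get("name_value", "").splitlines():
            name = normalise(raw)
            # Skip e-mail SANs and anything outside the agreed root domain.
            if name and "@" not in name and in_scope(name, root):
                found.add(name)
    return found

def inventory_gap(records, inventory, root):
    """Return (names in CT but missing from inventory, inventory names not in CT)."""
    seen = names_from_ct(records, root)
    known = {normalise(n) for n in inventory}
    return sorted(seen - known), sorted(known - seen)

if __name__ == "__main__":
    unknown, unseen = inventory_gap(CT_RECORDS, INVENTORY, "example.com")
    print("Not in inventory:", unknown)
    print("In inventory, no certificate seen:", unseen)
```

The suffix check on `"." + root` is what keeps look-alike names such as `example.com.evil.test` out of scope.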
What happens after assets are discovered?
Once the asset discovery phase completes, VeilScan runs each live host through the full scanning pipeline:
- Port scanning to identify open services
- TLS/SSL configuration assessment
- Service fingerprinting to identify software versions
- Vulnerability detection across all discovered attack surface
- Proof verification for Critical and High findings
The asset inventory is included in your dashboard and PDF report — giving you a complete, current picture of your external attack surface as part of every scan.
What are the most common questions?
Will VeilScan find assets I have deliberately kept private?
VeilScan discovers only publicly visible assets — those resolvable via public DNS, referenced in public certificate logs, or linked in public data sources. Assets on private networks, behind VPNs, or with no public DNS records are not visible to VeilScan and will not appear in scan results.
How often is the asset inventory updated?
The asset inventory is rebuilt from scratch with every scan. Scheduled scans on paid plans run the full discovery pipeline on each rescan. Delta reports highlight newly discovered assets and assets that have disappeared since the last scan — letting you track infrastructure changes over time.
Can I exclude specific subdomains from scanning?
Contact support@veilscan.net if you need to exclude specific subdomains. All scanning operates within the scope defined in your signed Rules of Engagement document, which specifies the root domain and its subdomains.