Vornin
Start free
Attack surface monitoring

Find the assets you didn't know about.

Subdomain enumeration across 45+ passive sources plus certificate transparency, and takeover detection on a continuous schedule across all paid tiers. Every discovered asset lands in the same workflow as your scan results, so shadow IT shows up before an attacker finds it.

Read-only access · Working scan data deleted after each scan · EU-hosted

The problem

You cannot scan what you cannot see.

Attackers enumerate your subdomains whether or not you do. The only question is who finds the forgotten staging box first.

What discovery builds

One live inventory of everything exposed.

The daily monitor runs across every target without a manual trigger and keeps each of these current. No order here, just breadth: this is the full picture of what faces the internet.

Subdomains

Shadow subdomains surfaced from passive sources and certificate transparency.

Open services and ports

Exposed services, versions, and admin interfaces facing the internet.

Certificates and bindings

Expiring, mismatched, and weak certificates and where they are bound.

DNS posture

SPF, DKIM, DMARC, DNSSEC, and zone-transfer gaps that enable spoofing.

Detected technologies

The stack running on each host, so a new CVE maps straight to what is affected.

Takeover risk

Dangling CNAMEs pointing at de-provisioned cloud services, ready to be claimed.

Prioritisation

A risk score that points, not decides.

Every discovered asset carries a 0 to 100 risk score so you can sort the inventory by where to look first. The score is a signal, not a ruling, and discovery never acts on its own.

  • A signal, not a verdict. The score blends severity, reachability, and EPSS exploit likelihood into a sort order. It tells you where to look first; it does not close the case for you.
  • You choose what gets scanned. Discovery never auto-scans a neighbouring asset. Promoting a discovered host to a scanned target is an explicit step you take, with the scan kind you pick.
  • Inventory that does not forget. Asset status moves New to Tracked to Ignored and never silently regresses, so a tracked host cannot vanish from the inventory on the next discovery run.

Discovered assets feed the same dedup, SLA, and compliance pipeline as the rest of your findings. See how that lifecycle works on the vulnerability management page.

Scan. Resolve. Prove.

Start monitoring your attack surface today.

Add a domain and the daily monitor maps what it can reach.

Read-only access · Working scan data deleted after each scan · EU-hosted