Security Solutions

4 mins

Managing your offensive security scope

The first and arguably most important step in the continuous threat exposure management lifecycle is getting the scope right. With only a partial scope only a subset of an organization’s digital assets will be assessed. To accurately assess security you have to test everything, this means you have to find everything.

Hadrian’s approach to offensive security starts by creating a complete, accurate, and detailed picture of an organization’s external attack surface. The newly released Scope Management enables organizations to identify previously unknown assets and build the most comprehensive picture of their attack surface ever.

Domain proliferation

One might assume that all of their organizations’ assets are neatly tiered under their apex domain (such as but this is rarely the case. There are many reasons that an organization could own multiple domains, here are some of the most common:

  1. Multiple Top-Level Domains (TLDs)

    A prevalent strategy among businesses expanding their online presence is acquiring their business’s URL across various top-level domains (TLDs). TLDs are the segments located after the final dot in a website address, such as “.com” in

    By securing the organization’s name across multiple TLDs, they preemptively block competitors from establishing similar sites. While the spectrum of TLDs is vast, focusing on acquiring the most sought-after ones is advisable, such as .com .net .org and .info

  2. Multinational presence

    For businesses with an international footprint, it's strategic to secure domain versions specific to the countries you operate in, like '.uk' for the United Kingdom or '.de' for Germany. 

    Additionally, as part of their geographic expansion strategy, organizations acquire businesses in other countries that have a similar nature. The acquiring company might opt to continue utilizing the purchased brand due to its established recognition in the market, retaining domains associated with that name.

  3. Service-Oriented Domains

    For enterprises encompassing a range of services, designating individual domains for each specialty can organize your offerings. For instance, a consumer electronics brand could fraction its services—televisions, computers, appliance repair—each under its distinct domain. This approach is often done to streamline the client experience.

  4. Marketing Campaigns

    As part of a campaign marketing teams to increase awareness of a product or service could establish new domains. By aligning the domain name with the campaign it may be possible to increase site traffic. Additionally, the new domain could host content promoting discounted pricing and other offers that are not usually available.

It is easy to see how the number of apex domains owned by an organization could grow rapidly. Furthermore, it is clear how domains could be forgotten, especially if they are only actively used for a short period. Failing to include these apex domains in your offensive security scope threat present in your attack surface could go undiscovered.


Domain discovery

Hadrian’s new Scope Management feature expands the scope of an organization's automated penetration testing and provides more accurate posture assessments. With just a few clicks, administrators can include domains discovered in Hadrian’s into risk scanning and validation.

Our platform continuously crawls the internet, indexing web pages, documents, and other public resources. The platform collects data on every asset and the AI engine’s similarity algorithm reviews 23 factors to determine if a domain could be yours. Factors include matching IP addresses, matching WHOIS records, but also similarities on webpages such as similar images or words to name a few.

High similarity scores indicate that there strong likelihood that an apex domain belongs to an organization. Hadrian’s platform automatically gathers information about the domain and presents it to administrators to review, shown below. 

Screenshot showing Hadrian’s Scope Overview

Screenshot showing Hadrian’s Scope Overview

The number of discovered domains can vary for each organization, in some cases the number of apex domains could be twice what the organization had anticipated. To help administrators determine whether an apex domain belongs to their organizations they review the evidence collected by Hadrian.

pasted image 0 (1)

Screenshot of the similarities of a discovered domain 

By approving the suggested apex domain it will be instantly added to the Asset Overview, including any subdomains, IP address, and open ports that are associated with it. Detailed contextual information about the new assets then be filtered, searched and reviewed. The assets will also be visible within the Asset Graph, which provides fast analysis of an organization’s attack surface.

pasted image 0 (2)
Screenshot of an organization's attack surface

Additionally, the new assets will be assessed by Hadrian’s platform for potential risks. Risks are validated by the platform’s Orchestrator AI which determines whether a vulnerability is exploitable.


Experience Scope Management

The Scope Management feature is now available for all customers and trial organizations to explore. To find out more about Hadrian’s cybersecurity platform and increase the scope of your offensive security program get in touch with one of our experts.

Book a demo

Get started scanning in 5 minutes

We only need your domain for our system to get started autonomously scanning your attack surface.

Book a demo