Surfacing the real attack surface: Advances in asset discovery

Introduction

Accurate external asset discovery remains a moving target for security teams at scale. What’s actually exposed is hard to pin down, regardless of how many inventories or spreadsheets an organization maintains. Release cycles move faster, new domains and endpoints are added constantly, and the attack surface continues to shift, leaving static processes and visibility tools struggling to keep up.

Traditional discovery tools are effective at identifying well-known or easily indexed assets, but they often miss subtler forms of exposure. Ephemeral subdomains, dangling DNS records, and endpoints surfaced only through advanced permutation or certificate analysis frequently go unnoticed, creating blind spots with real security impact.

In this blog, we walk through the enhancements in ProjectDiscovery’s platform and how they surface assets and exposures that traditional approaches often miss in real-world environments.

Deep, adaptive subdomain discovery

We have enhanced our subdomain discovery engine to operate as a continuous and resilient system, combining broader passive intelligence with smarter exploration of the DNS namespace.

This brings together several key improvements:

  • Expanded passive subdomain intelligence, incorporating additional high-signal sources and a significantly larger set of real-world observed subdomains.
  • Expanded ChaosDB DNS coverage, adding 1.5 billion new observed DNS records in this release to improve discovery depth and coverage.
  • Context-aware DNS permutation using Alterx and Regulator, generating subdomain candidates based on observed naming patterns rather than static wordlists.
  • More resilient DNS enumeration, with explicit handling of wildcard behavior and automatic retries to reduce gaps caused by transient DNS failures.

In enterprise environments, subdomains are created indirectly through CI pipelines, SaaS platforms, vendor tooling, migrations, and infrastructure changes. These names rarely follow consistent conventions, are often created outside central ownership, and persist because nothing explicitly breaks when their original context changes.

Without continuous and resilient subdomain discovery, these assets fall outside routine monitoring and review. This increases the likelihood of forgotten exposure, misconfiguration, or untracked services remaining reachable from the internet.
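The wildcard handling and automatic retries listed above can be sketched as follows. This is an added example, not ProjectDiscovery's code: all function names are hypothetical, and the resolver is a constructed in-memory zone for `example.test` using documentation IP ranges, so it runs without network access.

```python
import random
import string

class TransientDNSError(Exception):
    """Timeout or SERVFAIL: the answer is unknown, not negative."""

def resolve_with_retry(resolve, name, attempts=3):
    """Call resolve(name), retrying transient failures up to `attempts` times."""
    for attempt in range(attempts):
        try:
            return resolve(name)  # set of IPs; an empty set means NXDOMAIN
        except TransientDNSError:
            if attempt == attempts - 1:
                raise

def wildcard_ips(resolve, domain, probes=3):
    """Resolve random labels that should not exist; any answer is wildcard data."""
    alphabet = string.ascii_lowercase + string.digits
    names = ["".join(random.choices(alphabet, k=16)) + "." + domain for _ in range(probes)]
    return set().union(*(resolve_with_retry(resolve, n) for n in names))

def enumerate_hosts(resolve, domain, labels):
    """Sort candidate labels into confirmed, wildcard-only and unresolved."""
    wild = wildcard_ips(resolve, domain)
    out = {"confirmed": {}, "wildcard": [], "unresolved": []}
    for label in labels:
        name = f"{label}.{domain}"
        try:
            ips = resolve_with_retry(resolve, name)
        except TransientDNSError:
            out["unresolved"].append(name)  # re-queue later, do not record as absent
            continue
        if ips and ips <= wild:
            out["wildcard"].append(name)  # indistinguishable from the wildcard answer
        elif ips:
            out["confirmed"][name] = sorted(ips)
    return out

def make_constructed_resolver():
    """Constructed in-memory zone for example.test (sample data, no network)."""
    records = {"api.example.test": {"198.51.100.5"}, "staging.example.test": {"198.51.100.7"}}
    failures = {"staging.example.test": 2, "old.example.test": 99}  # transient errors left
    def resolve(name):
        if failures.get(name, 0) > 0:
            failures[name] -= 1
            raise TransientDNSError(name)
        return records.get(name, {"203.0.113.10"})  # *.example.test wildcard
    return resolve
```

Calling `enumerate_hosts(make_constructed_resolver(), "example.test", ["api", "staging", "old", "vpn"])` confirms `api` and `staging` (the latter only on the third attempt), files `vpn` under wildcard, and keeps `old` as unresolved rather than treating it as absent. A real host that happens to share the wildcard's address also lands in the wildcard bucket, so that bucket needs a second signal before anything in it is dropped from the inventory.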


TLS-based asset discovery

We have integrated TLS certificate data into ProjectDiscovery’s discovery engine, using newly issued SSL/TLS certificates as an active discovery signal correlated to hosts and IPs.

In production environments, certificates are issued automatically for short-lived services, test deployments, and one-off infrastructure that are never formally inventoried. By incorporating certificate data directly into discovery, ProjectDiscovery surfaces transient assets that DNS and scan-based approaches commonly miss.


Associated domain discovery

ProjectDiscovery’s platform now expands discovery beyond explicitly onboarded assets by identifying domains externally associated with an organization. Using signals such as SSL/TLS certificates and domain registration data, discovery now surfaces domains that are linked to the organization even when they were never manually added or tracked.

Across organizations, domains are often registered through subsidiaries, acquisitions, regional teams, marketing initiatives, or legacy projects, and many never make it into a central inventory. By bringing these associated domains into discovery automatically, ProjectDiscovery helps teams build a more complete view of their external footprint and reduces the risk of overlooked or inherited exposure.


What this means for security teams

With these enhancements, external asset discovery becomes more predictable and easier to operate at scale. Instead of relying on static inventories or periodic checks, security teams gain a continuously updated view of what is actually exposed as infrastructure and ownership change.

In practice, this means fewer unknown assets, clearer boundaries around what should be monitored, and earlier visibility into risk introduced through automation or drift. Discovery results remain actionable as environments evolve, rather than growing noisier or harder to manage over time.

Teams adopting these capabilities typically see:

  • Fewer unknown assets surfacing during audits or incidents
  • Faster remediation cycles due to earlier and more reliable visibility
  • Reduced alert fatigue by focusing on assets that matter, not just discovery volume

External asset discovery will never be static, but it doesn’t have to be reactive. As environments continue to change, discovery needs to keep pace without adding operational overhead.

If you haven’t reviewed your external exposure recently, these updates offer a practical way to see what’s changed and what may have gone unnoticed.

Want to learn more about ProjectDiscovery’s asset discovery capabilities?