The attack surface page is designed to give our Surface Monitoring customers a complete overview of all of their assets (a domain or IP). Each asset is classified according to a Surface state which describes whether an asset is to be considered as currently exposed on your attack surface.
Inactive: These are assets that we haven’t seen for the last 14 days. For domains, this means that we haven’t been able to find a DNS record corresponding to this particular domain. For IPs, this means that we haven’t been able to reach that particular IP.
Seen (active): These are assets that we’ve been able to see within the last 14 days, either through resolving a DNS record (for domains) or through reaching the IP (for IP assets).
Reachable (active): These are assets that we have been able to reach during our monitoring through pings or port scanning.
Open (active): The IPs that the asset points to have open ports that we have been able to reach.
The attack surface page aims to show you what you are currently exposing on your attack surface. Therefore, it is by default filtered to only show assets that we consider to be “active”, i.e. assets that have the surface state seen, reachable, or open.
The attack surface page will, on each asset that has Surface Monitoring running, show the open ports that we have been able to reach on that asset. What is seen in the table are only the ports that have been reached within the last 3 days. However, if you click the link, you will be able to see all ports that we have ever found to be open on that asset, including historic ports (ports that we haven’t reached in the last 3 days).