Skip to main content
Your attack surface is a moving target. Engineering teams spin up new services, expose APIs, deploy staging environments, and provision cloud resources continuously. Shadow IT, forgotten test environments, and acquired infrastructure add to the sprawl. At any given moment, most organizations have exposed assets they don’t know about or have lost track of. Point-in-time assessments capture a snapshot, but the attack surface changes between assessments. A service exposed on Monday might go unnoticed until the next quarterly review. By then, an attacker may have already found it.

How Neo Solves This

Neo continuously monitors your external attack surface, tracking what’s exposed, what’s changed, and what new risk has appeared since the last assessment.
  1. Discovers your full external footprint — Neo enumerates your domains, subdomains, IP ranges, cloud assets, and any externally reachable services. It identifies web applications, APIs, management interfaces, databases, and development or staging environments that may be unintentionally exposed.
  2. Baselines your attack surface — after the initial discovery, Neo establishes a baseline of your known assets, services, and configurations. This baseline becomes the reference point for detecting changes.
  3. Detects changes between assessments — on every subsequent run, Neo compares the current state against the baseline. New services, changed configurations, newly exposed ports, updated software versions, and assets that have gone offline are all flagged.
  4. Assesses new exposure immediately — when Neo discovers a new externally reachable service or a changed configuration, it immediately tests for security implications: known CVEs, default credentials, misconfigurations, and paths to internal resources.
  5. Tracks trends over time — across scheduled runs, Neo builds a history of your attack surface evolution. Your team can see how the external footprint is growing, which areas are most active, and where new risk is accumulating.

What This Looks Like in Practice

You set up a daily attack surface monitoring schedule: 
Monitor our external attack surface daily.

Domains: yourcompany.com, *.yourcompany.com
IP ranges: 203.0.113.0/24

Discover all externally reachable services, track changes 
from previous runs, and test any new exposure for 
vulnerabilities immediately.
On the first run, Neo discovers 23 subdomains, 41 externally reachable services, and catalogs the software versions, configurations, and open ports across your infrastructure. On day four, Neo detects a new subdomain (dev-payments.yourcompany.com) hosting a development instance of your payments service with debug mode enabled and no authentication. Neo flags the exposure, tests for vulnerabilities, and alerts your team in Slack with the full details.

What You Get

  • Complete external asset inventory — every domain, subdomain, service, and exposed port cataloged and tracked
  • Change detection across runs — new services, modified configurations, and removed assets flagged automatically on every assessment
  • Immediate security testing of new exposure — new or changed assets are tested for vulnerabilities as soon as they’re discovered
  • Attack surface trend data — historical view of how your external footprint is evolving over time
  • Signal over inventory — Neo highlights what’s changed and what’s risky, rather than delivering the same full inventory on every run

Setup

To set up attack surface monitoring:
  1. Add your domains and IP ranges in Settings → Environments
  2. Create a scheduled assessment in Settings → Automation → Schedules with a daily or custom cadence
  3. Configure Slack notifications for new exposure alerts in Settings → Integrations → Slack