How do I detect what changed in my attack surface?

Why change detection matters

Your attack surface is everything you expose to the internet: domains, subdomains, open ports, and the services they reveal. Every deployment or DNS change can add risk. Attack surface monitoring that focuses on change means knowing when something new or different appears — a new subdomain, a port opened after a deploy, or an issue that was fixed and reintroduced — so you can act before it becomes an incident.

What actually changes?

In practice, change usually means three things:

• New subdomains. A CNAME is added for a new service or a forgotten subdomain is pointed at your infra again. Regular discovery and comparison answers: what hosts do I have now that I didn’t have before?
• Ports opened after a deploy. A new service listens on 8080 or a debug port is left open. Port and service visibility shows when new listeners appear so you can confirm they’re intended.
• Reintroduced issues. A misconfiguration is fixed in one place and reappears elsewhere, or a dependency brings back a known weakness. Ongoing scanning and comparison catches when a previously fixed issue shows up again.

How to detect what changed

You need three capabilities: discovery (find domains, subdomains, hostnames), scanning (ports, technologies, vulnerabilities), and comparison over time. One-off scans show state at a point in time, not what changed. Scheduled attack surface monitoring establishes a baseline and highlights new assets, new open ports, and new or returning issues so you can validate and fix them early.

What ExposureIntel does

ExposureIntel runs asset discovery (subdomains, hostnames), port and service detection, and vulnerability and misconfiguration scanning. We track new 0-days and CVEs and add checks to scans so you can catch emerging issues. You get one view of your external exposure; over time you see what’s new or different. Add your domain, run discovery and scans on a schedule or on demand, and the dashboard shows your assets and findings — including new subdomains, new open ports, and reintroduced issues. That’s attack surface monitoring: knowing what you have and what changed so you can close gaps before they’re exploited.

Summary

To detect what changed in your attack surface: run discovery and scanning regularly and compare results over time. Watch for new subdomains, ports opened after a deploy, and issues that come back after you fixed them. Attack surface monitoring that focuses on change gives you that visibility so you see what changed before attackers do.