antifragile/antifragile-consulting/playbooks/perimeter-scanning-capability.md

Perimeter Scanning Capability: Build, Partner, or Hybrid?

"You cannot prioritize what you cannot see. And your internal vulnerability scanner will never tell you what the internet sees."

This document provides a strategic framework for building external attack surface visibility—the "outside-in" perspective that reveals what adversaries (and AI-powered scanners like Mythos) see when they look at your organization from the public internet.

It addresses the build-vs-partner decision for perimeter scanning and maps external findings into the AI-assisted TVM prioritization engine.

---

Why External Scanning Is Non-Negotiable

The Asymmetry Problem

An adversary attacking your organization starts from the outside. They see:

• Your public IP ranges
• Your exposed services and ports
• Your forgotten cloud storage buckets
• Your expired certificates
• Your development sites still publicly accessible
• Your subsidiary domains you forgot you owned

Your internal vulnerability scanner sees none of this. It scans from the inside, authenticated, with full knowledge of the network. The adversary scans from the outside, unauthenticated, with zero prior knowledge.

The board framing:

"Your internal scanner says your web servers are patched. But from the internet, we can see three development instances running outdated Apache versions on ports you did not know were exposed. The internal scanner is blind to what the adversary sees first. External scanning closes that blindness."

The Mythos-Specific Risk

AI-powered scanning agents do not sleep, do not get bored, and do not miss open ports because they were in a hurry. They:

• Scan entire IPv4 space continuously
• Correlate services with CVE databases in real time
• Chain findings: open port + service version + known exploit = instant target
• Discover forgotten assets faster than human reconnaissance teams

If you are not scanning your perimeter at least as aggressively as your adversaries, you are relying on luck.

---

The Three Models

Model	Description	Investment	Timeline	Best For
Build (Open-Source)	Self-hosted Nuclei, OpenVAS, Amass on cheap VPS infrastructure	Low (€200-500/month infrastructure)	1-2 weeks to operational	Tech-savvy teams; consultants who want independence; proof-of-concept
Partner (Commercial)	Shodan Enterprise, Censys, Tenable.asm, Cortex Xpanse, Mandiant ASM	Medium to high (€10K-€100K/year)	Immediate (SaaS)	Organizations needing continuous monitoring, compliance evidence, or limited internal expertise
Hybrid	Open-source stack for active scanning + commercial platform for passive discovery and trends	Medium (€15K-€30K/year)	2-4 weeks	Most organizations; balances cost, capability, and coverage

---

Model 1: Build (Open-Source Stack)

The Consultant's Scanning Infrastructure

For a consulting practice, owning your own scanning capability provides independence, speed, and a differentiator.

Infrastructure: 2-3 cheap VPS instances (Hetzner, DigitalOcean, Vultr)

• €5-10/month per instance
• Distributed across geographies (EU, US, Asia) to simulate global adversary perspective
• Containerized scanning workloads

Core Stack:

Tool	Purpose	Why It Matters
Amass	DNS enumeration, subdomain discovery, asset mapping	Finds forgotten domains, dev sites, acquisitions
Naabu	Fast port scanning	Identifies exposed services beyond standard ports
httpx	Web service fingerprinting	Identifies technologies, versions, and potential vulnerabilities
Nuclei	Vulnerability detection (10,000+ templates)	Specific CVE detection, misconfiguration checks, exposed panels
Subfinder	Passive subdomain discovery	Leverages certificate transparency, search engines, archives
Katana	Web crawler	Discovers hidden endpoints, API paths, exposed files
Gau (GetAllUrls)	URL enumeration from archives	Finds old URLs that might still resolve to live services
OpenVAS / Greenbone	Full vulnerability scanning	Deep inspection of discovered services
Nmap + NSE scripts	Service detection and vulnerability checks	Reliable, comprehensive, scriptable

Deployment Architecture

┌─────────────────────────────────────────────────────────────┐
│                     SCANNING CONTROLLER                      │
│  (Scheduling, results aggregation, report generation)        │
│  - Cron jobs or Jenkins/GitHub Actions                       │
│  - SQLite/PostgreSQL for results storage                     │
│  - Python/PowerShell for report generation                   │
└────────────────────┬────────────────────────────────────────┘
                     │
     ┌───────────────┼───────────────┐
     ▼               ▼               ▼
┌─────────┐   ┌─────────┐   ┌─────────┐
│ EU VPS  │   │ US VPS  │   │ ASIA VPS│
│ Amass   │   │ Amass   │   │ Amass   │
│ Nuclei  │   │ Nuclei  │   │ Nuclei  │
│ Naabu   │   │ Naabu   │   │ Naabu   │
└─────────┘   └─────────┘   └─────────┘

The First External Scan Protocol

# 1. PASSIVE RECONNAISSANCE (no packets sent to target)
amass enum -d client-domain.com -o amass-results.txt
subfinder -d client-domain.com -o subfinder-results.txt
# Merge and deduplicate
cat amass-results.txt subfinder-results.txt | sort -u > all-domains.txt

# 2. DISCOVER LIVE SERVICES
cat all-domains.txt | httpx -o live-web-services.txt -tech-detect -status-code
cat all-domains.txt | naabu -p - -o live-ports.txt

# 3. VULNERABILITY DETECTION
nuclei -list live-web-services.txt -severity critical,high -o nuclei-findings.txt

# 4. DEEP INSPECTION (for high-value targets)
nmap -sV -sC -O --script vuln -iL live-ports-targets.txt -oA deep-scan

# 5. REPORT GENERATION
# Aggregate, deduplicate, prioritize

What this produces in 4 hours:

• Complete subdomain map
• All live web services with technology fingerprinting
• Critical and high-severity vulnerability findings
• Exposed development sites, admin panels, default credentials
• Certificate expiration warnings
• Geographic distribution of exposed services

Limitations of the Build Model

Limitation	Impact	Mitigation
IP blocking by CDNs / WAFs	Incomplete scan results	Rotate source IPs; use multiple VPS locations; respect rate limits
Legal exposure	Scanning without explicit authorization is illegal in many jurisdictions	Always have written authorization; define scope strictly; exclude third-party infrastructure
Maintenance burden	Tools require updates; templates require refresh	Automated CI/CD pipeline for tool updates; weekly template sync for Nuclei
No historical trending	Point-in-time snapshots only	Store results in database; generate trend reports quarterly
Limited cloud asset discovery	Cannot see inside AWS/Azure/GCP without API access	Supplement with cloud-native discovery (see zero-budget discovery)

---

Model 2: Partner (Commercial Platforms)

Shodan / Censys (Passive Discovery)

What they do: Continuously scan the entire internet and index services, certificates, devices, and vulnerabilities. You query their database instead of scanning yourself.

Best for:

• Discovering forgotten assets ("We did not know we had a server in that IP range")
• Historical tracking ("When did this service first appear on the internet?")
• IoT/OT device discovery (Shodan specializes in industrial control systems)
• Certificate transparency monitoring (detects unauthorized certificates)

Pricing:

• Shodan API: ~$60/month for developer; Enterprise starts at ~$10K/year
• Censys: Similar pricing tiers

The consultant use case: Even without enterprise licensing, API credits allow you to query client IP ranges during assessments. The output is professional-grade and defensible.

Tenable Attack Surface Management (Tenable.asm)

What it does: Continuous attack surface monitoring combining external scanning, cloud API integration, and business context.

Best for:

• Clients who need compliance-ready external scanning
• Continuous monitoring (not point-in-time)
• Integration with Tenable.io / Tenable.sc for unified internal + external view

Pricing: ~$15K-€50K/year depending on asset count

Cortex Xpanse (Palo Alto Networks)

What it does: Enterprise-grade attack surface management with threat intelligence integration.

Best for:

• Large enterprises with complex M&A history
• Organizations needing integration with Palo Alto firewalls and Prisma Cloud
• High-frequency M&A environments where attack surface changes constantly

Mandiant Attack Surface Management (Google Cloud)

What it does: Combines attack surface monitoring with Mandiant threat intelligence.

Best for:

• Organizations facing advanced persistent threats
• Clients who want attack surface data correlated with APT TTPs

---

Model 3: Hybrid (Recommended for Most Clients)

The hybrid model combines the strengths of both approaches:

The Consultant's Hybrid Stack

Function	Tool	Model
Continuous passive discovery	Shodan API + Censys API	Partner (€500-€1K/month)
Active vulnerability scanning	Nuclei + OpenVAS on consultant VPS	Build (€200/month)
Deep penetration testing	Nmap + custom scripts + manual validation	Build (labor)
Cloud asset correlation	AWS/Azure/GCP APIs + native security tools	Build (free APIs)
Historical trending and reporting	Self-hosted database + Grafana + AI synthesis	Build (€50/month)
Compliance validation	Tenable.asm or Qualys WAS (optional)	Partner (if required)

Why Hybrid Wins

1. Cost efficiency: Passive discovery via APIs is cheap. Active scanning is cheaper self-hosted than commercial.
2. Coverage: APIs find things your scanners miss (historical data, third-party mentions). Active scanning validates exploitability.
3. Independence: You are not locked into a single vendor. If Shodan raises prices, you can shift to Censys or increase active scanning.
4. Credibility: Having your own infrastructure demonstrates technical competence. Clients trust consultants who own their tools.

---

The Perimeter-to-TVM Integration

External scanning findings must feed into the vulnerability prioritization engine. Here is how:

The Outside-In Risk Multiplier

A vulnerability on an internet-facing system is exponentially more dangerous than the same vulnerability on an internal workstation. The AI-assisted TVM engine weights findings accordingly:

Finding Location	Risk Multiplier	Why
Internet-facing, no WAF	10x	Direct adversary access; no defence in depth
Internet-facing, behind WAF	5x	WAF bypass possible; still directly reachable
DMZ, reachable from internet	4x	Compromise enables lateral movement
Internal, privileged access	3x	High impact if compromised; requires initial access first
Internal, standard user	1x	Baseline risk
Air-gapped / OT	2x-5x	Isolation is protection, but compromise is catastrophic

The Integration Pipeline

[External Scan Results]
    ├─ Nuclei findings (CVEs, misconfigs)
    ├─ Shodan/Censys exposed services
    ├─ Certificate issues
    └─ Cloud-exposed storage/assets
              ↓
[Correlation Engine]
    ├─ Map external finding to internal asset (IP → hostname → owner)
    ├─ Cross-reference with internal vulnerability scan
    ├─ Check compensating controls (WAF, CDN, rate limiting)
    └─ Apply outside-in risk multiplier
              ↓
[AI Prioritization]
    ├─ Exploitability prediction
    ├─ Threat intelligence correlation
    ├─ Business impact assessment
    └─ Generate ranked remediation list
              ↓
[Executive Dashboard]
    ├─ "Top 10 internet-facing risks"
    ├─ "Attack surface trend: growing or shrinking?"
    ├─ "Mean time to remediate externally exposed vulnerability"
    └─ Board-ready brief

The Weekly Cadence

Day	Activity	Source
Monday	Review Shodan/Censys alerts for new exposed services	Passive APIs
Tuesday	Run targeted Nuclei scan on new/changed assets	Active scanning
Wednesday	Correlate external findings with internal vulnerability data	Integration engine
Thursday	Generate AI-prioritized action list	AI TVM engine
Friday	Executive brief: "What changed on our perimeter this week?"	Automated synthesis

---

The Board Conversation

When the CTO asks: "Do we need to pay for external scanning? Can't we just use our internal scanner?"

You respond:

"Your internal scanner sees what is inside your walls. Mythos—and every criminal scanner on the internet—sees what is outside your walls. In our first external scan of your perimeter, we found [X] services exposed to the internet that your internal team did not know existed. [Y] of them have known vulnerabilities. [Z] of them are running end-of-life software. The internal scanner will never find these because they are outside its scope. External scanning is not optional. It is the perspective your adversary already has."

When the CFO asks: "How much does this cost?"

You respond:

"A hybrid approach—combining API-based passive monitoring with active open-source scanning—costs approximately €1,000-€2,000 per month. That is less than the cost of one incident response retainer day. And it provides continuous visibility, not a quarterly snapshot. If you need compliance-ready reports, we can add Tenable or Qualys later. But the baseline visibility is achievable now, at low cost."

---

Legal and Ethical Considerations

Authorization Is Mandatory

Never scan a client's infrastructure—or any infrastructure—without explicit, written authorization.

The authorization letter must specify:

• Exact IP ranges, domains, and cloud accounts in scope
• Excluded systems (production payment gateways, safety-critical OT, third-party services)
• Scanning intensity and timing restrictions
• Emergency contact for scan-related incidents
• Data handling: where scan results are stored, who has access, retention period

Rate Limiting and Resilience

• Respect robots.txt on web services (though adversaries do not)
• Limit concurrent connections to avoid service disruption
• Scan during maintenance windows for critical services
• Have an immediate stop mechanism if unexpected impact occurs

Data Sovereignty

• Scan results may contain sensitive data (service versions, internal hostnames, certificate details)
• Store results in the client's jurisdiction
• Encrypt at rest and in transit
• Delete results after the engagement unless contract specifies retention

---

The Consultant's Advantage

Owning perimeter scanning capability provides three competitive advantages:

1. Speed: You can deliver external attack surface findings in 24 hours, not the 2-week procurement cycle of commercial platforms.
2. Differentiation: Most M365 consultants do not offer attack surface management. You do.
3. Entry vector: External scanning often reveals the most compelling findings—exposed admin panels, outdated services, forgotten acquisitions. These findings naturally lead to broader engagement.

The pitch:

"Before we discuss your M365 security or endpoint management, let us scan your perimeter. In 24 hours, we will show you what the internet sees. I suspect we will find something that changes your prioritization. If we do not, the scan was free. If we do, we have the evidence to justify the security investments you have been considering."

---

Integration With Existing Frameworks

Document	Integration
AI-Assisted TVM Blueprint	Perimeter findings feed the AI prioritization engine with outside-in risk weighting
Zero-Budget Vulnerability Discovery	Internal discovery (scripts + osquery) + external scanning = complete visibility
Business Case Template	Perimeter scanning costs (€1K-€2K/month hybrid) vs. incident response costs
Osquery: The Sovereign Discovery Platform	osquery covers internal endpoint visibility; perimeter scanning covers external attack surface; together they provide complete visibility
Modular Engagements	Perimeter scan can be delivered as a standalone 2-3 day module or included in AI TVM

---

For internal vulnerability discovery without commercial tools, see Zero-Budget Vulnerability Discovery. For the sovereign endpoint discovery platform, see Osquery: The Sovereign Discovery Platform. For the AI-assisted prioritization layer, see AI-Assisted TVM Blueprint.