ThingsRecon Discovery User Guide

Modified on Mon, 19 May at 4:50 PM

Introduction

ThingsRecon Discovery provides comprehensive visibility and control over your organisation's external-facing assets, equipping you to find and deal with potential and hidden risks. 

What is ThingsRecon Discovery?

The key features and functions of TR Discovery are:

  • Attack surface discovery: TR Discovery provides a comprehensive picture of your organisation’s external attack surface, including managed and unmanaged infrastructure and applications.
  • Risk prioritisation: TR Discovery categorises discovered Things based on risk severity, business context, and likelihood of exploitation. This allows customers to focus remediation efforts on the most critical threats and optimise security resources.
  • Actionable insights: TR Discovery delivers a passive analysis of potential risks, including open ports, misconfigured services, outdated software, and exposed sensitive data.  
  • Risk reduction: Through TR Discovery, you can:
    1. Implement controls to address shadow IT, reduce overexposure, and ensure compliance with regulatory standards.
    2. Generate remediation plans from the portal to help harden assets and mitigate vulnerabilities before attackers exploit them.
  • Workflow integration: TR Discovery integrates with existing security tools and workflows for seamless remediation and response.

How does ThingsRecon Discovery work?

ThingsRecon Discovery scans use a multitude of different techniques to discover your organisation’s external attack surface. Most of these techniques are passive. The only active element of a scan is when it connects to an application and renders it to build a map.

ThingsRecon Discovery offers two types of discovery scans:

  • Static: From a predefined list of domains entered by the user, discover all related Fully Qualified Domain Names (FQDNs), applications, IPs, etc. and the relations between them.
  • Dynamic (or deep discovery): From a domain starting point, discover other domains belonging to the organisation. From discovered domains, find all other things that are part of your external attack surface. Deep discovery can tell you the likelihood of a domain belonging to your organisation and what techniques have been used to find it.

You can configure scans further by setting them up with different parameters.

See: Setting up Scans

System Requirements

The ThingsRecon Platform runs on Google Cloud Platform, hosted in the European Union and other customer-specific locations. The only prerequisites for using the solution are:

  • A user account on the ThingsRecon platform 
    1. Different users will require different access rights. For example, someone responsible for setting up service accounts will require Admin rights
  • Having the required IP addresses on your allow list, if behind a firewall.

User Profiles

When an organisation first uses the TR platform, the team at ThingsRecon will set up one or more administrators within the organisation. These administrators can then set up and assign user roles to others within the company.

TR Discovery access controls support four main types of users: Administrators, Operators, Contributors, and Readers. Their differing rights within the platform are shown in the following table.

Action            Project Admin   Project Operator   Project Contributor   Project Reader
----------------  --------------  -----------------  --------------------  --------------
Account User      None            None               None                  None
Account Info      None            None               None                  None
Project           None            None               None                  None
Project User      Manage          None               None                  None
Project Info      Manage          None               None                  None
Project BU        Manage          Manage             View                  None
Project Reports   Manage          Manage             View                  None
Scan Items        Manage          Manage             View                  View
Scan Parameters   Manage          Manage             View                  View
Scan Run          Manage          Manage             None                  None
Job List          Manage          Manage             None                  None
Result            Manage          Manage             Manage                View
Data              Manage          Manage             Manage                View
Export            Manage          Manage             Manage                View

Key:

  • None – The user has no access to the feature.
  • View – The user can view the feature but cannot make changes or execute processes.
  • Manage – The user has full access to all options and functionalities of the feature.

Getting started: Activate your Account, Setup & Login

Activating Your Account

Once your ThingsRecon Discovery account is set up, you'll receive an email invitation. This will contain a link to access the portal. Click the link in the email to begin your setup.

Setting up Two Factor Authentication

For security purposes, you'll need to enable Two Factor Authentication (2FA). You can do this using a mobile authentication app like Google Authenticator to generate a one-time login code.

Follow the on-screen instructions to complete this step.

Logging in

Once Two Factor Authentication is set up, or you are returning to the platform:

  • Log in using your email and password.
  • Enter the 6-digit authentication code from your mobile app.

Once logged in, you'll land on your Dashboard, the visual intelligence hub of the ThingsRecon Discovery platform.

Understanding the User Interface 

When you first log in to TR Discovery, you will see the default dashboard view. This view will change as you navigate the system, but two elements will always be available: the Universal Banner and the Left-Hand Navigation Pane

Universal Banner 

The Universal Banner runs along the top of the screen. The first button on the far left is the ThingsRecon logo. Clicking it will take you to a new page, from which you can navigate between projects (Admins only).

You can also navigate between projects using the drop-down menu next to this logo. Your account name and the name of the project you have currently selected will show here. 

The next icon shows how many jobs are currently running; the number in the centre will change to reflect this. Click the icon to see a pop-up with more information about the status of jobs currently running or which have previously run. 

The final icon on the left-hand side of the banner is used to start a scan. For more information, see the Running a Scan guide. 

The first item on the right-hand side of the banner is the user's profile menu. This is where you can change user information and log out of the platform. 

The final item on the banner is a language drop-down menu. Click here to change the default language across the platform. 

Module Navigation Pane 

TR Discovery comprises five modules, which you can access through the navigation pane on the far left of the screen.  

Top to bottom, the icons in this navigation pane represent the modules: 

  • Dashboard – Where you can see an aggregation of key insights from discovery scans and timeline-based comparisons 
  • Settings – Where you can manage business units, project information, members, and reports 
  • Jobs – Where you can see if scans have successfully completed, how long they took and why they might not have achieved the desired outcomes 
  • Scan – Where you can add items to a work queue and add, remove, or change other scan parameters 
  • Exports – Where you can manage all reports that have been created using the platform's extensive filtering options, as well as utilising the comparison or delta functionality.

Click the icons to switch between different modules as you need different functionalities. 

Setting up a Scan

Digital asset discovery across your organisation starts with scanning

The Scan module provides visibility across your total external attack surface, comprising all your organisation’s managed and unmanaged infrastructure and applications. It automatically detects domains, IP addresses, certificates, software, and other key assets. 

Our Scan function uses a combination of passive and active crawling techniques to uncover both known and unknown assets (“Things”) that are exposed externally to the Internet. 

Based on your priorities or current specific requirement, you can choose what to scan, when, and how.

Note: Although we use multiple techniques to map out your external attack surface, no vulnerabilities are exploited, no forms are filled, and so on. The Discovery scan behaviour is similar to a visitor browsing the application.

Accessing the Scan Functionality

From the Dashboard (which is where you’ll land after logging in), click the Scan Icon in the left-hand navigation panel.

Choosing What to Scan

With the ThingsRecon Discovery platform you can go as broad and as deep as necessary to discover and assess digital assets or touchpoints. These might range from points of integration and data exchange (in the form of APIs), to the full spectrum of web applications. 

The reach of your scan could be right across your entire organisation, or within the parameters of individual locations, business units, or specific digital assets.

Adding Scan Items

Via the Items view (accessed via the left-hand tab at the top), click Add Item in the upper right corner to enter what, specifically, you want to scan. 

Choose between:

  • Manually adding IPs, IP Ranges, Domains, FQDNs, or URLs using the “Add Item” button (located in the top-right corner)
  • Importing from File: Upload a list of scan targets in supported file formats (use the template to import).

To add multiple items at once, use the bulk import function.

Note: Once added, items will appear in the Items Tab with default attributes. For example, every Work Queue item is assigned a “trust” level from zero to 100, which refers to the level of confidence that the asset belongs to the organisation. Any item which is manually added to the Work Queue is automatically assigned a 100% trust level.

Choosing the Type of Scan

Two main types of Discovery scans are available: 

  1. Static – scanning only the specific item you entered, staying within the same domain.
    • From a predefined list of domains entered by the user, discover all related Fully Qualified Domain Names (FQDNs), URLs, applications, IPs, etc., and all relations between them.
  2. Deep Discovery – a more dynamic scan exploring everything related to your company, giving you a broader view of your digital footprint.
    • From a domain starting point, discover other domains belonging to the organisation.
    • From discovered domains, find all other things that are part of your external attack surface.
    • Deep Discovery can tell you the likelihood of a domain belonging to your organisation and what techniques have been used to find it.

Tip: 

  • Deep Discovery significantly improves visibility of your external attack surface. This type of scan is recommended for your main domain.
  • The scan mode reverts by default to Static after completion of the scan. If a new scan is started, this should be changed once more to Deep Discovery for the main domain.

Discovery scans are typically run first using the default settings in the user interface. Subsequent Discovery scans can then be further configured with a number of parameters (see Setting Scan Parameters). A “reset to default” button at the bottom of the page undoes any previously set parameters.

Setting Scan Parameters

Select the Parameters view (top-right tab) for additional scan configuration settings. These parameters allow you to be more granular in your Discovery and adjust the scope of your scans if needed based on initial results. 

This view is divided into three tabs (switch between them using the left-hand panel).

Deep Discovery Settings  

The Deep Discovery settings control how deeply the scan should expand beyond original items and enable passive expansion into related domains and IPs. 

These settings comprise:

  • Enable Google Analytics 
  • Enable Redirect To 
  • Enable Reverse Whois on Company 
  • Enable Reverse Whois on Domain 
  • Enable Artificial Intelligence 
  • Enable IP Range Finding 
  • Enable Other Countries 
  • Enable Certificate DB Check.

(See Key to All Scan Settings)

Discovery Settings (Static and Deep Discovery)

The Discovery settings define how certificates, WHOIS records, or DNS data are used during asset identification. They also include or exclude external service lookups. 

These settings comprise:

  • Enable Subdomain Finder 
  • Whitelisted IP Locations 
  • HTTP Ports 
  • HTTPS Ports 
  • Enable Port Scanning 
  • Port Scanning Blacklisted IPs 
  • Enable Responsive IP Search. 

(See Key to All Scan Settings)

Crawling Settings (Static and Deep Discovery)

The crawling settings determine how web crawling will be handled (depth, timeouts, limits). They are useful for applications and URLs with complex structures.  

These settings comprise:

  • Max Number of Pages 
  • Enable Number of Pages Per Application 
  • Find Application From Certificates 
  • Enable Sitemap Check 
  • Enable Fast http Port Checking 
  • Page Timeout 
  • Render Delay 
  • Time To Render 
  • Max Concurrent Crawling.

(See Key to All Scan Settings)

Key to All Scan Settings:

  • Blacklisting Feature: A list of regexes (sequences of characters that define a search pattern) that will exclude matching findings from results. This feature can also be used in reverse.
  • Enable Artificial Intelligence: Uses AI techniques such as image recognition to improve trust level accuracy on discovered domains. (Default value: True)
  • Enable Certificate DB Check: Checks external certificate data sources to find more domains. (Default value: True)
  • Enable Google Analytics: Uses reverse techniques on Google Analytics digital IDs. (Default value: True)
  • Enable IP Range Discovery: A technique that checks for IP ranges based on trusted company names. (You will need to have at least one entry in the work queue here.) (Default value: True)
  • Enable Other Countries: Allows the discovery of any top-level domain (TLD). If this option is disabled, only domains with the same TLD as those present in the work queue, entered by the user, will be considered. (Default value: True)
  • Enable Redirect To: Identifies web sites/URLs that are redirecting to any discovered domains with a trust level of 100%. (Default value: True)
  • Enable Reverse WHOIS on Company name: Finds domains by querying reverse WHOIS data sources with the company name as a criterion. (Default value: True)
  • Enable Reverse WHOIS on Domain: Finds domains by querying reverse WHOIS data sources where a domain email address has been used to register the domain.
  • Enable Port Scanning: Performs port scanning on all IP addresses discovered. (Default value: False)
  • Enable Responsive IP Search: Discovers applications responding to HTTP or HTTPS requests based on an IP address rather than an FQDN. (Default value: True)
  • Enable Subdomain Enumeration: Finds all subdomains related to the domains discovered.
  • HTTP Ports: List of HTTP ports used to perform web application discovery. (Default value: [80,8080]) Note: You can add ports for hidden interfaces.
  • HTTPS Ports: List of HTTPS ports used to perform web application discovery. (Default value: [443,8443]) Note: You can add ports for hidden interfaces.
  • Blacklisting IP(s) for Port Scanning: The Scanner will exclude this list of IPs from port scanning. (Default value: [none])
  • Enable Fast HTTP Port checking: Port scanning to check whether a web application exists. Some firewalls can detect port scanning and blacklist ThingsRecon outbound IP(s). Disabling this option prevents being blocked, but will slow down the Discovery. (Default value: True)
  • Max Number of Pages: The maximum number of pages the Scanner can crawl. This applies to the whole Project if the “Number of Pages Per Application” option is disabled. (Default value: 60)
  • Enable Number of Pages Per Application: Applies the “Max Number of Pages” per Application, instead of to the whole Project. (Default value: True)
  • Enable Sitemap Check: The Scanner will try to find sitemap files to crawl more URLs. (Default value: True)
  • Find Application from Certificates: Discovers new Applications from certificates found on already-known applications. The Scanner does this by checking the Subject Alternative Name (SAN) attributes. (Default value: True)
  • Max Concurrent Crawling: The maximum number of web pages that can be crawled concurrently. Decreasing this value helps ensure the Scanner is not blacklisted or blocked. (Default value: 20)
  • Page Timeout: Timeout option for HTTP-type connections. (Default value: 10)
  • Rendering Delay: The browser may receive a notification indicating that a page is fully loaded, but this information may not be accurate (depending on how the page was constructed). A specific time duration (in seconds) is therefore established, for security reasons, to ensure the retrieval of all pertinent information from the page. We recommend extending this duration, especially for Applications with a sluggish response. (Default value: 5)
  • Time To Render: The duration the Scanner waits for a page to fully load in render mode, which involves executing scripts and other processes. (Default value: 60)

Tips:

  • Adjust scan settings carefully — they directly impact scan breadth and duration. 
  • Adjust Deep Discovery settings cautiously to avoid over-discovery of non-owned assets.
  • Remember, you can reset the scan parameters to the default (a button for this can be found at the bottom of the page).

Scan Execution: How Scans Work

Discovery scans use a range of different techniques to map out the external attack surface. Most are passive. The only exception is when the scan connects to an application and renders it to build a map (similar to what a visitor sees when browsing your application).

Scan results returned are of a discovery or hygiene nature for applications, certificates and domains.

See: Running a Scan, Working with Scan Items

Running a scan

Starting a scan

When you have added one or more items to the work queue, you can start a scan by clicking the Scan icon in the top left corner of the dashboard, then clicking the Launch Scan button.

The ideal scan cadence depends on the size of the organisation, its risk profile/appetite and remediation frequency. Scans should be run regularly to monitor for new or changed assets, misconfigurations, and remediation progress.

General best practice recommendations are as follows:

  • High-risk (e.g., financial services, healthcare, tech firms, or frequently changing environments) – Monthly for the overall scan, daily to weekly for specific parts of the organisation
  • Moderate-risk (most medium-sized enterprises) – Monthly
  • Low-risk (small, stable organisations with minimal internet-facing assets) – Monthly to quarterly

Monitoring scan progress

Once a scan is running, you can monitor its progress in the Jobs Module. Click on the Jobs Icon in the left-hand navigation pane to open this page.

The Jobs Module is an activity log and task monitoring centre. Whether tracking active tasks or investigating failures, the Jobs Module is your window on everything currently running or previously executed. It provides transparency into the automated and background processes across the platform. Scan work queue items can be updated and modified even while the scan is running.

Each scan is listed in the Jobs Module’s tabular view, which displays nine columns that provide detailed metadata and diagnostics for every job. Users can sort and filter jobs via the Column Headings, as well as filter jobs based on job type, status, or parameters via the search bar.

Jobs column headings and their descriptions:

  • Job Type – Specifies what kind of task was run: tra (Discovery scan), tre (Export), trc (Comparison)
  • Created At – The timestamp when the job was triggered
  • Status – Current state of the job: Pending, Executing, Failed, Completed, Aborted, or Abort Requested
  • Exited At – Timestamp when the job completed or stopped
  • Failure Exit Code – A numeric/error code indicating why a job failed (if applicable)
  • Failure Exit Description – A human-readable message explaining the error or failure reason
  • Duration – How long the job took to complete
  • Abort Requested At – When a user manually requested termination (if applicable)
  • Args – Displays the parameters passed during job execution (contextual details)

From this page, you can see when scans have completed and when they have failed or are stuck in a ‘pending’ status.

When scans show as ‘Completed’, you can proceed to reviewing the scan items.

Troubleshooting

When a job fails, three fields are critical for diagnostics:

  • Failure Exit Code:
    1. Example: 1002, 503, etc.
    2. Useful for matching known errors
  • Failure Exit Description:
    1. Example: "DNS resolution failed" or "File export path not found"
    2. Offers context for users or support teams
  • Args:
    1. Shows what inputs were passed when the job ran
    2. Helps replicate or understand edge-case conditions

Share these values with your support or engineering team for fast resolution of recurring issues.

Stopping a scan

Scans that are pending or in progress can be terminated immediately by clicking on the Scan Icon and selecting ‘abort’.  Note that all results to this point are kept but no further scanning is done.

A scan may be aborted by a user for several reasons, including:

  • Typographical errors
  • Incorrect domains
  • While rare, the scanner might return a large volume of false positives, i.e. domains that are not considered in scope. This can occur, for example, when an organisation divests a subsidiary but DNS records and so on are not updated accordingly.

See: Working with Scan Results (options for starting/re-starting scans).

Working with Scan Results

Items Tab 

When a scan completes, you can view the results by returning to the Scan Module and using the table of items in the Items tab. This table will populate with new items as they are discovered, and this list of items becomes the new work queue.

The table comprises sixteen columns that provide detailed information about every item. Users can sort and filter items via the Column Headings, as well as filter them by name, type, or “Finding from” category via the search bar.

Items Tab column headings and their descriptions:

  • Name – The discovered asset’s identifier (e.g., domain name, IP)
  • Type – The classification of the item (e.g., domain, IP)
  • Finding from – The seed item (initial data/settings used to populate a database/application) from which the discovery was made
  • Finding from type – The method used to discover the item
  • Finding from details – Evidence and reasoning behind the discovery
  • Scan Mode – The method used (Static or Deep Discovery)
  • Created at – When the discovery started
  • Updated at – Last time the item was updated
  • Status – Done, in progress, pending, or ignored
  • Status detail – Real-time updates on discovery or scan results
  • Trust – Confidence percentage that the asset belongs to the organisation (below 50% = not included by default)
  • Use – Toggle to include/exclude item from current scan run
  • Domain – Name of the domain
  • Duration – Time to discovery
  • Comments – Field to annotate specific items with notes or justification
  • Actions – Option to remove the item from the scan list

System items

After you have run your first scan, two System Items will appear in the work queue table: 

  • Database Calculation: runs at the end of every scan and performs data analysis and many other tasks to calculate and build the final set of results including attack surface score, risk score, application comparison, supplier detection, indicator assessment, and so on.
  • trWebScan: assigned by default to all projects, this task is passive until applications are onboarded to the TR Web Scan Security program, at which point it activates this service.

These items are automatically generated and cannot be modified.

The Work Queue and Trust

Below the system items, every item manually added to the work queue or discovered by a scan will be listed. When you run a new scan (or update the existing scan), these items will be included in the discovery process.

Before you run a new scan, it is important that you review the work queue and manually remove items not relevant to your organisation. To help you make this assessment, every item is assigned a Trust score from 0–100, where 100 is the most trusted. This Trust score indicates how confident the TR Discovery algorithms are that an asset or ‘Thing’ belongs to your organisation and is relevant to the process. 

Items added manually will automatically have a score of 100. Items discovered through scanning might have a lower Trust score, based on the pivoting algorithms and intelligence gathering of the TR Discovery platform.

You can permanently remove unneeded items using the ‘Delete a scan item’ button in the Actions column. However, these items may return to the Work Queue if they are rediscovered in subsequent scans. Therefore, a better option is to use the toggling ‘Use/Don’t use’ feature, which controls when items are included in reporting, dashboards, and scan updates. By default, items with a Trust score under 50 are toggled to ‘Don’t use’.

Tip: Use the tabular sort and filter options to review everything with a Trust score over 50. Toggle ‘off’ any that don’t belong to the organisation. Then review everything with a Trust score under 50 and toggle ‘on’ if they do belong. Update the relevant scans accordingly.
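As an added example (not ThingsRecon's own code), the following Python models how the scoping settings from the Key to All Scan Settings (Blacklisting Feature, Enable Other Countries, Enable Port Scanning and its blacklisted IPs) combine with the default Use/Don't use rule described above. The ScanItem and ScanSettings classes, the function names and the sample items are assumptions constructed for illustration only.

```python
"""Scope filter modelling the guide's scan settings and Trust / Use rules.

Added example, not ThingsRecon code: setting names follow the guide, but the
ScanItem/ScanSettings data model, function names and sample items are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Guide: items with a Trust score under 50 are toggled to "Don't use" by default.
TRUST_USE_THRESHOLD = 50


@dataclass
class ScanItem:
    name: str
    kind: str              # "domain", "fqdn", "ip" or "url"
    trust: int             # 0-100 confidence that the Thing belongs to the organisation
    manual: bool = False   # manually added work-queue items are always Trust 100
    use: bool = True       # the Use / Don't use toggle

    def __post_init__(self):
        if self.manual:
            self.trust = 100
        self.use = self.trust >= TRUST_USE_THRESHOLD


@dataclass
class ScanSettings:
    """Subset of the scan parameters; defaults are the guide's stated defaults."""
    enable_other_countries: bool = True
    blacklist_regexes: list = field(default_factory=list)
    enable_port_scanning: bool = False
    port_scan_blacklisted_ips: list = field(default_factory=list)  # IPs or CIDR ranges


def tld(name):
    """Top-level label of a domain or FQDN, lower-cased."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def apply_blacklist(items, regexes):
    """Blacklisting Feature: drop findings whose name matches any regex."""
    patterns = [re.compile(r) for r in regexes]
    return [i for i in items if not any(p.search(i.name) for p in patterns)]


def apply_tld_rule(items, settings, work_queue):
    """Enable Other Countries = False: keep only domains/FQDNs whose TLD also
    appears among the user-entered work-queue domains; IPs/URLs are unaffected."""
    if settings.enable_other_countries:
        return list(items)
    allowed = {tld(w.name) for w in work_queue if w.kind in ("domain", "fqdn")}
    return [i for i in items
            if i.kind not in ("domain", "fqdn") or tld(i.name) in allowed]


def port_scan_targets(items, settings):
    """IPs the port scan would cover: 'Use' items only, minus blacklisted IPs/ranges."""
    if not settings.enable_port_scanning:
        return []
    excluded = [ipaddress.ip_network(x, strict=False)
                for x in settings.port_scan_blacklisted_ips]
    targets = []
    for i in items:
        if i.kind != "ip" or not i.use:
            continue
        addr = ipaddress.ip_address(i.name)
        if not any(addr in net for net in excluded):
            targets.append(i.name)
    return targets


def scope_scan(work_queue, discovered, settings):
    """Blacklist first, then the TLD rule; return in-scope items and port-scan targets."""
    items = apply_tld_rule(apply_blacklist(discovered, settings.blacklist_regexes),
                           settings, work_queue)
    return items, port_scan_targets(items, settings)


def demo_scope():
    """Constructed sample data (not real findings) exercising every rule above."""
    work_queue = [ScanItem("example.co.uk", "domain", 0, manual=True)]  # becomes Trust 100
    discovered = [
        ScanItem("shop.example.co.uk", "fqdn", 92),
        ScanItem("example.de", "domain", 71),           # other TLD: dropped by the TLD rule
        ScanItem("old-subsidiary.co.uk", "domain", 35), # Trust < 50: kept, but Don't use
        ScanItem("staging.example.co.uk", "fqdn", 88),  # matches the blacklist regex
        ScanItem("203.0.113.10", "ip", 90),
        ScanItem("203.0.113.77", "ip", 80),             # inside the blacklisted /26
        ScanItem("198.51.100.5", "ip", 45),             # Don't use: never port-scanned
    ]
    settings = ScanSettings(enable_other_countries=False,
                            blacklist_regexes=[r"^staging\."],
                            enable_port_scanning=True,
                            port_scan_blacklisted_ips=["203.0.113.64/26"])
    return scope_scan(work_queue, discovered, settings)


if __name__ == "__main__":
    print(demo_scope())
```

Running the block prints the five in-scope items (two of them toggled to Don't use) and the single IP left for port scanning, which is the review a practitioner does by hand in the Items tab.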

 

Updating or starting a scan

After making any necessary changes—such as reviewing items based on Trust and manually adding or removing items—you can update scan results by clicking on the main scan icon and selecting one of the options from the drop-down menu.

The options are:

  • Update the current test
    1. the user makes changes to the work queue to exclude/include items and re-starts the scan which continues from where it left off
    2. additional findings are added to the already existing data
  • New test
    1. uses the existing work queue items
    2. generates an updated set of findings
  • New test based on user entries only
    1. this option wipes the existing work queue items and starts over with the user-input items (for example, the main domain), generating a completely new set of findings.

Tip: 

  • Updating a scan is faster and more efficient as it only scans the items in the work queue that have been modified
  • New scans should be done on a regular basis to catch any new unknowns and monitor status on remediation
  • New test based on user entries only is typically used if scan results return too many false positives (rare), the wrong starting domain was used, or for organisations that seldom scan, for example a one-off scan each year
  • In the rare event that a user requires complete removal of work queue items and scan data, please submit a ticket to support@thingsrecon.com.


Using the Dashboard

The Dashboard Module is the visual intelligence hub of the ThingsRecon Discovery platform. It aggregates and displays key insights from discovery scans and timeline-based comparisons, providing a real-time and historical view of an organisation’s:

  • complete digital footprint
  • overall ‘cyber hygiene’ posture
  • risk exposure and attack surface insights.

The Dashboard presents data visually, contextually and interactively, making it a powerful decision-making tool.

The colour coding of applications in the different dashboard views (Heatmap, World Map, Things) is based on hygiene indicators where Green = Good, Red = Requires attention. The risk rating is assigned according to the following criteria:

  • A – Excellent: Exhibits robust cyber hygiene with no outstanding issues. Demonstrates best practices in Web Security.
  • B – Good: Good security with minor areas for improvement. Actively addresses risks, though some vulnerabilities may exist.
  • C – Average: Meets basic security requirements with significant improvement areas. May use outdated software. Potentially vulnerable to sophisticated attacks.
  • D – Poor: Lacks sufficient security measures, exposing it to numerous cyber hygiene issues. Non-compliant with security practices and at high risk.
  • F – Failing: Fails to implement basic security controls, exposed and very likely to be attacked. Disregards security best practices, using outdated software. Urgent security overhaul needed.

Heatmap View

The Heatmap View is a high-level visualisation of issues by severity and category. It provides information about Discovery, Hygiene, and Attack Surface Reduction, and this data is broken down by business unit and location. (See Filtering with Indicators for more.)

This is the default view you'll see on your Dashboard when you log in. It quickly pinpoints your highest risks, so you can take swift and appropriate action.

The Heatmap View offers multiple ways to visualise data, including:

  • Circular Chart: Provides an overall rating. That could be across all Things discovered; for specific items; or based on selected filter options
  • Banner Stats: Values shown are based on selection and filtering criteria, from global insights down to those at a more granular level: 
    1. Specific business units
    2. Individual countries
    3. Domains
    4. Applications
  • Expandable Sections: for more detail by:
    1. Discovery – Status of discovered assets
    2. Hygiene – Breakdown of indicator type and severity
    3. Attack Surface Reduction – Actions needed to reduce exposure.

Hover over any Heatmap block to open a mini menu that will allow you to:

  • Launch a report using a pre-defined template
  • See updated banner stats for a particular domain/item
  • View detailed breakdowns.

Alternatively, use the breadcrumb navigation on the left to drill down into specific locations and see how they're performing.

Use the breadcrumb to filter by:

  • Business Units: to view assets relevant to teams, subsidiaries, or clients
  • Locations: showing the geographical distribution of assets and risks (automatically populated from scan results).

The Heatmap is divided into three sections: Discovery, Hygiene, and Attack Surface Reduction. 

Navigating the Timeline

The Timeline at the bottom of the Dashboard highlights test results over time, enabling valuable comparisons and a deeper understanding of an organisation’s evolving cyber security posture.

Each entry here displays:

  • The test date
  • A colour-coded hygiene indicator (Green = Good, Red = Requires Attention)
  • A five-level cyber-hygiene rating, from A–F

You can use the Timeline Navigator to switch between historical test results via the Dashboard, including the corresponding scan results and hygiene ratings.

Tip: Use the Timeline Navigator to measure security posture changes over time.

 

World Map View

The World Map View (accessible via the drop-down menu) highlights where risks are located geographically. It displays the physical distribution of discovered assets, showing the concentration of risks across different countries. This means it can be used to understand the relative or changing situation in priority locations.

Again, you can filter data by Discovery, Hygiene, and Attack Surface Reduction. But with this view you can zoom in to see hygiene issues and attack surface reduction opportunities in specific locations.

Regions are colour-coded to indicate their overall hygiene ratings, and users can view additional information about Discovery, Hygiene, and Attack Surface Reduction in the right-hand panel.


Tip: Use the Heatmap and World Map views for executive-level visualisations.

 

Things View

The Things View is a deep-dive, Configuration Management Database (CMDB)-style interface that categorises all discovered “Things”, including:

  • Applications
  • API endpoints
  • Domains
  • IPs
  • Certificates
  • Cookies, etc 


Select different types of “Things” using the selection bar in the upper-right corner.


Each “Thing” type opens in a table view with:

  • Filterable columns
  • Bulk actions
  • Direct links to detailed Passport Views.

This view is ideal for asset inventory, triage and tagging.

Tip: Use the Things View for operational actions like tagging, onboarding or triaging.

(See Detailed “Things” Guide for more.)

Filtering with Indicators 

The dashboard view provides actionable insights by indicating issues and opportunities related to discovery, hygiene, and attack surface reduction. In the Heatmap View, these indicators are displayed in a window above the heatmaps; expand it by clicking the expand icon in the top-left corner. You can also click on an application to open its ‘passport’ view, where the indicators that apply to it are shown in a short summary.

In the World Map View the indicators are shown in a column on the right-hand side of the map.

In both views, you can click on specific entries to see filtered indicators relevant to specific areas and business units.

You can also click on the indicators themselves to go to the Things view and see a list of the relevant discovered ‘things’ (applications, domains, devices/IP addresses, certificates, cookies, and so on).

Discovery Indicators

External API: Application on which an API external to the project (organisation) was discovered.

Forbidden: Responsive application that always returns a 403 error.

Internal API: Application on which an API internal to the project (organisation) was discovered.

Live application: Reachable application with the status “online”, “SSO” or “unauthorised”. Other statuses can also count as live. Responsive applications running on Fully Qualified Domain Names (FQDNs) with “Forbidden” or “Not found” status are also considered live applications.

Not found: Responsive HTTP or HTTPS address (FQDN or IP) that always returns a 404 error; no available pages could be found.

Parked Domain Applications: At first glance a responsive application, but the FQDN belongs to a parked domain name (a domain for sale or a reserved domain name).

Redirecting: Responsive HTTP or HTTPS address (FQDN or IP) that redirects to another web application.

Refused: No connection could be made because the target machine actively refused it.

SSO: Application protected by a Single Sign-On (SSO) portal. The application cannot be reached directly; it redirects to the single sign-on solution.

Third party: Application identified as a product of a known software vendor; this can be a SaaS platform or an on-premise product. ThingsRecon Discovery recognises a large number of solutions, for example CRMs, security equipment portals and file transfer solutions.

Unauthorized: Responsive application that always returns a 401 error without offering any way to authenticate. A 401 accompanied by a WWW-Authenticate challenge (realm) is not treated as unauthorised but as an online application with a login mechanism.
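The status rules above are easy to get subtly wrong (a 401 with a realm is “online”, a 404 on a bare IP is not “live”). The following added example, which is not ThingsRecon code, encodes those rules over a set of probe responses for one application. The SSO and domain-parking marker lists are constructed for the example; the product's own detection lists are not published on this page.

```python
"""Classify probe results for one application into the Discovery statuses listed above."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed marker lists for this example (assumption, not the product's lists).
SSO_HOST_MARKERS = ("login.microsoftonline.com", "accounts.google.com", ".okta.com", ".auth0.com")
PARKING_MARKERS = ("domain is for sale", "this domain is parked", "buy this domain")


@dataclass
class Probe:
    """One HTTP(S) request to a path of the application and what came back."""
    url: str
    status: Optional[int] = None            # None when no HTTP response was obtained
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    refused: bool = False                   # TCP connection actively refused


def _hdr(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(probes: List[Probe]) -> str:
    """Several paths are probed so that 'always returns 403/404' can be told from a single miss."""
    if all(p.refused for p in probes):
        return "Refused"
    statuses = [p.status for p in probes if p.status is not None]
    if not statuses:
        return "No response"           # timeouts etc.; not one of the page's statuses
    root = probes[0]
    if root.status is not None and 300 <= root.status < 400:
        target = urlparse(_hdr(root.headers, "Location") or "").hostname or ""
        return "SSO" if any(m in target for m in SSO_HOST_MARKERS) else "Redirecting"
    if all(s == 403 for s in statuses):
        return "Forbidden"
    if all(s == 404 for s in statuses):
        return "Not found"
    if all(s == 401 for s in statuses):
        # A 401 carrying a WWW-Authenticate challenge (realm) offers a way to log in:
        # the page treats that as an online application with a login, not "Unauthorized".
        if any(_hdr(p.headers, "WWW-Authenticate") for p in probes):
            return "Online"
        return "Unauthorized"
    if any(any(m in p.body.lower() for m in PARKING_MARKERS) for p in probes):
        return "Parked Domain Applications"
    return "Online"


def is_live(probes: List[Probe]) -> bool:
    """Live application rule: online, SSO or unauthorised, plus Forbidden/Not found on an FQDN."""
    status = classify(probes)
    if status in ("Online", "SSO", "Unauthorized"):
        return True
    host = urlparse(probes[0].url).hostname or ""
    # Forbidden / Not found count as live only when the application runs on an FQDN, not a bare IP.
    return status in ("Forbidden", "Not found") and not _is_ip_literal(host)
```

Feeding it the root path plus a couple of well-known paths (robots.txt, an admin path) is usually enough to distinguish a blanket 403 or 404 from a site that merely lacks one page.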

 

 

Hygiene Indicators

Clear login form: Reference: CWE-319: Cleartext Transmission of Sensitive Information. A login form served or submitted over unencrypted HTTP. Applications that transmit data over unencrypted connections expose it to interception. Vulnerabilities that result in the disclosure of users' data can lead to compromises that are extremely difficult to investigate due to obscured audit trails, and Personally Identifiable Information (PII) can later be used for phishing attacks, amongst others.

Cookie consent issue: The application issues cookies as soon as it is visited, without requiring the user to accept their use. Since May 2011, countries within the EU have been required to give users the right to refuse cookies that may be detrimental to their online privacy. In the UK this is reflected in the Privacy and Electronic Communications Regulations, commonly known as the Cookie Law.

Compromised applications: Using an application that has been part of a data breach may pose severe risks, including unauthorised access to user accounts, data theft and identity fraud. This can result in significant financial losses, compromised sensitive information, and long-term damage to personal and organisational reputation.

CSP header misconfiguration: Reference: CWE-79: Improper Neutralisation of Input During Web Page Generation (Cross-site Scripting, XSS). The Content-Security-Policy header modifies the way browsers render pages and so protects against various cross-site injections, including Cross-Site Scripting. The header value must be set correctly, in a way that does not prevent the proper operation of the website: for example, if the header forbids the execution of inline JavaScript, the website must not use inline JavaScript in its pages. Conversely, a policy whose script-src (or the default-src it falls back to) allows 'unsafe-inline' or a wildcard source gives little or no protection against XSS.

Dangling DNS: Reference: CWE-16: Configuration. Assess whether subdomain takeover is possible with the provider concerned. Dangling DNS refers to DNS records (typically CNAMEs) that are no longer in use and still point to a resource that no longer exists, such as a decommissioned cloud host or an expired domain. If an attacker can register that resource, traffic to your hostname is directed to a site under their control, enabling phishing, malware downloads and unauthorised data collection, compromising user security and damaging organisational reputation. Regular monitoring and maintenance of DNS configurations is crucial to mitigate these risks.

Deprecated SSL Cipher Category: Deprecated SSL/TLS ciphers pose serious security risks, including vulnerability to advanced cryptographic attacks that can decrypt or alter sensitive data. This compromises the confidentiality and integrity of communications, potentially allowing attackers to access or manipulate information exchanged between clients and servers.

Deprecated SSL Protocol: Using deprecated SSL/TLS protocol versions exposes a domain to significant security vulnerabilities, including man-in-the-middle attacks in which attackers intercept and alter communications. It also weakens the encryption, making it easier for attackers to decrypt sensitive information and compromising data confidentiality and integrity.

Exposed database: From port scanning, a database port was found exposed to the internet (MySQL, PostgreSQL, MS SQL, ...).

Exposed file-sharing server: From port scanning, a file-sharing server was found exposed to the internet (FTP, SMB, ...).

Exposed remote access service: From port scanning, a remote access service was found exposed to the internet (SSH server, RDP, ...).

HREF misconfiguration: An application with invalid HREF references leads to broken links, resulting in poor user experience and reduced website credibility. It can also harm SEO rankings and hinder navigation, potentially causing users to leave the site.

HSTS Header Misconfiguration: HTTP Strict Transport Security (HSTS) can be configured on application servers to indicate that future connections to the server must use HTTPS. This mitigates a number of attacks in which an attacker tries to manipulate a user's connection into using an unencrypted one.

For example, in SSL stripping an attacker sitting between client and server talks to the client over plain, unencrypted HTTP. The client can see that the session is not encrypted but, critically, does not know that the session is supposed to be encrypted. HSTS solves this by telling the client's browser that all connections to the domain must be encrypted until at least a certain date.

If the web application mixes HTTP and HTTPS, an attacker can manipulate pages in the unsecured area of the application or change redirection targets so that the switch to the secured page never happens, or happens in a way that leaves the attacker between client and server.

If there is no HTTP server, an attacker on the same network could simulate one and use social engineering to get the user to click on a prepared URL.

Browsers only honour the header when it is received over HTTPS. Common misconfigurations are a very short max-age and the omission of includeSubDomains, which leaves subdomains strippable.

HTTP responsive IP: A web application that responds when addressed directly by IP address rather than by hostname. Web applications should not reply to client requests using an IP-based URL; such a response often indicates an origin server reachable outside any CDN or WAF placed in front of the hostname.

Invalid certificate: Reference: CWE-295: Improper Certificate Validation. Invalid certificates pose security risks such as exposing user data to interception by third parties and enabling man-in-the-middle attacks. Users may be deterred from using the application by security warnings, potentially leading to loss of trust, reduced adoption and reputational damage for the organisation.

Malicious Clone: Maliciously cloned applications typically use spoofed, copycat or typosquatted domains and are intended to trick unsuspecting users into visiting a malicious clone of an otherwise legitimate application. Users unknowingly accessing a maliciously cloned application may become victims of malware downloaded via the clone (so-called drive-by downloads).

Missing CSP headers: Reference: CWE-79: Improper Neutralisation of Input During Web Page Generation (Cross-site Scripting, XSS). No Content-Security-Policy header is sent. The header modifies the way browsers render pages and so protects against various cross-site injections, including Cross-Site Scripting. When adding it, set the value in a way that does not prevent the proper operation of the website: for example, if the header forbids the execution of inline JavaScript, the website must not use inline JavaScript in its pages.

Missing HSTS Header: No Strict-Transport-Security header is sent, so nothing tells the browser that connections to the domain must be encrypted; the SSL stripping, mixed-content and rogue-HTTP-server attacks described under HSTS Header Misconfiguration above all remain possible.

Missing Referrer Policy Header: The Referer request header tells a destination site which page the traffic came from. The Referrer-Policy response header controls how much of that information the browser sends and so prevents cross-domain Referer leakage. Without it, the URL itself, including any sensitive information it contains, can be leaked to the cross-site destination, affecting the privacy of users and of the site itself.

Missing X-Content Type Options Header: MIME sniffing is standard browser functionality for finding a way to render data when the Content-Type sent by the server is missing or inconclusive. Without an X-Content-Type-Options: nosniff header, browsers (notably older versions of Internet Explorer and Chrome) may sniff the response body and interpret it as a content type other than the one intended.

Missing X-Frame Options Header: The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites use it to avoid click-jacking attacks by ensuring their content is not embedded into other sites. Different user agents respond differently when more than one X-Frame-Options header is present; the CSP frame-ancestors directive is the modern equivalent and takes precedence when both are sent.

Old components: Reference: OWASP A06:2021: Vulnerable and Outdated Components. All software components should be kept up to date, since older versions are likely to be affected by one or more publicly disclosed vulnerabilities.

Privacy policy issue: Not having a privacy policy on a company's web application or website can lead to legal and regulatory non-compliance, exposing the company to fines and legal action. It also undermines user trust, as customers may be concerned about how their personal data is collected, used and protected, potentially reducing user engagement and harming the company's reputation.

Referrer-Policy Header Misconfiguration: The Referrer-Policy header is present but ineffective: either its value is not one browsers recognise (and is therefore ignored) or it is unsafe-url, which sends the full URL to every destination. See Missing Referrer Policy Header for why Referer leakage matters.

Suspicious subdomain: Reference: CWE-16: Configuration and CWE-200: Information Exposure. Check whether development or test environments (typically dev, test, staging or uat hostnames) should really be reachable from the public internet without authentication.

Web server default page: Reference: CWE-200: Information Exposure. This web server shows a default welcome page. By default, many web and application server packages are configured with a number of default or initial-installation information pages. These 'welcome' pages often reveal software information. If an attacker can determine the type and version of the web application software in use, they can focus on vulnerabilities specific to that software, making exploitation attempts more straightforward and accurate. The information can also allow an estimate of the underlying platform and hardware.

X-Content Type Options Header Misconfiguration: The X-Content-Type-Options header is present but its value is not nosniff, the only value browsers act on, so MIME sniffing of the response body is not prevented (see Missing X-Content Type Options Header).

X-Frame Options Header Misconfiguration: The X-Frame-Options header is present but misconfigured, for example sent more than once with conflicting values (user agents handle repeated X-Frame-Options headers inconsistently) or using the obsolete ALLOW-FROM directive, which modern browsers ignore. The page is therefore not reliably protected against click-jacking.
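Five of the indicators above (CSP, HSTS, Referrer-Policy, X-Content-Type-Options and X-Frame-Options, each in a “missing” and a “misconfiguration” variant) can be checked from a single response's headers. The following added example, which is not ThingsRecon code, does that over a list of (name, value) header pairs. The thresholds (one-year HSTS max-age, includeSubDomains required, 'unsafe-inline' and wildcard script sources counted as misconfiguration) are this example's own assumptions, not the product's published rules, and the two sample responses are constructed.

```python
"""Audit HTTP response headers for the header-related hygiene indicators above."""
import re

# Thresholds used by this example (assumptions; the product's own thresholds are not published).
HSTS_MIN_AGE = 31536000                       # one year, in seconds
KNOWN_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def _values(headers, name):
    """All values for a header name (case-insensitive); headers is a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _csp_script_sources(policy):
    """Effective script sources: script-src, falling back to default-src as browsers do."""
    for directive in ("script-src", "default-src"):
        m = re.search(r"(?:^|;)\s*%s\s+([^;]*)" % directive, policy, re.I)
        if m:
            return m.group(1).lower().split()
    return None


def audit_headers(headers, served_over_https=True):
    """Return the list of hygiene indicator names raised by one response."""
    findings = []

    csp = _values(headers, "Content-Security-Policy")
    if not csp:
        findings.append("Missing CSP headers")
    else:
        sources = _csp_script_sources(csp[0])
        # No script restriction at all, 'unsafe-inline', or a wildcard host leaves XSS unmitigated.
        if sources is None or "'unsafe-inline'" in sources or "*" in sources:
            findings.append("CSP header misconfiguration")

    hsts = _values(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("Missing HSTS Header")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        # HSTS over plain HTTP is ignored; a short max-age or no includeSubDomains leaves
        # the site or its subdomains strippable.
        if (not served_over_https or max_age < HSTS_MIN_AGE
                or "includesubdomains" not in hsts[0].lower()):
            findings.append("HSTS Header Misconfiguration")

    rp = _values(headers, "Referrer-Policy")
    if not rp:
        findings.append("Missing Referrer Policy Header")
    else:
        # A comma-separated fallback list is allowed; the last recognised token wins.
        tokens = [t.strip().lower() for t in rp[0].split(",")]
        effective = next((t for t in reversed(tokens) if t in KNOWN_REFERRER_POLICIES), None)
        if effective is None or effective == "unsafe-url":
            findings.append("Referrer-Policy Header Misconfiguration")

    xcto = _values(headers, "X-Content-Type-Options")
    if not xcto:
        findings.append("Missing X-Content Type Options Header")
    elif xcto[0].strip().lower() != "nosniff":
        findings.append("X-Content Type Options Header Misconfiguration")

    xfo = _values(headers, "X-Frame-Options")
    if not xfo:
        findings.append("Missing X-Frame Options Header")
    elif len(xfo) > 1 or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        # Repeated headers are handled inconsistently across browsers; ALLOW-FROM is obsolete.
        findings.append("X-Frame Options Header Misconfiguration")
    return findings


# Constructed sample responses for the example: a weak one and its hardened counterpart.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Frame-Options", "ALLOW-FROM https://partner.test"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]
```

Headers from a live target can be obtained with any HTTP client that exposes raw header pairs (for example `http.client` in the standard library, reading `response.getheaders()`); the audit itself never touches the network.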

 

Attack Surface Reduction Indicators

Fix: Live application with an obvious hygiene misconfiguration to be fixed. Live applications for which the recommended action is Protect or Remove are not listed here.

Onboard: Live application with no obvious hygiene misconfiguration to fix, and not yet assigned to any security program.

Protect: Suspicious applications, which should have restricted access (VPN, IP whitelist, ...).

Remove: HTTP Responsive IP, web server default page or unexpectedly open ports, which should be removed from exposure.

 

 

Certificate, Domain and Network Indicators

There are several more indicators relating to certificates, domains and networks that are currently only included in exportable reports; they will be added to the user interface in an upcoming update.

Indicator

Description

Certificates

Certificate weak key: The service uses an SSL/TLS certificate chain signed with a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5 or SHA-1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service. Note that all certificate chains signed with SHA-1 that expire after 1 January 2017 are considered vulnerable, in line with Google's gradual sunsetting of the SHA-1 hash algorithm.

Deprecated Signature Algorithm: Certificate signature algorithms such as MD2, MD4, MD5 or SHA-1 are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.

Expired: An expired SSL/TLS certificate causes multiple problems. The user's browser has no way to validate the server, so it cannot definitively determine whether the website presenting the certificate is legitimate. This results in a browser error declaring the connection not secure and may effectively block the website in modern browsers. A site using HTTP Strict Transport Security (HSTS) will not offer the option to proceed despite this error, because HSTS forces secure connections.

Expiring (30 days): The certificate expires within the next 30 days. Once it does, the problems described under Expired apply: browsers cannot validate the server, show a not-secure error and may block the site outright, with no click-through where HSTS is in force. Renew before the deadline.

Revoked: A revoked digital certificate on an application indicates that it is no longer trusted, due to identified security issues or compromise. This can result in access disruptions for users, potential exposure to unauthorised access or data interception, and damage to the application's credibility and reputation because of perceived security weaknesses.

Self-signed Certificate: An application or host relies on a self-signed certificate to secure communications; it does not have an SSL/TLS certificate signed by a trusted certification authority. Clients connecting to the service that do not explicitly trust this certificate or its certification authority will receive an SSL error. If users become accustomed to accepting SSL errors, a man-in-the-middle attack is more likely to go unnoticed.
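Of the certificate indicators above, Expired, Expiring (30 days), Self-signed and Deprecated Signature Algorithm can be evaluated offline from the parsed certificate. The following added example, which is not ThingsRecon code, does so using only the Python standard library, on the dictionary that `ssl.SSLSocket.getpeercert()` returns. Two assumptions to note: `getpeercert()` does not expose the signature algorithm, so that is passed in separately (e.g. from `openssl x509 -text` output), and the sample certificate dictionary is constructed. Revoked is deliberately left out, since it needs a CRL or OCSP lookup.

```python
"""Apply the certificate indicators above to a getpeercert()-style certificate dict."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

WEAK_SIGNATURE_HASHES = ("md2", "md4", "md5", "sha1")


def fetch_peercert(host, port=443, timeout=5.0):
    """Live helper (not exercised offline). Returns (cert_dict, None) or (None, reason).
    The default context validates the chain, so an expired, self-signed or otherwise
    untrusted certificate surfaces as the verify message rather than as a decoded dict:
    that message is itself the 'Invalid certificate' signal."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message


def utc(date_string):
    """Parse 'YYYY-MM-DD' into an aware UTC datetime (used as the 'now' reference)."""
    return datetime.fromisoformat(date_string).replace(tzinfo=timezone.utc)


def not_after(cert):
    """Expiry time of the certificate; notAfter uses OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' form."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)


def audit_certificate(cert, now=None, signature_algorithm=None, window_days=30):
    """cert: getpeercert()-style dict. signature_algorithm: optional OpenSSL name such as
    'sha1WithRSAEncryption'. Returns the list of indicator names raised."""
    now = now or datetime.now(timezone.utc)
    findings = []
    expiry = not_after(cert)
    if expiry <= now:
        findings.append("Expired")
    elif expiry - now <= timedelta(days=window_days):
        findings.append("Expiring (30 days)")
    # A leaf whose issuer equals its subject was not signed by any CA.
    if tuple(cert.get("subject", ())) == tuple(cert.get("issuer", ())):
        findings.append("Self-signed Certificate")
    if signature_algorithm and any(h in signature_algorithm.lower() for h in WEAK_SIGNATURE_HASHES):
        findings.append("Deprecated Signature Algorithm")
    return findings


# Constructed sample in getpeercert() format: a self-signed intranet certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
    "serialNumber": "01",
}
```

Because `fetch_peercert` uses the default verifying context, the common failure cases you are trying to detect (expired, self-signed, hostname mismatch) come back as the `reason` string rather than as a dict; pass a context with `check_hostname = False` and `verify_mode = CERT_NONE` only if you also fetch the DER form with `getpeercert(binary_form=True)` and parse it with a proper X.509 library.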

Domains

DNSSEC not implemented: A domain not using DNSSEC (Domain Name System Security Extensions) is vulnerable to attacks such as DNS spoofing or cache poisoning, in which attackers redirect traffic to malicious websites without the user's knowledge. This can result in significant security risks, including data breaches, phishing attacks and the interception of sensitive information.

Email Authentication Gap: The domain has a Mail Exchange (MX) record configured, allowing it to send and receive email, but no DKIM (DomainKeys Identified Mail) or DMARC (Domain-based Message Authentication, Reporting & Conformance) records were found. Without these authentication mechanisms, malicious actors can spoof emails that appear to originate from the domain, leading to phishing, fraud or damage to the domain's reputation. This misconfiguration weakens email security and trust, making it easier for attackers to use the domain for impersonation. Note that a DKIM record lives under a selector name (selector._domainkey.domain), so its presence can only be confirmed for selectors that are known or guessed.

Email Disclosure: Publicly available email addresses associated with a domain are exposed to spam, phishing and email spoofing, which can lead to security breaches and compromised personal information. They can also be harvested by malicious actors for targeted attacks, increasing the risk of social engineering and business email compromise scams.

Expired: An expired domain can be hijacked by malicious actors, giving them control over associated services and email accounts. This can result in data breaches, phishing attacks, and loss of business reputation and customer trust.

Expiring (30 days): A domain near expiration risks being acquired by malicious actors who could use it for phishing, distributing malware or impersonating legitimate services. Expiry could also disrupt services, cause loss of website visibility and create legal issues if critical business operations depend on the domain.

Insufficient SPF data: An incorrectly configured SPF (Sender Policy Framework) record can cause legitimate emails to be marked as spam or rejected, disrupting communication. It also weakens the domain's defence against email spoofing and phishing, allowing malicious actors to send fraudulent emails that appear to originate from the trusted domain.

New Domain: The domain has been registered within the last 90 days.

Parked Domain: The domain is registered but held by the registrar as parked, so it is not in use on the internet. Sometimes it is offered for sale.

Pending Deletion: A domain pending deletion faces loss of control and ownership, leading to service disruption and loss of website functionality. Once deleted, the domain becomes available for registration by others, potentially enabling cyber-squatters to exploit its previous reputation or mislead its users.

Pending Renew: A domain registration in a pending state risks hijacking or unauthorised changes before it is fully secured. This could mean loss of control over the domain, disruption of services, and exploitation by malicious actors for phishing or malware distribution, with a negative impact on both business operations and reputation.

Transfer Protection not enabled: Without domain transfer protections such as registrar locking or transfer authorisation codes, the risk of an unauthorised transfer, in which cybercriminals hijack the domain, increases. This can lead to loss of control over the domain, service disruption and misuse of the domain for malicious activity, damaging the brand's reputation and security.
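The Email Authentication Gap and Insufficient SPF data indicators above both come down to reading a domain's MX and TXT records. The following added example, which is not ThingsRecon code, evaluates them over a constructed set of DNS answers; against live DNS the same functions work unchanged on the results of a resolver such as dnspython's `dns.resolver.resolve(name, "TXT")`. The list of DKIM selectors to try, and the rule that `+all`, `?all` or a missing terminating `all` makes an SPF record insufficient, are this example's assumptions.

```python
"""Evaluate a domain's MX, SPF, DKIM and DMARC records against the indicators above."""

# Constructed DNS answers standing in for live lookups: one well-configured domain, one weak.
SAMPLE_DNS = {
    ("example.test", "MX"): ["10 mail.example.test."],
    ("example.test", "TXT"): ["v=spf1 include:_spf.mailhost.test ~all", "some-site-verification=abc"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    ("selector1._domainkey.example.test", "TXT"): ["v=DKIM1; k=rsa; p=MIIB..."],
    ("weak.test", "MX"): ["10 mail.weak.test."],
    ("weak.test", "TXT"): ["v=spf1 +all"],
}
# Selectors to probe when none is known (assumption of this example).
COMMON_DKIM_SELECTORS = ("default", "selector1", "selector2", "google", "k1", "dkim")


def lookup(records, name, rtype):
    """Return the TXT/MX strings for a name, or [] (the NXDOMAIN / no-answer case)."""
    return records.get((name, rtype), [])


def evaluate_spf(txts):
    """Return (sufficient, detail). RFC 7208 requires exactly one v=spf1 record."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, "missing" if not spf else "multiple SPF records"
    terms = spf[0].split()[1:]
    if any(t.lower() in ("+all", "all") for t in terms):
        return False, "+all lets any sender pass"
    last = terms[-1].lower() if terms else ""
    if last not in ("-all", "~all", "?all") and not last.startswith("redirect="):
        return False, "no terminating 'all' mechanism"
    if last == "?all":
        return False, "?all is neutral and provides no protection"
    return True, last


def parse_dmarc(txts):
    """Return the tag dictionary of the v=DMARC1 record, or None if absent."""
    for t in txts:
        if t.upper().startswith("V=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in t.split(";") if "=" in kv)
    return None


def evaluate_domain(domain, records=SAMPLE_DNS):
    findings = []
    has_mx = bool(lookup(records, domain, "MX"))
    spf_ok, spf_detail = evaluate_spf(lookup(records, domain, "TXT"))
    if not spf_ok:
        findings.append("Insufficient SPF data (%s)" % spf_detail)
    dmarc = parse_dmarc(lookup(records, "_dmarc." + domain, "TXT"))
    dkim_selectors = [
        s for s in COMMON_DKIM_SELECTORS
        if any(t.upper().startswith("V=DKIM1")
               for t in lookup(records, "%s._domainkey.%s" % (s, domain), "TXT"))
    ]
    # The page's rule: a mail-enabled domain (MX present) without DKIM and DMARC.
    if has_mx and (dmarc is None or not dkim_selectors):
        findings.append("Email Authentication Gap")
    return {
        "mx": has_mx,
        "spf": spf_ok,
        "dmarc_policy": dmarc.get("p", "").lower() if dmarc else None,
        "dkim_selectors": dkim_selectors,
        "findings": findings,
    }
```

Two practitioner caveats the indicator names do not convey: a DMARC record with `p=none` only monitors, so spoofed mail is still delivered, and an SPF record whose `include:` chain exceeds the ten-lookup limit of RFC 7208 evaluates to a permanent error at receivers even though it looks complete.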

Network

Blacklisted IP: Public IP addresses appearing on a blacklist can have their communications blocked, preventing access to essential services such as email and websites. This can disrupt business operations, damage reputation, and require time-consuming and costly remediation to restore normal functionality.

IP Location: An IP address associated with a high-risk region may indicate an increased likelihood of malicious activity originating from that location, such as cyberattacks, malware distribution or phishing campaigns. Organisations may face higher risks of unauthorised access attempts, data breaches and compromised network security when dealing with traffic from such regions, requiring heightened vigilance and robust security measures to mitigate potential threats.

 

Compare With

A single Discovery scan is useful, but the ability to make comparisons and monitor changes and improvements over time provides even more powerful (and actionable) insights. It can highlight progress (useful for executive reporting), as well as new or developing areas of concern.

When a scan or test data set is selected from the timeline, use the “Compare with” feature to add context and meaning. 

Click on the “Compare with” text in the main header section and select another data set to launch a side-by-side comparison, highlighting: 

  1. What’s new
  2. What’s changed
  3. What’s resolved.

Tip: Use Compare With for monthly, quarterly or post-incident evaluations.

 


After entering the comparison mode, the central panel transforms into a three-part comparison view: 

  • Discovery: Highlights assets that were added or removed
  • Hygiene: Shows new, resolved, or changed hygiene indicators 
  • Attack Surface Reduction: Displays changes in action-required applications and services. 


To return to the standard scan view, click the “X” next to the scan timestamp at the top of the central view panel. 

“Things” Detailed Description  

In the context of ThingsRecon’s Discovery platform, “Things” are the various known or unknown assets exposed to the Internet, as identified during Discovery scans. In other words, they are all of the component parts of an organisation’s potential cybersecurity threat surface.

These are broken down as follows, and viewable in respective tables via the Dashboard Things page:

  • Applications (any software exposed on the internet, e.g. a web application, SSH server, database, etc.)
  • API Endpoints (any URI callable by a program and returning a result; also called a web service)
  • Certificates (SSL/TLS certificates asserting a digital identity)
  • Cookies (retained user information)
  • Domains (any internet names described by WHOIS records)
  • FQDNs (Fully Qualified Domain Names: complete, unambiguous and verified addresses of websites, servers or other online resources)
  • Headers (information attached to a digital asset, including metadata such as creation date, file type, etc.)
  • Inputs (web application fields expecting data from the user)
  • IPs (IP addresses: the numeric labels assigned to internet-connected entities identified as part of the attack surface)
  • IP Ranges (groups of IP addresses sharing the same network address, identified as belonging to the target organisation)
  • Mobile Apps (applications installed on mobile endpoints and used by the target organisation)
  • Scripts (JavaScript locations, displayed as URIs)
  • Script Variants (JavaScript code, identified by checksum. A script variant is always linked either to a script (the checksum of the code found at a script URI) or to a URL (inline script))
  • Software Components (distributed software entities offering a specific set of services through well-defined interfaces)
  • SSL Services (an identified SSL/TLS server; one SSL service can serve several HTTPS web applications)
  • Supplier Connections (any clue demonstrating digital proximity to an identified, known supplier. A supplier is a third-party company; Supplier Connections are used to build the Supply Chain)
  • URLs (Uniform Resource Locators, used by browsers to retrieve published resources such as HTML pages, CSS documents, images, etc.)
  • Vulnerabilities (potential points of security weakness, e.g. through integration with third-party tools)

 

Dashboard: Things View

You can view all discovered Things via your Dashboard. 

The Things View is where everything is categorised. The selection bar in the upper-right corner makes it easy to view Things by type (eg. Applications, Domains, etc). 

Each Things type opens in its own table view, simplifying asset inventory, triage and tagging. 

These tables are displayed with 

  • Filterable columns
  • Bulk actions (e.g. you may wish to filter and bulk select all things found on port 80, tag them and add them to a security program)
  • Direct links to a detailed “Thing Profile” (a graphical presentation of the attack surface with additional information on related things and software components, and the ability to add the application to a security program and tag it).

Working with Things

Once discovered, all Things are put into a graph dataset and a number of insights are created using a combination of rules, analytics and AI.  

Discovered Things are categorised based on risk severity, business context and potential for vulnerability exploitability. This helps focus any remediation efforts on the most critical threats.

Application View

When you navigate to the Things page (Things View) in your dashboard, you’ll arrive at the Application view first.

Here you'll find a comprehensive list of all discovered applications, complete with details such as status, risk level, and more. Effectively, it serves as your configuration management database for applications.

By default, the Application view displays all discovered applications. You can easily navigate this view by minimising the left-hand panel to focus on the table. This gives you a clear, detailed overview of your applications.

Application View - Table details

Each identified application is described under a series of key fields. There are over 20 in total, including the following:

  • The name: the Fully Qualified Domain Name (FQDN) or the IP address if the application is reachable on IP directly, which includes the sub domain and top-level domain
  • The port: where the application is running
  • The risk level: calculated based on discovered hygiene issues
  • The status: whether the application is online, offline, or inaccessible
  • The server technology behind the application and the main technology running it.

Note that the name and port will be sufficient to identify an application.

Application filtering

One of the most powerful features in the Things View is the ability to filter applications. You can do this by risk grade to focus on high-risk applications, by status to show only online or offline ones, or by server type to narrow down specific technologies.

You can also filter by Attack Surface Score to prioritise applications with the highest exposure. (The higher the attack surface score, the greater the exposure.)

See: Dashboard – Working with Results for details on how the risk grade is assigned.

Attack surface score

The attack surface score is produced by an algorithm that takes the following seven vectors into account:

  1. Security mechanisms: is the application served over HTTP, HTTPS, or a mix of both?
  2. Page creation method: is the application built with server-side, client-side or mixed technologies?
  3. Degree of distribution: how many pages and outbound connections does the application have?
  4. Authentication: does the application expose login pages?
  5. Input vectors: are there forms or fields that accept user input?
  6. Active content: does the application run internal, external or embedded (inline) scripts?
  7. Cookies: how many cookies does the application set?

Together these vectors indicate how exposed an application is, so you can prioritise your security effort. The higher the score, the greater the exposure.
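The product does not publish how the seven vectors are turned into a score, but the vectors themselves can be pulled from a page with a few lines of code. What follows is an added example, not ThingsRecon's code: it extracts each vector from a constructed HTML page using Python's standard library and sums them with hypothetical weights. The helper names, the reading of "mixed" security as an HTTPS page that loads a plain-HTTP script, the client-side heuristic (a script-heavy page with almost no visible text) and the weights in score() are all assumptions made for illustration.

```python
"""Extract the seven attack-surface vectors from one rendered page.

Added example, not ThingsRecon's code: the scoring algorithm is not published, so
signal extraction is a plain-HTML heuristic and the weights in score() are
assumptions chosen to illustrate the ranking, not the product's real ones.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base, self.host = base_url, urlparse(base_url).hostname
        self.links, self.scripts, self.forms = [], [], []
        self.fields, self.password_field = 0, False   # user-editable inputs
        self.text_chars, self._in_script = 0, False    # visible text outside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base, a["href"]))
        elif tag == "script":   # None marks an inline (embedded) script without src
            self._in_script = True
            self.scripts.append(urljoin(self.base, a["src"]) if a.get("src") else None)
        elif tag == "form":
            self.forms.append(urljoin(self.base, a.get("action", "")))
        elif tag in ("input", "textarea", "select"):
            kind = a.get("type", "").lower()
            if kind not in ("hidden", "submit", "button"):
                self.fields += 1
                self.password_field = self.password_field or kind == "password"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if not self._in_script:
            self.text_chars += len(data.strip())


def extract_vectors(url, html, set_cookie_headers):
    """Return the seven vectors for one page, the inputs the score is built from."""
    c = _Collector(url)
    c.feed(html)
    refs = [u for u in c.scripts + c.links + c.forms if u]
    scheme = urlparse(url).scheme
    loads_plain_http = any(urlparse(u).scheme == "http" for u in refs)
    pages = {urlparse(u).path for u in c.links if urlparse(u).hostname == c.host}
    connections = {urlparse(u).hostname for u in refs if urlparse(u).hostname not in (None, c.host)}
    inline = sum(1 for s in c.scripts if s is None)
    internal = sum(1 for s in c.scripts if s and urlparse(s).hostname == c.host)
    login_form = any(w in urlparse(f).path.lower() for f in c.forms for w in ("login", "signin"))
    if not c.scripts:
        creation = "server-side"
    elif c.text_chars < 50:   # assumed heuristic: script-heavy shell with almost no page text
        creation = "client-side"
    else:
        creation = "mixed"
    return {
        "security": "mixed" if scheme == "https" and loads_plain_http else scheme,
        "page_creation": creation,
        "distribution": {"pages": len(pages), "connections": len(connections)},
        "authentication": c.password_field or login_form,
        "input_vectors": {"forms": len(c.forms), "fields": c.fields},
        "active_content": {"inline": inline, "internal": internal,
                           "external": len(c.scripts) - inline - internal},
        "cookies": len(set_cookie_headers),
    }


def score(v):
    """Hypothetical weighting (an assumption, not ThingsRecon's): more exposure, higher score."""
    s = {"http": 3, "mixed": 2, "https": 0}[v["security"]]
    s += {"client-side": 2, "mixed": 1, "server-side": 0}[v["page_creation"]]
    s += min(v["distribution"]["pages"], 10) + 2 * min(v["distribution"]["connections"], 5)
    s += 3 if v["authentication"] else 0
    s += min(v["input_vectors"]["fields"], 10)
    ac = v["active_content"]
    s += ac["inline"] + ac["internal"] + 2 * ac["external"]   # third-party script weighs most
    return s + min(v["cookies"], 10)


# Constructed sample (not a ThingsRecon capture): an HTTPS login page that pulls one
# script over plain HTTP and sets two cookies.
SAMPLE_URL = "https://portal.example.com/account"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
<script>window.cfg = {};</script>
</head><body>
<p>Sign in to manage your account, view past orders and update your delivery address.</p>
<a href="/">Home</a> <a href="/help">Help</a> <a href="https://status.example.net/">Status</a>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="hidden" name="csrf" value="x"><input type="submit" value="Go">
</form></body></html>"""
SAMPLE_COOKIES = ["session=abc; Secure; HttpOnly", "lang=en"]

if __name__ == "__main__":
    v = extract_vectors(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIES)
    print(v, "score:", score(v))
```

Run against the sample page, the extractor reports mixed security (HTTPS page, plain-HTTP script), a login form with two editable fields, one inline, one internal and one external script, two internal pages, two external hosts and two cookies. Feeding a second, plainer page through the same function shows why the vectors matter more than the total: a static HTTP brochure page with no forms scores on transport alone, while the login page accumulates exposure on almost every vector.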

Additional insights

The more you know about discovered Applications and their status and make-up, the better equipped you are to act appropriately and contain or reduce any potential risk. The Things View provides the following additional detail to help inform and prioritise next steps:

Need Action

The Need Action column highlights applications that require attention. You can filter this information by actions such as ‘Fix’, ‘Protect’ or ‘Remove’ to address vulnerabilities and reduce risks.

CNAME

The CNAME column helps pinpoint where an application is hosted or what it is connected to.

It can reveal whether an application points to a third-party service or to another domain within your infrastructure. CNAMEs to third-party services deserve a second look: if the service behind the record is decommissioned while the record remains, the name becomes a dangling record that someone else may be able to claim.

Category 

This column identifies the specific type of application or exposed service, such as a web app, file sharing or another service (provided the scan parameters have been configured accordingly).

Web Application: an application served over HTTP or HTTPS.

Web Server Default Page: a web server still showing its default page (e.g. IIS, NGINX), which usually indicates a misconfigured or forgotten host.

Third Party: an instance of a known industry product or SaaS solution served from an FQDN belonging to the organisation.

Domain For Sale: a responsive FQDN on a parked domain name.

URI: a responsive endpoint where only blank pages were found. ThingsRecon treats these as probable web services (APIs) rather than a web application.

DB: a typical database port exposed to the internet.

DNS: a DNS server exposed to the internet.

File Sharing: a file-sharing service exposed to the internet (e.g. FTP).

Mail Service: a mail service exposed to the internet (e.g. IMAP).

Protocol: an LDAP, NTP or NetBIOS port exposed to the internet.

Remote Access: a remote-access service such as RDP or SSH exposed to the internet.

WAF: an identified Web Application Firewall (WAF) responding on the FQDN instead of the web application behind it.

Detail: the Detail column shows the specifics of what was discovered for the category.

Scan criticality (vulnerability scanning)

Scan criticality relates to the assessment side of the application and helps you prioritise scans based on the level of risk or importance:

  • No: not onboarded to any security program, so no vulnerability assessment has been run yet
  • Safe: vulnerability assessment run, no vulnerability detected
  • Low, Medium, High: vulnerability assessment run; the value is the severity of the most critical vulnerability found.

Advanced features

To complete the picture, the Things/Application View provides additional insights, to inform onward decision-making:

  • Security onboarding. This lets you select programs to run on an application (such as manual pentesting or automated dynamic application scanning), whether you're working with an MSSP, a third party or an internal scanner
  • Ownership. This column shows who owns the application
  • Business criticality. This lets you define an application’s importance to the business as low, medium or high
  • Update Frequency. Use this to track how often an application is updated
  • Manual Complexity. This is to rate how complex the application is to manage. If used, this will replace the attack surface score for security program recommendation
  • Program Recommendation. One of the most powerful tools, this suggests the best way to scan and assess an application based on automated data (for example risk score and other criteria selected by the organisation) and your manual inputs
  • Tags. This lets you categorise applications. You can use system tags or create your own to group similar apps together.

Taking Action

ThingsRecon Discovery delivers a passive analysis of potential risks, including open ports, misconfigured services, outdated software and exposed sensitive data. Armed with this intelligence, you can choose what to do next.

Discovered applications are broken down into their individual components, providing an attack surface analysis and other data insights that can support penetration testing and DAST security assessment. Depending on the particular requirements and priorities, applications can be assigned to a security program as preferred. 

Managing Reports

Creating Report Templates

As well as viewing scan results in the Dashboard, you can create and export reports to share findings with other stakeholders. Reports can be both standardised and tailored, depending on your requirements.

To create a report, you must first create a Report Template, if none have been created already.

Click on the Project Settings Icon in the left-hand navigation pane, then select the Reports Tab to open the Reports View. 


This view lists your existing Report Templates in a table with six columns. You can sort and filter templates via the column headings and the search bar.

  • Label: the name you have assigned to the template
  • Template Name: the template category
  • Type: the type of output this template will produce (Excel, PowerPoint, etc.)
  • Created At: the date the template was created
  • Updated At: the date the template was last updated
  • Actions: options to edit or delete the template

If no templates exist, this view will be empty. To create a template, click the ‘Create a Report’ button in the top-right corner, then choose one of the three Report Categories from the drop-down menu.


The three Report Categories are:

  • XLSX template 1: An Excel template, ideal for raw data extracts or remediation plans
  • Xlsx delta template 2: A Delta template designed to compare data between two scans, highlighting any changes that have occurred
  • Pptx template 1: A PowerPoint template - best for creating visually engaging reports.

XLSX template 1

If you choose the XLSX template 1 option, you are taken to the template editor, where you can customise the template.

First, name your template in the field labelled ‘Report title’.

Next, choose a report type:

Raw extract: provides all data matching the detailed filtering and rules applied (for example to target specific criteria such as applications, IP ranges or certificates).

  • Use the drop-down menus to filter what is included in the report

Use Case 1: find all applications with login fields that are online and available on port 80.
Select Thing Type = Application.
Add rules: application authentication > 50, application status = online, and application port = 80.


Use Case 2: find all applications on a particular IP (for example when investigating issues with a server).
Select Thing Type = IP and Related Things = Application.
Add rule: IP = 91.216.XX.XXX.


The raw extract option gives you great flexibility in filtering for all or specific datasets. Adding groups allows even more advanced filtering: a group is the equivalent of putting logical operations into brackets, so you can combine “and” and “or” conditions in one query.

Remediation plan: a template report providing guidance on applications and software so that remediation can be properly prioritised. The top-level parameters are preset in this template, but you can still apply your own rules and filtering.
Use case: find all applications that are online and have the lowest application risk rating (grade F), since these are most likely to pose the greatest risk.
Add rules: application status = online, and application risk = F.


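How rules and groups combine is easiest to see on data. The following is an added example, not the product's export engine: a small evaluator for rule and group trees run over a constructed inventory of Things. It covers Use Case 1 and Use Case 2 from the Raw extract section, the remediation-plan filter (online and risk = F), and one bracketed query that mixes “and” with “or”. The attribute names, the relation model (an application's ip attribute names an IP Thing) and the documentation addresses are assumptions made for the illustration.

```python
"""Apply Raw extract style rules and groups to a constructed inventory of Things.

Added example, not ThingsRecon's export engine. It shows the logic a Raw extract
template applies: rules joined with and/or, groups acting as brackets, and the
Related Things pivot. Inventory and relation model are constructed assumptions.
"""
import operator

OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}


def rule(field, op, value):
    """One rule: compare a Thing attribute with a value."""
    return {"field": field, "op": op, "value": value}


def group(op, *items):
    """A group is the bracket: its members are combined with a single and/or."""
    return {"group": op, "items": list(items)}


def matches(thing, node):
    """Evaluate a rule or a (nested) group against one Thing."""
    if "group" in node:
        results = [matches(thing, child) for child in node["items"]]
        return all(results) if node["group"] == "and" else any(results)
    if node["field"] not in thing:
        return False                      # a missing attribute never satisfies a rule
    return OPS[node["op"]](thing[node["field"]], node["value"])


def raw_extract(things, thing_type, query, related_type=None):
    """Select Things of thing_type matching query; optionally pivot to related Things."""
    selected = [t for t in things if t["type"] == thing_type and matches(t, query)]
    if related_type is None:
        return selected
    names = {t["name"] for t in selected}
    # Constructed relation model (assumption): a Thing is related to a selected one
    # when any of its other attributes names it, e.g. an application's "ip"
    # attribute naming an IP Thing.
    return [t for t in things if t["type"] == related_type
            and any(isinstance(v, str) and v in names for k, v in t.items() if k != "name")]


def app_key(thing):
    return (thing["name"], thing["port"])    # name plus port identifies an application


# Constructed inventory: documentation addresses (RFC 5737), not scan output.
THINGS = [
    {"type": "application", "name": "www.example.com", "port": 80, "status": "online",
     "authentication": 80, "risk": "F", "ip": "192.0.2.10"},
    {"type": "application", "name": "www.example.com", "port": 443, "status": "online",
     "authentication": 80, "risk": "B", "ip": "192.0.2.10"},
    {"type": "application", "name": "legacy.example.com", "port": 80, "status": "online",
     "authentication": 20, "risk": "F", "ip": "192.0.2.11"},
    {"type": "application", "name": "old.example.com", "port": 80, "status": "offline",
     "authentication": 90, "risk": "D", "ip": "192.0.2.10"},
    {"type": "ip", "name": "192.0.2.10"},
    {"type": "ip", "name": "192.0.2.11"},
]

# Use Case 1: Thing Type = Application; authentication > 50 AND status = online AND port = 80
LOGIN_ON_80 = group("and", rule("authentication", ">", 50),
                    rule("status", "=", "online"), rule("port", "=", 80))
# Use Case 2: Thing Type = IP, Related Things = Application; IP = 192.0.2.10
APPS_ON_IP = rule("name", "=", "192.0.2.10")
# Remediation plan: status = online AND risk = F
WORST_ONLINE = group("and", rule("status", "=", "online"), rule("risk", "=", "F"))
# Brackets: status = online AND (risk = F OR port = 443)
BRACKETED = group("and", rule("status", "=", "online"),
                  group("or", rule("risk", "=", "F"), rule("port", "=", 443)))


def run_use_cases(things=THINGS):
    """Return the (name, port) keys each query selects, in inventory order."""
    return {
        "login_on_80": [app_key(t) for t in raw_extract(things, "application", LOGIN_ON_80)],
        "apps_on_ip": [app_key(t) for t in
                       raw_extract(things, "ip", APPS_ON_IP, related_type="application")],
        "worst_online": [app_key(t) for t in raw_extract(things, "application", WORST_ONLINE)],
        "bracketed": [app_key(t) for t in raw_extract(things, "application", BRACKETED)],
    }


if __name__ == "__main__":
    for name, keys in run_use_cases().items():
        print(name, keys)
```

The bracketed query is the point of groups: without the inner “or” group, a flat list of three rules joined by “and” would require an application to be both grade F and on port 443, which selects nothing here, whereas the bracketed form selects every online application that meets either condition.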

Xlsx delta template 2

Select the Xlsx delta template 2 option from the drop-down menu and you are taken to the template editor, where you can customise the template.



First, name your template in the field labelled ‘Report title’. Then select the ‘Things’ you want to compare from the drop-down menu—options include applications, IP addresses, and URLs among others.

You can also add custom Rules and Groups, and use the and/or toggle to decide how they combine.

Finally, click ‘Save’ in the lower-right corner to save the template and make it available for use.

Because the Xlsx delta template 2 option is designed to produce reports that compare data, you need to switch to Delta Mode to use it. Use the left-hand navigation panel to view the Dashboard, and from there, use the Compare With function to select the date you would like to compare your scan with. Then select your Xlsx Delta template from the exports menu. 

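What a delta report surfaces is the difference between two snapshots of the same Things, keyed by name plus port. The following is an added example, not ThingsRecon's delta implementation: it computes the added, removed and changed applications between two constructed snapshots and then flags the changes that widen exposure. The snapshots, the compared fields and the A (best) to F (worst) grade order, which the remediation-plan use case implies, are assumptions made for the illustration.

```python
"""Compare two scan snapshots the way a Delta template does.

Added example, not ThingsRecon's delta implementation. Applications are keyed by
name plus port; the snapshots, the compared fields and the A (best) to F (worst)
grade order are assumptions made for the illustration.
"""
GRADES = "ABCDEF"            # assumed risk-grade order, F being the worst


def app_key(app):
    return (app["name"], app["port"])


def delta(previous, current, fields=("status", "risk", "server")):
    """Added, removed and changed applications between two snapshots."""
    prev = {app_key(a): a for a in previous}
    curr = {app_key(a): a for a in current}
    added = sorted(k for k in curr if k not in prev)
    removed = sorted(k for k in prev if k not in curr)
    changed = {}
    for k in sorted(prev.keys() & curr.keys()):
        diffs = {f: (prev[k].get(f), curr[k].get(f))
                 for f in fields if prev[k].get(f) != curr[k].get(f)}
        if diffs:
            changed[k] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def regressions(report):
    """Changes that widen exposure: a worse risk grade, or an application coming online."""
    out = []
    for key, diffs in report["changed"].items():
        before, after = diffs.get("risk", (None, None))
        if (isinstance(before, str) and isinstance(after, str)
                and before in GRADES and after in GRADES
                and GRADES.index(after) > GRADES.index(before)):
            out.append((key, "risk", before, after))
        if diffs.get("status") == ("offline", "online"):
            out.append((key, "status", "offline", "online"))
    return out


# Constructed snapshots, not real scan results.
PREVIOUS = [
    {"name": "www.example.com", "port": 443, "status": "online", "risk": "B", "server": "nginx"},
    {"name": "legacy.example.com", "port": 80, "status": "online", "risk": "F", "server": "Apache"},
    {"name": "admin.example.com", "port": 8443, "status": "offline", "risk": "C", "server": "nginx"},
]
CURRENT = [
    {"name": "www.example.com", "port": 443, "status": "online", "risk": "C", "server": "nginx"},
    {"name": "admin.example.com", "port": 8443, "status": "online", "risk": "C", "server": "nginx"},
    {"name": "staging.example.com", "port": 80, "status": "online", "risk": "E", "server": "nginx"},
]


def sample_report():
    return delta(PREVIOUS, CURRENT)


if __name__ == "__main__":
    report = sample_report()
    for section in ("added", "removed", "changed"):
        print(section, report[section])
    print("regressions", regressions(report))
```

Between the two constructed scans, legacy.example.com:80 disappeared, staging.example.com:80 appeared, www.example.com:443 slipped from grade B to C and admin.example.com:8443 came online; the last two are the regressions a reviewer should look at first. Keying on name plus port is what makes the comparison honest: an application that moved from port 80 to 443 shows up as one removal and one addition rather than as a silent change.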

Pptx template 1

If you choose the Pptx template 1 option, you are taken to the template editor, where you can customise the template.

First, name your template in the field labelled ‘Report title’.

Next, choose how many (1–4) graphical indicators (“dashlets”) you want to include on each page of your report using the slider. Dashlets display data in various graph formats—line, bar, or column—and indicators are added to represent key data points, such as missing headers or expired certificates.

There is also an option to include a main page in your report, which gives an overall snapshot of the findings. Toggle this on or off using the switch next to the slider.

To configure dashlets, click the ‘Add a Dashlet’ button. In the pop-up window, give your dashlet a label, choose the chart-type from the first drop-down menu, and select which indicators you want to be included from the second drop-down menu. Finally, click ‘Add a Dashlet’, and it will appear in the Dashlet Table, which includes five columns. 

  • Name: system-assigned designation for the dashlet
  • Label: user-assigned designation for the dashlet
  • Chart Type: lines, bars or columns
  • Indicators: the parameter (indicator) presented in the chart (live applications, old components, etc.)
  • Actions: icons to edit or delete the dashlet

Individual dashlets can be edited or deleted using the Action Icons in the Actions column.

Once you have finished configuring dashlets, save your template by clicking the ‘Save’ button in the lower-right corner. The template is then available for use.

Generating Reports

Once you have set up your templates, you can start generating reports. To begin, navigate to the Dashboard Module by clicking the Dashboard icon in the left-hand navigation pane.


You can export reports at a project level, business unit level, or domain level. Use the heatmap view to focus on the information you want to include, then click on the Create A New Export button in the top-right corner.

Choose your template from the pop-up window and click the export icon in the Actions column to begin the exporting process. If there are numerous templates in the list, you can use the search bar to find the one you want more easily.



The numeric icon in the Universal Banner will change to show the number of exports currently in progress, and you can click it to see more information about that and other exports.



Using the Exports Module

Depending on the volume of data, it can take from minutes to a few hours to generate reports. When your report is ready, it will appear in the main Exports Module view. Click on the Exports Icon in the left-hand navigation pane to navigate there.


Exports are shown in a table with seven columns that describe each export. You can sort and filter exports via the column headings and the search bar.

  • Label: auto-generated export ID (which can be changed)
  • Report Label: the name assigned to the report template
  • Type: report format (XLSX, PPTX, etc.)
  • Status: Done, Pending or Failed
  • Created At: export creation timestamp
  • Updated At: last updated time (if applicable)
  • Actions: download or delete options

You can download and delete exports using the icons in the Actions column. Simply click on the icons to perform the action.
