Exposure Management
Attack Surface
Exposure monitoring watches the parts of your organization that face the public internet. You register the domains, hosts, and URLs you own as monitoring targets; ThreatWeaver verifies you control them, then scans them on a schedule and records what it sees. Every change — a new subdomain, a newly open port, an exposed endpoint, a certificate or DNS shift — becomes an event in the surface feed so nothing about your external footprint changes without you knowing.
What it's for
- Keep an inventory of your external attack surface — the domains, hosts, and URLs you want watched, each verified as yours.
- Get told when it changes — a running feed of new subdomains, opened ports, exposed endpoints, leaked credentials, and DNS or certificate changes.
- Control the watch — how often targets are scanned, how alerts are dispatched, and how findings are classified.
The screens in it
Exposure monitoring is made up of a few connected screens:
- Monitoring Targets — the registry where you add, verify, and manage the things you want watched.
- A target's workspace — a full-page view of everything discovered for one target: DNS, hosts, ports, endpoints, certificates, change history, and more.
- The Surface Feed — the stream of change events across all your verified targets.
- Continuous Monitoring Policy — the workspace-wide settings that govern how monitoring alerts are dispatched.
- Classification Rules — how findings are sorted into operating-system vs application layers and reviewed. (Administrators.)
Monitoring Targets
The Monitoring Targets screen is the registry of everything you're watching. Each row is one target with its verification status, schedule, and last-run result. Managing targets is available to administrators and analysts; other users see a note explaining they don't have the required role.
Toolbar and views
| Control | What it does |
|---|---|
| Search label or value | Filters the list by a target's name or address. |
| Verification filter | Show All verifications, or only Verified, Manual override, Unverified, Failed, or Pending targets. |
| State filter | Show All states, or only Enabled or Disabled targets. |
| Refresh | Reloads the list. |
| CSV / JSON | Export the current filtered list. |
| Bulk import | Add many targets at once from a pasted list or a CSV. |
| Add target | Register a single new target. Disabled when you've reached your target limit. |
A capacity indicator shows N of M targets used, and warns you when the limit is reached. Saved views let you keep a search-and-filter combination — choose Save current, name it, and reload it later from the chips.
The target table
| Column | What it shows |
|---|---|
| Target | The target's name and address, plus who created it, how it was verified, and how many people subscribe to it. |
| Type | Whether it's a single host, a whole domain, or a URL. |
| Env | The environment you tagged it with (production, staging, dev, or other). |
| Verification | Whether ownership is proven (see badges below). |
| Status | Where the target is in its monitoring lifecycle (see badges below). |
| Cadence | How often it's scanned. |
| Last run | When it last ran, and whether that run succeeded. |
| Next due | When the next scan is scheduled, or not scheduled. |
| Actions | Per-row controls (see below). |
Verification badges: Verified, Manual override, Pending, Unverified, or Failed.
Status badges: Awaiting verification, Disabled, Scheduled · first run due, Monitoring (running normally), or Last run failed.
Row actions
Each row offers, left to right: open the full target workspace; run this target now (available once it's verified and enabled); verify ownership; edit its cadence and settings; subscribe / unsubscribe to its events; reissue the verification token (which invalidates the current proof and requires re-verifying); and delete the target (with a confirmation).
Adding and verifying a target
Choosing Add target opens a form:
| Field | What it sets |
|---|---|
| Label | A friendly name for the target. |
| Target type | FQDN (a single host such as api.example.com), Root domain (such as example.com), or URL. |
| Value | The actual address to watch. |
| Environment | production, staging, dev, or other. |
| Cadence | How often to scan — Hourly, 6-hourly, Daily, or Weekly. |
| Include subdomains | (Root domains only.) Also discover and watch subdomains; changes to them appear in the surface feed. |
| Notes | Optional free-text notes. |
Registering a target doesn't start monitoring on its own — you verify ownership first. The Verify step offers up to three methods, depending on your setup: DNS TXT (publish a supplied TXT record), Well-known file (serve a supplied token at a given path), or Manual override (an operator-acknowledged bypass that asks you to provide a justification before it takes effect). After you've published the proof, choose Run check; a verified target moves into the schedule automatically.
To register many targets at once, use Bulk import: paste one target per line (or upload a CSV), preview the parsed rows, and import. Each row succeeds or fails on its own, and the result summary reports how many were created and any that failed.
A target's workspace
Clicking a target's open action takes you to its full workspace — a page devoted to everything discovered for that one target. A title bar shows the address and its verification badge, with Refresh on the right. The workspace is organized into tabs:
| Tab | What it shows |
|---|---|
| Overview | Headline metrics — total and successful runs, success rate, distinct subdomains, open ports, exposed endpoints, observed hosts, DNS records, and DNS coverage — plus the last-run and next-due times. |
| Observed DNS | DNS records discovered from public sources. |
| Authoritative DNS | Provider-confirmed or imported-zone-file records (optional; see below). |
| Hosts / Subdomains | Every host and subdomain observed, with the source that reported each. |
| Ports / Services | Open ports found, both passively and by active probing. |
| Web / Endpoints | Reachable web endpoints, with their response status and content type. |
| Certificates / TLS | Hosts discovered from the target's TLS certificate names. |
| Git / OSINT | Public-intelligence findings — code references, exposed secret references, technology hints, and breached-email matches. |
| Change Feed | This target's own change events, newest first; click one for full details. |
| Run History | Every scan run, with its start time, status, trigger, change count, and any error. |
| Source Health | Per-source health for the latest scan, so you can tell whether an empty section means "nothing there" or "a source was unavailable." |
| Integrations | Connect a DNS provider or import a zone file for authoritative DNS. |
When a data source is skipped or degraded for a scan, the affected sections say so on the Source Health and inventory tabs. An empty section under a degraded source means "we couldn't check," not "there's nothing there."
Authoritative DNS and integrations
Authoritative DNS is optional — the baseline product works entirely from public sources. To see provider-confirmed records, open the Integrations tab and either Add provider (connecting a supported DNS provider such as Cloudflare, Route 53, Azure DNS, Google Cloud DNS, or DigitalOcean DNS with that provider's credentials) or Import zone file (paste a standard zone file). Connected providers show their last sync status and record counts, and can be synced or removed at any time.
The Surface Feed
The Surface Feed is the single stream of change events across all your verified targets — new subdomains, opened ports, exposed endpoints, leaked credentials, and other external-surface signals.
| Control | What it does |
|---|---|
| Severity filter | Show All severities, or only High, Medium, or Low events. |
| Disposition filter | Show All dispositions, or only Open, Acknowledged, Dismissed, or Expected events. |
| Refresh | Reloads the feed. |
| CSV / JSON | Export the current filtered feed. |
| Save current | Save the current filter combination as a named view. |
Each event row shows when it was Detected, its Severity, the kind of change, the Target it came from (with a link to that target's workspace), and a Summary. From the summary you can View details (opens the full event, including its raw payload) and set the event's disposition: Acknowledge it, mark it Expected, Dismiss it, or Reopen it. A disposition badge — Open, Acknowledged, Dismissed, or Expected — records the current state, along with who set it. The feed is paged, with Prev and Next controls.
The Surface Feed covers external attack-surface changes from your monitoring targets. Changes to your imported asset inventory are tracked separately under the inventory-changes area of this module.
Continuous Monitoring Policy
The Continuous Monitoring Policy screen holds the workspace-wide settings that govern how continuous-discovery monitoring dispatches alerts. It applies to every asset in your workspace; individual assets can still be enabled or muted from their own detail view. This screen is available to administrators and analysts.
Controls
| Control | What it does |
|---|---|
| Minimum Severity | Choose HIGH, MEDIUM, or LOW. Only change events at or above this severity are dispatched as alerts — lower-severity events still happen, they're just not alerted on. |
| Quiet Hours toggle | Turns a suppression window on or off. While it's on, alert dispatch is held during the window, but the alert is still written to the audit trail — nothing is silently dropped. |
| Start hour / End hour | (Shown once Quiet Hours is on.) The window's boundaries, each chosen from a 24-hour list. |
| Timezone (IANA) | (Shown once Quiet Hours is on.) The timezone the start and end hours are evaluated in, entered as an IANA name (for example America/New_York or Asia/Kolkata); common timezones are suggested as you type. |
| Re-deliver after quiet hours | (Post-Window Delivery.) When on, alerts suppressed during the window are flushed by the scheduler once it closes, instead of being lost. Only available when Quiet Hours is on. |
| Collapse into a digest | (Post-Window Delivery.) When on, if more than one alert was deferred for the same asset, ThreatWeaver sends one summary instead of one notification per alert. Only available when Re-deliver after quiet hours is also on. |
| Save Changes | Commits your edits. Stays disabled until something has actually changed. |
Classification Rules
(Administrators.) The Classification Rules screen controls how ThreatWeaver sorts each finding into a layer — Operating System, Application, or Unclassified — and how findings that need a human decision are reviewed. Changes are applied in the background; a progress banner reports when a reclassification is running, complete, or failed. The screen has four tabs.
Asset OS Categories
Manage how assets are grouped into operating-system categories (the same groups you filter by elsewhere in the module).
Finding Layers
The rules that decide each finding's layer, evaluated in order.
| Control | What it does |
|---|---|
| New Rule | Create a rule. You give it a Label, choose a Resolver (the kind of signal it looks at), a Target Layer, whether it's Active, and optional Match Conditions (field, operator, value). |
| Dry Run | Preview a rule's impact — how many findings would change, become unclassified, or keep a manual override — without applying it. |
| Reclassify All | Re-run classification across all findings. |
| Order controls | Reorder rules; order decides which rule wins. |
| Edit / Delete | Change a rule, or remove it (deletion asks for a reason and preserves existing manual overrides). |
The rules table shows each rule's Order, Label, Target Layer, Resolver, number of Conditions, and Status (Active or Inactive).
Review Queue
The queue of scanner checks that need an ownership decision — unclassified findings, unresolved conflicts, and cases where the automatic evidence is weak. A row of summary tiles counts what's outstanding (vulnerabilities, scanner checks, families, critical/high, unclassified, conflicts, and more), and a rich set of filters (search, source, family, layer, reason, severity, override status, patch relevance, and sort) narrows the queue.
For any check you can review its Evidence, set an Override to force a layer (with a reason), ask for an AI Suggestion, Clear an existing override, or jump to the matching vulnerabilities. You can also act in bulk — override the checks you've selected, override everything matching the current filters or a whole plugin family, preview AI suggestions across many checks at once, or Bulk Upload overrides from a CSV. Results and exports are available in CSV, Excel, and JSON.
An AI suggestion sometimes recommends no change — when a check looks like it's inventory-only, has weak evidence, or is specific to your environment. In those cases ThreatWeaver keeps the finding in manual review rather than guessing.
Audit Log
A complete, newest-first history of every classification change — rules created, updated, deleted, or reordered; overrides set or cleared; and reclassification runs started, completed, or failed. Filter by event type, expand any entry to see its details, and reveal the raw record when you need it.
Common workflows
Workflow: start watching a new domain
-
On Monitoring Targets, click Add target.
Step 1 — the Add target form -
Enter a Label, choose Root domain as the type, enter the domain, pick an Environment and a Cadence, and — to watch subdomains too — tick Include subdomains. Click Create target.
-
On the new row, choose Verify, follow one of the offered methods (for example publish the supplied DNS TXT record), then click Run check.
Step 3 — verifying ownership with a DNS TXT record -
Once verified, the target moves into the schedule and starts producing events in the Surface Feed. Use run this target now if you don't want to wait for the first scheduled scan.
Workflow: triage a change event
-
Open the Surface Feed.
-
Set the Severity filter to High to focus on the most significant changes.
Step 2 — the feed filtered to high-severity events -
Click View details on an event to see exactly what changed and where.
-
Set a disposition: Ack if you're handling it, Expected if it's a known change, or Dismiss if it's not relevant. Use Reopen later if you need to revisit it.
Workflow: correct a misclassified finding
-
Open Classification Rules and go to the Review Queue.
-
Filter to the check you want to fix, then choose Evidence to see why it was classified the way it was.
Step 2 — a check's classifier evidence in the Review Queue -
Choose Override, pick the correct layer, enter a reason, and confirm. ThreatWeaver queues a reclassification and records the change in the Audit Log.
Workflow: suppress alerts overnight without losing them
- On Continuous Monitoring Policy, set Minimum Severity to the level you want alerted on — for example HIGH, to skip lower-signal noise.
- Turn on Quiet Hours, then set a Start hour, End hour, and Timezone (IANA) that match your team's off-hours.
- Turn on Re-deliver after quiet hours so nothing suppressed overnight is lost — it's held until the window closes, then dispatched.
- (Optional) Turn on Collapse into a digest so a busy night produces one summary per asset instead of a burst of individual alerts.
- Click Save Changes.