EasyEASM
EasyEASM is an open-source, automated External Attack Surface Management (EASM) tool that provides organizations with a simplified, cost-effective way to discover and monitor their internet-facing digital assets.
Created by cybersecurity experts Jason Haddix, Gunnar Andrews, and Olivia Gallucci, the tool was developed to address the complexity and high cost of commercial EASM platforms. It markets itself as a "Zero-Dollar" solution that leverages existing, powerful open-source reconnaissance technologies to deliver high-fidelity visibility into an organization's external footprint.
In the context of cybersecurity, EasyEASM functions as an orchestrator. It automates the chaotic process of running multiple reconnaissance scripts, aggregating their results, and filtering the data to provide security teams with a clear, daily snapshot of what they own on the public internet.
Core Functionality and Architecture
EasyEASM operates by wrapping and chaining together several industry-standard reconnaissance tools into a single, cohesive workflow. It does not reinvent the discovery process; instead, it streamlines the execution of proven tools such as Amass, Subfinder, Chaos, and Notify.
Aggregated Discovery: Instead of relying on a single data source, EasyEASM queries multiple passive data sources (like Certificate Transparency logs, DNS datasets, and search engines) to find every possible subdomain associated with a target organization.
Delta Analysis: A defining feature of EasyEASM is its ability to track changes over time. It stores the state of the attack surface from previous scans and compares it with the current scan. This allows it to identify net new assets—such as a developer spinning up a new staging server overnight—rather than just providing a static list of thousands of domains.
Automated Notification: The tool integrates directly with collaboration platforms. When a new asset is discovered, EasyEASM sends a real-time alert to Slack or Discord. This "Push" notification model ensures that security engineers are immediately aware of attack-surface expansion without having to manually check dashboards.
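The delta and notification steps described above, as an added example that is not EasyEASM's own code: it diffs two inventory snapshots and builds a Slack-style alert body for net-new hosts. It also reports removed hosts and changed fields, which goes beyond the net-new case the text describes. The CSV column names, sample rows, and function names are assumptions made for illustration.

```python
import csv
import io
import json

# Constructed sample inventories (not real EasyEASM output). Column names
# are assumed from the fields this page lists for the CSV register.
PREVIOUS = """host,ip,status,title,server
www.example.com,203.0.113.10,200,Home,nginx
api.example.com,203.0.113.11,401,API,nginx
old.example.com,203.0.113.12,404,Not Found,Apache
"""
CURRENT = """host,ip,status,title,server
WWW.example.com.,203.0.113.10,200,Home,nginx
api.example.com,203.0.113.11,200,API,nginx
staging-login.example.com,203.0.113.40,200,Login Page,Apache
"""

def load(text):
    """Index rows by normalized hostname (case and trailing dot ignored)."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"].strip().lower().rstrip(".")
        if host:
            rows[host] = {**row, "host": host}
    return rows

def delta(previous, current):
    """Return net-new hosts, vanished hosts, and hosts whose state changed."""
    old, new = load(previous), load(current)
    tracked = ("ip", "status", "title", "server")
    changed = {
        h: {f: (old[h][f], new[h][f]) for f in tracked if old[h][f] != new[h][f]}
        for h in old.keys() & new.keys()
    }
    return {
        "new": sorted(new.keys() - old.keys()),
        "gone": sorted(old.keys() - new.keys()),
        "changed": {h: d for h, d in sorted(changed.items()) if d},
    }

def alert_payload(result, current):
    """Build a JSON body with a `text` field for net-new assets, or None if quiet."""
    if not result["new"]:
        return None
    rows = load(current)
    lines = [f"{h} ({rows[h]['ip']}, HTTP {rows[h]['status']}, {rows[h]['title']})"
             for h in result["new"]]
    return json.dumps({"text": "New external assets:\n" + "\n".join(lines)})
```

Normalizing hostnames before the set difference keeps a case or trailing-dot variation between runs from being reported as a new asset.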
Key Features and Capabilities
EasyEASM focuses on the fundamental "Discovery" and "Inventory" phases of the attack surface management lifecycle.
Versatile Scanning Modes
The tool offers two primary modes to suit different operational needs:
Fast Mode (Passive): This mode relies solely on passive data sources (querying APIs and databases). It is extremely fast and poses a low risk of service disruption because it does not send traffic directly to the target infrastructure.
Complete Mode (Active): This mode performs active brute-force enumeration using wordlists. It is more thorough and can find hidden subdomains not listed in public records, though it runs significantly longer.
Asset Inventory Generation
EasyEASM automates the creation of an asset register. It outputs a structured CSV file that serves as a "Risk Register Skeleton." This file includes critical metadata for every discovered asset, including:
Domain and Subdomain names
IP Addresses
HTTP Response Codes (to identify live vs. dead sites)
Page Titles (to quickly identify the function of a site, e.g., "Login Page" or "Test Environment")
Web Server Headers
Tech Stack Fingerprinting
Beyond simple domain listing, the tool attempts to identify the underlying technologies running on the discovered assets. By analyzing HTTP headers and response bodies, it can flag if a site is running specific web servers (like Nginx or Apache) or frameworks, adding a layer of context to the inventory.
Strategic Benefits for Security Teams
Adopting EasyEASM offers specific advantages for organizations with limited budgets or those needing a "sanity check" against their commercial tools.
Cost Efficiency: As an open-source project, it eliminates the licensing fees associated with enterprise EASM vendors, making it accessible for smaller companies or individual researchers.
Simplicity of Deployment: Unlike complex platforms that require weeks of tuning, EasyEASM is designed for "One-Click" deployment. It typically runs from a simple configuration file or a Docker container, consistent with the "Easy" in its name.
Continuous Monitoring: By scheduling the tool to run daily (e.g., via a cron job), organizations establish a continuous monitoring loop. This prevents the "Stale Inventory" problem, where asset lists become outdated weeks after a manual audit.
Frequently Asked Questions
Is EasyEASM a vulnerability scanner? No. EasyEASM is primarily an asset discovery tool. It finds the door (the asset) but does not necessarily check if the lock is broken (the vulnerability). It provides the target list that you would subsequently feed into a vulnerability scanner.
Does EasyEASM require API keys? For optimal performance, yes. While it can run with some default sources, providing API keys for services like Chaos or other DNS datasets significantly increases the number of assets it can find.
Can it detect Shadow IT? Yes. By monitoring for new subdomains that appear outside standard change-management windows, EasyEASM is highly effective at spotting Shadow IT, such as a marketing microsite created without IT approval.
Is it suitable for enterprise use? While powerful, it lacks Role-Based Access Control (RBAC), executive reporting dashboards, and SLA support that are typical of commercial enterprise tools. It is often used by enterprises as a technical validation tool alongside a commercial platform.
How is it different from Amass? Amass is a discovery engine. EasyEASM is a workflow wrapper around Amass (and other tools). EasyEASM handles the scheduling, alerting (Slack/Discord), and simplified output formatting that Amass does not do natively out of the box.
ThreatNG and EasyEASM: A Layered Defense Strategy
ThreatNG complements EasyEASM by serving as the "Intelligence and Assessment Layer" built on top of the "Discovery Layer" provided by open-source tools. While EasyEASM excels at the rapid, automated detection of new subdomains and assets (the "What"), ThreatNG answers the critical business questions regarding risk, ownership, and context (the "So What?" and "Now What?").
Together, they form a robust External Attack Surface Management (EASM) ecosystem. EasyEASM provides the rapid, low-cost tripwire for new asset creation, while ThreatNG provides the deep forensic analysis, risk scoring, and strategic reporting required to govern those assets effectively.
External Discovery: Validating the Signal
EasyEASM is a powerful "aggregator" that generates a raw list of domains and subdomains. ThreatNG ingests this discovery concept and refines it into a managed inventory.
Correlating Passive vs. Active Discovery: EasyEASM relies heavily on passive data sources (like DNS and Certificate logs). ThreatNG complements this with "Seedless Discovery," which identifies business relationships and supply chain connections. If EasyEASM identifies a list of 50 new subdomains, ThreatNG serves as the validator, determining which are active, which are dormant, and which belong to third-party vendors rather than the organization itself.
Expanding the Scope: While EasyEASM focuses on domains, ThreatNG extends discovery to include Exposed Open Cloud Buckets and code repositories. If EasyEASM finds a subdomain named storage-dev.company.com, ThreatNG complements this by scanning the associated cloud provider's infrastructure to determine whether the subdomain is linked to an unsecured S3 bucket, effectively closing the loop between "Domain" and "Data."
External Assessment: From Inventory to Risk
The primary limitation of open-source discovery tools is that they typically provide asset lists without context. ThreatNG fills this gap by performing deep assessments on the assets EasyEASM finds.
Technical Assessment (Technical Resources):
The Workflow: EasyEASM detects a new asset, portal.company.com, and reports it via Slack with a "200 OK" status.
ThreatNG's Role: ThreatNG investigates this asset and performs a technology stack analysis. It indicates that the portal is running an end-of-life CMS version with critical vulnerabilities. It converts EasyEASM's "New Asset" alert into a "Critical Risk" finding.
Business Viability Assessment (Financial & Legal Resources):
The Workflow: EasyEASM identifies a subdomain pointing to a third-party SaaS provider.
ThreatNG's Role: ThreatNG assesses the vendor associated with that connection using Financial and Legal Resources. It determines if that vendor is financially solvent or facing data privacy lawsuits. This adds a layer of "Supply Chain Risk" that the open-source tool cannot see, warning the team that their new asset relies on a shaky partner.
Investigation Modules: Deep Dive Forensics
When EasyEASM triggers an alert for a suspicious new asset, security teams need forensic tools to investigate it without alerting the attacker. ThreatNG’s investigation modules provide this capability.
Sanitized Dark Web Investigation:
The Scenario: EasyEASM finds a staging server, staging-login.company.com, that was accidentally exposed.
ThreatNG Deep Dive: Analysts use ThreatNG’s Sanitized Dark Web module to check if credentials for this specific staging environment are already circulating on underground marketplaces. This confirms whether the exposure identified by EasyEASM has already been exploited by threat actors.
Archived Web Page Investigation:
The Scenario: EasyEASM reports a new asset that returns a "404 Not Found" error.
ThreatNG Deep Dive: ThreatNG’s Archived Web Page module allows the analyst to travel back in time to see what that page hosted yesterday. This might reveal that the 404 page hosted sensitive customer data just hours earlier, turning a "dead link" into a "data breach investigation."
Domain Intelligence and Pivoting:
The Scenario: EasyEASM finds a domain that looks like a phishing site targeting the brand (c0mpany-support.com).
ThreatNG Deep Dive: ThreatNG provides the attribution. Analysts use the Domain Intelligence module to pivot on the registrant's email address, linking the single domain found by EasyEASM to a larger network of 50 other malicious domains owned by the same attacker.
Continuous Monitoring: Managing Drift
EasyEASM excels at "snapshot" monitoring (detecting net-new assets). ThreatNG provides "Drift" monitoring (detecting changes in state).
Security Posture Drift: If an asset discovered by EasyEASM changes its configuration—for example, if a developer accidentally opens Port 22 (SSH) on a previously secure server—ThreatNG’s Continuous Monitoring detects this security regression immediately. This complements EasyEASM’s daily scans by providing real-time alerts on risk, not just existence.
Intelligence Repositories: Threat Context
ThreatNG provides the "Why" behind the "What."
Threat Actor Correlation: If EasyEASM discovers a specific type of VPN concentrator on the perimeter, ThreatNG’s Intelligence Repositories inform the team if that specific VPN technology is currently being targeted by known ransomware groups. This helps prioritize remediation efforts based on the global threat landscape.
Reporting: Strategic Communication
EasyEASM typically outputs raw text or CSV files suitable for engineers. ThreatNG translates this data into executive-level intelligence.
Governance Reporting: ThreatNG aggregates the findings (potentially including those verified from EasyEASM) into compliance reports (GDPR, PCI, NIST). It provides an "Executive Summary" that describes the organization's attack-surface reduction progress, turning raw discovery data into a business metric.
Complementary Solutions: Operational Workflows
ThreatNG and EasyEASM work together to create a mature DevSecOps workflow.
The "Red Team / Blue Team" Dynamic
Cooperation: Teams can use EasyEASM as a "Red Team" tool to simulate how quickly an attacker can find new assets using open-source methods. ThreatNG acts as the "Blue Team" platform, ensuring that every asset the Red Team finds is already known, assessed, and governed. If EasyEASM identifies something ThreatNG missed, it highlights a gap in the enterprise scope; if ThreatNG secures an asset that EasyEASM identifies, it validates the defense.
Vulnerability Management Prioritization
Cooperation: EasyEASM provides the target list. ThreatNG provides the prioritization context. When EasyEASM generates a list of 1,000 subdomains, it is impossible to patch them all at once. ThreatNG filters this list, identifying the "Critical Top 10" that host PII or have open management ports, allowing the vulnerability management team to focus their efforts effectively.
Shadow IT Remediation
Cooperation: EasyEASM detects Shadow IT signals (e.g., a new Heroku app). ThreatNG provides the evidence needed to take action. By using ThreatNG’s investigation modules to capture screenshots and technology fingerprints, security teams have the documentation needed to hold the responsible business unit accountable and enforce governance policies.
Frequently Asked Questions
Why use ThreatNG if EasyEASM is free? EasyEASM is a discovery tool; ThreatNG is a risk management platform. EasyEASM tells you a door exists. ThreatNG tells you if the door is unlocked, who owns the building, if the landlord is bankrupt, and if criminals are selling the key.
Can ThreatNG assess assets found by EasyEASM? Yes. Any asset identified by EasyEASM can be investigated using ThreatNG’s modules (Domain Intelligence, Technology Stack, Cloud Exposure) to determine its true risk profile.
Does ThreatNG replace EasyEASM? Not necessarily. Many advanced security teams use EasyEASM for rapid, lightweight operational monitoring (e.g., hourly cron jobs) while relying on ThreatNG for the deep, regulated, and comprehensive assessment of the entire estate. They act as "Speed" (EasyEASM) and "Depth" (ThreatNG).

