Getting Started with Escape's Attack-Surface Management (ASM)
Escape ASM gives security teams a single source of truth for every external *and internal* Asset in their Code-to-Cloud estate. With just a primary domain (and, optionally, read-only cloud or code integrations), it performs agent-less, non-intrusive discovery and then immediately runs a surface-level security test against each asset it finds.
Why it matters: you don’t just know what you have; you get an instant first-pass assessment of its exposure.
The resulting ASM appears in five filterable, sortable, searchable tables that let you zero in on the riskiest hosts, APIs, and web apps in seconds.
ASM + DAST: Coverage Meets Depth
Escape is the first platform where ASM and DAST work in native symbiosis:
| Layer | What it delivers | How they interact |
|---|---|---|
| ASM (Coverage) | Discovery + Surface Security Testing of every asset—internal or external | Feeds a continuously updated asset list (with basic risk signals) into… |
| DAST (Depth) | Deep, business-logic testing with authenticated flows, fuzzing, and complex attack simulations | …so security teams can target the most critical or high-value assets first, without wasting crawl time on unknowns. |
Think of ASM as your radar and DAST as your guided missile: together they ensure maximum breadth and depth of protection.
How It Works
- Input – Supply a domain such as `example.com` and any optional read-only integrations.
- Discovery – Escape combines open-source reconnaissance, proprietary AI, and integration data to enumerate external and internal assets.
- Surface Security Testing – For every discovered asset, ASM runs lightweight checks (open-port audit, headers, TLS hygiene, unauthenticated endpoint probes, etc.) to flag obvious misconfigurations or exposures.
- Deep Testing (Optional) – Select any asset (or the whole ASM) to queue for DAST, which performs stateful, business-logic testing.
- Output & Automation – Findings flow to your SIEM, ticketing, or chat tool via “Finding Destination Integrations” for rapid triage and remediation.
Discovery Approach: Integration-Based, Not Traffic Monitoring
Escape ASM uses an integration-based discovery model rather than live traffic monitoring. This means ASM does not deploy agents (such as eBPF) to capture and analyze production traffic. Instead, it discovers APIs and services through non-invasive methods that avoid operational overhead and privacy concerns.
Discovery methods:
- Infrastructure integrations – Direct integration with cloud providers, orchestration platforms, and service registries
- Network scanning – Active scanning to identify exposed services, open ports, and API endpoints
- Application crawling – Analyzing responses, following links, and mapping accessible endpoints
- Code and schema analysis – Parsing OpenAPI specifications, Swagger documentation, and introspection endpoints
- Reconnaissance techniques – DNS enumeration, certificate transparency logs, and public data sources
Advantages of this approach:
| Benefit | Description |
|---|---|
| Zero runtime impact | No performance overhead or latency added to production applications |
| No infrastructure | No agents to deploy, maintain, or scale with traffic volume |
| Simple deployment | Integration via API, configuration files, or network scanning |
| Privacy by design | No interception or processing of live user traffic or sensitive request data |
| Independent scaling | Discovery performance unaffected by application traffic patterns |
| No privileged access | Does not require kernel-level or privileged access to production systems |
| Reliable operations | Discovery issues cannot impact application availability or uptime |
Discovery coverage:
ASM can identify that services and APIs exist through infrastructure integrations and network scanning. Complete endpoint mapping—including all available routes, methods, and parameters—is achieved through additional techniques such as:
- Exposing OpenAPI or Swagger specifications at standard paths
- Enabling schema introspection for GraphQL endpoints
- Configuring authentication for ASM to crawl protected endpoints
- Integrating with CI/CD pipelines to provide schema definitions
This approach ensures comprehensive attack surface visibility without the deployment complexity, performance degradation, or privacy risks associated with traffic capture solutions.
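As an added illustration of the schema-based endpoint mapping described above (not Escape's code or output), this Python example builds a route, method, and parameter inventory from an OpenAPI 3 document and flags operations that allow anonymous access. The spec is a constructed sample, `inventory` and `unauthenticated` are hypothetical helper names, and `$ref` parameters are skipped rather than resolved.

```python
import json

# Constructed OpenAPI 3 document (sample input, not from any real service).
SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed sample)", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders": {
      "get": {"parameters": [{"name": "limit", "in": "query"}]},
      "post": {}
    },
    "/orders/{id}": {
      "parameters": [{"name": "id", "in": "path"}],
      "get": {},
      "delete": {"security": [{"bearerAuth": ["admin"]}]}
    },
    "/health": {"get": {"security": []}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def inventory(spec):
    """Return one row per operation: method, path, parameters, auth required."""
    default_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])        # path-level parameters
        for method, op in item.items():
            if method not in HTTP_METHODS:          # skip "parameters", "summary", ...
                continue
            declared = [p for p in shared + op.get("parameters", []) if "$ref" not in p]
            params = sorted((p["in"], p["name"]) for p in declared)
            # Operation-level "security" overrides the document default; an empty
            # list, or a list containing {}, means anonymous access is allowed.
            security = op.get("security", default_security)
            authenticated = bool(security) and all(req for req in security)
            rows.append({"method": method.upper(), "path": path,
                         "params": params, "auth": authenticated})
    return sorted(rows, key=lambda r: (r["path"], r["method"]))

def unauthenticated(spec):
    """Operations reachable without credentials: first candidates for review."""
    return [f'{r["method"]} {r["path"]}' for r in inventory(spec) if not r["auth"]]

if __name__ == "__main__":
    print("no auth:", unauthenticated(SPEC))
```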
Supported Application Assets
| Category | Description | ASM Surface Tests | DAST Deep Tests |
|---|---|---|---|
| Hosts | DNS records, IPv4, IPv6 | Port scan, banner grab, TLS config, common CVEs | Authenticated service abuse, protocol fuzzing |
| API Services | REST, GraphQL, gRPC, WebSocket, SOAP | Endpoint enumeration, schema diff, OWASP top-10 lite | Auth-aware fuzzing, business-logic abuse, BOLA, IDOR |
| Web Apps | MPAs, SPAs, front-end deployments | Tech fingerprint, security headers, basic crawl | Session-handling, CSRF, privilege escalation |
| Work in progress: Repositories | Git projects linked via SCM | Ownership mapping, secret-scan preview | Full code/CI pipeline scanning (future roadmap) |
Fingerprinted Asset Characteristics
- Reachability – External (region-aware) or internal
- Status – Monitored, Out of Scope, False Positive, Deprecated
- Environment – Production, Staging, Development
- Technology Stack – Frameworks & runtimes
- Cloud Hosting – AWS, Azure, GCP, OVH, Akamai, etc.
- Edge / Firewall – Cloudflare, AWS ELB, Azure WAF, etc.
- Authentication Method – Keycloak, Auth0, API Key, etc.
- Code Owners – Pulled from connected SCM to speed assignment
- …and dozens of additional metadata points that power search, filtering, and risk scoring.
ASM Scanners
Escape ASM operates as a collection of specialized scanners, each designed to discover, validate, and monitor specific asset types across your environment. This approach ensures comprehensive coverage while maintaining performance and scalability. Here's how the ASM execution process works:
1. Asset Input and Validation
Each ASM scanner processes a single asset, either manually created or discovered automatically during the initial discovery phase. Upon receiving the asset, the scanner first performs a validation step. This validation checks the asset's status, reachability, and basic configurations, ensuring that the asset is legitimate and operational.
2. Asset Fingerprinting
Once an asset is validated, the scanner fingerprints metadata such as its environment, technology stack, cloud hosting, and authentication methods. This fingerprinting phase ensures that each asset is uniquely identified and categorized, which is critical for subsequent analysis and monitoring.
3. Asset Discovery and Exploration
Following validation and fingerprinting, the scanner enters the discovery phase, exploring the asset's connections and dependencies. This phase identifies related assets across the environment. For example, discovering a web application may reveal associated API services, databases, or other interconnected components. This cascading discovery ensures the full scope of the attack surface is mapped, including assets that were not initially visible.
ASM Execution
Once an asset is discovered, Escape ASM handles it differently depending on whether it is new or existing:
- New assets are scanned immediately to map the organization’s attack surface and identify any immediate risks. The scan also triggers the discovery of related or dependent assets, creating a cascading exploration across the environment.
- Existing assets are scanned periodically at random intervals each week. These re-scans detect misconfigurations and environmental changes, deprecate legacy assets, and identify any new assets in the organization. This ensures that the attack surface remains continuously updated.
Discover Internet-exposed Applications
Start with a Single Domain Name
The primary input required is your company's Domain name. This domain represents the minimal scope of discovery for the ASM process.
Escape employs advanced subdomain enumeration techniques combined with intelligent brute-force methods and crawling (including API Discovery from Frontend Code) to visit and inspect a comprehensive range of URLs. Each URL undergoes thorough fingerprinting analysis.
Escape utilizes AI-powered fingerprinting to identify and classify Assets by analyzing various characteristics, including structure, endpoints, and response patterns. This AI-based approach enables high-accuracy detection and categorization of various Asset Types, even for unique or non-standard configurations.
Add Additional Domains and Subdomains
While Escape requires only a single domain name as minimal input, you can use the Bulk Edit feature to add multiple Domains and Subdomains to your Exploration Scope.
Scanning Internal Networks
Escape supports Private Locations—lightweight connectors that create a secure reverse SOCKS5 tunnel from your on-prem or VPC environment to Escape’s cloud.
Deploying a Private Location lets the ASM detect and fingerprint internal Assets that sit behind firewalls or VPNs, using the same mechanism available for Internal Application testing in Escape DAST.
For setup instructions, see the Private Location Documentation.