Back to API Docs
Exposure Scanner
POST
/api/v1/exposure/scanScan a domain or IP address for attack surface exposure. Discovers subdomains, open ports, SSL certificates, DNS records, WHOIS data, and known vulnerabilities using 10+ intelligence providers.
Permission
exposure:read
Credits
10 credits per scan
Plans
Starter, Professional, Enterprise
Timeout
Up to 180 seconds
Request Body
{
"target": "example.com",
"target_type": "auto"
}| Field | Type | Description |
|---|---|---|
| target | string | Domain name or IP address to scan (required) |
| target_type | string | "domain", "ip", or "auto" (optional — default: auto-detect) |
Response
{
"risk_score": 42,
"risk_level": "medium",
"target": "example.com",
"target_type": "domain",
"subdomains": [
"www.example.com",
"mail.example.com",
"api.example.com",
"staging.example.com",
"dev.example.com"
],
"open_ports": [
{ "port": 22, "protocol": "tcp", "service": "ssh", "banner": "OpenSSH_8.9p1" },
{ "port": 80, "protocol": "tcp", "service": "http", "banner": "nginx/1.24.0" },
{ "port": 443, "protocol": "tcp", "service": "https", "banner": "nginx/1.24.0" },
{ "port": 8080, "protocol": "tcp", "service": "http-alt", "banner": "Apache Tomcat/9.0.82" }
],
"ssl_certificates": [
{
"subject": "*.example.com",
"issuer": "Let's Encrypt Authority X3",
"valid_from": "2026-01-15T00:00:00Z",
"valid_to": "2026-04-15T00:00:00Z",
"days_remaining": 26,
"key_size": 2048,
"signature_algorithm": "SHA256withRSA",
"san": ["*.example.com", "example.com"]
}
],
"dns_records": {
"a": ["93.184.216.34"],
"aaaa": ["2606:2800:220:1:248:1893:25c8:1946"],
"mx": [{ "priority": 10, "exchange": "mail.example.com" }],
"ns": ["ns1.example.com", "ns2.example.com"],
"txt": ["v=spf1 include:_spf.google.com ~all"]
},
"whois": {
"registrar": "ICANN",
"created_date": "1995-08-14T04:00:00Z",
"expires_date": "2027-08-13T04:00:00Z",
"updated_date": "2024-08-14T07:01:44Z",
"domain_age_days": 11176,
"name_servers": ["ns1.example.com", "ns2.example.com"]
},
"vulnerabilities": [
{
"cve_id": "CVE-2023-44487",
"title": "HTTP/2 Rapid Reset Attack",
"severity": "high",
"cvss_score": 7.5,
"affected_service": "nginx/1.24.0",
"port": 443
}
],
"providers_queried": [
"crtsh", "hackertarget", "ssllabs", "shodan",
"securitytrails", "whoisxml", "censys"
],
"scan_duration_ms": 12847,
"cached": false,
"scanned_at": "2026-03-20T14:23:01Z"
}| Field | Type | Description |
|---|---|---|
| risk_score | number | Overall risk score from 0 (safe) to 100 (critical exposure) |
| risk_level | string | Risk classification: "minimal", "low", "medium", "high", or "critical" |
| target | string | The normalized target that was scanned |
| target_type | string | Resolved target type: "domain" or "ip" |
| subdomains | string[] | Discovered subdomains from certificate transparency and DNS enumeration |
| open_ports | array | Open ports with protocol, service name, and banner information |
| ssl_certificates | array | SSL/TLS certificates with issuer, validity, key size, and SAN entries |
| dns_records | object | DNS records grouped by type (A, AAAA, MX, NS, TXT) |
| whois | object | WHOIS registration data including registrar, dates, and name servers |
| vulnerabilities | array | Known CVEs matched against discovered service versions with CVSS scores |
| providers_queried | string[] | List of intelligence providers that were successfully queried |
| scan_duration_ms | number | Total scan duration in milliseconds |
| cached | boolean | Whether this result was served from cache |
| scanned_at | string | Timestamp of the scan in ISO 8601 format |
Intelligence Providers
Each scan queries multiple intelligence providers to build a comprehensive picture of the target's attack surface. Provider availability may vary; partial results are returned if some providers are unreachable.
| Provider | Data Collected |
|---|---|
| CRT.SH | Certificate Transparency logs — discovers subdomains from issued SSL certificates |
| HackerTarget | DNS lookups, reverse DNS, and host search for subdomain enumeration |
| SSL Labs | SSL/TLS certificate analysis, grading, and configuration assessment |
| Shodan | Open ports, service banners, and device fingerprinting |
| SecurityTrails | Subdomains, DNS history, and associated domains |
| WhoisXML API | WHOIS registration data, registrar info, and domain age |
| Censys | Internet-wide scan data for hosts, certificates, and services |
| VirusTotal | Domain reputation, passive DNS, and known malicious associations |
| AlienVault OTX | Threat intelligence pulses and indicator correlation |
| NIST NVD | CVE vulnerability matching against discovered service versions |
Caching
Results are cached for 24 hours. Subsequent scans of the same target within 24 hours return cached results. The response includes "cached": true when serving from cache.
Cached results still cost credits. To force a fresh scan, wait for the cache to expire.
Code Examples
cURL
curl -X POST https://dfir-lab.ch/api/v1/exposure/scan \
-H "Authorization: Bearer sk-dfir-your-key-here" \
-H "Content-Type: application/json" \
-d '{
"target": "example.com",
"target_type": "auto"
}'Python
import requests
url = "https://dfir-lab.ch/api/v1/exposure/scan"
headers = {
"Authorization": "Bearer sk-dfir-your-key-here",
"Content-Type": "application/json",
}
response = requests.post(
url,
json={"target": "example.com", "target_type": "auto"},
headers=headers,
)
data = response.json()
print(f"Risk score: {data['risk_score']}/100 ({data['risk_level']})")
print(f"Subdomains found: {len(data['subdomains'])}")
print(f"Open ports: {len(data['open_ports'])}")
print(f"Vulnerabilities: {len(data['vulnerabilities'])}")
print(f"Scan duration: {data['scan_duration_ms']}ms")
for vuln in data["vulnerabilities"]:
print(f" [{vuln['severity']}] {vuln['cve_id']}: {vuln['title']}")Important Notes
- Scans can take up to 3 minutes to complete. SSL Labs analysis is the slowest provider — the endpoint streams partial results and waits for all providers before returning.
- Private and internal IP addresses (
10.x.x.x,192.168.x.x,172.16-31.x.x,127.0.0.1) are blocked and will return a400 Bad Request. - Rate limits apply per API key: 3 scans/min (Starter), 10 scans/min (Professional). Enterprise plans have configurable limits.