AI Agent Skill HUB

implementing-attack-surface-management

Implements external attack surface management (EASM) using Shodan, Censys, and ProjectDiscovery tools (subfinder, httpx, nuclei) for asset discovery, subdomain enumeration, service fingerprinting, and exposure scoring. Includes a weighted risk scoring algorithm based on OWASP attack surface analysis methodology and the Relative Attack Surface Quotient (RSQ). Use when building continuous ASM programs or performing external reconnaissance for security assessments.

4,032 stars
bymukul975
View on GitHubInstallation ↓

Best use case

implementing-attack-surface-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Implements external attack surface management (EASM) using Shodan, Censys, and ProjectDiscovery tools (subfinder, httpx, nuclei) for asset discovery, subdomain enumeration, service fingerprinting, and exposure scoring. Includes a weighted risk scoring algorithm based on OWASP attack surface analysis methodology and the Relative Attack Surface Quotient (RSQ). Use when building continuous ASM programs or performing external reconnaissance for security assessments.

Teams using implementing-attack-surface-management should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-attack-surface-management/SKILL.md --create-dirs "https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/skills/implementing-attack-surface-management/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-attack-surface-management/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-attack-surface-management Compares

Feature / Agentimplementing-attack-surface-managementStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Implements external attack surface management (EASM) using Shodan, Censys, and ProjectDiscovery tools (subfinder, httpx, nuclei) for asset discovery, subdomain enumeration, service fingerprinting, and exposure scoring. Includes a weighted risk scoring algorithm based on OWASP attack surface analysis methodology and the Relative Attack Surface Quotient (RSQ). Use when building continuous ASM programs or performing external reconnaissance for security assessments.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

AI Agent for Product Research

Browse AI agent skills for product research, competitive analysis, customer discovery, and structured product decision support.

Best AI Skills for ChatGPT

Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.

AI Agent for SaaS Idea Validation

Use AI agent skills for SaaS idea validation, market research, customer discovery, competitor analysis, and documenting startup hypotheses.

SKILL.md Source

# Implementing Attack Surface Management

## When to Use

- When building an external attack surface management (EASM) program from scratch
- When performing authorized external reconnaissance for penetration testing engagements
- When continuously monitoring organizational exposure across internet-facing assets
- When scoring and prioritizing external attack surface risks for remediation
- When integrating multiple discovery tools into an automated ASM pipeline

## Prerequisites

- Python 3.8+ with requests, shodan, censys libraries installed
- Shodan API key (free tier provides 100 queries/month)
- Censys API ID and Secret (free tier available)
- ProjectDiscovery tools installed: subfinder, httpx, nuclei
- Go 1.21+ for building ProjectDiscovery tools from source
- Appropriate authorization for all external scanning activities
- Target domains and IP ranges with written scope documentation

## Instructions

### Phase 1: Subdomain Enumeration with Multiple Sources

Use subfinder for passive subdomain discovery leveraging dozens of data sources
including certificate transparency logs, DNS datasets, and search engines.

```bash
# Install ProjectDiscovery tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Basic subdomain enumeration
subfinder -d example.com -o subdomains.txt

# Verbose with all sources and recursive enumeration
subfinder -d example.com -all -recursive -o subdomains_full.txt

# Multi-domain enumeration from file
subfinder -dL domains.txt -o all_subdomains.txt

# Using OWASP Amass for deeper enumeration
amass enum -d example.com -passive -o amass_subdomains.txt

# Merge and deduplicate results
cat subdomains.txt amass_subdomains.txt | sort -u > combined_subdomains.txt
```

### Phase 2: Live Host Discovery and Service Fingerprinting

Probe discovered subdomains to identify live hosts, technologies, and services.

```bash
# HTTP probing with technology detection
cat combined_subdomains.txt | httpx -sc -cl -ct -title -tech-detect \
    -follow-redirects -json -o httpx_results.json

# Detailed service fingerprinting
cat combined_subdomains.txt | httpx -sc -cl -ct -title -tech-detect \
    -favicon -hash sha256 -jarm -cdn -cname \
    -follow-redirects -json -o httpx_detailed.json
```

### Phase 3: Shodan Asset Discovery

Query Shodan for exposed services, open ports, and known vulnerabilities
associated with discovered assets.

```python
import shodan

api = shodan.Shodan("YOUR_SHODAN_API_KEY")

# Search by organization
results = api.search("org:\"Example Corp\"")
for service in results["matches"]:
    print(f"{service['ip_str']}:{service['port']} - {service.get('product', 'unknown')}")
    if service.get("vulns"):
        for cve in service["vulns"]:
            print(f"  CVE: {cve}")

# Search by hostname
results = api.search("hostname:example.com")

# Search by SSL certificate
results = api.search("ssl.cert.subject.cn:example.com")

# Get host details with all services
host = api.host("93.184.216.34")
print(f"IP: {host['ip_str']}")
print(f"Ports: {host['ports']}")
print(f"Vulns: {host.get('vulns', [])}")
```

### Phase 4: Censys Asset Discovery

Use Censys to discover internet-facing assets through certificate and host search.

```python
from censys.search import CensysHosts, CensysCerts

# Host search
hosts = CensysHosts()
query = hosts.search("services.tls.certificates.leaf.subject.common_name: example.com")
for page in query:
    for host in page:
        print(f"IP: {host['ip']}")
        for service in host.get("services", []):
            print(f"  Port: {service['port']} Protocol: {service['transport_protocol']}")
            print(f"  Service: {service.get('service_name', 'unknown')}")

# Certificate transparency search
certs = CensysCerts()
query = certs.search("parsed.names: example.com")
for page in query:
    for cert in page:
        print(f"Fingerprint: {cert['fingerprint_sha256']}")
        print(f"Names: {cert.get('parsed', {}).get('names', [])}")
```

### Phase 5: Vulnerability Scanning with Nuclei

Run targeted vulnerability scans against discovered assets using Nuclei templates.

```bash
# Update nuclei templates
nuclei -ut

# Scan with all templates
cat combined_subdomains.txt | httpx -silent | nuclei -o nuclei_results.txt

# Scan with specific severity
cat combined_subdomains.txt | httpx -silent | \
    nuclei -severity critical,high -o critical_findings.txt

# Scan with specific template categories
cat combined_subdomains.txt | httpx -silent | \
    nuclei -tags cve,misconfig,exposure -o categorized_findings.txt

# Scan for exposed panels and sensitive files
cat combined_subdomains.txt | httpx -silent | \
    nuclei -tags panel,exposure,config -o exposed_panels.txt
```

### Phase 6: Exposure Scoring Algorithm

Score each asset based on OWASP attack surface analysis principles, using
a weighted formula derived from the Relative Attack Surface Quotient (RSQ)
and damage-potential-to-effort ratio.

The scoring algorithm considers:
1. **Open ports and services** - weighted by service risk (management ports score higher)
2. **Known vulnerabilities** - weighted by CVSS score
3. **Technology age** - outdated software increases score
4. **Exposure level** - internet-facing vs. authenticated access
5. **Data sensitivity** - based on service type and content indicators

```python
# Exposure Score = sum of weighted factors, normalized to 0-100
# See agent.py for the full implementation
```

## Examples

```bash
# Run complete ASM pipeline against a target domain
python agent.py \
    --domain example.com \
    --action full_scan \
    --shodan-key YOUR_KEY \
    --censys-id YOUR_ID \
    --censys-secret YOUR_SECRET \
    --output asm_report.json

# Subdomain enumeration only
python agent.py \
    --domain example.com \
    --action enumerate \
    --output subdomains.json

# Exposure scoring on previously discovered assets
python agent.py \
    --domain example.com \
    --action score \
    --input previous_scan.json \
    --output scored_assets.json

# Multi-domain scan from file
python agent.py \
    --domain-list targets.txt \
    --action full_scan \
    --output multi_domain_report.json
```

Related Skills

recovering-from-ransomware-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Executes structured recovery from a ransomware incident following NIST and CISA frameworks, including environment isolation, forensic evidence preservation, clean infrastructure rebuild, prioritized system restoration from verified backups, credential reset, and validation against re-infection. Covers Active Directory recovery, database restoration, and application stack rebuild in dependency order. Activates for requests involving ransomware recovery, post-encryption restoration, or disaster recovery from ransomware.

performing-web-cache-poisoning-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.

performing-web-cache-deception-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.

performing-vlan-hopping-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Simulates VLAN hopping attacks using switch spoofing and double tagging techniques in authorized environments to test VLAN segmentation effectiveness and validate switch port security configurations against Layer 2 bypass attacks.

performing-supply-chain-attack-simulation

4032
from mukul975/Anthropic-Cybersecurity-Skills

Simulate and detect software supply chain attacks including typosquatting detection via Levenshtein distance, dependency confusion testing against private registries, package hash verification with pip, and known vulnerability scanning with pip-audit.

performing-ssl-stripping-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Simulates SSL stripping attacks using sslstrip, Bettercap, and mitmproxy in authorized environments to test HSTS enforcement, certificate validation, and HTTPS upgrade mechanisms that protect users from downgrade attacks on encrypted connections.

performing-ssl-certificate-lifecycle-management

4032
from mukul975/Anthropic-Cybersecurity-Skills

SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading

performing-packet-injection-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Crafts and injects custom network packets using Scapy, hping3, and Nemesis during authorized security assessments to test firewall rules, IDS detection, protocol handling, and network stack resilience against malformed and spoofed traffic.

performing-kerberoasting-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names

performing-jwt-none-algorithm-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header field in JSON Web Tokens.

performing-indicator-lifecycle-management

4032
from mukul975/Anthropic-Cybersecurity-Skills

Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes f

performing-http-parameter-pollution-attack

4032
from mukul975/Anthropic-Cybersecurity-Skills

Execute HTTP Parameter Pollution attacks to bypass input validation, WAF rules, and security controls by injecting duplicate parameters that are processed differently by front-end and back-end systems.