June 30, 2026
TuesdayTool 47: AMASS — Discovering Your Hidden Attack Surface Before Attackers Do

By Oloyede Olajumoke Elizabeth
4 min read
Introduction
In today's cybersecurity landscape, organizations are expanding their digital footprint faster than ever. Cloud migrations, acquisitions, third-party integrations, and rapid application deployments have made it increasingly difficult to maintain an accurate inventory of internet-facing assets. Unfortunately, attackers are well aware of this challenge and often target forgotten or poorly managed assets as their initial entry point.
This is where attack surface discovery becomes indispensable.
One of the most trusted tools for this purpose is OWASP AMASS. Developed under the OWASP Foundation, AMASS has become a go-to solution for security professionals, penetration testers, threat intelligence analysts, and red teams seeking to identify an organization's external assets before adversaries do.
In this edition of #TuesdayTool, we explore OWASP AMASS Version 4, its architecture, capabilities, installation process, practical commands, and how it can significantly improve attack surface visibility.
What is OWASP AMASS?
OWASP AMASS is an open-source attack surface mapping and external asset discovery framework. Rather than relying on a single source of information, it aggregates intelligence from numerous public and private data sources to enumerate an organization's internet-facing infrastructure.
The framework collects information such as:
- Subdomains
- IP addresses
- Autonomous System Numbers (ASNs)
- CIDR ranges
- DNS records
- SSL certificates
- Infrastructure relationships
Unlike many traditional subdomain enumeration tools, AMASS correlates multiple datasets to build a much richer understanding of an organization's digital presence.
This makes it an excellent choice for organizations implementing Continuous Threat Exposure Management (CTEM), Attack Surface Management (ASM), or External Attack Surface Management (EASM).
Why OWASP AMASS Matters
Every organization has assets that security teams are unaware of.
Examples include:
- Forgotten development environments
- Legacy applications
- Abandoned cloud resources
- Temporary testing servers
- Subsidiary domains
- Shadow IT deployments
These assets frequently become attractive targets because they often receive little monitoring or maintenance.
OWASP AMASS helps eliminate these blind spots by discovering assets that traditional asset inventories may overlook.
Key Features
Comprehensive Subdomain Enumeration
AMASS gathers intelligence from numerous sources, combining passive reconnaissance with optional active techniques to identify a broad range of subdomains.
Infrastructure Mapping
Rather than simply listing subdomains, AMASS establishes relationships between:
- Domains
- Nameservers
- IP addresses
- Autonomous Systems
- Netblocks
This contextual information is invaluable during threat investigations.
Passive and Active Reconnaissance
Passive mode queries external intelligence sources without interacting directly with the target infrastructure.
Active mode performs additional DNS resolution and validation, often discovering assets unavailable through passive methods alone.
Data Source Integration
Version 4 supports dozens of intelligence providers, including:
- Certificate Transparency logs
- Search engines
- Public DNS datasets
- Security APIs
- Internet scanning platforms
Organizations can also configure API keys to increase discovery coverage.
Graph Database Support
One of AMASS's strongest capabilities is storing discovered relationships inside a graph database, allowing analysts to visualize attack surfaces over time.
Installing OWASP AMASS v4
The recommended installation method is via Go:
go install github.com/owasp-amass/amass/v4/...@master
Alternatively, precompiled binaries are available for Linux, macOS, and Windows.
After installation, verify the version:
amass -version
Configuring Data Sources
AMASS performs reasonably well out of the box.
However, configuring API keys dramatically improves discovery.
The configuration file allows integration with services such as:
- SecurityTrails
- VirusTotal
- Shodan
- Censys
- GitHub
- BinaryEdge
- WhoisXMLAPI
Adding these credentials increases both the accuracy and coverage of enumeration results.
Basic Enumeration
The simplest command is:
amass enum -d example.com
This instructs AMASS to enumerate subdomains belonging to the specified domain.
Sample output:
www.example.com
mail.example.com
vpn.example.com
api.example.com
dev.example.com
Passive Enumeration
When stealth is important:
amass enum -passive -d example.com
Passive enumeration relies solely on external intelligence sources.
Benefits include:
- Lower detection risk
- Faster execution
- Suitable for reconnaissance
- No direct interaction with target infrastructure
Active Enumeration
For broader discovery:
amass enum -active -d example.com
Active enumeration validates discovered assets through DNS techniques, often identifying additional infrastructure.
Discovering ASN Information
AMASS can also collect Autonomous System information.
amass intel -org "Example Corporation"
This command identifies:
- ASNs
- Netblocks
- CIDR ranges
- Registered infrastructure
This capability is particularly useful during threat intelligence investigations.
Reverse Infrastructure Discovery
Analysts can investigate infrastructure associated with specific IP ranges.
Example:
amass intel -addr 192.0.2.15
This reveals related infrastructure associated with the supplied address.
Visualizing Results
One of the most powerful aspects of AMASS is visualization.
Generate graph files using:
amass viz -dir output/
These visualizations help analysts understand relationships between:
- Domains
- Subdomains
- IP addresses
- ASNs
- Nameservers
This context is extremely valuable when mapping complex enterprise environments.
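To make the relationship mapping described above concrete, here is an added Python example (not code from the OWASP AMASS project or this article's author). It parses relationship lines in the shape amass v4 prints to the terminal, assumed here to be `<name> (<Type>) --> <relation> --> <name> (<Type>)`, into a small graph and answers the questions an analyst asks of such a graph: which addresses a hostname ends up at after CNAME chasing, which hostnames share an address, and which netblock and ASN an address belongs to. The sample lines, relation names and edge directions are constructed for this illustration and use documentation address ranges.

```python
"""Query a relationship graph built from amass-style output lines.

Added illustration for this article, not code from the OWASP AMASS project.
Assumed input shape: one relation per line, "<name> (<Type>) --> <rel> --> <name> (<Type>)".
"""
import re
from collections import defaultdict

# Constructed sample output: RFC 5737 documentation ranges and a reserved ASN (RFC 5398).
SAMPLE_OUTPUT = """\
example.com (FQDN) --> ns_record --> ns1.example.net (FQDN)
www.example.com (FQDN) --> a_record --> 192.0.2.15 (IPAddress)
api.example.com (FQDN) --> a_record --> 192.0.2.15 (IPAddress)
dev.example.com (FQDN) --> a_record --> 198.51.100.7 (IPAddress)
vpn.example.com (FQDN) --> cname_record --> gw.example.net (FQDN)
gw.example.net (FQDN) --> a_record --> 203.0.113.9 (IPAddress)
192.0.2.0/24 (Netblock) --> contains --> 192.0.2.15 (IPAddress)
198.51.100.0/24 (Netblock) --> contains --> 198.51.100.7 (IPAddress)
64496 (ASN) --> announces --> 192.0.2.0/24 (Netblock)
64496 (ASN) --> announces --> 198.51.100.0/24 (Netblock)
"""

# Asset names (hostnames, IPs, CIDRs, AS numbers) contain no whitespace, so \S+ is enough.
LINE_RE = re.compile(
    r"^(?P<src>\S+) \((?P<stype>\w+)\) --> (?P<rel>\w+) --> (?P<dst>\S+) \((?P<dtype>\w+)\)$"
)


def parse_relations(text):
    """Return (src, src_type, relation, dst, dst_type) tuples; banner or progress lines are skipped."""
    edges = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            edges.append((m["src"], m["stype"], m["rel"], m["dst"], m["dtype"]))
    return edges


def build_graph(edges):
    """Forward and reverse adjacency lists plus a name -> asset type map."""
    fwd, rev, types = defaultdict(list), defaultdict(list), {}
    for src, stype, rel, dst, dtype in edges:
        fwd[src].append((rel, dst))
        rev[dst].append((rel, src))
        types[src], types[dtype if False else dst] = stype, dtype
    return fwd, rev, types


def resolve_ips(fwd, name, _seen=None):
    """Follow A/AAAA edges, chasing CNAMEs; the visited set guards against CNAME loops."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    ips = set()
    for rel, dst in fwd.get(name, []):
        if rel in ("a_record", "aaaa_record"):
            ips.add(dst)
        elif rel == "cname_record":
            ips |= resolve_ips(fwd, dst, seen)
    return ips


def netblock_and_asn(rev, ip):
    """Walk IPAddress <- Netblock <- ASN along reverse edges; None when the graph holds no netblock for the IP."""
    for rel, block in rev.get(ip, []):
        if rel == "contains":
            asns = [src for r, src in rev.get(block, []) if r == "announces"]
            return block, (asns[0] if asns else None)
    return None


def shared_addresses(fwd, hostnames):
    """IPs that more than one hostname resolves to: a hint that hosts share a server or load balancer."""
    by_ip = defaultdict(set)
    for h in hostnames:
        for ip in resolve_ips(fwd, h):
            by_ip[ip].add(h)
    return {ip: sorted(hs) for ip, hs in by_ip.items() if len(hs) > 1}


def summarize(text, domain):
    """Per in-scope hostname: each resolved IP mapped to its (netblock, ASN), or None if unmapped."""
    fwd, rev, types = build_graph(parse_relations(text))
    hosts = [n for n, t in types.items() if t == "FQDN" and (n == domain or n.endswith("." + domain))]
    return {h: {ip: netblock_and_asn(rev, ip) for ip in sorted(resolve_ips(fwd, h))} for h in sorted(hosts)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_OUTPUT, "example.com"), indent=2))
    fwd, _, types = build_graph(parse_relations(SAMPLE_OUTPUT))
    print(shared_addresses(fwd, [n for n, t in types.items() if t == "FQDN"]))
```

Run it against a saved terminal log instead of the constructed sample by reading the file into `summarize`. The scope filter on `domain` matters: in the sample, `vpn.example.com` CNAMEs to a host in another zone, which is exactly the kind of third-party dependency the graph view surfaces and a flat subdomain list hides.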
Tracking Changes Over Time
Organizations continuously add and remove assets.
AMASS provides tracking functionality to identify newly discovered infrastructure.
amass track -dir output/
This allows security teams to monitor attack surface growth and identify unexpected changes.
Practical Use Cases
1. External Attack Surface Management
Maintain a current inventory of internet-facing assets.
2. Threat Intelligence
Enrich investigations with infrastructure relationships and ownership information.
3. Penetration Testing
Identify additional targets before beginning assessments.
4. Red Team Operations
Expand reconnaissance beyond publicly documented infrastructure.
5. Blue Team Asset Validation
Compare discovered assets against official inventories to identify unmanaged systems.
Strengths
✔ Excellent discovery coverage
✔ Infrastructure relationship mapping
✔ Graph visualization
✔ Extensive data source integration
✔ Mature open-source ecosystem
✔ Suitable for enterprise environments
Limitations
Despite its strengths, AMASS is not without challenges.
- Configuration can be complex for beginners.
- API integrations require setup effort.
- Large enumerations may take considerable time.
- Some intelligence sources impose rate limits.
- Passive-only mode may miss recently created assets.
Best Practices
To maximize results:
- Configure multiple API keys.
- Run passive enumeration before active scans.
- Validate findings with HTTP probing tools.
- Store historical results for trend analysis.
- Integrate AMASS into continuous attack surface monitoring workflows.
Many practitioners pair AMASS with tools such as DNSx, HTTPX, Naabu, Katana, and Nuclei to build a comprehensive reconnaissance pipeline, from discovery to validation and vulnerability assessment.
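The tracking step described under "Tracking Changes Over Time", the inventory comparison under "Blue Team Asset Validation", and the "store historical results" best practice all come down to set comparisons over enumeration output. The following added Python example (not amass's own `track` implementation and not code from this article) shows that workflow on constructed data: it normalizes hostnames, keeps only names inside the assessed domain, and reports what is new since the previous run, what disappeared, what was discovered but is missing from the official inventory, and what the inventory lists but enumeration never saw. The assumed input is one hostname per line, as written by `amass enum -d example.com -o <file>`.

```python
"""Diff two amass runs against each other and against an official asset inventory.

Added illustration for this article, not amass's own `track` implementation.
Assumed input: one hostname per line, as written with `amass enum -d example.com -o <file>`.
All sample data below is constructed.
"""
import sys

PREVIOUS_RUN = """\
www.example.com
mail.example.com
vpn.example.com
old-portal.example.com
"""

# Mixed case and a trailing dot are deliberate: real output is not always uniform.
CURRENT_RUN = """\
www.example.com
mail.example.com
VPN.example.com.
api.example.com
dev.example.com
cdn.example-static.net
"""

# Constructed CMDB export: what the organization believes it owns.
INVENTORY = """\
# hostname
www.example.com
mail.example.com
vpn.example.com
api.example.com
"""


def load_hosts(text, domain):
    """Normalize (lowercase, strip trailing dot) and keep only names inside the assessed domain."""
    hosts = set()
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if not name or name.startswith("#"):
            continue
        if name == domain or name.endswith("." + domain):
            hosts.add(name)
    return hosts


def compare(previous_text, current_text, inventory_text, domain):
    """Four buckets a defender triages after each scheduled enumeration."""
    prev = load_hosts(previous_text, domain)
    cur = load_hosts(current_text, domain)
    inv = load_hosts(inventory_text, domain)
    return {
        "new": sorted(cur - prev),                # appeared since the last run: triage first
        "removed": sorted(prev - cur),            # no longer resolving or no longer indexed by sources
        "unmanaged": sorted(cur - inv),           # discovered but absent from inventory: shadow IT candidates
        "inventory_not_seen": sorted(inv - cur),  # inventoried but never discovered: stale record or source gap
    }


def format_report(result):
    lines = []
    for key in ("new", "removed", "unmanaged", "inventory_not_seen"):
        lines.append(f"[{key}] {len(result[key])}")
        lines.extend(f"  {h}" for h in result[key])
    return "\n".join(lines)


def main(argv):
    if len(argv) == 5:
        domain, prev_path, cur_path, inv_path = argv[1:]
        with open(prev_path) as p, open(cur_path) as c, open(inv_path) as i:
            result = compare(p.read(), c.read(), i.read(), domain)
    else:  # no files given: run on the constructed samples
        result = compare(PREVIOUS_RUN, CURRENT_RUN, INVENTORY, "example.com")
    print(format_report(result))
    # Non-zero exit when something needs attention lets a cron job or CI stage raise an alert.
    return 1 if result["unmanaged"] or result["new"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 amass_diff.py example.com last_run.txt this_run.txt inventory.txt`. Keeping each run's `-o` file dated gives the history the "store historical results" practice asks for, and the `unmanaged` bucket is the list to hand to asset owners before anyone else finds those hosts.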
Conclusion
Asset discovery is no longer a one-time activity; it is an ongoing security discipline. As organizations grow, so does the complexity of managing their external attack surface.
OWASP AMASS v4 provides defenders with a powerful framework for identifying internet-facing assets, understanding infrastructure relationships, and uncovering forgotten systems before attackers can exploit them.
Whether you are conducting threat intelligence, validating an asset inventory, supporting penetration testing, or implementing an external attack surface management program, AMASS remains one of the most capable open-source tools available.
The more complete your visibility, the stronger your security posture becomes.
References
- OWASP AMASS Documentation
- OWASP Foundation
- Project GitHub Repository
Till I come your way again in the next 2 weeks, Tuesday, #BeCyberSmart
Cyberliza writes TuesdayTool