Do you continuously discover internet-facing assets (subdomains, IPs, services, SaaS tenants) automatically?
Demonstrate that the organization maintains automated, continuous discovery processes that identify internet-facing assets without reliance on manual reporting or periodic scans.
Description
What this control does
This control validates the organization's capability to automatically and continuously identify all internet-facing digital assets, including subdomains, IP addresses, open ports and services, cloud service tenants, and shadow IT. The process involves deploying automated asset discovery tools that scan external DNS records, certificate transparency logs, IP ranges, and cloud provider APIs to maintain a real-time inventory of the external attack surface. Continuous discovery is critical because organizations frequently deploy new infrastructure, developers spin up test environments, and acquisitions introduce unknown assets, all of which expand the attack surface without the security team's knowledge.
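As an added illustration (not part of this control text or of any vendor's tool), the Python sketch below shows the core of the discovery loop the paragraph describes: candidate hostnames from constructed certificate-transparency, DNS-zone and cloud-API records are normalized, scoped to the monitored apex domains, and diffed against the known inventory so that only genuinely new assets raise an alert. All domain names, inventory entries and feed records are assumed sample values.

```python
from datetime import datetime, timezone

# Constructed sample data (assumed values, not from the control text):
# apex domains the organization owns, and assets already in the inventory.
MONITORED_APEXES = {"example.com", "example.net"}
KNOWN_ASSETS = {"www.example.com", "api.example.com", "mail.example.net"}

# Constructed discovery feed, in the flattened shape a CT-log watcher,
# a DNS zone export and a cloud provider API query might produce.
SAMPLE_FEED = [
    {"source": "ct-log", "names": ["www.example.com", "staging.example.com"]},
    {"source": "ct-log", "names": ["*.example.com", "API.Example.com."]},
    {"source": "dns-zone", "names": ["old-vpn.example.net."]},
    {"source": "cloud-api", "names": ["unrelated.example.org"]},
]

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so one host is not counted twice."""
    return name.strip().lower().rstrip(".")

def in_scope(host: str) -> bool:
    """True if host is a monitored apex domain or one of its subdomains."""
    return any(host == apex or host.endswith("." + apex) for apex in MONITORED_APEXES)

def discover(feed, known):
    """Return {host: {"sources": set, "first_seen": iso-timestamp}} for in-scope
    hosts not yet in the inventory. Wildcard certificate names are skipped:
    they describe a namespace, not a concrete internet-facing host."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    new = {}
    for record in feed:
        for raw in record["names"]:
            host = normalize(raw)
            if host.startswith("*.") or not in_scope(host) or host in known:
                continue
            entry = new.setdefault(host, {"sources": set(), "first_seen": now})
            entry["sources"].add(record["source"])
    return new

def alerts(new):
    """One alert line per new asset, in a shape a SIEM or ticketing hook can ingest."""
    return [f"NEW_ASSET host={h} sources={','.join(sorted(v['sources']))} "
            f"first_seen={v['first_seen']}" for h, v in sorted(new.items())]

if __name__ == "__main__":
    for line in alerts(discover(SAMPLE_FEED, KNOWN_ASSETS)):
        print(line)
```

Feeding the same records again after the new hosts have been added to the inventory produces no alerts, which is the property an auditor checks when comparing the sample assets in the control's testing procedure against the discovery output.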
Control objective
What auditing this proves
Demonstrate that the organization maintains automated, continuous discovery processes that identify internet-facing assets without reliance on manual reporting or periodic scans.
Associated risks
Risks this control addresses
- Attackers exploit forgotten or unmonitored subdomains and staging environments that lack security controls or contain outdated, vulnerable software
- Shadow IT deployments create unauthorized external entry points that bypass network security monitoring and data loss prevention controls
- Orphaned or decommissioned assets remain accessible on the internet with outdated credentials or unpatched vulnerabilities
- Merger and acquisition activity introduces unknown internet-facing infrastructure that is not incorporated into vulnerability management programs
- Development and test environments with production-like data are exposed without authentication or encryption
- Third-party SaaS integrations and OAuth grants create persistent access channels that are not inventoried or reviewed
- Cloud resource sprawl across multiple accounts and regions creates visibility gaps where compromised resources operate undetected
Testing procedure
How an auditor verifies this control
- Request and review documentation of the automated asset discovery solution(s) deployed, including tool names, versions, and scope configuration
- Obtain configuration exports or screenshots showing the discovery parameters, including target domains, IP ranges, cloud accounts, and certificate transparency log monitoring settings
- Verify the frequency of automated scans by reviewing scan schedules, job logs, or API query timestamps covering the past 90 days
- Select a sample of 10-15 known internet-facing assets across different categories (subdomains, cloud services, third-party integrations) and confirm each appears in the automated discovery inventory
- Request evidence of alert or notification mechanisms triggered when new internet-facing assets are discovered, including sample alerts from the past 30 days
- Interview the security operations team to confirm the workflow for triaging and validating newly discovered assets and review documentation of at least three recent discovery events
- Test discovery coverage by identifying an asset manually (using external reconnaissance techniques) and verifying its presence in the automated inventory within the configured scan interval
- Review integration points between the asset discovery system and vulnerability management, CMDB, or SIEM platforms to confirm discovered assets flow into security monitoring and patching workflows