Mapping the Unknown: Introducing Pius for Organizational Asset Discovery

Pius open-source asset discovery tool terminal output showing CIDR ranges and domains discovered across multiple registries

Asset discovery is an essential part of Praetorian’s service delivery process. When we are engaged to carry out continuous external penetration testing, one key action is to build and maintain a thorough target asset inventory that goes beyond any lists or databases provided by the system owner. Pius is our open-source attack surface mapping tool designed to solve exactly that.

Historically, we’ve used a handful of sources for asset enumeration, including certificate transparency logs, public DNS records, WHOIS records, public filings in SEC’s EDGAR database, and others.

Unfortunately, these techniques have been spread out among several internal tools of varying maturity levels. We’ve always wanted to organize them into a single, extensible, and publicly-releasable tool. Today, we are pleased to achieve this objective by releasing Pius.

Pius is a standalone Go binary that discovers an organization’s external attack surface by querying all five Regional Internet Registries, Certificate Transparency logs, and more than 20 intelligence sources. Findings are annotated with confidence scores to surface ambiguous matches without flooding results with false positives. Multiple output formats support direct integration with port scanners, fingerprinting tools, and credential testers. With a single command, you get comprehensive asset enumeration with minimal noise.

$ pius run --org "Acme Corp" -d acme.com
[cidr] 198.51.100.0/24 (arin)
[cidr] 203.0.113.0/26 (ripe)
[cidr] 192.0.2.128/25 (apnic)
[domain] github.com/acme-corp (github-org)
[domain] github.com/acme-labs (github-org) ⚠ needs-review [confidence:0.40]
[domain] api.acme.com (crt-sh)
[domain] staging.acme.com (crt-sh)
[domain] vpn.acme.com (crt-sh)
[domain] mail.acme.com (crt-sh)
[domain] Acme Holdings Ltd (gleif) ⚠ needs-review [confidence:0.35]
[domain] Acme Industries GmbH (gleif) ⚠ needs-review [confidence:0.35]
[domain] Acme Financial Services (edgar)

You Cannot Secure What You Cannot See

Every penetration test begins with the same question: what are we actually testing? The scope document says “Acme Corp and all subsidiaries.” That phrase carries more complexity than it appears. The corporate network is straightforward enough. But what about the European subsidiary acquired three years ago? The development team in Singapore that spun up their own AWS account? The marketing department’s campaign landing pages hosted on a third-party platform? Each of these represents an attack surface that exists whether or not it appears in an asset inventory.

Security teams face an uncomfortable reality. The assets they know about are often a subset of what attackers can find. Shadow IT proliferates. Cloud instances multiply. Acquisitions bring infrastructure that was never fully cataloged. When penetration testers miss these assets, they deliver an incomplete picture of organizational risk. When attackers find them first, the consequences are far worse.

The reconnaissance phase is supposed to solve this problem. In practice, it often does not.

The Reconnaissance Bottleneck

The reconnaissance playbook is well established. You start with passive collection from public sources, enumerate DNS records and subdomains, query WHOIS databases and certificate transparency logs, and probe discovered hosts to see what is actually live.

The challenge is not knowing what to do. The challenge is doing it comprehensively across a fragmented landscape of data sources.

Consider the tools security professionals currently rely on. Amass correlates data from diverse sources but can take over 20 minutes to enumerate a few hundred subdomains. Subfinder runs faster but is limited to passive collection. Neither tool covers the full data landscape. Over 200 providers now offer subdomain and DNS intelligence through APIs. Amass integrates with 87. Subfinder integrates with 45. Each misses sources the other queries.

Security teams compensate by running multiple tools, merging outputs, and deduplicating results manually. The approach works but does not scale. It requires constant maintenance as APIs change. It leaves gaps when sources are missed or misconfigured. Meanwhile, the attack surface keeps growing.

Comprehensive asset discovery requires pulling from data sources that most tools treat separately or ignore entirely. Three categories are particularly valuable and underutilized: Regional Internet Registry data for IP range discovery, Certificate Transparency logs for subdomain enumeration, and ASN routing data for network mapping. Each addresses a blind spot in traditional reconnaissance workflows.

The Five-Registry Problem

Here is something that many reconnaissance workflows get wrong: the IP address space is not registered with a single authority. A regional Internet registry manages the allocation and registration of Internet number resources within a specific geographic region. There are five of them. ARIN covers North America. RIPE NCC handles Europe, the Middle East, and Central Asia. APNIC manages Asia-Pacific. LACNIC serves Latin America. AFRINIC covers Africa.

A multinational corporation will have allocations registered with multiple authorities, sometimes all five. If you query only ARIN for a multinational company, you miss their European infrastructure in RIPE, their Asia-Pacific presence in APNIC, and any other regional allocations. You are seeing a fraction of their actual footprint.

Working with five registries means working with five different systems. ARIN and RIPE support RDAP, which returns structured JSON. APNIC and AFRINIC provide bulk database downloads in RPSL format. Query parameters, response structures, and organization identifiers all differ. Combining results into a coherent asset list requires normalizing across these incompatible formats.

Correlating results across five registries, normalizing inconsistent data formats, and deduplicating overlapping allocations is tedious manual work. Pius queries all five registries in parallel and normalizes the results automatically. But IP ranges are only part of the picture.
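The normalization step described above, as an added example that is not Pius's own code: ARIN and RIPE answer RDAP queries with an "ip network" JSON object whose range is given as startAddress/endAddress (RFC 9083 field names), while APNIC and AFRINIC bulk dumps carry RPSL inetnum objects whose range is written as "start - end". Both are parsed here into one Allocation record, and the inclusive range is split into aligned CIDR prefixes. The function names, the Allocation type and the two sample records are constructed for this illustration; only the RDAP and RPSL attribute names are real.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"math/bits"
	"net/netip"
	"strings"
)

// Allocation is the common record both registry formats are normalized into (example type).
type Allocation struct {
	Registry string   // which RIR the record came from
	Handle   string   // RDAP "handle" or RPSL "netname"
	Org      string   // organization reference exactly as the registry records it
	CIDRs    []string // the allocation expressed as aligned CIDR prefixes
}

// rdapIPNetwork holds the RFC 9083 "ip network" fields this example reads.
type rdapIPNetwork struct {
	ObjectClassName string `json:"objectClassName"`
	Handle          string `json:"handle"`
	Name            string `json:"name"`
	StartAddress    string `json:"startAddress"`
	EndAddress      string `json:"endAddress"`
}

// Constructed sample records (not real registry data).
const SampleRDAP = `{"objectClassName":"ip network","handle":"NET-198-51-100-0-1","name":"ACME-NET","startAddress":"198.51.100.0","endAddress":"198.51.100.255"}`
const SampleRPSL = "inetnum:      192.0.2.128 - 192.0.2.255\nnetname:      ACME-AP\norg:          ORG-EXAMPLE1-AP\nsource:       APNIC\n"

// ParseRDAP normalizes one RDAP ip-network object as ARIN and RIPE return it.
func ParseRDAP(registry string, raw []byte) (Allocation, error) {
	var n rdapIPNetwork
	if err := json.Unmarshal(raw, &n); err != nil {
		return Allocation{}, err
	}
	if n.ObjectClassName != "ip network" {
		return Allocation{}, fmt.Errorf("unexpected objectClassName %q", n.ObjectClassName)
	}
	cidrs, err := RangeToCIDRs(n.StartAddress, n.EndAddress)
	if err != nil {
		return Allocation{}, err
	}
	return Allocation{Registry: registry, Handle: n.Handle, Org: n.Name, CIDRs: cidrs}, nil
}

// ParseRPSL normalizes one RPSL inetnum object ("key: value" lines) from a bulk dump.
func ParseRPSL(registry string, block string) (Allocation, error) {
	attrs := map[string]string{}
	for _, line := range strings.Split(block, "\n") {
		k, v, ok := strings.Cut(line, ":")
		if !ok {
			continue
		}
		attrs[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	start, end, ok := strings.Cut(attrs["inetnum"], "-")
	if !ok {
		return Allocation{}, fmt.Errorf("missing or malformed inetnum attribute")
	}
	cidrs, err := RangeToCIDRs(strings.TrimSpace(start), strings.TrimSpace(end))
	if err != nil {
		return Allocation{}, err
	}
	return Allocation{Registry: registry, Handle: attrs["netname"], Org: attrs["org"], CIDRs: cidrs}, nil
}

// RangeToCIDRs splits an inclusive IPv4 range into the minimal list of aligned prefixes.
func RangeToCIDRs(startStr, endStr string) ([]string, error) {
	start, err := netip.ParseAddr(startStr)
	if err != nil || !start.Is4() {
		return nil, fmt.Errorf("bad start address %q", startStr)
	}
	end, err := netip.ParseAddr(endStr)
	if err != nil || !end.Is4() {
		return nil, fmt.Errorf("bad end address %q", endStr)
	}
	s4, e4 := start.As4(), end.As4()
	lo, hi := uint64(binary.BigEndian.Uint32(s4[:])), uint64(binary.BigEndian.Uint32(e4[:]))
	if lo > hi {
		return nil, fmt.Errorf("range start %s is after end %s", start, end)
	}
	var out []string
	for cur := lo; cur <= hi; {
		// Shortest prefix that is aligned at cur, then lengthen it until the block fits in the range.
		plen := 32 - bits.TrailingZeros32(uint32(cur))
		for plen < 32 && cur+(uint64(1)<<(32-plen))-1 > hi {
			plen++
		}
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], uint32(cur))
		out = append(out, netip.PrefixFrom(netip.AddrFrom4(b), plen).String())
		cur += uint64(1) << (32 - plen)
	}
	return out, nil
}

func main() {
	a, _ := ParseRDAP("arin", []byte(SampleRDAP))
	b, _ := ParseRPSL("apnic", SampleRPSL)
	for _, alloc := range []Allocation{a, b} {
		fmt.Printf("[cidr] %v (%s) handle=%s org=%s\n", alloc.CIDRs, alloc.Registry, alloc.Handle, alloc.Org)
	}
}
```

The range-to-prefix split matters in practice: RIR allocations are not always CIDR-aligned, so a naive "start/24" conversion silently drops or invents addresses, which is exactly the kind of gap a downstream scanner never notices.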

Certificate Transparency: The Append-Only Record

Certificate Transparency is an open framework that requires Certificate Authorities to publish all issued SSL/TLS certificates into publicly accessible logs. These logs are append-only and immutable by design. Once a certificate is logged, it cannot be removed. Tools like crt.sh provide searchable access to this permanent record.

For reconnaissance, this is remarkably useful. Every subdomain that has ever received a certificate is recorded. Unlike wordlist-based bruteforce enumeration, which only finds subdomains matching its dictionary, Certificate Transparency captures subdomains regardless of naming convention.

The techniques extend beyond simple subdomain discovery. Organization pivoting extracts the Organization field from a certificate and queries for that name across all logged certificates, revealing domains and assets under different top-level domains. Temporal analysis tracks certificate issuance patterns to identify infrastructure changes, new service launches, or decommissioned systems. Multi-level queries uncover deeply nested subdomains that surface-level enumeration would miss.

For defenders, CT logs are a double-edged sword. Every certificate request permanently reveals the hostname it protects. Internal infrastructure names, project codenames, and customer-specific subdomains all become public record. Wildcard certificates and strict naming policies help limit this exposure. For penetration testers, the same transparency provides a rich source of organizational intelligence that cannot be hidden or deleted.

Pius monitors CT logs as part of its discovery pipeline. Combined with registry data, this captures infrastructure that neither source reveals alone.

ASN Enumeration and Network Mapping

An Autonomous System Number identifies a network with a unified routing policy. Organizations with significant infrastructure announce their IP prefixes under their ASN through the Border Gateway Protocol.

ASN data reveals what is actually being routed, not just what is registered. WHOIS records can be outdated or incomplete. Infrastructure acquired through mergers may retain old registration details. ASN announcements reflect current reality. Querying ASN data uncovers IP ranges that standard WHOIS lookups might miss. It also reveals network relationships, upstream providers, and the geographic distribution of announced prefixes.

Pius correlates ASN routing data with WHOIS and DNS findings, validating what is registered against what is actually in use.

Where Pius Fits

Pius automates comprehensive organizational reconnaissance using a three-phase concurrent pipeline:

Phase 0: Independent Discovery

Domain plugins and the ASN-BGP plugin run immediately and concurrently. Certificate transparency, GitHub organization search, GLEIF corporate registry, passive DNS, and reverse WHOIS all execute in parallel without waiting for other phases.

Phase 1: Handle Discovery

The WHOIS plugin queries all five Regional Internet Registries for organization handles. The EDGAR plugin pattern-matches SEC filings for public companies. Discovered handles are grouped by registry and injected into the pipeline.

Phase 2: Handle Resolution

RDAP plugins for ARIN, RIPE, and LACNIC fetch CIDR blocks for each discovered handle. RPSL plugins for APNIC and AFRINIC parse locally-cached registry databases. This phase only runs after Phase 1 completes.

Results are deduplicated, normalized, and annotated with source attribution. The output is a unified asset inventory ready for downstream tools.

Multi-tier caching stores API responses for 24 hours and keeps RPSL registry databases locally, reducing redundant queries on repeated runs. Graceful degradation ensures plugin errors are logged but never fail the pipeline. Partial results are always returned. The tool compiles to a single binary with no runtime dependencies.

The plugin system provides flexibility. Run passive-only discovery when stealth matters. Enable active modules like DNS bruteforce when comprehensive coverage is the priority.

Confidence Scoring: Handling Ambiguity

Organizational names are inconsistent across data sources. ARIN might list “Acme Corporation” while RIPE shows “ACME CORP” and a CT log certificate reads “Acme Holdings LLC.” Are these the same organization? Sometimes yes. Sometimes no. Acquisitions, regional naming conventions, and inconsistent registration practices make automated matching difficult.

Pius addresses this with confidence scoring. Each plugin that resolves names to identifiers annotates its findings with a score based on string similarity and contextual signals.

Score          Interpretation
0.85+          High confidence match
0.65 to 0.84   Likely match
0.35 to 0.64   Needs manual review
Below 0.35     Filtered out

Borderline matches surface with warning flags, letting you cast a wide net without drowning in false positives. This is critical for large organizations where name variations are common and false negatives mean missed attack surface.
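One way such a scorer can be built, as an added example rather than Pius's actual implementation: names are case-folded, punctuation is dropped, and legal-form tokens (Corp, Ltd, GmbH, ...) are stripped, since they carry no identity; the score then combines token-set overlap (Jaccard) with one contextual signal, whether the leading token, usually the brand, matches. The weights 0.8 and 0.2 and the suffix list are illustrative assumptions; the four thresholds are the ones from the table above. Sample organization names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// legalSuffixes are legal-form tokens that say nothing about identity (illustrative list).
var legalSuffixes = map[string]bool{
	"corp": true, "corporation": true, "inc": true, "incorporated": true,
	"llc": true, "ltd": true, "limited": true, "gmbh": true, "plc": true,
	"co": true, "company": true, "ag": true, "sa": true,
}

// Tokens returns the case-folded, punctuation-free, suffix-stripped word list of a name.
func Tokens(name string) []string {
	cleaned := strings.Map(func(r rune) rune {
		if r == '.' || r == ',' || r == '&' || r == '(' || r == ')' {
			return ' '
		}
		return r
	}, strings.ToLower(name))
	var out []string
	for _, w := range strings.Fields(cleaned) {
		if !legalSuffixes[w] {
			out = append(out, w)
		}
	}
	return out
}

// Score rates how likely candidate names the same organization as query, on [0, 1].
// 0.8 * Jaccard(token sets) + 0.2 * (leading token matches). Weights are an assumption.
func Score(query, candidate string) float64 {
	q, c := Tokens(query), Tokens(candidate)
	if len(q) == 0 || len(c) == 0 {
		return 0
	}
	qset, cset := map[string]bool{}, map[string]bool{}
	for _, w := range q {
		qset[w] = true
	}
	inter := 0
	for _, w := range c {
		if cset[w] {
			continue
		}
		cset[w] = true
		if qset[w] {
			inter++
		}
	}
	union := len(qset) + len(cset) - inter
	jaccard := float64(inter) / float64(union)
	lead := 0.0
	if q[0] == c[0] {
		lead = 1
	}
	return 0.8*jaccard + 0.2*lead
}

// Bucket maps a score onto the post's thresholds.
func Bucket(score float64) string {
	switch {
	case score >= 0.85:
		return "high"
	case score >= 0.65:
		return "likely"
	case score >= 0.35:
		return "needs-review"
	default:
		return "filtered"
	}
}

func main() {
	query := "Acme Corp"
	for _, cand := range []string{"ACME CORP", "Acme Holdings Ltd", "Acme Industries GmbH", "Zenith Widgets Inc"} {
		s := Score(query, cand)
		fmt.Printf("%-22s %.2f %s\n", cand, s, Bucket(s))
	}
}
```

Note that the "needs-review" bucket is doing real work here: "Acme Holdings Ltd" and "Acme Industries GmbH" are exactly the subsidiary-or-stranger cases an analyst must decide, while a name sharing no tokens with the query is dropped before it reaches the scanner queue.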

Output Formats for Pipeline Integration

Pius outputs are designed for direct integration with downstream tools:

# Default terminal output for interactive review
pius run --org "Acme" -d acme.com

# JSON for programmatic processing
pius run --org "Acme" -o json > acme-discovery.json

# Newline-delimited JSON for streaming pipelines
pius run --org "Acme" -o ndjson | jq -r 'select(.Type=="cidr") | .Value' | naabu -silent | nerva

The JSON output includes all metadata from source queries, confidence scores, and provenance information. This supports audit trails and allows downstream tooling to make informed decisions about which assets to prioritize.
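A downstream consumer of the NDJSON stream, as an added example that is not part of Pius: it does the same selection as the jq filter above but also uses the metadata, keeping only cidr findings at or above a confidence floor, collapsing allocations nested inside larger ones (the overlap deduplication mentioned in the registry section), and then applying the check from the ASN section, comparing what the registries say is allocated against what the ASN-BGP plugin saw announced. Type and Value are the field names the post's jq filter uses; the Source and Confidence field names, the "asn-bgp" source tag, and all sample lines are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// Finding mirrors one NDJSON line. Type and Value come from the post; Source and
// Confidence are assumed field names for this example.
type Finding struct {
	Type       string  `json:"Type"`
	Value      string  `json:"Value"`
	Source     string  `json:"Source"`
	Confidence float64 `json:"Confidence"`
}

// registrySources are the RIR-backed source tags as they appear in the terminal output.
var registrySources = map[string]bool{"arin": true, "ripe": true, "apnic": true, "lacnic": true, "afrinic": true}

// Constructed sample stream (not real Pius output).
const SampleNDJSON = `
{"Type":"cidr","Value":"198.51.100.0/24","Source":"arin","Confidence":0.95}
{"Type":"cidr","Value":"198.51.100.128/25","Source":"arin","Confidence":0.95}
{"Type":"cidr","Value":"203.0.113.0/26","Source":"ripe","Confidence":0.90}
{"Type":"cidr","Value":"192.0.2.128/25","Source":"apnic","Confidence":0.40}
{"Type":"cidr","Value":"198.51.100.0/24","Source":"asn-bgp","Confidence":0.95}
{"Type":"cidr","Value":"192.0.2.0/24","Source":"asn-bgp","Confidence":0.95}
{"Type":"domain","Value":"api.acme.com","Source":"crt-sh","Confidence":0.95}
`

// Report separates what is safe to hand to a scanner from what still needs a human decision.
type Report struct {
	Registered   []netip.Prefix // deduplicated registry allocations
	Confirmed    []netip.Prefix // announced prefixes covered by an allocation
	Unregistered []netip.Prefix // announced but with no covering allocation: verify ownership first
}

// Consume parses the stream, keeps cidr findings at or above minConfidence, and correlates them.
func Consume(ndjson string, minConfidence float64) (Report, error) {
	var registered, announced []netip.Prefix
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var f Finding
		if err := json.Unmarshal([]byte(line), &f); err != nil {
			return Report{}, fmt.Errorf("bad line %q: %w", line, err)
		}
		if f.Type != "cidr" || f.Confidence < minConfidence {
			continue
		}
		p, err := netip.ParsePrefix(f.Value)
		if err != nil {
			return Report{}, fmt.Errorf("bad cidr %q: %w", f.Value, err)
		}
		p = p.Masked() // canonical network address so containment checks are exact
		switch {
		case registrySources[f.Source]:
			registered = append(registered, p)
		case f.Source == "asn-bgp":
			announced = append(announced, p)
		}
	}
	if err := sc.Err(); err != nil {
		return Report{}, err
	}
	r := Report{Registered: dedupe(registered)}
	for _, a := range announced {
		if covered(a, r.Registered) {
			r.Confirmed = append(r.Confirmed, a)
		} else {
			r.Unregistered = append(r.Unregistered, a)
		}
	}
	return r, nil
}

// dedupe drops exact duplicates and any prefix nested inside a larger one in the same list.
func dedupe(ps []netip.Prefix) []netip.Prefix {
	sort.Slice(ps, func(i, j int) bool { // shorter prefixes first so parents precede children
		if ps[i].Bits() != ps[j].Bits() {
			return ps[i].Bits() < ps[j].Bits()
		}
		return ps[i].Addr().Less(ps[j].Addr())
	})
	var out []netip.Prefix
	for _, p := range ps {
		if !covered(p, out) {
			out = append(out, p)
		}
	}
	return out
}

// covered reports whether masked prefix p lies entirely inside some prefix in set.
func covered(p netip.Prefix, set []netip.Prefix) bool {
	for _, s := range set {
		if s.Bits() <= p.Bits() && s.Contains(p.Addr()) {
			return true
		}
	}
	return false
}

func main() {
	r, err := Consume(SampleNDJSON, 0.65)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("registered:  ", r.Registered)
	fmt.Println("confirmed:   ", r.Confirmed)
	fmt.Println("unregistered:", r.Unregistered)
}
```

An announced prefix with no covering allocation is not automatically in scope: it may be a customer prefix transiting the organization's AS, or a leak. Keeping it in a separate list rather than feeding it straight to the port scanner is how a pipeline preserves the "minimal noise" property the post describes while still recording the lead.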

Practical Applications

Penetration Test Scoping: The scope document says “Company X and all subsidiaries.” Pius transforms that phrase into a complete inventory of CIDR ranges, domains, and subdomains. What previously required hours of manual research across multiple tools and data sources now runs in minutes. The output feeds directly into port scanners and fingerprinting tools, eliminating the gap between scoping and active testing.

Bug Bounty Reconnaissance: Many programs define scope as “anything owned by the company.” The researchers who find vulnerabilities are often the ones who find assets that others overlook. Pius systematically queries sources that manual reconnaissance might skip, surfacing forgotten infrastructure, historical subdomains, and subsidiary assets that expand the searchable attack surface.

M&A Due Diligence: Acquiring a company means inheriting its security posture. Pius performs external, unauthenticated discovery that maps the target’s digital footprint without requiring internal access. Shadow IT, forgotten test environments, and infrastructure from previous acquisitions all surface in the results. This visibility informs risk assessment before the deal closes.

Shadow IT Discovery: Every security team has encountered the alert tied to infrastructure nobody remembers deploying. Orphaned servers, unauthorized cloud instances, and legacy systems accumulate over time. Pius identifies these assets through external reconnaissance, finding what internal inventories miss.

Attack Surface Monitoring: Infrastructure changes constantly. New domains are registered. Subsidiaries are acquired. Development environments go live. Running Pius periodically surfaces these changes, enabling security teams to maintain current visibility rather than discovering gaps reactively.

The Praetorian Offensive Toolkit

Pius joins our growing suite of open-source offensive security tools. Each tool is designed to do one thing well and integrate seamlessly with the others. Pius provides the asset inventory. Nerva identifies what is running. Brutus tests for default credentials on running services. Together they form an offensive security pipeline from initial reconnaissance through exploitation.

Getting Started

Pius is available on GitHub as an open-source project at https://github.com/praetorian-inc/pius. Prebuilt binaries for Linux, macOS, and Windows are on the releases page: https://github.com/praetorian-inc/pius/releases.

Some plugins require API keys for rate-limited or paid services. Pius gracefully degrades when credentials are missing. Plugins without required credentials are skipped with a warning, and the remaining plugins continue execution.

About the Authors

Anushka Virgaonkar

Anushka is a Senior Security Engineer at Praetorian, specializing in Corporate Security and Product Security assessments. She leverages her technical knowledge and analytical skills to help organizations identify and remediate security vulnerabilities, safeguard their systems, and meet regulatory compliance requirements. While at Praetorian, she has conducted comprehensive security assessments across web, mobile, and desktop applications. Her expertise spans external and internal network penetration testing, attack path mapping, and social engineering engagements.
