Top 10 Open Source ASM Software Based on GitHub Stars
Attack surface management tools need four core capabilities: discovering internet-facing assets, prioritizing risks, fixing vulnerabilities, and continuously monitoring your network.
Based on the key features and market presence, we identified the top 10 open source attack surface management (ASM) software:
Market presence of top 10 open source ASM software
Software | Specialization | # of stars on GitHub (k) | Supported languages |
|---|---|---|---|
Internet-scale port scanner | 23 | C | |
Network mapping | 12 | Go, Lua | |
Network mapping | 10 | C, Lua, C++, Shell, Python | |
AWS attack surface mapping | 6 | JavaScript, Python, CSS, HTML | |
aquatone | HTTP-based attack surface management | 6 | Go, HTML, Shell |
openvas-scanner | Vulnerability scanner | 3 | Rust, C |
Subdomain discovery (e.g. port scan, HTTP check) | 3 | Rust, Roff | |
assetfinder | Subdomain discovery | 3 | Go, Shell |
dismap | Network mapping | 2 | Go |
EasyEASM | Network mapping | 0 | Go |
Software is listed based on # of stars on GitHub (k) in descending order. For more, see: External Attack Surface Management (EASM) Tools.
Masscan
Network administrators scan entire IP ranges to identify exposed services. Security teams verify firewall rules across multiple subnets. Penetration testers map networks before detailed reconnaissance.
Masscan examples: See some commands to observe Masscan in action:
- Scan a single IP port: Masscan checks if port 443 (HTTPS) is open at the specified address. Response comes back in seconds.
Masscan verified that port 443 is open at the specified IP address.1
- Multiple port scanning: Users can examine multiple ports or a set of ports on an IP subnet by running the following code at Masscan:
- ./masscan 198.134.112.240/28 -p80,443,25 # Multiple Ports
- ./masscan 198.134.112.240/28 -p1000-9999 #Port Range
Masscan shows the number of hosts discovered (7 in this example) and the open ports on which IP addresses.2
Amass
Amass collects information about an organization’s internet presence through open-source intelligence (OSINT) and active reconnaissance. Security teams use it to discover subdomains, IP addresses, and network relationships that don’t appear in standard scans.
It runs from the command line with the following subcommands:
- amass intel – Discover targets for enumerations (listing all items in a collection)
- amass enum – Perform enumerations and network mapping
- amass viz – Visualize enumeration results
- amass track – Track differences between enumerations
- amass db – Manipulate the Amass graph database
Practical Example
Discovering an organization’s domains:
The amass intel Subcommand collects open source data about a target organization and locates root domain names. It queries databases like WHOIS (which stores information about IP addresses and domain ownership).
Run the command, and Amass returns domain names associated with the organization, IP address ranges, and related infrastructure.
Why Security Teams Use Amass
Organizations don’t always know their complete internet footprint. Acquired companies bring domains. Developers spin up test environments. Shadow IT creates unapproved cloud resources.
Amass maps everything, revealing assets that manual inventories miss.
Nmap
Nmap became the industry standard for network discovery. It’s been around since 1997 and remains the go-to tool for security professionals.
What Nmap Does
- Identify active IP addresses: Distinguish between legitimate services and potential attackers.
- Inventory your network: See live hosts, open ports, and operating systems for each connected device.
- Simulate attacks: Scan your server the way a hacker would to identify vulnerabilities before they do.
Common Nmap Commands
Basic domain scan:
Checks for open ports on the domain scanme.nmap.org (Nmap’s official test server).
SYN scan (stealth scanning):
Performs a “half-open” scan that’s harder for intrusion detection systems to notice.
Check specific port:
Verifies if SSH (port 22) is accessible on your firewall.
Why Nmap Matters
Security audits start with Nmap. Compliance checks require it. Penetration tests depend on it. If you’re securing a network, you’re using Nmap.
Source: Blumira3
Cloudmapper
CloudMapper analyzes Amazon Web Services environments, answering questions that manual console navigation can’t efficiently address.
Questions CloudMapper Answers
- Which resources are publicly accessible? S3 buckets, EC2 instances, RDS databases CloudMapper identifies everything exposed to the internet.
- Which resources communicate internally? Security groups and network ACLs create complex permission matrices. CloudMapper visualizes which services can talk to which.
- Is your architecture resilient to availability zone failures? Multi-AZ deployments matter for uptime. CloudMapper shows single points of failure.
- How complex is your network topology? Accounts with dozens of VPCs across multiple regions become challenging to understand. CloudMapper renders the entire structure visually.
How Security Teams Use It
Engineers verify their infrastructure matches their mental model. Security teams audit configurations before incidents happen. CloudMapper generates reports showing misconfigurations that increase risk.
Practical Benefit: AWS Console shows individual resources. CloudMapper shows relationships between resources revealing security issues that component-level views miss.
Source: Medium4
Findomain
Findomain monitors target domains for new subdomains and sends instant notifications when it discovers changes. The service prevents subdomain takeovers and tracks shadow IT.5
How Findomain Works
- Integrates multiple tools: Runs OWASP Amass, Sublist3r, Assetfinder, and Subfinder simultaneously, combining results from all sources.
- Real-time notifications: New subdomain discovered? Get alerts via Discord, Slack, Telegram, email, or push notifications (Android/iOS/desktop).
- Certificate Transparency logs: Monitors CT logs an internet security standard that records all SSL/TLS certificates issued. When someone requests a certificate for yourcompany-test.example.com, Findomain detects it.
- Installation: They provide ready-to-use binaries for the following systems (all are 64-bit only):
- Linux
- Windows
- MacOS
- Aarch64 (Raspberry Pi)
- NixOS
Real-World Applications
- Subdomain discovery: Security teams locate subdomains connected to the target domain, revealing the complete attack surface.
- Asset inventory: Continuous scanning builds a comprehensive inventory of internet-facing assets. Forgotten staging servers and abandoned test environments appear in the results.
- Automation: Findomain sends data to webhooks, triggering automated responses when new assets appear.
Why This Matters
Subdomain takeovers happen when organizations abandon subdomains but forget to remove DNS records. Attackers claim the subdomain and host malicious content on your domain. Findomain detects new subdomains before attackers exploit them.
Source: BlackHat6
What is attack surface management?
Attack surface management (ASM) identifies, monitors, and controls all internal and external internet-connected assets to mitigate potential attack vectors and vulnerabilities. ASM aims to enhance visibility while lowering risk.
What Counts as Your Attack Surface
- Applications: Web apps, mobile apps, APIs
- Websites: Public sites, internal portals, e-commerce platforms
- Networks: Corporate internet, private networks, cloud networks
- Devices: Laptops, phones, servers, IoT devices
- Cloud infrastructure: Public, private, and hybrid cloud resources
Threat Actors Targeting Your Attack Surface
- Cybercriminals: Individuals or groups exploiting vulnerabilities for financial gain. Activities include identity theft, ransomware deployment, and data exfiltration.
- Nation-state actors: Government-sponsored teams conducting cyber-espionage or attacks to achieve political or military objectives. China, Russia, North Korea, and Iran operate sophisticated cyber programs.
- Insiders: Employees, contractors, or partners with legitimate access who misuse it for personal gain or to harm the organization.
- Hacktivists: Groups driven by social or political motives. They hack systems to promote causes or protest against organizations they oppose.
What to look for when selecting an open source ASM software
Here are a few things to consider while choosing an open source ASM technology.
- Check the tool’s popularity: The amount of GitHub contributors and community members who respond to user questions indicates the popularity of open-source technology. The greater the community, the more support your organization will receive.
- Review the tool’s features: Open source ASM solutions include asset discovery or monitoring. However, if your business intends to utilize the ASM tool for a variety of applications, you should search for a more comprehensive solution. For example, a company seeking network mapping may select a system that includes detailed topology visualization capabilities.
- Evaluate closed-source solutions: Open-source solutions often have restricted or add-on functionality; however, deploying a more personalized solution that provides a greater degree of features (for example, vulnerability management) may be more efficient for your company.
Here’s a list of closed-source ASM software.
Key benefits of open source attack surface management (ASM) software
1. Cost-effectiveness
- Free to use: Most open source ASM tools are free (with an option to upgrade paid versions for more comprehensive features), which is particularly beneficial for startups, small businesses, or organizations with limited budgets.
- No licensing costs: Unlike proprietary software, open source tools eliminate recurring subscription or licensing fees.
2. Transparency
- Full code access: Open source code offers transparent source codes on websites like GitHub, users can inspect the source code to ensure the software does exactly what it claims.
- Auditability: Open source ASM software enables users to audit codebase, components, license conflicts, and security vulnerabilities.
3. No vendor lock-in
- Freedom to switch: Since the software is open source, organizations are not tied to a specific vendor. If they choose to stop using a tool, they can simply move to another solution or integrate multiple tools.
4. Scalability
- Adaptable to cloud and on-premise environments: Many tools support cloud, hybrid, or multi-cloud environments. For example, OpenVAS may be executed on a single server or in a distributed multi-cloud system.
Further reading
- Agentic AI for Cybersecurity: Real-life Use Cases & Examples
- Top 10 Microsegmentation Tools
- Top 14 Intrusion Detection and Prevention Tools
Reference Links
Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE and NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and resources that referenced AIMultiple.
Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.
He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.
Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
Be the first to comment
Your email address will not be published. All fields are required.