Discover external assets

Use External Attack Surface Management (EASM) in the Veracode Platform to discover your organization’s external attack surface and identify applications. Veracode helps reduce risk by automatically identifying key assets—such as domains, web applications, APIs, IP addresses, and certificates—and provides a visual representation of discovered issues. EASM scans use domains, FQDNs, URLs, or IP addresses to perform a comprehensive assessment of your environment.

EASM scans use both passive and active crawling to discover known and unknown externally exposed assets. You can choose what to scan and when, based on your priorities or current requirements. EASM scans do not exploit vulnerabilities, submit forms, or perform intrusive actions. The scans simulate the behavior of a standard user browsing a web application.

EASM lets you discover and assess digital assets and touchpoints. These can include everything from integration and data exchange points, such as APIs, to a wide range of web applications. You can choose to scan your organization’s entire digital footprint or target specific locations, business units, or individual assets.

Add items to scan queue

Add IP addresses, IP ranges, domains, FQDNs, or URLs to the scan queue. You can add items manually or upload a CSV file that contains a list of items.

Before you begin:

• You must have a Veracode account with the Project Admin role for EASM.
• The IP address, IP range, domain, FQDN, or URL that you add must not be behind a firewall.

To complete this task:

1. Sign in to the Veracode Platform.

2. Select Scans and Analysis > EASM.

3. Select the Scan icon .

4. In the Items tab, select ADD ITEM.

5. To add items, choose one of the following methods:

   • Add items manually: for the Name field, enter the IP address, IP range, domain, FQDN, or URL. To scan a specific item within the same domain, in the Scan type field, select Static. To scan all assets related to your organization, in the Scan type field, select Deep Discovery. The Deep Discovery scan provides a broader view of your organization's digital footprint.
   • Upload a CSV file: select a CSV file from File Explorer. The file can contain a list of domains, FQDNs, URLs, or IP addresses. Use the provided template to ensure proper formatting. To download the template, in the pop-up window, select Click here to download a example file.

6. Select ADD. The items appear in the Items tab with default attributes. For example, each item is assigned a trust level from 0 to 100. This level indicates how confident EASM is that the asset belongs to your organization. Items that are manually added are automatically assigned a trust level of 100.

Start a scan

Scan your organization's assets using the items in the scan queue. EASM scans are first performed with the default settings. You can customize subsequent scans by changing the scan settings.

Before you begin:

• You must add items to the scan queue.
• You must have a Veracode account with the Project Admin role for EASM.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > EASM.
3. Select the Run icon .
4. Select the scan type from the dropdown menu:
   • Update the current test: updates the existing scan results. It continues the scan from where it left off, using the current work queue. Any changes you’ve made, such as including or excluding items, are applied, and additional data is added to the scan results.
   • New test: starts a new scan using the existing work queue. This option generates an updated set of scan results.
   • New test based on user entries only: clears the existing work queue and starts a new scan using only the items you manually added, such as the main domain. This option generates a completely new set of scan results.
   note

   • In the report, you might see duplicate vulnerabilities if the same component is found in multiple locations within an application.
   • Updating a scan is faster and more efficient as it scans only the modified items in the work queue.
   • Run new scans regularly to identify unknown assets and track remediation progress.
   • Use the New test based on user entries only option if scan results include too many false positives (which is rare), the wrong starting domain was used, or your organization scans infrequently, such as a one-time annual scan.
   • To permanently remove all work queue items and scan data, submit a support request to Veracode Technical Support.
5. Select LAUNCH SCAN.

Monitor the scan progress

The Jobs module serves as an activity log and task monitoring center. Use it to track active tasks, investigate failures, and review all current and previously executed jobs. It provides visibility into automated and background processes across the platform.

You can update scan work queue items while a scan is in progress.

Before you begin:

• You must have a Veracode account with the Project Admin role for EASM.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > EASM.
3. Select the Jobs icon .

When the status of the scan is Completed, you can review the scan items.

View and filter scan status

Each scan appears in a tabular view that displays detailed metadata, diagnostics, status, duration, and, if applicable, the reason for failure. You can view whether a scan is complete, pending, or failed. You can also sort or filter jobs using the column headings or the search bar by job type, status, or other parameters.

The following table describes each column.

Column	Description
Job Type	Specifies the type of task that was run. - tra: Discovery scan - tre: Export - trc: Comparison
Created at	Shows the timestamp when the job was triggered.
Status	Displays the current state of the job. Possible values: Pending, Executing, Failed, Completed, Aborted, Abort Requested.
Exited at	Shows the timestamp when the job completed or was stopped.
Failure exit code	Displays the numeric error code for a failed job, if applicable.
Failure exit description	Provides a human-readable explanation of the failure reason, if applicable.
Duration	Shows how long the job took to complete.
Abort requested at	Indicates when a user manually requested to terminate the job, if applicable.
Args	Lists the parameters passed to the job during execution.

Troubleshoot failed jobs

If a job fails, the following fields are key for diagnosing the issue:

• Failure exit code: use this code to identify known errors. E.g., 1002, 503.
• Failure exit description: provides context for troubleshooting and support teams. E.g., DNS resolution failed, File export path not found.
• Args: shows the parameters passed when the job was executed. Useful for reproducing or understanding edge-case scenarios.

Share these values with the support or engineering team to help resolve recurring issues efficiently.

Review scan items

After a scan completes, review the results in the Items tab of the scan module. A sortable, filterable table lists all discovered items as your new work queue.

Before you begin:

• You must have a Veracode account with the Project Admin role for EASM.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > EASM.
3. Select the Scan icon.
4. In the Items tab, review the items in the table.
5. To view the trust score of an item, locate it in the table. In the Trust column, view the assigned score, which ranges from 1 to 100. The trust score indicates Veracode's confidence that the item belongs to your organization. Manually added items have a trust score of 100.
6. Review the items to ensure that all discovered items are associated with your organization. Items with a trust score above 50 are automatically included in scan results, and items with a trust score of 50 or lower are excluded. Use sort and filter to review items with a trust score above 50. Toggle off any items that don’t belong to your organization. Then, check items below 50 and toggle on those that belong to your organization. Update scans as needed.
7. To permanently remove items that are not needed, in the Actions column of the table, select delete icon . However, the items may reappear in the work queue if they are rediscovered in future scans.
8. To manually override the inclusion of an item in the scan results, locate it in the table. In the Use column, toggle the switch. After making manual overrides, update the current test. To view insights from the scan results, go to the Dashboard.

View and filter scan results

You can sort and filter items, or use the search bar to filter by name, type, or finding category.

The following table describes each column.

Column	Description
Name	The identifier of the discovered asset, such as a domain name or IP address.
Type	The classification of the item, such as a domain or IP address.
Finding from	The seed item from which the discovery was made.
Finding from type	The method used to discover the item.
Finding from details	The evidence or reasoning behind the discovery.
Scan Mode	The method used for the scan (Static or Deep Discovery).
Created at	The date and time when the discovery started.
Updated at	The date and time the item was last updated.
Status	The current state of the item. Possible values: Done, In Progress, Pending, or Ignored.
Status detail	Real-time updates on discovery or scan results.
Trust	The confidence level that the asset belongs to the organization. Items below 50% are excluded by default.
Use	Toggle to include or exclude the item from the current scan run.
Domain	The domain name of the asset.
Duration	The time it took to discover the item.
Comments	A field to add notes or justifications for specific items.
Actions	Option to remove the item from the scan list.

Stop a scan

A user may choose to stop a scan for several reasons, including typographical errors and incorrect domain entries. In some cases, the scan may return a high number of false positives, such as domains that are no longer in scope. This can happen when an organization divests a subsidiary but hasn't updated DNS records or related configurations.

Before you begin:

• You must have a Veracode account with the Project Admin role for EASM.
• The status of the scan must be Pending or In Progress.

To complete this task:

1. Sign in to the Veracode Platform.
2. Select Scans and Analysis > EASM.
3. Select the Jobs icon .
4. To stop a scan that is in the Pending status, select the pause icon , then select ABORT.

Best practices

The ideal scan cadence depends on your organization’s size, risk profile, and how often you remediate issues. Run scans regularly to detect new or changed assets, identify misconfigurations, and monitor remediation progress.

The following table provides best practice recommendations.

Risk level	Recommended scan frequency
High risk (e.g., financial services, healthcare, technology companies, or environments with frequent changes)	Run a full scan monthly. Run targeted scans daily or weekly for critical areas.
Moderate risk (most medium-sized organizations)	Run a full scan monthly.
Low risk (small, stable organizations with minimal internet-facing assets)	Run a scan every one to three months.