Discover external assets

Use External Attack Surface Management (EASM) in the Veracode Platform to discover your organization’s attack surface and identify applications. Veracode helps reduce risk by automatically identifying key assets—such as domains, web applications, APIs, IP addresses, and certificates—and provides a visual representation of discovered issues. You can use the reports to quickly address vulnerabilities and strengthen your overall cybersecurity posture. EASM scans use domains, FQDNs, URLs, or IP addresses to perform a comprehensive assessment of your environment.

Add items to scan queue

Add IP addresses, IP ranges, domains, FQDNs, or URLs to the scan queue. You can add items manually or upload a CSV file that contains a list of items.

Before you begin:

  • You must have a Veracode account with the Security Lead role.
  • The IP address, IP range, domain, FQDN, or URL that you add must not be behind a firewall.

To complete this task:

  1. Sign in to the Veracode Platform.

  2. Select Scans and Analysis > EASM.

  3. Select the scan icon.

  4. In the Items tab, select ADD ITEM.

  5. To add items, choose one of the following methods:

    • Add items manually: for the Name field, enter the IP address, IP range, domain, FQDN, or URL. To scan a specific item within the same domain, in the Scan type field, select Static. To scan all assets related to your organization, in the Scan type field, select Deep Discovery. The deep discovery scan provides a broader view of your organization's digital footprint.
    • Upload a CSV file: select a CSV file from File Explorer. The file can contain a list of domains, FQDNs, URLs, or IP addresses. Use the provided template to ensure proper formatting. To download the template, in the pop-up window, select Click here to download a example file.
  6. Select ADD.
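
A pre-upload check for the item types listed above, as an added example that is not part of the Veracode documentation or tooling: it classifies each queue entry and rejects addresses that are not publicly routable, which an external scan cannot reach. It assumes IP ranges are written in CIDR notation and treats domains and FQDNs alike as hostnames; the function names and sample entries are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label, no edge hyphens
# Constructed sample queue; none of these values come from the documentation.
SAMPLE = ["example.com", "EXAMPLE.com", "https://app.example.com/login",
          "10.20.0.0/16", "http://192.168.1.10/admin", "not a host"]

def _is_hostname(value):
    labels = value.rstrip(".").lower().split(".")
    return (len(value) <= 253 and len(labels) >= 2 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels))

def classify_item(raw):
    """Return (kind, reason). Assumes IP ranges are given as CIDR blocks."""
    item = raw.strip()
    try:
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        net = None
    if net is not None:
        # Private, loopback and link-local space is unreachable from outside.
        if net.is_private or net.is_loopback or net.is_link_local or net.is_multicast:
            return "rejected", "not publicly routable"
        return ("ip_range" if "/" in item else "ip"), "ok"
    if "://" in item:
        try:
            parts = urlsplit(item)
        except ValueError:
            return "rejected", "malformed URL"
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "rejected", "unsupported URL"
        kind, reason = classify_item(parts.hostname)
        return ("url", "ok") if kind in ("ip", "hostname") else ("rejected", reason)
    if _is_hostname(item):
        return "hostname", "ok"
    return "rejected", "unrecognised format"

def triage(entries):
    """Split entries into accepted {item: kind} and rejected {item: reason}."""
    accepted, rejected = {}, {}
    for item in (entry.strip() for entry in entries):
        kind, reason = classify_item(item)
        if kind == "rejected":
            rejected[item] = reason
        else:  # lower-casing hostnames collapses case-only duplicates
            accepted[item.lower() if kind == "hostname" else item] = kind
    return accepted, rejected
```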

Start a scan

Scan your organization's assets using the items in the scan queue.

Before you begin:

  • You must add items to the scan queue.
  • You must have a Veracode account with the Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > EASM.
  3. Select the run icon.
  4. Select the scan type from the dropdown menu:
    • Update the current test: updates the current test results with any new findings.
    • New test: starts a new scan and generates a fresh set of test results.
    • New test based on user entries only: scans only the items that you've manually added.
  5. Select LAUNCH SCAN.

Monitor the scan progress

You can monitor the status of EASM scans in the Veracode Platform.

Before you begin:

  • You must have a Veracode account with the Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > EASM.
  3. Select the jobs icon. The list of scans is displayed in a table. The table includes the status, duration, and, if applicable, the reason for scan failure. From this page, you can view the completion status of each scan, including whether a scan has failed or is in a pending state.
  4. To stop a scan that is in the Pending status, select the pause icon, then select Abort.

When the status of the scan is Completed, you can review the scan items.

Review scan items

You can review the scan items after the scan is completed.

Before you begin:

  • You must have a Veracode account with the Security Lead role.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > EASM.
  3. Select the scan icon.
  4. In the Items tab, review the items in the table.
  5. To view the trust score of an item, locate it in the table. In the Trust column, view the assigned score, which ranges from 1 to 100. The trust score indicates Veracode's confidence that the item belongs to your organization. Manually added items have a trust score of 100. Review the list to ensure that all discovered items are associated with your organization. Items with a trust score above 50 are automatically included in scan results; items with a trust score of 50 or lower are excluded.
  6. To manually override the inclusion of an item in the scan results, locate it in the table. In the Use column, toggle the switch. After making manual overrides, update the current test.

Review scan results

To view insights from the scan results, go to the dashboard. You must have a Veracode account with the Reviewer role.

Export scan results

Exports include archived reports generated by the dashboard and jobs section. You can search for, download, and delete reports.

Before you begin:

  • You must have a Veracode account with the Admin role to search for, download, and delete reports.

Export reports

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > EASM.
  3. Select the dashboard icon.
  4. Select CREATE A NEW EXPORT.
  5. Locate the required report template and in the Actions column, select the export icon. To view the status of the report, select the reports icon.

Download reports

You can download the report after it is generated.

Before you begin:

  • The report must be generated. To view the status of the report, select the reports icon.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > EASM.
  3. Select the export icon.
  4. To download the report, select the export icon. Locate the report in the table, and in the Actions column, select the download icon.

Delete reports

You can delete the reports from the export table.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. Select Scans and Analysis > EASM.
  3. Select the export icon.
  4. Locate the report that you want to delete, and in the Actions column, select the delete icon.