
Differential Scanning

How Surfbot tracks changes across scans to surface what actually matters.

The Problem with Traditional Scanners

Most vulnerability scanners dump a full list of findings every time they run. If you have 500 assets and 200 findings, you get 200 findings on every scan — even if nothing changed. This creates alert fatigue and makes it nearly impossible to spot the signal in the noise.

How Differential Scanning Works

Surfbot maintains a complete history of every scan. When a new scan completes, the differential engine compares every finding against the previous scan results to produce three categories:

New

Something appeared that wasn't there before:

  • A new subdomain was discovered
  • A new port opened on an existing host
  • A new vulnerability was detected

{
  "change": "new",
  "type": "vulnerability",
  "asset": "staging.example.com",
  "finding": "CVE-2024-1234",
  "severity": "high",
  "first_seen": "2025-01-20T14:00:00Z"
}

Changed

Something was already known but its state changed:

  • A service version was upgraded or downgraded
  • A TLS certificate was renewed or expired
  • A vulnerability severity was reclassified

Removed

Something that was present before is now gone:

  • A subdomain no longer resolves
  • A port was closed
  • A vulnerability was remediated

What We Track

The differential engine tracks changes across every data type:

Data Type         Tracked Changes
Subdomains        New/removed, IP changes, CNAME changes
Ports             Opened/closed, service version changes
Technologies      Framework/CMS version changes
Certificates      Renewals, expirations, issuer changes
Vulnerabilities   New/remediated, severity changes
HTTP Responses    Status code changes, redirect changes
DNS Records       A/AAAA/CNAME/MX record modifications

Notifications

You can configure webhook and email notifications to fire only on specific change types. For example:

  • Alert me when a new high/critical vulnerability is found
  • Alert me when a new subdomain appears
  • Alert me when a certificate is about to expire (< 14 days)
  • Alert me when a port opens that wasn't open before

This turns Surfbot from a periodic scanner into a real-time change detection system.
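The diff-then-notify flow described above (the three change categories from "How Differential Scanning Works" and the change-type rules in this section), as an added Python example that is not Surfbot's own code: the scan contents, the record fields beyond those shown on the page ("before", "after", "last_seen", "seen") and the rule names are constructed assumptions. It goes one step past the page's rule list by also matching a severity reclassified to high/critical, which arrives as a "changed" record rather than a "new" one.

```python
# Constructed sample scans (not Surfbot's real output): each scan is a dict keyed by
# (asset, type, finding) whose value is the state the "changed" category must detect.
PREVIOUS_SCAN = {
    ("www.example.com", "port", "443/tcp"): {"service": "nginx/1.24"},
    ("www.example.com", "vulnerability", "CVE-2024-1234"): {"severity": "medium"},
    ("old.example.com", "subdomain", "old.example.com"): {"ip": "203.0.113.5"},
}
CURRENT_SCAN = {
    ("www.example.com", "port", "443/tcp"): {"service": "nginx/1.26"},
    ("www.example.com", "vulnerability", "CVE-2024-1234"): {"severity": "high"},
    ("staging.example.com", "subdomain", "staging.example.com"): {"ip": "203.0.113.9"},
    ("staging.example.com", "port", "8080/tcp"): {"service": "http"},
}

def diff_scans(previous, current, seen_at):
    """Compare two scans and emit one record per new / removed / changed finding."""
    changes = []
    for key in sorted(current.keys() - previous.keys()):      # appeared this scan
        asset, ftype, finding = key
        changes.append({"change": "new", "type": ftype, "asset": asset,
                        "finding": finding, **current[key], "first_seen": seen_at})
    for key in sorted(previous.keys() - current.keys()):      # gone this scan
        asset, ftype, finding = key
        changes.append({"change": "removed", "type": ftype, "asset": asset,
                        "finding": finding, "last_seen": seen_at})
    for key in sorted(previous.keys() & current.keys()):      # present in both scans
        if previous[key] != current[key]:                      # but the state differs
            asset, ftype, finding = key
            changes.append({"change": "changed", "type": ftype, "asset": asset,
                            "finding": finding, "before": previous[key],
                            "after": current[key], "seen": seen_at})
    return changes

# Notification rules as predicates over a change record; the last one catches a
# severity reclassified upward, which the engine reports as "changed", not "new".
RULES = {
    "new_high_vuln": lambda c: c["change"] == "new" and c["type"] == "vulnerability"
                     and c.get("severity") in ("high", "critical"),
    "new_subdomain": lambda c: c["change"] == "new" and c["type"] == "subdomain",
    "port_opened": lambda c: c["change"] == "new" and c["type"] == "port",
    "severity_raised": lambda c: c["change"] == "changed" and c["type"] == "vulnerability"
                       and c["after"].get("severity") in ("high", "critical"),
}

def alerts_for(changes, rules=RULES):
    """Return (rule name, change) pairs for every change that matches a rule."""
    return [(name, c) for c in changes for name, hit in rules.items() if hit(c)]

if __name__ == "__main__":
    for name, c in alerts_for(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN, "2025-01-20T14:00:00Z")):
        print(name, c)
```

Running the same scan against itself yields no records at all, which is the property that removes the repeated 200 findings from every run.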

Use Cases

Detecting Shadow IT

When someone in your org spins up a new subdomain or cloud instance, Surfbot catches it on the next scan and flags it as a new asset. No manual inventory needed.

Validating Remediation

After your team patches a vulnerability, the next scan will show it as "removed" — confirming the fix worked without manual re-testing.

Change Auditing

Need to know when a service version changed or a new port appeared? The scan history provides a complete audit trail with timestamps.

M&A Due Diligence

When acquiring a company, add their domains and get an immediate baseline. Subsequent scans reveal infrastructure changes during the integration period.
