Your First Scan
A step-by-step walkthrough of adding a domain and running your first Surfbot scan.
Before You Start
You'll need:
- A Surfbot account (sign up free)
- A domain you own (business email for instant verification, or DNS/HTTP access for manual verification)
Step 1: Add Your Domain
From the Surfbot dashboard, click Add Domain in the top navigation.
Enter your root domain — for example, yourcompany.com. Surfbot will automatically discover and scan all subdomains under this root.
Tip: Start with your primary domain. You can add more later.
Step 2: Verify Ownership
If you registered with a business email address at your domain, your domain is already verified. Skip to Step 3.
If you used a generic email, choose your verification method. DNS TXT is the fastest for most users:
- Copy the verification token from the modal
- Add a TXT record at _surfbot-verify.yourcompany.com with the token value
- Click Verify
See Domain Verification for detailed instructions on both methods.
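Before clicking Verify, it helps to confirm the TXT record has actually propagated. The helper below is an added example, not part of the Surfbot docs or product: it assumes `dig` is installed, that the record name is `_surfbot-verify.<your domain>` as described above, and that the verifier looks for an exact match of the token value (the real matching rule is not documented here).

```shell
#!/bin/sh
# Pre-flight check for the DNS TXT verification step.
# Assumption (not from the Surfbot docs): the verifier expects a TXT record
# whose value exactly equals the token shown in the modal.
set -u

# Print the TXT values for a name, one per line, with the surrounding
# quotes removed and multi-string records ("abc" "def") joined.
# If DIG_OUTPUT is set, its contents are used instead of a live query,
# which lets the check run offline against constructed resolver output.
fetch_txt() {
  name="$1"
  if [ "${DIG_OUTPUT+set}" = set ]; then
    printf '%s\n' "$DIG_OUTPUT"
  else
    # +short prints only the record data, one record per line.
    dig +short TXT "$name"
  fi | sed -e 's/^"//' -e 's/"$//' -e 's/" "//g'
}

# Usage: txt_has_token <verification-host> <token>
# Exits 0 when a TXT record equal to the token exists, 1 otherwise.
# Other TXT records on the same name (for example SPF) are ignored.
txt_has_token() {
  host="$1"
  token="$2"
  fetch_txt "$host" | grep -qxF -- "$token"
}

# Example invocation (domain and token are placeholders):
#   txt_has_token _surfbot-verify.yourcompany.com '<token from modal>' \
#     && echo "record is live" || echo "not visible yet, wait for propagation"
```

If the check fails right after you added the record, wait for your DNS provider's TTL to expire and re-run it rather than retrying Verify in the dashboard.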
Step 3: Choose a Scan Profile
Select a scan profile based on how thorough you want the assessment:
| Profile | What It Does | Duration | Best For |
|---|---|---|---|
| Passive | Tech fingerprinting, SSL, DNS — no intrusive checks | Fastest | Domains you don't fully own |
| Standard | Misconfigs, exposures, CVEs, secrets | Moderate | Most domains (recommended) |
| Deep | Everything except denial of service | Longest | Domains you fully control |
When in doubt, start with Standard. You can always run a Deep scan later.
Step 4: Start the Scan
Click Start Scan. Surfbot will begin the full pipeline:
- Discovery (1–3 min) — Finds subdomains via subfinder + dnsx
- Port Scan (2–5 min) — Checks for open ports via naabu
- HTTP Probe (1–3 min) — Fingerprints web services via httpx
- Vuln Scan (2–5 min) — Tests against 8,000+ Nuclei templates (filtered by profile)
- Diff Analysis (< 1 min) — Compares to previous scan
You can watch progress in real time on the scan detail page.
Step 5: Review Findings
When the scan completes, you'll see a summary dashboard with:
Assets Tab
Every subdomain, IP, and endpoint discovered. Click any asset to see its full details — ports, technologies, certificates, and associated vulnerabilities.
Findings Tab
All findings sorted by severity. Each finding includes:
- Description — What was found and why it matters
- Severity — Critical, High, Medium, Low, or Info with CVSS score
- Evidence — The specific request/response that triggered the finding
- Remediation — What to do about it
- References — CVE links, OWASP references, etc.
Changes Tab
On your first scan, everything is "new." On subsequent scans, this tab becomes the most valuable — showing exactly what changed (new findings, resolved issues, changed assets).
What's Next?
- Set up webhooks to get alerts on new findings
- Integrate with CI/CD to scan on deploy
- Use the API to pull data into your tools