DEV Community

404Saint

SurfaceLens V2 — Infrastructure Attack Surface & Shadow IT Intelligence Engine by Rugero Tesla (404saint)

Most organizations don’t actually understand their infrastructure attack surface.

Across enterprise networks, cloud environments, and hybrid architectures, visibility breaks down quickly. Assets drift, services get exposed, and Shadow IT emerges outside controlled network boundaries.

From my work in network and infrastructure security—through hands-on lab simulations, recon workflows, and tool development—I kept running into the same limitation: we can discover assets, but we struggle to understand how they relate within an environment.

I’m Rugero Tesla (404saint), and SurfaceLens V2 is my attempt to approach attack surface analysis from an infrastructure-first perspective—focusing not just on discovery, but on attribution, context, and exposure patterns.

What is SurfaceLens V2?

SurfaceLens V2 is a modular Attack Surface Management (ASM) & Shadow IT Intelligence Engine designed to analyze infrastructure exposure across distributed environments.

Instead of acting as a traditional scanner, it operates as an intelligence pipeline—aggregating, correlating, and enriching asset data to produce structured visibility into an organization’s external footprint.

The goal is simple:

Move from raw discovery to meaningful infrastructure insight.

The Problem: Fragmented Visibility

Modern infrastructure isn’t centralized anymore.

During recon and lab simulations, I consistently observed:

  • Subdomains pointing to decommissioned or unclaimed infrastructure (takeover risk)
  • Publicly exposed services (RDP, SSH, databases) outside intended boundaries
  • Assets that belong to an organization but don’t align with its DNS patterns
  • TLS misconfigurations and missing security controls

Individually, these issues are well known.

But together, they form something harder to detect:

A fragmented and poorly understood attack surface.

Design Approach: Intelligence Over Enumeration

SurfaceLens wasn’t designed to be another high-speed scanner.

Instead, I structured it as a multi-stage intelligence pipeline.

1. Multi-Source Discovery

SurfaceLens aggregates asset data from:

  • Shodan
  • Censys
  • LeakIX
  • CriminalIP
  • Local datasets

This creates a diverse and provider-agnostic asset pool.

2. State & Delta Tracking (SQLite)

One of the most important design decisions was introducing persistence.

Instead of treating scans as isolated events:

  • Assets are stored locally
  • First seen / last seen timestamps are tracked
  • New exposures become immediately visible

This transforms recon into:

Continuous infrastructure monitoring rather than one-time discovery.
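The following is an added illustration of the persistence idea above, not SurfaceLens V2's own storage code: a minimal SQLite state store keyed on (host, port) that records first_seen and last_seen, reports which assets are new in a given collection run, and flags assets that stopped appearing (candidates for decommissioned infrastructure). The table layout, helper names and the observation records are this example's own assumptions; the three "runs" are constructed data.

```python
import sqlite3

# Constructed observations standing in for three successive collection runs.
# Field names and the table schema are this example's assumptions, not the
# project's data model.
RUN_1 = [
    {"host": "203.0.113.10", "port": 443, "service": "https"},
    {"host": "203.0.113.11", "port": 22,  "service": "ssh"},
]
RUN_2 = RUN_1 + [
    {"host": "203.0.113.12", "port": 3389, "service": "rdp"},   # appears for the first time
]
RUN_3 = [
    {"host": "203.0.113.10", "port": 443,  "service": "https"},
    {"host": "203.0.113.12", "port": 3389, "service": "rdp"},   # the ssh host is gone
]


def open_state(path=":memory:"):
    """Create the asset state store: one row per (host, port) with first/last seen."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS assets (
               host       TEXT    NOT NULL,
               port       INTEGER NOT NULL,
               service    TEXT,
               first_seen TEXT    NOT NULL,
               last_seen  TEXT    NOT NULL,
               PRIMARY KEY (host, port))"""
    )
    return conn


def record_run(conn, observations, seen_at):
    """Upsert one collection run. Returns the observations not present before this run.

    seen_at is an ISO-8601 UTC timestamp string, so string comparison orders correctly.
    """
    new_assets = []
    for obs in observations:
        row = conn.execute(
            "SELECT first_seen FROM assets WHERE host = ? AND port = ?",
            (obs["host"], obs["port"]),
        ).fetchone()
        if row is None:
            conn.execute(
                "INSERT INTO assets (host, port, service, first_seen, last_seen) "
                "VALUES (?, ?, ?, ?, ?)",
                (obs["host"], obs["port"], obs["service"], seen_at, seen_at),
            )
            new_assets.append(obs)
        else:
            # Known asset: only last_seen moves; first_seen is preserved.
            conn.execute(
                "UPDATE assets SET last_seen = ?, service = ? WHERE host = ? AND port = ?",
                (seen_at, obs["service"], obs["host"], obs["port"]),
            )
    conn.commit()
    return new_assets


def stale_assets(conn, seen_at):
    """Assets not observed in the run stamped seen_at: possible decommissioned infrastructure."""
    rows = conn.execute(
        "SELECT host, port, last_seen FROM assets WHERE last_seen < ?", (seen_at,)
    ).fetchall()
    return [{"host": h, "port": p, "last_seen": ls} for h, p, ls in rows]


def first_seen(conn, host, port):
    row = conn.execute(
        "SELECT first_seen FROM assets WHERE host = ? AND port = ?", (host, port)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Replay the three constructed runs and return what each one surfaced."""
    conn = open_state()
    new_1 = record_run(conn, RUN_1, "2024-01-01T00:00:00Z")
    new_2 = record_run(conn, RUN_2, "2024-01-08T00:00:00Z")
    record_run(conn, RUN_3, "2024-01-15T00:00:00Z")
    return new_1, new_2, stale_assets(conn, "2024-01-15T00:00:00Z"), conn


if __name__ == "__main__":
    new_1, new_2, stale, _ = demo()
    print("run 1 new:", [a["host"] for a in new_1])
    print("run 2 new:", [a["host"] for a in new_2])
    print("stale after run 3:", stale)
```

The point of the delta is operational: a host:port that shows up in `record_run`'s return value is a new exposure to triage now, while `stale_assets` is the list to check for orphaned DNS records that may still point at the vanished host.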

3. The Intelligence Pipeline (Core System)

Each asset is passed through a series of modular analysis components:

  • SSL Auditor
    Extracts certificate data and evaluates TLS configurations

  • DNS Correlator
    Performs attribution analysis to identify Shadow IT and misaligned assets

  • Fingerprinter
    Identifies technologies and service layers (e.g., reverse proxies, web servers)

  • Sensitive File Hunter
    Checks for exposed files like .env, robots.txt, and other common leaks

  • Risk Prioritizer
    Assigns a weighted risk score (0–10) based on combined signals

This pipeline is where raw data becomes structured intelligence.

What Actually Matters: From Exposure to Attack Paths

Building SurfaceLens shifted my perspective from simple discovery to structural analysis.

Coming from a background in network and infrastructure research, I realized that individual findings—open ports, TLS issues, or orphaned domains—don’t mean much in isolation.

What matters is how these pieces connect.

When you start correlating:

  • DNS attribution
  • service exposure
  • certificate data
  • historical visibility

You begin to understand how assets fit (or don’t fit) within an environment.

That’s where Shadow IT becomes visible.

And more importantly:

That’s where exposure starts turning into potential attack paths.

This shift—from listing assets to understanding relationships—is what drives more realistic security insight.
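To make the pipeline of section 3 and the correlation argument above concrete, here is an added example (my illustration, not code from the SurfaceLens V2 repository) that runs three constructed asset records through the same kind of stages: a DNS correlator that compares hostname and certificate names against known apex domains and owned address space, a TLS check on already-collected certificate metadata, a sensitive-service exposure check, a first_seen history check, and a weighted 0–10 prioritizer. The record layout, the four attribution labels, the weights and the sample data are all assumptions made for the example; nothing here touches the network.

```python
import ipaddress
from datetime import date, timedelta

# Everything below is constructed for this example; field names, labels and
# weights are assumptions, not SurfaceLens V2's schema or scoring model.
TODAY = date(2024, 3, 15)
ORG_DOMAINS = {"example.com"}                             # known apex domains
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # known-owned address space
SENSITIVE_SERVICES = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 27017: "mongodb"}
NEW_WINDOW = timedelta(days=14)                            # "recently appeared" threshold

ASSETS = [
    # Well-attributed web host: org name, org address space, valid cert.
    {"ip": "203.0.113.10", "port": 443, "hostnames": ["www.example.com"],
     "cert": {"sans": ["www.example.com"], "not_after": date(2025, 6, 1), "self_signed": False},
     "first_seen": date(2024, 1, 1)},
    # Org hostname resolving outside owned ranges, RDP exposed, cert long expired and self-signed.
    {"ip": "198.51.100.7", "port": 3389, "hostnames": ["legacy-vpn.example.com"],
     "cert": {"sans": ["legacy-vpn.example.com"], "not_after": date(2023, 11, 1), "self_signed": True},
     "first_seen": date(2024, 3, 9)},
    # Org-owned address with no name tying it to org DNS: the Shadow IT signal.
    {"ip": "203.0.113.200", "port": 8080, "hostnames": [], "cert": None,
     "first_seen": date(2024, 3, 9)},
]


def apex(hostname):
    """Last two labels of a hostname (simplification: ignores multi-label suffixes such as co.uk)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def dns_attribution(asset):
    """Correlate DNS and certificate names with owned address space."""
    names = list(asset["hostnames"]) + (asset["cert"]["sans"] if asset["cert"] else [])
    org_name = any(apex(n) in ORG_DOMAINS for n in names)
    org_net = any(ipaddress.ip_address(asset["ip"]) in net for net in ORG_NETWORKS)
    if org_name and org_net:
        return "attributed"
    if org_name:
        return "misaligned"   # our name, infrastructure outside known ranges
    if org_net:
        return "shadow"       # our address space, nothing in DNS that claims it
    return "unrelated"


def tls_findings(asset, today=TODAY):
    """Evaluate already-collected certificate metadata; no connection is made."""
    cert = asset["cert"]
    if cert is None:
        return []
    findings = []
    if cert["not_after"] < today:
        findings.append("expired-cert")
    if cert["self_signed"]:
        findings.append("self-signed-cert")
    return findings


def exposure_findings(asset):
    svc = SENSITIVE_SERVICES.get(asset["port"])
    return [f"exposed-{svc}"] if svc else []


def history_findings(asset, today=TODAY):
    return ["new-in-window"] if today - asset["first_seen"] <= NEW_WINDOW else []


WEIGHTS = {
    "attributed": 0.0, "unrelated": 0.0, "misaligned": 2.0, "shadow": 3.0,
    "expired-cert": 1.5, "self-signed-cert": 1.0, "new-in-window": 1.0,
}
EXPOSED_WEIGHT = 3.0   # any sensitive service reachable from outside


def analyze(asset, today=TODAY):
    """Combine the stage outputs into one record with a 0–10 score."""
    attribution = dns_attribution(asset)
    findings = tls_findings(asset, today) + exposure_findings(asset) + history_findings(asset, today)
    score = WEIGHTS[attribution]
    for f in findings:
        score += EXPOSED_WEIGHT if f.startswith("exposed-") else WEIGHTS[f]
    return {"ip": asset["ip"], "port": asset["port"], "attribution": attribution,
            "findings": findings, "score": round(min(score, 10.0), 1)}


def run(assets=ASSETS, today=TODAY):
    """Score every asset and return them highest risk first."""
    return sorted((analyze(a, today) for a in assets), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in run():
        print(f'{r["score"]:>4}  {r["ip"]}:{r["port"]:<5} {r["attribution"]:<11} {", ".join(r["findings"])}')
```

Read the output top-down and the correlation point shows itself: the legacy-vpn host is not alarming for its RDP port alone, or its dead certificate alone, or the fact that it resolves outside owned space alone, but the three together plus its recent appearance push it to the top, while the org-owned address with no DNS claim scores above the well-attributed web host purely on attribution.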

Output & Operational Use

SurfaceLens presents the same intelligence through multiple interfaces:

  • CLI Output
    Real-time, high-signal analysis for quick assessments

  • Markdown Reports
    Structured, audit-ready documentation

  • Web Dashboard (Flask)
    A centralized view of assets, risks, and historical changes

Each interface serves a different purpose—but they all rely on the same underlying data model.

Design Philosophy & Tradeoffs

SurfaceLens prioritizes:

  • Passive intelligence collection
  • Low-noise analysis
  • Structured correlation over raw volume

It is intentionally not:

  • an aggressive scanner
  • a noisy enumeration tool

Because in real-world environments:

Clarity and context matter more than volume.

Future Direction

SurfaceLens V2 is a foundation, not a finished system.

Areas I’m currently exploring:

  • Improved attribution models for asset ownership
  • Context-aware risk scoring
  • Integration into automated security workflows
  • Expanded detection for infrastructure misconfigurations

🛡️ Ethical Use

SurfaceLens is built for:

  • defensive security research
  • authorized assessments

It primarily relies on passive data sources, with non-intrusive active checks.

Do not use this tool on infrastructure without proper authorization.

Project

Explore the project or contribute:

👉 https://github.com/404saint/surfacelens_v2

👤 About the Author

Rugero Tesla (404saint) is an offensive security researcher focused on infrastructure and network security, with a strong interest in attack surface analysis, Shadow IT discovery, and attack path modeling.

His work centers around building practical tools, designing lab environments, and exploring how real-world exposure emerges across modern network architectures.

GitHub: https://github.com/404saint
