Attack Surface Monitoring Checklist for SMB IT Teams
You don't need a 20-person security team to monitor your attack surface. You need a checklist, a cadence, and the discipline to follow it. This guide gives you all three — built for IT teams of one to five people who are already stretched thin.
- A 15-minute weekly attack surface check (7 items)
- A 30-minute monthly deep review (4 items)
- A quarterly strategic review (3 items)
- Which open-source tools cover each step
- How to automate 90% of this checklist
- Three actions you can take in the next 10 minutes
Who This Checklist Is For
This checklist is designed for the IT generalist who wears too many hats. You manage the network, handle help desk tickets, run backups, keep the website up, and somewhere in there you're also supposed to be doing "security." Sound familiar?
If your organization has between 10 and 500 employees, no dedicated security hire, and at least a few internet-facing assets (a website, a mail server, maybe a VPN), this checklist is for you. It's tool-agnostic — you can do most of this with free tools and a browser. But we'll also show you how to automate the boring parts so you can focus on what actually needs your attention.
A 15-minute weekly check you actually do is infinitely more valuable than a 4-hour monthly audit you keep pushing to next week. This checklist is designed to be short enough that you'll actually complete it every time.
What makes attack surface monitoring different from vulnerability scanning? Vulnerability scanners check known assets for known CVEs. Attack surface monitoring answers a more fundamental question: what assets do you actually have exposed to the internet right now? New subdomains, new open ports, DNS changes, expired certificates — these are the gaps that attackers exploit before your vulnerability scanner ever sees them.
The 15-Minute Weekly Attack Surface Check
Block 15 minutes every Monday morning. Put it on your calendar. Treat it like a standup meeting — quick, focused, non-negotiable. Here are the seven items to check every single week.
1. Subdomain discovery
- Check for any new subdomains that appeared since last week
- Verify each new subdomain is authorized and expected
- Flag unknown subdomains for immediate investigation
- Look for patterns: staging servers, test environments, shadow IT
2. Port monitoring
- Compare this week's port scan results against last week's baseline
- Investigate any new ports that weren't open before
- Pay special attention to management ports (22, 3389, 8080, 8443)
- Confirm any new services have proper authorization
3. SSL certificate tracking
- Check certificates expiring within 30 days
- Verify no certificates have already expired
- Confirm certificate chains are valid and trusted
- Initiate renewal for anything expiring within 14 days
4. DNS change detection
- Check for any DNS records added, modified, or deleted
- Look for dangling CNAME records pointing to decommissioned services
- Verify MX records haven't been tampered with
- Confirm SPF/DKIM/DMARC records are intact
5. Admin panel scanning
- Scan for common admin paths (/admin, /wp-admin, /login, /phpmyadmin)
- Verify all admin interfaces require MFA
- Confirm admin panels are not accessible from the public internet
- Check for any new management interfaces that appeared
6. Vulnerability assessment
- Check for any new critical or high-severity vulnerabilities
- Verify that previously identified vulns are being remediated
- Look for newly published CVEs affecting your tech stack
- Prioritize anything internet-facing with a public exploit
7. Drift alerting
- Review any configuration drift alerts from the past week
- Investigate unexpected changes to running services
- Check for technology version changes (upgrades or downgrades)
- Verify that all changes correspond to approved change requests
That's the entire weekly check. Seven items, fifteen minutes. If you find something concerning during the check, don't try to fix it on the spot — log it, assign it a priority, and schedule the remediation. The weekly check is for detection, not resolution.
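As an added example (not part of the original checklist and not DriftAlarm's code), the following Python script applies the weekly baseline comparison to constructed snapshots of subdomains, open ports, DNS records and certificate expiry dates, flagging newly opened management ports, dangling CNAMEs, modified MX records and the 30-day/14-day certificate windows. The snapshot layout, the example.com hosts and the sample dates are assumptions; in practice the snapshots would be filled from Amass, Nmap and dig output saved each week.

```python
from datetime import date
MANAGEMENT_PORTS = {22, 3389, 8080, 8443}  # checklist's management ports: newly open = high priority

def diff_weekly(baseline, current, today):
    """Return (priority, message) pairs for what changed between last week's baseline and this week.
    Snapshot keys: 'subdomains' (set), 'ports' (host -> set of ints),
    'dns' (name -> (type, value, target_resolves)), 'certs' (host -> expiry date)."""
    findings = []
    for sub in sorted(current["subdomains"] - baseline["subdomains"]):
        findings.append(("review", f"new subdomain {sub}: confirm it is authorized"))
    for host, ports in current["ports"].items():
        for port in sorted(ports - baseline["ports"].get(host, set())):
            findings.append(("high" if port in MANAGEMENT_PORTS else "review", f"{host}: port {port} newly open"))
    for name, (rtype, value, resolves) in current["dns"].items():
        old = baseline["dns"].get(name)
        if old is None:
            findings.append(("review", f"DNS record added: {name} {rtype} {value}"))
        elif old[:2] != (rtype, value):  # a modified MX record is treated as high priority
            findings.append(("high" if rtype == "MX" else "review", f"DNS record changed: {name} {old[1]} -> {value}"))
        if rtype == "CNAME" and not resolves:
            findings.append(("high", f"dangling CNAME: {name} -> {value} no longer resolves"))
    for name in sorted(set(baseline["dns"]) - set(current["dns"])):
        findings.append(("review", f"DNS record deleted: {name}"))
    for host, expires in current["certs"].items():
        days = (expires - today).days  # checklist windows: warn at 30 days, renew at 14
        state = "has expired" if days < 0 else f"expires in {days} days"
        if days <= 30:
            findings.append(("high" if days <= 14 else "review", f"{host}: certificate {state}"))
    return findings

# Constructed sample snapshots (example.com names and RFC 5737 addresses, not real hosts).
BASELINE = {
    "subdomains": {"www.example.com", "mail.example.com"},
    "ports": {"www.example.com": {80, 443}},
    "dns": {"www.example.com": ("A", "203.0.113.10", True),
            "example.com": ("MX", "mail.example.com", True)},
    "certs": {"www.example.com": date(2025, 4, 30)},
}
CURRENT = {
    "subdomains": {"www.example.com", "mail.example.com", "staging.example.com"},
    "ports": {"www.example.com": {80, 443, 8443}, "staging.example.com": {22, 80}},
    "dns": {"www.example.com": ("A", "203.0.113.10", True),
            "example.com": ("MX", "mail.example.com", True),
            "shop.example.com": ("CNAME", "retired-store.example.net", False)},
    "certs": {"www.example.com": date(2025, 4, 30), "mail.example.com": date(2025, 4, 12)},
}
def weekly_report(today=date(2025, 4, 1)):
    """Diff the sample snapshots, listing high-priority findings first (stable within each group)."""
    return sorted(diff_weekly(BASELINE, CURRENT, today), key=lambda f: f[0] != "high")
```

Run against the sample data it reports eight findings, four of them high priority (the new 8443 and 22 ports, the dangling CNAME, and the mail certificate inside the 14-day window); swap in real weekly snapshots and the same logic becomes the log-it-and-prioritize step the checklist describes.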
DriftAlarm runs all seven weekly checks automatically — subdomain discovery, port monitoring, SSL tracking, DNS change detection, admin panel scanning, vulnerability assessment, and drift alerting. Instead of spending 15 minutes checking manually, you spend 2 minutes reviewing what DriftAlarm already found.
Monthly Deep Review (30 Minutes)
Once a month, block 30 minutes for a deeper look. This is where you catch the slow-moving risks that don't trigger weekly alerts — the gradual drift, the forgotten assets, the trends that only become visible over time.
1. Asset inventory
- Compare your asset register against discovery scan results
- Identify any assets in scans that aren't in your register (shadow IT)
- Remove decommissioned assets that no longer resolve
- Confirm asset ownership is current — people leave, roles change
- Update criticality ratings if business context has changed
2. Tech stack review
- Review all detected technologies across your assets
- Check for end-of-life (EOL) software approaching or past end of support
- Look for technology version inconsistencies across environments
- Verify all web frameworks and CMS platforms are on supported versions
- Flag any technology that requires an upgrade plan
3. Domain and registrar checks
- Check domain expiration dates — renew anything within 90 days
- Verify registrar lock is enabled on critical domains
- Confirm WHOIS contact info is accurate and monitored
- Check for unauthorized domain transfers or NS record changes
4. Risk score trend
- Review your overall risk score trend over the past 30 days
- Identify which assets are driving risk score increases
- Check if remediation efforts are actually reducing your score
- Compare against your target risk posture
- Adjust priorities if certain assets are chronically risky
Quarterly Strategic Review
Every quarter, step back and look at the bigger picture. This isn't about individual vulnerabilities — it's about whether your monitoring program is keeping pace with how your organization is growing and changing.
1. Scope changes
- Has the company acquired new domains, IPs, or cloud accounts?
- Are there new SaaS tools that expose branded login pages?
- Has the company merged with or acquired another organization?
- Add any new assets to your monitoring scope
- Retire monitoring for assets that have been fully decommissioned
2. Third-party and vendor review
- Review vendor integrations that connect to your infrastructure
- Check for third-party services hosting content on your domains
- Verify that vendor-managed assets meet your security standards
- Assess whether any vendor relationships have changed or ended
3. Compliance and reporting
- Export scan reports and remediation evidence for audit readiness
- Document your monitoring cadence and coverage for compliance
- Verify that monitoring meets any regulatory requirements (SOC 2, ISO 27001, HIPAA)
- Archive quarterly summary for board or leadership reporting
Tools You Need
You can build a monitoring program with open-source tools. It takes more manual effort, but it works. Here's what covers each checklist item — and how DriftAlarm automates each step so you don't have to stitch it together yourself.
| Checklist Item | Open-Source Tools | DriftAlarm Automation |
|---|---|---|
| Subdomain discovery | Amass, Subfinder, crt.sh | Automated weekly discovery scans with change alerts |
| Port monitoring | Nmap, Masscan, RustScan | Daily port scans with baseline comparison and drift detection |
| SSL certificate tracking | testssl.sh, sslyze, certbot | Continuous certificate monitoring with expiry alerts |
| DNS change detection | dig + cron scripts, DNSdiff | Automated DNS baseline with change notifications |
| Admin panel scanning | Nuclei, httpx, ffuf | Vulnerability scans include admin path detection |
| Vulnerability scanning | Nuclei, OpenVAS, Nikto | Daily vulnerability scans with AI-assisted prioritization |
| Drift alerting | Custom scripts + diff | 32 built-in drift rules with notification channels |
| Asset inventory | Spreadsheet + manual updates | Automatic asset register with technology fingerprinting |
| Tech stack review | WhatWeb, Wappalyzer, httpx | Technology normalization with EOL tracking |
| Risk scoring | Manual spreadsheet formulas | Automated risk scores with trend tracking per asset |
Stitching open-source tools together works, but it takes time — typically 2-4 hours per week to run, aggregate, compare, and investigate results manually. That's time most SMB IT teams don't have. The real question is whether your time is better spent running Nmap or investigating the one finding that actually matters.
Getting Started Today: 3 Actions in 10 Minutes
Don't wait until next Monday. Here are three things you can do in the next 10 minutes to start monitoring your attack surface.
1. Open a spreadsheet. Write down every domain, IP address, and cloud service your company exposes to the internet. Don't overthink it — you can refine later. Just get the list started.
2. Put a 15-minute recurring calendar event on Monday mornings. Label it "Attack Surface Check." Invite yourself. Protect this time — it's the most important 15 minutes of your security week.
3. Pick one domain from your list. Run a discovery scan with DriftAlarm (takes under 3 minutes) or use Amass and Nmap manually. Either way, you'll immediately see what's exposed — and that's the first step.