Loading content...

Welcome to Orizon RECON

Attack Surface Management platform to map the external attack surface (EASM) + internal network discovery (IASM) + vulnerability intelligence + NIS2 compliance and business intelligence — in one unified platform.

Sign upLog in
🔒app.orizon.one/tools/attack-surface-mapping/dashboard
Orizon RECONOrizon RECON
Tools
acme-corp.com2h ago
example-target.com4h ago
Internal · Acme Corp1d ago
Internal · Globex Industries3d ago
13:47:21Rome
Orizon RECON
v3.2.0 BETA
Tools · Attack Surface · Dashboard
Attack Surface Mapping
DC
Entry Points
Entry PointsAssets
Number of Scans
12External·5Internal·17Total
Recent scans
5 total · live updates
Name
Targets
Assets
Vulnerabilities
Risk
Status
Internal scan: Acme Corp
less than a minute ago
192.168.0.0/21
197
12388124
9.3
Completed
example-target.com
2h ago
example-target.com
1770
4112619
7.1
Completed
Internal scan: Globex Industries
less than a minute ago
10.1.0.0/24+1
78
2143118
6.4
Running
acme-corp.com
1d ago
acme-corp.com
412
3128
3.2
Completed
Internal scan: Initech Ltd
6d ago
192.168.1.0/24+1
26
4116
4.2
Completed
BETA PROGRAM

Sign up and scan 3 domains free.

Create your account and we credit your company 270 Cyber Tokens — enough for 3 full external scans, every subdomain included.

270 Cyber Tokens on signup3 full domain scansEvery subdomain included
Sign Up Now→
External Attack Surface
Internal Network Scans
NIS2 & Industry Risk
Webhooks & Integrations
9+
CVE intel sources
7
Built-in integrations
16
NIS2 Art. 21 controls
3
Locales (EN · IT · ES)
Who is it for

Built for two roles. Useful to everyone in between.

Security and compliance pull in opposite directions every day. Orizon RECON gives both sides one source of truth.

Security Engineers
You run the perimeter and the internal segments. You need continuous discovery and triage that does not bury you in noise.
  • Continuous external + internal scanning on schedule
  • CVE triage with Applicable / Advisory split + active validation
  • Drift detection between scans — new assets, ports gone, configs changed
  • REST API + webhooks so it lives where your CI/CD already lives
Compliance Officers & NIS2 Owners
You own the framework. You need machine-generated evidence, sector-specific deadlines, and a board-ready risk narrative.
  • NIS2 Article 21 — all 16 controls auto-evaluated every scan
  • Annex I + II sector mapping from NACE, essential vs important
  • Country-aware deadlines: IT, ES, FR, DE — each with the right authority
  • Audit-ready PDFs + AI-written 150-word executive risk brief
How it works

Two pipelines. One unified report.

External attack-surface scans and internal network scans run in parallel pipelines, then feed the same compliance + risk engine.

External scan
From a domain to the open internet
Internal scan
From a CIDR to every asset on the wire
01
Reconnaissance
Subdomain enumeration with wildcard handling, DNS resolution, target deduplication.
01
Network Discovery
Agentless probe sweeps every CIDR with ARP, ICMP, mDNS, LLDP, NetBIOS, DHCP-listen + passive TCP-stack fingerprinting.
02
Probing
HTTP probing, port + service detection across the top ports, TLS handshake + certificate inspection.
02
Service Detection
SMB, SSH, HTTP and NTLMSSP fingerprinting per host. Service banners + OS build version extracted from every live port.
03
Fingerprinting
Technology + version detection across thousands of signatures — CMS, frameworks, JS libraries, cloud and CDN providers.
03
Asset Classification
Every host classified across 9 categories — server, workstation, mobile, IoT, printer, BMC, network gear, VoIP, storage.
04
Validation
Headless-browser DOM analysis confirms every detected technology. Cross-source verification drops false positives.
04
Drift Detection
Every scan compared to the previous run — new asset / asset gone / port change / OS change events flagged automatically.
05
CVE Correlation
CVEs aggregated from 8 sources, de-duplicated, scored with CVSS + EPSS + KEV. Active validation confirms what is exploitable.
05
CVE Correlation
Same 8-source aggregation as the external pipeline — applied to internal services, scored with CVSS + EPSS + KEV.
Final phase · both pipelines
Compliance & Risk

Up to 12 NIS2 Article 21 measures auto-evaluated (9 baseline + 3 essential-entity extras), Annex I + II sector mapping from NACE, AI-generated 150-word executive risk brief, and a single 0-10 composite score linking findings to compliance gaps.

01 · EXTERNAL

From a single domain to your entire perimeter — in minutes

Subdomain enumeration, port and service detection, technology fingerprinting, TLS grading, cloud and CDN identification, and a full Web Security Suite — all from one target URL.

  • Subdomain enumeration with wildcard handling, plus multi-domain group scans
  • Port and service detection with top-N port modes
  • Technology fingerprinting — DOM detectors, JS library scanning, favicon hashing, TLS-stack fingerprinting
  • TLS / certificate analysis — grade, SAN extraction, expiry tracking, cipher + version capture
  • Cloud + CDN detection (AWS / Azure / GCP / Cloudflare) via IP and headers
  • Web Security Suite — CSP / HSTS / X-Frame-Options grading + sitemap crawl
🔒app.orizon.one
Orizon
Attack Surface · Scans · github.com
github.com
DC
COMPLETED
Surface map
1,770 nodes · 5 categories
github.com
DomainSubdomainIPTech
7.1Risk
Risk score
High — 4 critical · 11 high CVEs · 3 expired certs
KEVEOL TLS
Top vulnerable technologies
nginx 1.18.012 CVEs
OpenSSH 8.2p17 CVEs
jQuery 3.5.14 CVEs
Bootstrap 4.52 CVEs
By severity
4
Critical
11
High
26
Medium
19
Low
02 · INTERNAL

Discover every device on every subnet — without an agent on each host

Drop the Scout probe on one Linux box. It maps every CIDR you point it at, fingerprints services, classifies every asset, and surfaces drift since the last scan — all on your private network, all in minutes.

  • One-line install (curl | bash). Linux amd64/arm64. SSH-accessible logs at /opt/scout/logs/.
  • Multi-protocol discovery — ARP, ICMP, mDNS, LLDP, NetBIOS, DHCP listen + TCP-stack OS fingerprinting
  • Service fingerprinting — SMB, SSH, HTTP, NTLMSSP + application detection + OS build version
  • 9-class asset taxonomy — server, workstation, mobile, IoT, printer, BMC, network gear, VoIP, storage
  • Drift detection — new asset / asset gone / port change events between scans
  • Multi-tenant probe sharing — adopt + share probes across users via invite tokens
🔒app.orizon.one
Orizon
Attack Surface · Scans · Internal
Internal scan: Acme Corp
DC
All (197)Server (119)Workstation (7)Network (11)IoT (1)Mobile (4)BMC / OOB (8)Storage (14)VoIP (3)
Host
Type
OS
Vendor
Ports
192.168.1.2
syneto-storage-01
Storage
Debian 13 (Trixie)
Supermicro
22804439001
192.168.1.42
dc-primary
Server
Windows Server 2022
Dell
5388389445+2
192.168.5.18
dev-laptop-luca
Workstation
macOS 14.5
Apple
225000
192.168.5.115
—
Mobile
iOS 17.5
Apple
—
192.168.1.201
idrac-syneto-01
BMC / OOB
Dell iDRAC 9
Dell
2280443623+1
192.168.5.31
printer-meeting-room
Printer
embedded Linux
HP
806319100
10.1.1.4
sophos-utm
Network
Sophos UTM
Sophos
224434444
192.168.5.7
voip-conf-room
VoIP
Yealink firmware
Yealink
22804435060
03 · VULNS

8 intelligence sources. One truth. Plus active validation.

Every CVE gets enriched, normalized and de-duplicated across NIST NVD, OSV, CISA KEV, GitHub Security Advisory, ExploitDB, CIRCL, EPSS and Metasploit. Active validation confirms which findings are actually exploitable in your environment. Then we tell you what to fix first.

  • 8 sources: NIST NVD · OSV · CISA KEV · GitHub Security Advisory · ExploitDB · CIRCL · EPSS · Metasploit
  • Active validation with proof-of-concept badging
  • Applicable vs Advisory split — real exploitable vs version-unknown informational
  • CVSS v2/v3 + EPSS exploitation probability + CISA KEV priority badging
  • 7 finding categories — CVE, default creds, weak crypto, misconfig, OS-CVE, service-CVE, app-CVE, EOL
  • Risk score 0-100 (CVSS + EPSS + KEV + exposure) · False-positive marking · 2018+ cutoff filters legacy noise
🔒app.orizon.one
Orizon
Attack Surface · Scans · Vulnerabilities
Vulnerabilities
DC
147 findings
132 applicable·15 advisory·9 KEV
VulnerabilityTitleCVSSEPSSAffected host
CVE-2024-31497APPLICABLEKEV
PuTTY ≤ 0.80 — ECDSA P521 nonce recovery (private-key exposure)
9.894%192.168.1.42
CVE-2023-46604APPLICABLEKEV
Apache ActiveMQ — OpenWire deserialization RCE
10.097%192.168.1.18
CVE-2024-21413APPLICABLE
Outlook moniker link bypass — credential leak
8.878%192.168.5.7
—CREDS
Default credentials: admin/admin on Dell iDRAC
9.1—192.168.1.201
—EOL
EOL OS — Windows Server 2012 R2 (out of support since Oct 2023)
7.5—192.168.1.42
Advisory — version unknown, informational
CVE-2023-44487ADVISORY
HTTP/2 Rapid Reset — version-unknown, present in many stacks
7.588%Network-wide
CVE-2024-3094ADVISORY
xz-utils backdoor — applies if liblzma versions 5.6.0/5.6.1 present
10.0—Network-wide
CVE-2022-22965ADVISORY
Spring4Shell — version-unknown Java apps
9.892%Network-wide
Note: 8 legacy CVE entries (pre-2018) were excluded for clarity.
04 · COMPLIANCE & RISK

NIS2-ready out of the box. Industry threat intelligence per scan.

Every scan auto-evaluates up to 12 Article 21 risk-management measures (9 baseline + 3 essential-entity extras), classifies your sector against Annex I + II, and runs a Claude-driven 150-word risk brief — anchored to real breaches in your industry over the last 90 days.

  • Up to 12 Article 21 measures auto-evaluated — access, segmentation, EOL, MFA, backup, audit logging…
  • Annex I + II sector mapping from NACE code (essential vs important classification)
  • Country-aware — IT (Feb 25), ES/FR (Sept 25), DE (Dec 25). ACN, CCN-CERT, ANSSI, BSI authorities
  • Supplier vs operator classification with sector-specific deadlines
  • AI-generated 150-word executive brief (Claude) — links CVEs to compliance gaps
  • Industry risk + 90-day similar-breach feed + Markov-chain 12-month breach probability with patch-impact overlay
🔒app.orizon.one
Orizon
Attack Surface · Scans · Compliance
NIS 2 — Article 21 controls
DC
NIS 2 — Article 21 controls
Annex I — Essential
11
Pass
3
Warn
2
Fail
21.1Access control
21.2Asset management
21.3Encryption at rest
21.4Secure code
21.5Incident response
21.6Supply chain risk
21.7Network segmentation
21.8Admin isolation
21.9EOL OS prohibition
21.10Secure auth (MFA)
21.11Malware defense
21.12Continuous monitoring
21.13Crisis management
21.14Data protection
21.15Backup
21.16Audit logging
62Risk
Financial services
Sector baseline 58 · Org profile 72 · Composite 62 / 100
12-month breach probability
Markov chain MC
Current posture38%
After patching 2 critical CVEs14%
Similar breaches (90d)
LockBit 3.0First Continental Bank12d ago
ALPHVRiverstone Credit Union34d ago
Cl0pPinnacle Capital Co67d ago
05 · INVENTORY

Every asset, every port, every service — visually.

A D3-force interactive map of every subnet in scope, plus a deep per-host drawer with ports, services, technologies, OS, vendor, and MAC. Filter by anything, export per asset.

  • Interactive force-graph topology — subnets + gateways + per-host orbits, multi-CIDR clustering
  • Per-host detail drawer — ports, services, technologies, OS, vendor, MAC address
  • MAC-based billing — multi-IP hosts on the same MAC counted once
  • Asset-type colour coding + status badges (up/down/flapping)
  • Filter / search by hostname, IP, MAC, OS, service · per-asset export
🔒app.orizon.one
Network topology — 5 subnets · 349 assets
SubnetGatewayAsset
192.168.0.0/21197 hosts192.168.5.0/2478 hosts192.168.6.0/2432 hosts10.1.0.0/2424 hosts10.1.1.0/2418 hosts
06 · AUTOMATION

Set and forget. Daily, weekly, monthly — your scan cadence on autopilot.

Drop a schedule on any external target or internal probe and RECON runs the scan, retries on failure, deltas against last run, and notifies your team — automatically, on your timezone.

  • 5 frequencies: daily · weekly · bi-weekly · monthly · quarterly — with preferred day + time
  • Same scheduler runs external targets AND internal probes — one mental model
  • Timezone-aware execution — IT, ES, DE local time honored even on shared infra
  • Auto-retry on failure · offline policy (defer / fail-fast / cancel) · drift highlights since last run
  • Per-schedule email + integration notifications — only when something actually changes
  • Per-schedule success-rate sparkline · pause/resume in one click · scan-mode override per cadence
🔒app.orizon.one
Orizon
Attack Surface · Automation · Schedules
Schedules
DC
5
Total
4
Active
1
Paused
96.8%
Success rate
Europe/Rome
ScheduleFrequencyNext runLast 12 runsStatus
Daily — acme-corp.com perimeter
acme-corp.com
Dailyin 4h 12m
98%
Active
Weekly — HQ /24
192.168.1.0/24
Weeklyin 2d 8h
100%
Active
Bi-weekly — supplier portfolio
group: vendors (24 domains)
Bi-weeklyin 9d
86%
Active
Monthly — DMZ deep scan
10.10.0.0/16
Monthlyin 21d
100%
Paused
Quarterly — compliance sweep
corp.example.com + 4 subsidiaries
Quarterlyin 47d
100%
Active
Cron-style scheduler with timezone awareness, retry on failure, and email + integration notifications.
07 · INTEGRATIONS

Wire RECON to the tools your team already lives in.

Every scan completion, every critical finding, every probe offline event — pushed to Slack, your SIEM, your ticketing system. Signed, retried, auditable. No polling. No glue scripts.

  • 7 outbound types — generic webhook · Slack · email digest · Jira · ServiceNow · Splunk HEC · Azure Sentinel
  • Secrets encrypted at rest (AES-256-GCM) · per-delivery HMAC signing · SSRF guard against internal targets
  • Per-event scope: scan.completed · finding.critical · probe.offline · schedule.failed — pick what fires
  • Jira / ServiceNow auto-ticket on critical findings — issue type, priority, project all configurable
  • Splunk HEC + Azure Sentinel native — every event lands as a structured log line for correlation
  • Exponential-backoff retry (6 attempts · 30s → 1m → 5m → 30m → 2h → final) · auto-pause on 10 consecutive failures · full per-delivery audit log with response body
🔒app.orizon.one
Orizon
Settings · Outbound integrations
Integrations
DC
6 active integrations
AES-256-GCM · HMAC-signed
#sec-ops SlackSlack
1,284 deliveries · 2m ago
ACTIVE
SIEM webhookWebhook
4,061 deliveries · 12m ago
ACTIVE
Weekly digest — exec teamEmail digest
12 deliveries · 3d ago
ACTIVE
IT-SEC Jira boardJira
217 deliveries · 47m ago
ACTIVE
ServiceNow ITSMServiceNow
89 deliveries · 1h ago
FAILED
Splunk HEC — corpSplunk HEC
9,842 deliveries · 5m ago
ACTIVE
Delivery history
scan.completed
#sec-ops Slack
200
248ms
finding.critical
SIEM webhook
201
412ms
scan.completed
Splunk HEC — corp
200
187ms
finding.critical
IT-SEC Jira board
201
893ms
scan.completed
ServiceNow ITSM
502
30000ms
scan.completed
ServiceNow ITSM
—
queued
probe.offline
#sec-ops Slack
200
156ms
Auto-retry with exponential backoff (6 attempts) · SSRF guard · per-delivery HMAC · auto-pause on 10 consecutive failures.
08 · OUTPUT

Professional PDFs. Raw JSON. A fully scoped REST API.

Every scan produces a multi-page PDF report with cover, table of contents, vulnerability tables and per-asset detail. Plus exports your team can pipe anywhere via API or webhook.

  • Multi-page PDF — cover, TOC, navigation bookmarks; merged Networks & Topology, Applicable / Advisory split
  • Localized in EN, IT, ES — finding titles translated per locale
  • JSON, CSV and Excel exports — asset list, vulnerabilities, raw scan data
  • REST API + Personal Access Tokens with scope-based access
  • Async delivery — pipe new reports to Slack, Jira, S3 via integrations
🔒app.orizon.one
Vulnerabilities
Top 50 findings
CVESevHost
CVE-2024-31497APPLICABLE192.168.1.42
CVE-2023-46604KEV192.168.1.18
CVE-2024-21413APPLICABLE192.168.5.7
CVE-2023-44487ADVISORYNetwork-wide
CVE-2024-3094APPLICABLE192.168.5.31
Note: 8 legacy CVE entries (pre-2018) were excluded for clarity.
Executive Summary
Risk overview
12
Critical
38
High
81
Medium
24
Low
Lorem ipsum scan summary describing the discovered surface, top critical findings, and prioritized remediation actions. The probe identified 197 assets across the network, with 12 critical and 38 high-severity vulnerabilities…
Top recommendations
  1. Patch CVE-2024-31497 on 7 hosts running PuTTY ≤ 0.80
  2. Rotate Dell iDRAC default credentials on 4 BMCs
  3. Disable SMBv1 on 3 Windows Server 2012 R2 hosts
  4. Replace TLS 1.0 with TLS 1.2+ on the Sophos UTM gateway
Orizon RECON
Internal Network Scan Report
Acme Corp
Scan date
May 11, 2026
Networks
192.168.0.0/21
Risk score
9.3 / 10
Assets
197
09 · PLATFORM

Built for production. Not a demo.

Multi-tenant. EU-hosted. Self-healing. Audited end-to-end. Every piece — auth, secrets, queue, workers, integrations — designed to run unattended for security teams that already have enough fires to fight.

  • NextAuth + 2FA TOTP · RBAC (admin / analyst / viewer) · per-user scan token quotas
  • AES-256-GCM at rest · CSRF + SSRF guards · OWASP top-10 aligned · scoped + revocable API tokens
  • Auto-scaling workers (1-10) · self-healing on crash · orphan-scan auto-recovery after 10 minutes stale
  • Tamper-evident audit log — every login, scan, token issue, role change, integration · 90-day retention
  • Multi-tenant by design — full user isolation · shared probes via invite tokens · per-org scan history
  • EU-hosted (Digital Ocean Frankfurt) · TLS everywhere · health-checked · auto-deployed from main
🔒app.orizon.one
Orizon
Admin · Operations · Health
Platform · System Health
DC
3 / 8
Workers
auto-scaling, healthy
12
Queue depth
FOR UPDATE SKIP LOCKED
47 / 200
DB pool
PostgreSQL · p95 18ms
OK
Redis
TLS · 0.4ms RTT
API tokens
scope-limited · revocable
CI · scan-trigger4m ago
orz_ci_a7e2…
scans:create · scans:read
Splunk HEC reader18m ago
orz_splunk_f3b1…
scans:read · findings:read
GRC export bot2h ago
orz_grc_9d4c…
scans:read · reports:export
Probe-mgmt automation3d ago
orz_probe_b85e…
probes:* · scans:create
Audit log
90-day retention · tamper-evident hash chain
[email protected]
Signed in (2FA · TOTP)
32s ago
[email protected]
Started scan · acme-corp.com
2m ago
[email protected]
Issued API token · CI · scan-trigger
14m ago
[email protected]
Granted role · ANALYST → [email protected]
1h ago
[email protected]
Created integration · ServiceNow ITSM
3h ago
system
Orphan scan auto-reset · stale > 10m
5h ago
NextAuth + 2FA TOTP · RBAC · AES-256-GCM secrets · CSRF + SSRF guards · OWASP-aligned
FAQ

Common questions

Everything we get asked the most — capabilities, pricing, security, legality. Click any question to expand.

Product & Capabilities

A unified attack-surface platform combining external discovery, internal network scans (via the Scout probe), vulnerability intelligence from 8 sources, NIS2 compliance auto-evaluation, and Claude-driven industry risk briefs — all in one product.

What a scan delivers

Pricing & tokens

Security, privacy and legality

Reporting & NIS2

Integrations & API

About the platform

Orizon

Leading European cybersecurity company protecting organizations with advanced security solutions.

LinkedInYouTubeGitHub

Navigation

WebsitePartner AreaOrizon RECON

Legal & Compliance

Privacy PolicyTerms & ConditionsISO 9001:2015ISO 27001:2022

Contact Info

Italy HQ
Via Cefalonia 70, 25124
Brescia (BS), Italy
+39 030 0946 499
[email protected]

2025 Orizon S.R.L. All rights reserved.