name: attack-surface-monitoring
description: >-
  Continuously monitor an organization's external attack surface using Shodan.
  Inventory the externally exposed services for one or more IP ranges, create
  monitored alerts so new services and changes are reported in real time, and
  route those events into the right Slack / webhook / email channel for the
  security team.
provider: shodan
workflow:
  - capability: shodan-rest
    operation: getApiInfo
    purpose: Confirm the account has scan and monitored-IP credits before configuring monitoring.
  - capability: shodan-rest
    operation: searchHosts
    purpose: Baseline the current externally exposed footprint of the organization's IP ranges.
  - capability: shodan-rest
    operation: createAlert
    purpose: Create a network alert covering the organization's owned IP ranges.
  - capability: shodan-rest
    operation: enableAlertTrigger
    purpose: Enable triggers (new_service, vulnerable, ssl_expired, etc.) on the alert.
  - capability: shodan-rest
    operation: createNotifier
    purpose: Configure a Slack, webhook, or email notifier for the security operations channel.
  - capability: shodan-rest
    operation: listAlerts
    purpose: Confirm the alert and triggers are in place.
  - capability: shodan-stream
    operation: streamBannersByAsn
    purpose: Optionally tail the firehose for ASNs owned by the organization for richer real-time context.