In-depth OSINT collection and external attack surface mapping for everyone!
The OWASP Amass Project has developed a system to help information security professionals perform mapping of attack surfaces and external asset discovery using open source intelligence gathering and reconnaissance techniques.
The system includes key efforts and tools to help understand attack surfaces:
- Docker Compose - for in-depth attack surface mapping and asset discovery
- Docker Image - all the capabilities built from the amass repo in one Docker image
- The Amass Platform - for all the development related to external attack surface collection
- Asset Database - for easy storage, navigation, and management of the OAM data
- Open Asset Model - the uniform way to represent assets exposed on the Internet
You can find detailed installation instructions and documentation in the Amass Docs repo.
If you have any questions about the OWASP Amass Project, please email the project leader Jeff Foley, or contact us on the project's Discord server (Discord is highly preferred).
"For FortifyData, Amass is an invaluable tool in our arsenal for quickly and accurately determining asset footprints for cyber risk assessment. It reliably provides superior results without false positives. Further, the OAM database model provides inherent benefits beyond asset footprinting, such as identifying third parties associated with the target and nth-party detection. Working closely with the Amass team, we've watched Amass steadily enhance its capabilities. Our clients are deeply impressed with the results our platform generates using Amass data. We look forward to continuing to work with Amass and supporting its development!"
- J. Eric Smith, VP of Technology Services Delivery
"Accenture’s adversary simulation team has used Amass as our primary tool suite on a variety of external enumeration projects and attack surface assessments for clients. It’s been an absolutely invaluable basis for infrastructure enumeration, and we’re really grateful for all the hard work that’s gone into making and maintaining it – it’s made our job much easier!"
- Max Deighton, Accenture Cyber Defense Manager
"For an internal red team, the organisational structure of Visma puts us against a unique challenge. Having sufficient, continuous visibility over our external attack surface is an integral part of being able to efficiently carry out our task. When dealing with hundreds of companies with different products and supporting infrastructure we need to always be on top of our game.
For years, OWASP Amass has been a staple in the asset reconnaissance field, and keeps proving its worth time after time. The tool keeps constantly evolving and improving to adapt to the new trends in this area."
- Joona Hoikkala (@joohoi) & Alexis Fernández (@six2dez), Visma Red Team
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
To contribute, all you have to do is make the Project Leader aware of your available time. It is also important to let the leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leader is key.
You can certainly participate in the project even if you are not a programmer. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, programmers, testers, writers, and graphic designers.