Tactics

Web property scanning

Automated and semi-automated reconnaissance against a target's web properties — typically triggered by Certificate Transparency log monitoring within minutes of a new domain's first TLS certificate — looking for exposed credentials, configuration files, secret tokens, and backup archives before the operator has finished hardening. Includes both Nuclei-class burst scans from bulletproof-hosting clusters and slower curated curl/LLM-assisted recon passes.

Also known as
fresh-deploy scanning, CT-log scraping, credential reconnaissance, Nuclei-class probing, secrets-wordlist sweep
The formal term
Automated reconnaissance against web infrastructure for credential and configuration exposure; opportunistic mass-scale attack surface scanning.
Overlay / cover
legitimate security-research scanning (LeakIX, Censys, Shodan); academic crawlers; bug-bounty researchers under platform-issued scope; honest pen-testers under contract.

Tactic entry to be written. Sections to fill in: definition + mechanism (CT-log monitoring + Nuclei templates + bulletproof-hosting reseller infrastructure), what it produces (credential scrapes monetized via wallet drains or spam infrastructure), the legitimate-scanning overlays (LeakIX, Censys, Shodan, bug-bounty programs) that provide cover and complicate detection, why fresh domains specifically are hit (no hardening window), what good ops practice looks like (no .env in webroot, no /backup.sql, no /config/ exposed, immediate hardening before first TLS issuance), and the bounty-system response David proposes in the inaugural entry.
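An added detection example, not code from this entry or from any project it references: it reads constructed web-server access-log lines and flags clients that request several of the secret/backup paths named above within a short window after the domain's first certificate issuance, which is the timing signature of a CT-triggered sweep. The combined log format, the ten-minute window and the documentation-range IP addresses are assumptions.

```python
"""Flag fresh-deploy secrets sweeps in web access logs.

Heuristic: one client requesting several well-known secret/backup paths
(.env, backup.sql, /config/) shortly after the domain's first TLS
certificate was issued is a scanner, not a visitor. A 200 on any of
these paths means the file really is exposed and must be pulled first.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Paths this entry names as things that must never sit in the webroot.
SENSITIVE_PATHS = ("/.env", "/backup.sql", "/config/")

# Assumed combined log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), path, int(status)

def find_sweeps(lines, cert_issued, window=timedelta(minutes=10), min_hits=2):
    """Map ip -> sorted distinct sensitive paths for clients that probed
    at least `min_hits` such paths within `window` of cert issuance."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, path, _status = rec
        if not (cert_issued <= when <= cert_issued + window):
            continue  # outside the post-issuance hardening window
        if any(path.startswith(p) for p in SENSITIVE_PATHS):
            hits[ip].add(path)
    return {ip: sorted(p) for ip, p in hits.items() if len(p) >= min_hits}

# Constructed sample: cert issued 12:00Z, a scanner arrives four minutes later.
CERT_ISSUED = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2024:12:04:10 +0000] "GET /.env HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/May/2024:12:04:11 +0000] "GET /backup.sql HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/May/2024:12:04:12 +0000] "GET /config/ HTTP/1.1" 403 0',
    '198.51.100.2 - - [01/May/2024:12:05:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.2 - - [01/May/2024:12:05:03 +0000] "GET /.env HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/May/2024:15:30:00 +0000] "GET /.env HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, paths in find_sweeps(SAMPLE_LOG, CERT_ISSUED).items():
        print(f"sweep from {ip}: {paths}")
```

Only the client that hit three sensitive paths inside the window is reported; the single-probe visitor and the late scanner are not.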

Where this appeared in the storm

Related