Getting Started Guide

Best practices for getting up and running with Halo Security.

It's easy to get started with Halo Security. Initial onboarding can be completed in as little as a few hours. In this guide, we'll dive into our recommended steps for getting started.

Let us help! Our security engineers are always happy to configure your account for you. Just schedule a security review.


Preparation

Here's what you'll want to have before you begin:

  • A Halo Security account

  • A few pieces of information about your organization:

    • A list of domains you own: We recommend downloading these from your domain registrar or using our connectors

    • A list of your static network ranges

    • Admin access to any connectors you want to use (like AWS, Azure, or Google Cloud Platform)

While we can work with as little as your primary domain name, more information can help ensure more comprehensive discovery.


Understanding the Process

To get a complete picture of the attack surface of an organization, you'll start by adding seeds to your account. These can include known domains, network ranges, connectors to cloud providers, and more. From these seeds, the platform automatically discovers assets that belong to your organization.

You can review these discovered assets and add them as targets. As targets are scanned, additional connected assets are discovered. Based on these targets, the platform also suggests other potential seeds to add.

Scanning the targets also identifies issues, technologies, ports, services, and other web elements to help you improve the security posture of your attack surface.


Checklist

You can use this checklist to complete your initial setup.


Add Seeds

Seeds are the things you know about your organization. We'll use these to discover your external assets. While we can work with as little as your domain name, adding more seeds will generally improve the comprehensiveness of the discovery.

The Seeds section allows you to input all of your seeds.

Connectors

Add connectors to automatically pull in data from your DNS and cloud hosting providers. These API connections allow Halo Security read-only access to pull in asset information from the following providers:

We also support an HTTP connector that accesses data from a specified URL.

Domains

Add domains that your organization has registered. We recommend downloading a list from your registrar, or manually entering the ones you know about.

Networks

If your organization uses static network ranges or netblocks, add those in as well. We'll scan those to identify any internet-accessible ports and IP addresses.

Searches

Searches allow you to find unknown assets using information about your organization. There are 5 search types. We'll walk through some recommended searches.

For the following recommendations, we'll use a fictional business called Rincon Bags.

Add a Domain Registry search to find registered domains that may belong to your organization.

Query: rinconbags

Match: contains

This will find any domains that contain rinconbags, like myrinconbags.com.

Query: rinconbags

Match: Levenshtein

Max Levenshtein Score: 3

Levenshtein is an edit-distance similarity algorithm that works best for more distinctive brand names. With it we can identify a look-alike domain such as riinc0nbags.com.
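As an added illustration (not Halo Security's code), the following script implements the two Domain Registry match modes described above, contains and Levenshtein, over a constructed list of registered domains, so you can see why a contains match misses riinc0nbags.com while a Levenshtein match with a cut-off of 3 catches it. The domain list, the `registrable_label` helper and the decision to compare the Levenshtein query against the second-level label only are assumptions made for this example.

```python
# Added example: "contains" vs "Levenshtein" matching for a Domain Registry search.
# Not Halo Security's implementation; the domain list below is constructed.

# Constructed sample of registered domains (the "registry" being searched).
DOMAINS = [
    "rinconbags.com",      # the brand's own domain
    "myrinconbags.com",    # caught by "contains"
    "riinc0nbags.com",     # look-alike: extra "i" and "0" for "o"
    "rincon-bags.net",     # one inserted hyphen
    "rinconbagz.com",      # one substituted letter
    "rinc0nbag.com",       # "0" for "o" and a dropped "s"
    "example.com",         # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), rolling-row version."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'riinc0nbags' for 'riinc0nbags.com'.
    Assumption: a plain split on dots; public-suffix handling is out of scope."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def contains_search(query: str, domains=DOMAINS):
    """Match: contains -- substring test over the whole domain name."""
    q = query.lower()
    return [d for d in domains if q in d.lower()]


def levenshtein_search(query: str, domains=DOMAINS, max_score: int = 3):
    """Match: Levenshtein -- keep domains whose label is within max_score edits.
    Returns (domain, score) pairs, closest first."""
    q = query.lower()
    hits = [(d, levenshtein(q, registrable_label(d))) for d in domains]
    return sorted([h for h in hits if h[1] <= max_score], key=lambda h: h[1])


if __name__ == "__main__":
    print("contains:", contains_search("rinconbags"))
    for domain, score in levenshtein_search("rinconbags"):
        print(f"levenshtein {score}: {domain}")
```

Lowering the maximum score tightens the match: at a cut-off of 1 only the single-edit variants survive, while a cut-off of 3 on a short or common brand name will pull in unrelated domains, which is why the guide recommends Levenshtein for more distinctive names.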

Add a Web search to find websites that contain words and phrases associated with your organization.

Query: © Rincon Bags, Inc

Site: (leave empty)

This will find websites that use the specified phrase.

Add a Whois search to find domains registered with your organization's contact information.

Query: @rinconbags.com

This finds domains registered with corporate email addresses.

Query: Rincon Bags, Inc

This finds domains registered with your organization's name.

Query: 1 (800) 940-2375

This finds domains registered with your corporate phone number.

Add an Image Search seed to find websites using specific images, such as your organization's logo.

Name: Rincon Bags Logo

Image URL: https://www.rinconbags.com/static/img/logo.png

This will find other websites using the corporate logo.

Add a Business search to find subsidiaries, parent companies, and acquisitions.

Business: Rincon Bags, Inc.

This will find subsidiaries, parent companies, and acquisitions associated with the business.

Time for a break. Once you've added your initial seeds, you'll want to give the scanners a bit of time to complete their initial discovery.


Identify Icons

Once your initial discovery scans are complete, you'll start to see assets populate in the Assets section. Before diving into those, it can be helpful to identify the icons (or favicons) associated with your organization.

Jump over to the Manage Icons section. Here you'll see all of the icons associated with the discovered assets.

Click the icons that belong to your organization once to highlight them in green. Click unfamiliar icons twice to highlight them in red.

When you click Save, icons highlighted in green will be added as "My Icons" while red icons will be acknowledged. You'll now be able to filter assets that have the icons you've associated with your brand.


Add or acknowledge discovered assets

It's time to review the discovered assets and start adding them to your inventory for additional scanning.

On the Assets Overview, you'll see a summary of your discovered assets and your progress in evaluating them. Green bars represent the assets that have been added as targets. Yellow indicates assets that are restricted from scanning. Grey indicates assets that you've acknowledged and don't view as part of your inventory. Black indicates assets that haven't yet been evaluated. We call this the shadow bar.

We recommend approaching asset evaluation in the following order.

1. Add all discovered hosts

Discovered hosts are all subdomains of your organization's domains. Use the pencil icon to bulk-select all of the assets here, then select Add Target.

2. Add all discovered IPs

These IPs are either part of your network ranges or attached to assets you own. We recommend adding all of these as targets.

Time for a break. We recommend waiting for initial scans to complete on these assets to help find more connected assets before moving on.

3. Review connected domains

Connected domains are domains we've found through our various discovery techniques that seem to be connected to your organization. Easily sort them using the Connected Score to see how connected they are to your seeds and targets.

Add any domains that belong to you as domain seeds. Once the discovery process runs against those seeds, you'll be able to add each of the subdomains from the discovered hosts section. Acknowledge the rest.

4. Review connected hosts

Connected hosts are the hostnames we've found that aren't subdomains of any domains in your account. This can be useful for identifying and adding subdomains of cloud providers and vendors where you only control the subdomain and not the full domain space.

Add the ones that belong to you as targets. Acknowledge the rest.

Tip: In the filter panel, select Icons: My Icons to show only the assets that use one of the icons you've associated with your brand.

Once you've added any new targets or domain seeds, allow the scanners to run, and then check back to look at any newly discovered assets. This recursive process helps ensure more comprehensive coverage of your attack surface.


Review Suggested Seeds

As we scan your assets and targets, the platform learns more about your organization and suggests potential seeds that may help identify more unknown assets. Review those by visiting the Seeds Overview. Add any that make sense to you and dismiss the rest.

Whenever you add new seeds, wait for the discovery process to complete and then review any newly discovered assets.


Set Up Organizations

Now that you've built an inventory of your external assets, you can start organizing your assets to understand who is responsible for them and how they relate to your organization.

Start by enabling organizations from Settings, then visit the Organizations overview to begin building out your organizational structure.

Organizations are very flexible and can be used in different ways to match the way you think about your organization. A common approach is to set the Top as your organization's name, then add subsidiaries beneath it, and then add business units beneath those subsidiaries.

Experiment a bit to find the right balance for your organization. You can set target domains for each unit within the organizational structure to automatically include all targets from those selected domains. You can also use tags and auto tags to group targets within the organizational unit.


Set Up Auto Tags

Auto tags allow you to automatically group targets by nearly any data point that we collect. To get started, go to Settings → Auto Tag and click the plus to add a new ruleset.

Name your auto tag and select the tag that will be applied to the targets that match the rules you'll enter. You can require all the rules to match or tag all targets that match any of the rules you set.

Next, add the rules and easily see how many targets the rule set matches.

Examples

Tag all targets that are located outside of the USA:

Type: Country

Match: No

Value: USA

Tag all targets using AWS CloudFront:

Type: Technology

Match: Yes

Value: AWS CloudFront

Tip: Use the auto tags you've created to automatically group the targets within your Organization.
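As an added example (not Halo Security's code), the script below evaluates auto-tag rulesets with the same shape as the two examples above (Type, Match Yes/No, Value, and an all-rules or any-rule mode) against a few constructed target records. The record fields (`host`, `country`, `technology`), the tag names and the targets themselves are assumptions for illustration. It also shows the edge case a practitioner should expect: a target with no recorded country satisfies a "Match: No / Value: USA" rule, so it picks up the outside-USA tag until its location is known.

```python
# Added example: evaluating auto-tag rulesets against target records.
# Not Halo Security's implementation; targets and tag names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    type: str     # data point, e.g. "Country" or "Technology"
    match: bool   # True = "Match: Yes", False = "Match: No"
    value: str


@dataclass
class AutoTag:
    name: str
    tag: str
    rules: List[Rule]
    require_all: bool = True   # False = tag when ANY rule matches


# Rulesets mirroring the guide's examples, plus an all-rules and an any-rule set.
OUTSIDE_USA = AutoTag("Outside USA", "non-us", [Rule("Country", False, "USA")])
CLOUDFRONT = AutoTag("CloudFront", "cdn-cloudfront",
                     [Rule("Technology", True, "AWS CloudFront")])
NON_US_CDN = AutoTag("Non-US CloudFront", "cdn-cloudfront-non-us",
                     [Rule("Country", False, "USA"),
                      Rule("Technology", True, "AWS CloudFront")], require_all=True)
ATTENTION = AutoTag("Needs attention", "attention",
                    [Rule("Technology", True, "Apache"),
                     Rule("Country", True, "Canada")], require_all=False)
RULESETS = [OUTSIDE_USA, CLOUDFRONT, NON_US_CDN, ATTENTION]

# Constructed target records; "legacy" has no country recorded on purpose.
TARGETS = [
    {"host": "www.rinconbags.com", "country": "USA",
     "technology": ["AWS CloudFront", "nginx"]},
    {"host": "eu.rinconbags.com", "country": "Germany", "technology": ["nginx"]},
    {"host": "legacy.rinconbags.com", "technology": ["Apache"]},
    {"host": "cdn.rinconbags.com", "country": "Canada",
     "technology": ["AWS CloudFront"]},
]


def _field_values(target: Dict, rule_type: str) -> set:
    """Observed values for a data point, normalised to a lower-case set."""
    raw = target.get(rule_type.lower())
    if raw is None:
        return set()            # nothing recorded for this data point
    if isinstance(raw, str):
        raw = [raw]
    return {v.lower() for v in raw}


def rule_matches(rule: Rule, target: Dict) -> bool:
    present = rule.value.lower() in _field_values(target, rule.type)
    # "Match: No" is a negation: a missing value counts as "not USA".
    return present if rule.match else not present


def ruleset_matches(auto_tag: AutoTag, target: Dict) -> bool:
    results = [rule_matches(r, target) for r in auto_tag.rules]
    return all(results) if auto_tag.require_all else any(results)


def apply_auto_tags(rulesets=RULESETS, targets=TARGETS) -> Dict[str, List[str]]:
    """Map each host to the sorted list of tags its matching rulesets apply."""
    return {t["host"]: sorted(a.tag for a in rulesets if ruleset_matches(a, t))
            for t in targets}


def match_count(auto_tag: AutoTag, targets=TARGETS) -> int:
    """How many targets a ruleset matches, as the UI shows while you add rules."""
    return sum(ruleset_matches(auto_tag, t) for t in targets)


if __name__ == "__main__":
    for host, tags in apply_auto_tags().items():
        print(f"{host}: {tags}")
```

Because the outside-USA rule is a negation, it is the one to double-check when a target's geolocation has not been collected yet: the untagged-country host above is tagged non-us, which is usually what you want for review but may surprise anyone using that tag to restrict user access.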


Add additional users

Head over to Account → Users to add your colleagues and teammates.

Use the auto tags you created to limit each user's access to a specific subset of targets.


Review findings

With your account set up, it's time to take a look at what's been found. While this guide is not intended to walk through the full breadth of security information we find, here are a few places to start:

  • Issues: The issues section lists all of your most critical vulnerabilities and misconfigurations, and is your central hub for remediation. You can easily view and assign issues to the relevant users, and use workflows to track your remediation progress.

  • Open Ports: Minimizing your internet footprint can make it easier to defend. Check out what ports are open and ensure you're not accidentally exposing ports and services that shouldn't be on the internet.

  • Technology: See what third-party technology is being used. People often find vendors they thought were off-boarded, or technologies with many different versions. A banner will appear if any technology is detected that has known exploited vulnerabilities. You can also see and address any technology versions that are associated with known CVEs.

  • DNS Records: Review DNS records to ensure you're not accidentally pointing your domains anywhere you don't intend to.

  • Script Secrets: Review any possible secrets or API keys that might accidentally be exposed within your JavaScript files.

  • Web Server Redirect Locations: Make sure you don't have servers redirecting places you don't expect.

  • HTTP codes: Look for unexpected response codes that may indicate a potential issue.


Complete the Security Review Checklist

The Security Review checklist is designed to be completed quarterly to help ensure your attack surface management program remains as strong as possible. It provides a checklist of best practices to ensure things don't fall through the cracks and your Halo Security settings are optimized. With these recommendations, you can efficiently assess discovery seeds, security risks, and account settings.


Schedule a human security review

Once you've configured your account, it's a great time to meet with one of our external security experts. Schedule a time to review your account and findings, and get help strategizing and prioritizing your security efforts.
