Inside Crossfeed: How CISA Built a Serverless Attack Surface Monitor
Hook
The U.S. government just open-sourced the same attack surface monitoring system it uses to protect federal agencies—and it runs on serverless infrastructure.
Context
Organizations don’t know what they don’t know. Shadow IT, forgotten subdomains, misconfigured S3 buckets, expired certificates on legacy systems—your external attack surface is constantly shifting, and attackers scan for these weaknesses 24/7. Traditional vulnerability management focuses on known assets, but the real danger often comes from the forgotten ones.
CISA (Cybersecurity and Infrastructure Security Agency) and the Defense Digital Service faced this problem at federal scale. They needed continuous enumeration and monitoring across hundreds of government organizations, each with sprawling infrastructure they couldn’t manually track. The solution became Crossfeed: a serverless TypeScript application that orchestrates multiple open-source security tools to automatically discover public-facing assets and flag potential flaws. Rather than keeping it internal, they released it under CC0 public domain, making enterprise-grade attack surface management available to any organization.
Technical Insight
Crossfeed’s architecture makes an interesting trade-off: it sacrifices the simplicity of monolithic scanning tools for the scalability and cost-efficiency of serverless orchestration. The system splits into three distinct pipelines—frontend, backend, and infrastructure—each independently deployable through GitHub Actions workflows, as evidenced by the separate badge statuses in the repository.
The backend is where the orchestration magic happens. Rather than building yet another security scanner, Crossfeed acts as a coordinator for existing open-source tools. It runs scans on scheduled intervals, aggregates findings from passive and active reconnaissance modes, and stores everything in a centralized database. This separation of concerns means CISA can swap out individual scanning tools as the security landscape evolves without rewriting the entire platform.
The dual scanning mode architecture is particularly clever. Passive mode relies on data feeds and public sources (certificate transparency logs, DNS records, threat intelligence feeds) to enumerate assets without ever touching target infrastructure. Active mode actually probes discovered assets, running tools that make HTTP requests, perform port scans, and run vulnerability checks. This architectural split isn't just about technical implementation; it's a compliance feature. Government agencies and regulated industries can run passive enumeration continuously while restricting active scans to maintenance windows or excluding them entirely.
The serverless deployment appears to use ephemeral compute resources that spin up for scan execution and shut down afterward. This approach has cost implications—you pay for actual scan execution time rather than idle infrastructure. For organizations monitoring hundreds of domains but only running scans daily or weekly, the serverless model can provide significant cost advantages compared to maintaining dedicated scanning servers.
The frontend functions as a self-service portal, which is where Crossfeed differentiates itself from command-line scanning tools. Non-technical stakeholders—compliance officers, executives, domain owners—can log in, view their organization’s attack surface, customize which scans run against their assets, and export reports. This democratization of security tooling shifts attack surface monitoring from a periodic security team exercise to continuous organizational awareness.
The repository structure reveals TypeScript throughout, leveraging type safety for scan configurations and API contracts between frontend and backend. The Serverless Framework badge indicates they’re using industry-standard infrastructure-as-code rather than raw CloudFormation, making the deployment more maintainable and potentially more portable.
While the README doesn’t expose specific implementation details (documentation lives externally at docs.crossfeed.cyber.dhs.gov), the architecture appears to follow event-driven patterns common in serverless scanning systems where scan results flow asynchronously through the system. Individual scanning tools can likely fail without breaking the entire scan run, and results can be processed as they complete rather than waiting for the slowest scanner.
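To make the two ideas above concrete (passive tools run at any time while active tools are gated behind a maintenance window and an explicit allow-list, and one failing scanner produces a failed record instead of aborting the run), here is an added TypeScript example. It is not Crossfeed's own code; the tool names, the policy shape, and the sample results are constructed for illustration, and the "scanners" are stubs that never touch the network.

```typescript
// Added example, not part of the Crossfeed repository.
// A minimal orchestrator that gates active scans behind policy and isolates
// per-tool failures so results can be processed as each tool completes.

type ScanMode = "passive" | "active";

interface ScanTool {
  name: string;
  mode: ScanMode;
  // A tool receives a domain and resolves to the asset hostnames it found.
  run(domain: string): Promise<string[]>;
}

interface ScanPolicy {
  // UTC hours during which active scans are permitted; empty means never.
  activeWindowHoursUtc: number[];
  // Domains for which active scanning has been explicitly approved.
  activeAllowList: string[];
}

interface ToolResult {
  tool: string;
  status: "ok" | "skipped" | "failed";
  assets: string[];
  error?: string;
}

// Passive tools are always permitted; active tools need both an open
// maintenance window and an allow-listed domain.
export function isPermitted(tool: ScanTool, domain: string, policy: ScanPolicy, now: Date): boolean {
  if (tool.mode === "passive") return true;
  const hour = now.getUTCHours();
  return policy.activeWindowHoursUtc.includes(hour) && policy.activeAllowList.includes(domain);
}

// Run every permitted tool concurrently. Each tool is wrapped in its own
// try/catch, so a broken scanner yields a "failed" record and the other
// results are still returned.
export async function runScan(domain: string, tools: ScanTool[], policy: ScanPolicy, now: Date): Promise<ToolResult[]> {
  const permitted = tools.filter((t) => isPermitted(t, domain, policy, now));
  const skipped: ToolResult[] = tools
    .filter((t) => !permitted.includes(t))
    .map((t): ToolResult => ({ tool: t.name, status: "skipped", assets: [] }));
  const ran = await Promise.all(
    permitted.map(async (t): Promise<ToolResult> => {
      try {
        return { tool: t.name, status: "ok", assets: await t.run(domain) };
      } catch (e) {
        return { tool: t.name, status: "failed", assets: [], error: String(e) };
      }
    })
  );
  return [...skipped, ...ran];
}

// Merge successful results into a deduplicated, sorted asset inventory.
export function mergeAssets(results: ToolResult[]): string[] {
  const all = results.flatMap((r) => r.assets);
  return Array.from(new Set(all)).sort();
}

// Constructed stand-ins for real scanners (hypothetical names, no network I/O).
export const sampleTools: ScanTool[] = [
  { name: "ct-logs", mode: "passive", run: async () => ["www.example.gov", "mail.example.gov"] },
  { name: "dns-records", mode: "passive", run: async () => ["www.example.gov", "vpn.example.gov"] },
  { name: "http-probe", mode: "active", run: async () => ["www.example.gov"] },
  { name: "broken-tool", mode: "passive", run: async () => { throw new Error("timeout"); } },
];

// Constructed policy: active scans only 02:00-04:59 UTC and only for example.gov.
export const samplePolicy: ScanPolicy = {
  activeWindowHoursUtc: [2, 3, 4],
  activeAllowList: ["example.gov"],
};
```

Running `runScan("example.gov", sampleTools, samplePolicy, new Date())` during the day skips `http-probe`, records `broken-tool` as failed with its error message, and still returns the assets from the two passive tools; the same call at 03:00 UTC also runs the active probe. In a real deployment the policy would come from the organization's configuration rather than a constant.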
The continuous enumeration aspect is crucial. Crossfeed isn’t a point-in-time scanner you run manually. It’s designed for scheduled, recurring execution that builds historical data over time. This lets you track when assets appear or disappear, when certificates are nearing expiration, or when new vulnerabilities surface on existing infrastructure—all without manual intervention.
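The value of recurring runs comes from comparing one run's inventory with the last. The following added TypeScript example (not Crossfeed's code; the snapshot shape, hostnames and dates are constructed) diffs two inventory snapshots to report assets that appeared, assets that disappeared, and certificates that are within a warning window or already expired. It generalizes slightly beyond the paragraph by treating an already-expired certificate (negative days left) as the most urgent case.

```typescript
// Added example, not part of the Crossfeed repository.
// Diff two scheduled-run inventory snapshots to surface the changes an
// attack surface monitor should alert on.

interface AssetRecord {
  hostname: string;
  // ISO 8601 expiry of the observed TLS certificate, if the asset served one.
  certNotAfter?: string;
}

interface Snapshot {
  takenAt: string; // ISO 8601 timestamp of the run
  assets: AssetRecord[];
}

interface InventoryDiff {
  appeared: string[];
  disappeared: string[];
  // Sorted by urgency: already-expired certificates (negative daysLeft) first.
  certsExpiringSoon: { hostname: string; daysLeft: number }[];
}

const MS_PER_DAY = 86_400_000;

export function diffSnapshots(previous: Snapshot, current: Snapshot, warnDays = 30): InventoryDiff {
  const prev = new Set(previous.assets.map((a) => a.hostname));
  const curr = new Set(current.assets.map((a) => a.hostname));

  const appeared = Array.from(curr).filter((h) => !prev.has(h)).sort();
  const disappeared = Array.from(prev).filter((h) => !curr.has(h)).sort();

  // Expiry is measured relative to the run time, not wall-clock now, so the
  // diff is reproducible when replayed from stored snapshots.
  const runTime = Date.parse(current.takenAt);
  const certsExpiringSoon = current.assets
    .filter((a) => a.certNotAfter !== undefined)
    .map((a) => ({
      hostname: a.hostname,
      daysLeft: Math.floor((Date.parse(a.certNotAfter as string) - runTime) / MS_PER_DAY),
    }))
    .filter((c) => c.daysLeft <= warnDays)
    .sort((x, y) => x.daysLeft - y.daysLeft);

  return { appeared, disappeared, certsExpiringSoon };
}

// Constructed snapshots one month apart (hypothetical hostnames).
export const previousSnapshot: Snapshot = {
  takenAt: "2024-05-01T00:00:00Z",
  assets: [
    { hostname: "www.example.gov", certNotAfter: "2025-01-01T00:00:00Z" },
    { hostname: "legacy.example.gov", certNotAfter: "2024-06-15T00:00:00Z" },
    { hostname: "old-api.example.gov", certNotAfter: "2024-05-20T00:00:00Z" },
    { hostname: "mail.example.gov" },
  ],
};

export const currentSnapshot: Snapshot = {
  takenAt: "2024-06-01T00:00:00Z",
  assets: [
    { hostname: "www.example.gov", certNotAfter: "2025-01-01T00:00:00Z" },
    { hostname: "legacy.example.gov", certNotAfter: "2024-06-15T00:00:00Z" },
    { hostname: "old-api.example.gov", certNotAfter: "2024-05-20T00:00:00Z" },
    { hostname: "staging.example.gov" },
  ],
};
```

For the constructed snapshots, `diffSnapshots(previousSnapshot, currentSnapshot)` reports `staging.example.gov` as new, `mail.example.gov` as gone, and two certificate findings: `old-api.example.gov` expired 12 days before the run and `legacy.example.gov` expires in 14 days. Feeding each run's output into this diff is what turns a scanner into a monitor.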
Gotcha
The serverless architecture is both Crossfeed’s strength and its biggest barrier to adoption. Deploying this properly appears to require significant cloud infrastructure expertise—you’re not just installing a Docker container or running a binary. The repository shows three separate deployment pipelines, suggesting complexity that small teams may struggle with.
The external documentation at docs.crossfeed.cyber.dhs.gov is a documentation anti-pattern for open-source projects. If that domain goes down, changes ownership, or the docs fall out of sync with the codebase, you’re left with a minimalist README that provides almost no setup guidance. The repository itself should contain comprehensive documentation, especially for a government project meant for public use.
Active scanning modes carry inherent risks that the architecture can’t solve for you. Running automated vulnerability scanners against production infrastructure can trigger security alerts, overwhelm small services, or violate terms of service for third-party platforms. Crossfeed gives you the orchestration layer, but you still need security expertise to configure scanning safely and maintain whitelisting arrangements with your service providers. This isn’t a tool you can deploy and forget.
Verdict
Use Crossfeed if you’re managing attack surface for multiple organizations or business units, have cloud infrastructure expertise in-house, and need the cost efficiency of serverless scaling. It’s particularly valuable for government agencies, MSSPs, or large enterprises where the self-service portal justifies the deployment complexity. The dual passive/active scanning modes give you compliance flexibility that commercial tools often lock behind enterprise tiers. Skip it if you’re a small team looking for simple periodic scanning, lack serverless infrastructure capabilities, or need on-premise deployment. For single-organization use cases, tools like Amass or Nuclei with basic scripting might deliver much of the value with less operational overhead. Also skip if the external documentation dependency and serverless complexity don’t align with your team’s capabilities or timeline requirements.