
Ghost App Recon

Your First Step to Mapping and Securing Your Apps & APIs

Updated over 3 weeks ago

Welcome to Ghost App Recon, the first step in gaining visibility into your applications and APIs. Ghost App Recon is designed to help Application Security (AppSec) analysts discover the external-facing applications and API endpoints they are responsible for protecting. While identifying vulnerabilities is a key benefit, the primary goal is mapping your attack surface and ensuring security best practices and hygiene across your environment.

This guide will walk you through how Ghost App Recon works, how to use it, and what to do next in your security journey with Ghost.


Getting Started

Step 1: Activate Your Ghost Account

  • When your organization signs up for Ghost, we automatically provision your tenant on our SaaS platform.

  • You’ll receive an account activation email—click the link inside to set up your password and log in.

Step 2: Enter Your Top-Level Domain (TLD)

  • Once logged in, Ghost will prompt you to enter your organization’s top-level domain (TLD) (e.g., example.com).

  • Simply enter the domain and hit Run Ghost App Recon.

  • That’s it—no additional setup required! Ghost will begin scanning immediately.

Step 3: Wait for Discovery to Complete

  • Typical scan time: 5 minutes (may take up to 20 minutes for larger domains).

  • Progress updates: The Ghost UI will indicate that scanning is in progress. Some results will begin loading before the scan fully completes.

  • Once the first set of results is in, you’ll see a popup congratulating you on completing your first step in securing your apps! 🎉


How Ghost App Recon Works

Once you provide a TLD, Ghost App Recon automatically:

  1. Finds subdomains using a combination of proprietary and open-source reconnaissance tools.

  2. Probes each discovered subdomain to identify live hosts.

  3. Identifies hosts serving web applications by checking HTTP responses.

  4. Runs a headless browser to visit the root of each web application.

  5. Extracts metadata from each application, including:

    • API Endpoints (host, path, method, port).

    • Host details (certificate info, issuer, provider, IP addresses, DNS records, CNAMEs).

    • Scripts and front-end assets (used to evaluate security hygiene).

  6. Feeds all collected data into the Ghost platform, where our Issue Rules Engine analyzes findings for security misconfigurations and best practices.

Note: The headless browser does not crawl sites, click links, fill forms, or interact with applications beyond loading the application root.


What Ghost App Recon Detects

Ghost App Recon evaluates applications, hosts, APIs, and scripts for potential security issues, including:

  • Misconfigured or invalid certificates

  • Misconfigured CORS policies

  • Potential XSS risks in front-end scripts

  • Leaked secrets in JavaScript

  • Unhandled errors in the browser console

  • Other security hygiene best practices

  • and more!

Ghost does not currently perform authenticated scans or access internal/private domains—these capabilities are planned for future releases.


Accessing Your Recon Data

Where Does the Data Go?

Your discovery results are immediately available in the Ghost UI and API.

  • UI Dashboard: View discovered apps, APIs, hosts, and security findings.

  • API Access: Query data programmatically for integration with security workflows.

How Risks Are Categorized

Ghost App Recon classifies findings by severity and provides remediation guidance for security issues.


Configuring Ghost App Recon

Managing Domains

  • Ghost App Recon scans run once per day for all enabled TLDs.

  • You can disable scans for any TLD at any time from the Settings > Domains page.

  • Ghost will also suggest other TLDs discovered during scanning—enabling scans for all your organization’s TLDs ensures the best visibility.

    • Enable Ghost App Recon for more domains from the Settings > Domains page.

Understanding Scan Traffic

Ghost App Recon scans originate from Google Cloud Platform (GCP). Customers can reference GCP’s IP blocks to identify scan traffic.

Ghost includes custom User-Agent strings in all requests so customers can easily identify traffic from our platform. You may observe one or both of the following User-Agent string patterns:

User-Agent: ghost-discovery/<release-hash>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 ghost-profiler/<release-hash>

Note that ghost-discovery and ghost-profiler are fixed identifiers. The remaining string values and release hash values may change.
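The following Python snippet is an added example, not Ghost's own code, showing how a defender can pick Ghost App Recon requests out of an ordinary web server access log using only the two fixed identifiers above. The log lines, client IP addresses, and the release hash "a1b2c3d" are constructed placeholders; a real release hash will differ and, as the note says, everything apart from ghost-discovery and ghost-profiler may change, so the matcher deliberately ignores the rest of the User-Agent string.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Only these two tokens are documented as fixed; the release hash after the
# slash and any surrounding browser string may change between Ghost releases.
GHOST_SCANNER_RE = re.compile(r'\b(ghost-discovery|ghost-profiler)/([0-9A-Za-z]+)')

# Apache/nginx "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class ScanHit:
    ip: str
    scanner: str   # "ghost-discovery" or "ghost-profiler"
    release: str   # release hash; varies, so it is captured rather than matched
    request: str
    status: int


def classify_user_agent(ua: str) -> Optional[tuple[str, str]]:
    """Return (scanner, release_hash) if the UA carries a Ghost identifier, else None."""
    m = GHOST_SCANNER_RE.search(ua)
    if not m:
        return None
    return m.group(1), m.group(2)


def find_ghost_scans(log_lines) -> list[ScanHit]:
    """Parse combined-format log lines and keep only Ghost App Recon requests."""
    hits = []
    for line in log_lines:
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tag = classify_user_agent(m.group("ua"))
        if tag is None:
            continue
        hits.append(ScanHit(
            ip=m.group("ip"),
            scanner=tag[0],
            release=tag[1],
            request=m.group("request"),
            status=int(m.group("status")),
        ))
    return hits


def summarize(hits: list[ScanHit]) -> dict[str, int]:
    """Count requests per scanner component (discovery vs. profiler)."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.scanner] = counts.get(h.scanner, 0) + 1
    return counts


# Constructed sample log. IPs are from documentation ranges, not real GCP blocks,
# and "a1b2c3d" is a placeholder release hash.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"ghost-discovery/a1b2c3d"',
    '203.0.113.10 - - [01/Mar/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 ghost-profiler/a1b2c3d"',
    '198.51.100.7 - - [01/Mar/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/133.0.0.0"',
    '198.51.100.8 - - [01/Mar/2025:10:00:04 +0000] "GET /api/v1/users HTTP/1.1" 401 0 "-" '
    '"curl/8.4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_ghost_scans(SAMPLE_LOG):
        print(f"{hit.ip} {hit.scanner} ({hit.release}) {hit.request} -> {hit.status}")
    print(summarize(find_ghost_scans(SAMPLE_LOG)))
```

A User-Agent header is set by the client, so a match on it alone should be treated as a labelling aid rather than proof of origin. To confirm that a request really came from Ghost, pair the identifier match with a check of the source IP against GCP's published IP blocks, which is the cross-reference the section above recommends.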

What’s Next?

Once external discovery is complete, continue your security journey with Ghost by:

1. Connecting to Source Code

2. Ingesting SAST Findings

  • Ghost enriches, validates, and prioritizes static analysis security testing (SAST) findings.

  • Gain code-to-runtime context and actionable risk analysis.

3. Deploying Log Forwarders

  • Help Ghost build a complete API inventory by forwarding logs from your environment.


Support & Feedback

If you encounter issues or have feedback:

  • Use the in-product feedback mechanism to report problems.

  • Email any Ghost point of contact for support.


Final Thoughts

Ghost App Recon is your first step toward complete application security visibility. By enabling Ghost to continuously discover your apps and APIs, you’ll stay ahead of misconfigurations, security gaps, and attack surface changes.

Ready to dive in? Log in now and start securing your applications! 🚀
