
Automate External Attack Surface Mapping with Shodan API

Free n8n workflow template for security teams to automatically discover exposed assets, identify vulnerabilities, and map your external footprint.

Download Template JSON · n8n compatible · Free
[Figure: n8n workflow diagram showing Shodan API and DNS lookup automation for security reconnaissance]

What This Workflow Does

This automation transforms the manual, time-consuming process of external security reconnaissance into a systematic, repeatable workflow. It's designed for security professionals, ethical hackers, and IT teams who need to maintain continuous visibility into their organization's internet-facing assets.

The workflow takes a target domain as input, performs comprehensive DNS lookups to identify all associated IP addresses and subdomains, then queries the Shodan API to gather intelligence on each discovered asset. This includes service banners, open ports, running technologies, SSL certificate details, and known vulnerabilities—all organized into a structured report.

Instead of spending hours manually checking different tools and compiling spreadsheets, this automation delivers actionable security intelligence in minutes, enabling proactive vulnerability management and reducing your organization's attack surface before malicious actors can exploit it.

How It Works

The workflow follows a logical reconnaissance pipeline that mimics how security professionals approach external footprinting, but with automation handling the repetitive tasks.

1. DNS Enumeration & Subdomain Discovery

The workflow begins by taking your target domain and performing comprehensive DNS lookups. It identifies all associated IP addresses, subdomains, and DNS records that might represent entry points to your infrastructure.

2. Shodan API Intelligence Gathering

Each discovered IP address is then queried against the Shodan database. Shodan returns detailed banners from services running on open ports, revealing software versions, configurations, and potential vulnerabilities.

3. Data Enrichment & Correlation

The workflow correlates DNS data with Shodan results, eliminating duplicates and false positives. It identifies which services are running on which assets and flags any discrepancies or unexpected exposures.

4. Report Generation & Alerting

Finally, the workflow compiles all findings into a structured report (CSV, JSON, or formatted message) and can trigger alerts via email, Slack, or other channels when critical vulnerabilities or unexpected exposures are detected.
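
The correlation and reporting steps above can be sketched in JavaScript, the language of n8n Code nodes. This is an added example, not the template's own code: the `correlate` function, the `EXPECTED_PORTS` allowlist and the `flag` values are hypothetical, the Shodan field names (`ports`, `data[].port`, `data[].product`, `data[].version`, `vulns`) are assumed from Shodan's host lookup response, and all sample data is constructed.

```javascript
// Added example: correlate DNS answers with Shodan host records (step 3)
// and build report rows (step 4). All sample data is constructed.
// Assumption: field names (ports, data[].port/product/version, vulns) follow
// Shodan's host lookup response; EXPECTED_PORTS is a hypothetical allowlist.
const EXPECTED_PORTS = new Set([80, 443]);

function correlate(dnsRecords, shodanHosts) {
  // Group hostnames by IP so an address shared by several names is reported once.
  const namesByIp = new Map();
  for (const { hostname, ip } of dnsRecords) {
    if (!namesByIp.has(ip)) namesByIp.set(ip, new Set());
    namesByIp.get(ip).add(hostname.toLowerCase());
  }
  const rows = [];
  for (const [ip, names] of namesByIp) {
    const host = shodanHosts[ip]; // undefined when Shodan has no record for the IP
    const services = (host?.data ?? []).map((b) => ({
      port: b.port,
      product: b.product ?? "unknown",
      version: b.version ?? "",
    }));
    const ports = [...new Set(host?.ports ?? [])].sort((a, b) => a - b);
    const unexpectedPorts = ports.filter((p) => !EXPECTED_PORTS.has(p));
    const vulns = host?.vulns ?? [];
    // Triage order: known vulnerabilities, then unexpected exposure, then info.
    const flag = vulns.length ? "known-vuln"
      : unexpectedPorts.length ? "unexpected-port" : "info";
    rows.push({ ip, hostnames: [...names].sort(), indexed: Boolean(host),
      ports, services, unexpectedPorts, vulns, flag });
  }
  return rows;
}

// Constructed sample input: documentation IP range, placeholder CVE id.
const dns = [
  { hostname: "www.example.com", ip: "192.0.2.10" },
  { hostname: "WWW.example.com", ip: "192.0.2.10" }, // duplicate, differs only in case
  { hostname: "db.example.com", ip: "192.0.2.20" },
  { hostname: "new.example.com", ip: "192.0.2.30" }, // not indexed by Shodan
];
const shodan = {
  "192.0.2.10": { ports: [443, 80], data: [{ port: 443, product: "nginx" }] },
  "192.0.2.20": { ports: [27017], vulns: ["CVE-0000-00000"],
    data: [{ port: 27017, product: "MongoDB", version: "4.0" }] },
};
console.log(JSON.stringify(correlate(dns, shodan), null, 2));
```

An asset that resolves in DNS but has no Shodan record is kept in the report with `indexed: false` rather than dropped, so it can still be checked against the asset inventory.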

Pro tip: Schedule this workflow to run weekly to maintain continuous visibility. The real value comes from detecting changes in your external attack surface, not just taking a one-time snapshot.

Who This Is For

This template is specifically designed for security teams and professionals who need to maintain external visibility:

  • Security Operations (SecOps) Teams responsible for continuous monitoring and vulnerability management
  • Penetration Testers & Ethical Hackers conducting external security assessments
  • IT & DevOps Teams managing cloud infrastructure who need to verify nothing is accidentally exposed
  • Compliance Officers needing documented evidence of external security monitoring
  • Bug Bounty Researchers looking to automate initial reconnaissance phases

If you're responsible for knowing what's exposed to the internet and whether it's secure, this workflow will save you dozens of hours per month.

What You'll Need

  1. n8n instance (self-hosted or cloud)
  2. Shodan API key (free tier available with limited queries, paid for regular scanning)
  3. DNS resolution capability (built into n8n or via external DNS lookup services)
  4. Output destination (Google Sheets, database, or webhook endpoint for results)
  5. Basic understanding of your organization's legitimate external domains and IP ranges

Quick Setup Guide

Getting started with this security automation takes about 15 minutes:

  1. Download the template using the button above and import it into your n8n instance
  2. Configure your Shodan API credentials in the HTTP Request nodes (sign up at shodan.io if needed)
  3. Set your target domains in the initial trigger or manual execution node
  4. Configure output destinations—choose where results should go (Google Sheets, database, notification channels)
  5. Test with a single domain to verify everything works before scanning your entire portfolio
  6. Schedule the workflow for regular execution (daily, weekly, or monthly depending on your needs)

Security note: Always ensure you have authorization to scan the target domains. For internal use, scan only assets you own or have explicit permission to test. Consider rate limiting to avoid overwhelming services.

Key Benefits

Save 10+ hours per week on manual reconnaissance. What typically takes a security analyst a full day of manual work completes automatically in under 30 minutes.

Discover shadow IT and forgotten assets. Automated scanning regularly uncovers services and subdomains that weren't documented in asset inventories.

Proactive vulnerability identification. Get alerted about exposed databases, outdated software, and misconfigured services before they're exploited.

Compliance evidence generation. Maintain documented proof of continuous external monitoring for audit requirements like SOC 2, ISO 27001, or PCI DSS.

Scalable security operations. As your organization grows, this workflow scales with you—monitoring hundreds of domains with no additional manual effort.

Frequently Asked Questions

Common questions about security automation and external attack surface management

External attack surface mapping is the process of identifying all internet-facing assets (servers, services, open ports) that belong to your organization. It's critical for security because you can't protect what you don't know exists.

Automated mapping helps security teams discover forgotten subdomains, exposed databases, outdated software, and misconfigured services before attackers do. It's the foundation of proactive security posture management.

Shodan is a search engine for internet-connected devices. It scans the entire internet and indexes banners from services running on open ports. For security teams, Shodan reveals what information about your infrastructure is publicly visible.

This includes software versions, open ports, SSL certificates, and even known vulnerabilities. This data is invaluable for identifying weak points in your external perimeter without actively scanning your own networks.

Yes, absolutely. Regular external attack surface assessment is a requirement in many compliance frameworks. This automated workflow provides documented evidence of continuous monitoring, which auditors look for.

It helps identify unauthorized external services and demonstrates proactive security controls. The workflow's output can be formatted to directly support compliance reports for requirements around asset inventory and vulnerability management.

Traditional vulnerability scanners often require internal network access and can be noisy, potentially triggering intrusion detection systems. This workflow uses passive reconnaissance through Shodan and DNS lookups.

The key difference is approach: this workflow focuses on what's already exposed to the internet from an external perspective, while traditional scanners probe from inside your network. They're complementary approaches for comprehensive security.

For most organizations, weekly scans are sufficient. However, companies undergoing rapid digital transformation, frequent cloud deployments, or M&A activity should consider daily monitoring.

The key is to establish a baseline and then monitor for changes—new subdomains, unexpected services appearing, or previously unknown IP addresses hosting your brand. More frequent scanning is valuable during periods of significant infrastructure change.
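
The baseline comparison described here, and in the scheduling tip earlier on the page, can be sketched as follows. This is an added example, not part of the template: the snapshot shape (hostname mapped to `{ ip, ports }`), the change type names and the `needsAlert` rule are assumptions, and the sample data is constructed.

```javascript
// Added example: compare this run's snapshot with a stored baseline.
// Assumed snapshot shape: { hostname: { ip, ports } }. Sample data is constructed.
function diffSnapshots(baseline, current) {
  const changes = [];
  for (const [host, now] of Object.entries(current)) {
    const before = baseline[host];
    if (!before) {
      // Hostname never seen before: candidate shadow IT or a new deployment.
      changes.push({ type: "new_host", host, ip: now.ip, ports: now.ports });
      continue;
    }
    if (before.ip !== now.ip) {
      changes.push({ type: "ip_changed", host, from: before.ip, to: now.ip });
    }
    const known = new Set(before.ports);
    const seen = new Set(now.ports);
    const opened = now.ports.filter((p) => !known.has(p));
    const closed = before.ports.filter((p) => !seen.has(p));
    if (opened.length) changes.push({ type: "ports_opened", host, ports: opened });
    if (closed.length) changes.push({ type: "ports_closed", host, ports: closed });
  }
  for (const host of Object.keys(baseline)) {
    // Present in the baseline but gone now: confirm it was decommissioned on purpose.
    if (!(host in current)) changes.push({ type: "host_removed", host });
  }
  return changes;
}

// Hypothetical alert rule: only changes that widen exposure notify a channel;
// everything else goes into the periodic report.
function needsAlert(change) {
  return ["new_host", "ip_changed", "ports_opened"].includes(change.type);
}

// Constructed snapshots using documentation IP addresses.
const lastWeek = {
  "www.example.com": { ip: "192.0.2.10", ports: [80, 443] },
  "old.example.com": { ip: "192.0.2.40", ports: [443] },
};
const thisWeek = {
  "www.example.com": { ip: "192.0.2.10", ports: [80, 443, 6379] },
  "staging.example.com": { ip: "192.0.2.50", ports: [22] },
};
const changes = diffSnapshots(lastWeek, thisWeek);
console.log(changes.filter(needsAlert));
```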

The collected data should feed directly into your vulnerability management process. Prioritize findings based on risk: critical services with known vulnerabilities first, then misconfigurations, then informational findings.

Integrate the results with ticketing systems like Jira for tracking remediation, or SIEM tools for correlation with other security events. Regular reporting to leadership demonstrates security program maturity and helps justify security investments.

Absolutely. The n8n workflow is modular—you can add nodes to check specific services (like exposed Redis or MongoDB instances), integrate with internal CMDBs to validate assets, or add notification channels like Slack or Microsoft Teams for critical findings.

You can also extend it to include additional reconnaissance sources like Censys or SecurityTrails for more comprehensive coverage, or add validation steps to reduce false positives from cloud provider infrastructure.

Yes, GrowwStacks specializes in building custom security automation solutions tailored to your specific infrastructure and compliance needs. We understand that every organization's attack surface and risk profile is unique.

Our team can design workflows that integrate with your existing security tools, create custom alerting logic based on your risk thresholds, and establish automated remediation processes. We help security teams scale their capabilities without increasing headcount through intelligent automation.

  • Integration with your existing SIEM, ticketing, and monitoring systems
  • Custom risk scoring based on your organization's specific concerns
  • Automated remediation workflows for common security findings
  • Compliance reporting tailored to your audit requirements
