Skip to content

OWASP Amass Project

In-depth Attack Surface Mapping and Asset Discovery

OWASP Flagship GitHub Release License Docker Images Follow on Twitter Chat on Discord

Our Goal

In-depth OSINT collection and external attack surface mapping for everyone!

The OWASP Amass Project has developed a system to help information security professionals perform mapping of attack surfaces and external asset discovery using open source intelligence gathering and reconnaissance techniques.

The system includes key efforts and tools to help understand attack surfaces:

  • Collection Engine - for in-depth attack surface mapping and asset discovery
  • The Amass Tool - for executing collection engine sessions from the command-line
  • Asset Database - for easy storage, navigation, and management of OAM data
  • Open Asset Model - for a uniform way to communicate assets exposed on the Internet
  • OAM Tools - for extracting, manipulating, and analyzing data in an OAM database

If you have any questions about the OWASP Amass Project, please email the project leader Jeff Foley, or contact us on the project's Discord server (Discord is highly preferred).

Corporate Supporters

ZeroFox Logo WhoisXML API Logo


"For FortifyData, Amass is an invaluable tool in our arsenal for quickly and accurately determining asset footprints for cyber risk assessment. It reliably provides superior results without false positives. Further, the OAM database model provides inherent benefits beyond asset footprinting, such as identifying third parties associated with the target and nth-party detection. Working closely with the Amass team, we've watched Amass steadily enhance its capabilities. Our clients are deeply impressed with the results our platform generates using Amass data. We look forward to continuing to work with Amass and supporting its development!"

- J. Eric Smith, VP of Technology Services Delivery

"Accenture’s adversary simulation team has used Amass as our primary tool suite on a variety of external enumeration projects and attack surface assessments for clients. It’s been an absolutely invaluable basis for infrastructure enumeration, and we’re really grateful for all the hard work that’s gone into making and maintaining it – it’s made our job much easier!"

- Max Deighton, Accenture Cyber Defense Manager

"For an internal red team, the organisational structure of Visma puts us against a unique challenge. Having sufficient, continuous visibility over our external attack surface is an integral part of being able to efficiently carry out our task. When dealing with hundreds of companies with different products and supporting infrastructure we need to always be on top of our game.

For years, OWASP Amass has been a staple in the asset reconnaissance field, and keeps proving its worth time after time. The tool keeps constantly evolving and improving to adapt to the new trends in this area."

- Joona Hoikkala (@joohoi) & Alexis Fernández (@six2dez), Visma Red Team


The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

How can I participate in the project?

All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leader is key.

If I am not a programmer can I participate in the project?

Yes, you can certainly participate in the project if you are not a programmer. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, programmers, testers, writers, and graphic designers.


  1. amass amass Public

    In-depth attack surface mapping and asset discovery

    Go 11.4k 1.8k

  2. open-asset-model open-asset-model Public

    Asset definitions for an organization's external attack surface

    Go 33 10

  3. asset-db asset-db Public

    Database interaction layer to store open-asset-models in sqlite3 and postgres

    Go 14 10

  4. engine engine Public

    In-depth attack surface discovery with Open Asset Model

    11 8

  5. config config Public

    Configuration file parsing and convenience routines

    Go 2 5

  6. oam-tools oam-tools Public

    Analysis and management tools for an Open Asset Model database

    Go 33 6


Showing 10 of 11 repositories

Top languages

Go Shell Ruby

Most used topics