Complete inventory of public assets
Starting from the root domain, CSURFACE maps portals, services, and APIs exposed on the internet — including those of autonomous bodies, foundations, and affiliated entities that escape central control.
GOVERNMENT AND PUBLIC SECTOR
Public agencies provide essential services and custody citizen data. CSURFACE discovers, classifies, and continuously monitors the external attack surface of the public sector — from portals to citizens to forgotten assets that no official inventory registers.
THE SECTOR CONTEXT
The digitalization of public services has multiplied exposure points: citizen service portals, integrations with gov.br, transparency applications, protocol systems, APIs between agencies, and cloud environments provisioned by different teams. Each service custodies citizen data under LGPD and operates according to the Gabinete de Segurança Institucional (GSI) information security instructions in a context often classified as critical infrastructure. Each new service expands the attack surface, and the security structure rarely keeps up with this pace at the same rate.
The result is a recurring gap: legacy systems maintained for years, pilot projects that remain live, and domains of affiliated autonomous bodies and foundations that are not consolidated into a single inventory. It is in this unmapped territory — and not in what the team already knows and protects — where incidents typically begin.
HOW CSURFACE HELPS
The platform treats the attack surface of the public sector from the perspective of an outside observer — without agents and without access to the internal network.
Starting from the root domain, CSURFACE maps portals, services, and APIs exposed on the internet — including those of autonomous bodies, foundations, and affiliated entities that escape central control.
The order crosses observed exploitation with the sensitivity of the service — systems handling citizen data and essential services receive first attention.
Administrative dashboards, homologation environments, and internet-accessible legacy systems are identified before they become entry points for an incident.
Each finding and each change in the attack surface generates an auditable trail, with history — objective material to demonstrate compliance with LGPD, GSI guidelines, and reporting to oversight and regulatory bodies.
| Asset | Type | Exposure |
|---|---|---|
| servico.exemplo.gov.br | Citizen portal | citizen data |
| autarquia.exemplo.gov.braffiliated entity | Affiliated entity | high |
| hml-legado.exemplo.gov.brlegacy | Forgotten environment | critical |
| api-integra.exemplo.gov.br | Gov.br integration | public |
Citizen portals and affiliated entities scattered, gathered in a single inventory — basis for compliance with LGPD and GSI guidelines.
FREQUENTLY ASKED QUESTIONS
No. Discovery is entirely external and only involves the root domain. We do not install agents nor require credentials or access to internal infrastructure, which simplifies adoption in public sector environments.
Yes. Assets of autonomous agencies, foundations, and other affiliated entities are included in the same inventory as the central agency — precisely the exposure that security programs often fail to consolidate.
Yes. The platform maintains an auditable trail of each asset, finding, and change on the surface, with history — material that supports demonstrating compliance with LGPD, GSI information security instructions, and reporting to control agencies.
Enter your institution's domain and receive a preliminary analysis of external exposure. No card, no meeting required.
Receive preliminary analysis