Open Asset Model¶
The Amass Project's Open Asset Model redefines the understanding of an attack surface. Shifting the paradigm away from narrow, internet infrastructure-focused collection, the OAM broadens its scope to include both physical and digital assets. This approach delivers a realistic view of assets and their lesser-known associations, utilizing adversarial tactics to gain visibility into potential risks and attack vectors that might otherwise be overlooked.
// Overview¶
- Deep Attack Surface Intelligence: Identifies both physical and digital assets, moving beyond IT infrastructure.
- Standardized Asset Framework: Ensures consistency in asset classification, facilitating efficient data exchange and streamlined analysis.
- Cyclic Discovery: Explores data recursively, feeding each new finding back in as a seed so the target scope expands with every result.
- Community-Driven: Developed and continuously refined by security experts within the OWASP Amass ecosystem.
- Risk Mapping: Exposes hidden attack vectors by mapping asset relationships and tracking their changes over time.
Graph Structure and Data Model¶
The OAM describes an attack surface as a directed property graph: assets are the nodes, relations are the directed edges between them, and properties attach metadata to both.
Relations
- Also referred to as edges.
- Always have a direction, so an association reads one way (a name resolves to an address, not the reverse).
- Able to store properties for enriched data analysis.
- Explicit naming convention for relation labels improves query performance.
- Enable graph traversal to uncover asset associations.
- Define structured links between discovered assets.
- Facilitate discovery of infrastructure dependencies.
- Support queries that reveal attack surface risks.
- Allow efficient correlation of connected entities.
Properties
- Store metadata for discovered assets and their relationships.
- Attach structured data to entities and relationships.
- Standardize attributes like timestamps and source IDs.
- Enable querying and filtering of asset metadata.
- Support enrichment with additional asset details.
- Provide a flexible structure across asset types.
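The graph structure above, as an added example rather than code from the Amass project: a small Go sketch, built on the standard library only, of a directed property graph in which assets are nodes, relations are labelled directed edges, and provenance properties (reporting source, last-seen timestamp) hang off both. The Open Asset Model itself is a Go library, but every type, field, relation label (subdomain, dns_record) and the two-day example.com scan data below are assumptions made for this illustration, not the library's own API or vocabulary.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Added sketch of an OAM-style directed property graph. NOT the open-asset-model
// library's API: every type, field, relation label and sample datum is assumed.

// Property is standardized metadata on a node or edge: which source saw it, and when.
type Property struct {
	Source   string
	LastSeen time.Time
}

// Asset is a node identified by type and key; its ID is "Type:Key".
type Asset struct {
	Type, Key string
	LastSeen  time.Time // newest sighting across all sources
	Props     []Property
}

// Edge is a directed relation From -> To between asset IDs; the direction carries meaning.
type Edge struct {
	Label, From, To string
	Props           []Property
}

type Graph struct {
	assets map[string]*Asset
	edges  []Edge
}

// Upsert adds the asset named by id, or appends a sighting to the existing node.
func (g *Graph) Upsert(id, source string, seen time.Time) *Asset {
	a, ok := g.assets[id]
	if !ok {
		t, key, _ := strings.Cut(id, ":")
		a = &Asset{Type: t, Key: key}
		g.assets[id] = a
	}
	a.Props = append(a.Props, Property{Source: source, LastSeen: seen})
	if seen.After(a.LastSeen) {
		a.LastSeen = seen
	}
	return a
}

// Link records a directed edge carrying its own provenance property.
func (g *Graph) Link(label, from, to, source string, seen time.Time) {
	g.edges = append(g.edges, Edge{label, from, to, []Property{{source, seen}}})
}

// Out returns the sorted IDs one hop from id over edges with the given label, in stored direction only.
func (g *Graph) Out(id, label string) (ids []string) {
	for _, e := range g.edges {
		if e.From == id && e.Label == label {
			ids = append(ids, e.To)
		}
	}
	sort.Strings(ids)
	return ids
}

// Stale lists assets no source has observed since cutoff: the change-over-time query.
func (g *Graph) Stale(cutoff time.Time) (ids []string) {
	for id, a := range g.assets {
		if a.LastSeen.Before(cutoff) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

// BuildSample loads two constructed scans of an assumed example.com target; on day 2 www has moved.
func BuildSample() (*Graph, time.Time) {
	g := &Graph{assets: map[string]*Asset{}}
	day1 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	day2 := day1.AddDate(0, 0, 1)
	for _, d := range []time.Time{day1, day2} { // both scans see the zone itself
		g.Upsert("FQDN:example.com", "dns", d)
		g.Upsert("FQDN:www.example.com", "dns", d)
	}
	g.Link("subdomain", "FQDN:example.com", "FQDN:www.example.com", "dns", day2)
	g.Upsert("IPAddress:192.0.2.10", "dns", day1)
	g.Link("dns_record", "FQDN:www.example.com", "IPAddress:192.0.2.10", "dns", day1)
	g.Upsert("IPAddress:192.0.2.11", "dns", day2)
	g.Link("dns_record", "FQDN:www.example.com", "IPAddress:192.0.2.11", "dns", day2)
	return g, day2
}

func main() {
	g, day2 := BuildSample()
	fmt.Println("www resolves to:", g.Out("FQDN:www.example.com", "dns_record"), "stale:", g.Stale(day2))
}
```

Two things are worth noticing. Out walks edges only in their stored direction, so asking the IP address for dns_record successors returns nothing while asking www returns both addresses it has ever pointed at. Stale turns the last-seen timestamps into the change-over-time view: with the start of the day 2 scan as the cutoff it flags 192.0.2.10 as no longer observed, which is exactly the kind of quietly retired host that a point-in-time inventory would drop without comment.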
Explore each asset type and its distinct relationships:¶
- Account: Collect usernames, account types, and related attributes to track exposed user accounts.
- Certificate: Gather SSL/TLS certificate details, issuers, and expiration dates for asset verification.
- Contact: Link email addresses, phone numbers, and locations to discovered entities.
- DNS: Record domain resolutions, DNS records, and associated metadata.
- File: Capture file names and hashes to analyze digital artifacts.
- Financial: Identify bank accounts, payment systems, and transaction details.
- Identifier: Track unique IDs, references, or numerical values.
- Network: Discover IPs, subnets, and routing structures to uncover key infrastructure.
- Organization: Uncover entity designations, locations, and operational details to expose connections.
- People: Collect names, locations, and attributes to build individual profiles.
- Platform: Identify online services, cloud providers, and software ecosystems.
- Registration: Gather domain insights, including Whois and registrar details.
- URL: Log web addresses and associated content to track online presence.