Use the External Exposure service to detect exposed resources

Security Command Center External Exposure is a Google Cloud service that helps you manage and reduce your external attack surface through automated discovery and risk validation.

Because automated scanners can target internet-exposed assets within minutes, External Exposure proactively uncovers accidental exposures and shadow resources before attackers can discover and exploit them.

By analyzing your environment from an external perspective, the service attempts to confirm what is truly reachable from the internet and identifies which exposures are actually exploitable.

External Exposure continually scans for external-facing IP addresses, hostnames, domain names, and URLs across your Google Cloud environment. This feature uses network scanning to confirm which resources and applications are reachable from the public internet.

For each confirmed exposure, External Exposure does the following:

  • Traces and displays the Google Cloud network path for external load balancers, Google Cloud Armor policies, firewall rules, Private Service Connect, Cloud Interconnect, and backend services down to the exposed resource.

    This resource can be a Compute Engine instance or a Google Kubernetes Engine (GKE) Pod, including an exposed service or application.

    This deep integration with the Google networking fabric helps provide actionable context so you can immediately apply preventive mitigations, such as locking down a specific firewall rule or configuring Google Cloud Armor.

  • Performs fingerprinting to attempt to identify the specific web application or server software that is running on each exposed asset.

  • Identifies any vulnerabilities known to affect that web application or server software, provided the fingerprinting step could identify it.

  • Uses advanced passive and active detectors to test for real-world exploitability by validating vulnerabilities, misconfigurations, and use of default or weak credentials.

Before you begin

This section describes how to prepare your environment to use External Exposure.

Enable the Security Center Management API

If you plan to use Security Command Center APIs, you must enable the Security Center Management API for your quota project. If organization policies restrict API usage, you must also ensure that the Security Center Management API is allowed. This API controls the enablement state of Security Command Center services, including External Exposure.

  1. In a terminal, enable the Security Center Management API for your quota project:

    gcloud services enable securitycentermanagement.googleapis.com \
        --project=QUOTA_PROJECT_ID
    

    Replace QUOTA_PROJECT_ID with the ID of the project that you use to manage quota.

  2. If you have organization policies that restrict API usage, ensure that the Security Center Management API is allowed. For more information, see Review organization policies.

  3. If you want to receive network exposure path insights in your findings, ensure that you activate External Exposure at the organization or folder level.

Required roles

To get the permissions that you need to configure External Exposure and view dashboard data, ask your administrator to grant you the following IAM roles on your organization, folder, or project:

  • Configure External Exposure settings in Security Command Center and view dashboard data: Security Center Admin (roles/securitycenter.admin)
  • Grant roles to service agents, like the externalexposure.serviceAgent role: Security Admin (roles/iam.securityAdmin)
  • Create and manage service accounts: Service Account Admin (roles/iam.serviceAccountAdmin)
  • View dashboard data only: Security Center Admin Viewer (roles/securitycenter.adminViewer)
  • View the External Exposure dashboard and scan metrics in the console, CLI, or API: External Exposure Viewer (roles/externalexposure.viewer)

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

The following Google Cloud CLI commands can be used to assign the preceding roles to a user:

Assign roles by using gcloud CLI

  • To grant the Security Center Admin role to a user, run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member=user:USER_EMAIL_ID \
        --role=roles/securitycenter.admin
    
  • To grant the Security Center Admin Viewer role to a user, run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member=user:USER_EMAIL_ID \
        --role=roles/securitycenter.adminViewer
    
  • To grant the External Exposure Viewer role to a user for CLI or API metrics access, run the following command:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=user:USER_EMAIL_ID \
        --role=roles/externalexposure.viewer
    

    Replace the following:

    • ORGANIZATION_ID: the numeric organization ID
    • PROJECT_ID: the project ID
    • USER_EMAIL_ID: the email address of the user who requires access

Enable and configure the service

To enable and configure External Exposure, complete the tasks in the following sections.

You can enable and configure the service at the organization, folder, or project level. When using the API, if you want to configure settings at the folder or organization level rather than the project level, replace projects/PROJECT_ID with folders/FOLDER_ID or organizations/ORGANIZATION_ID in all the request URLs and the JSON data parameters.

Activate External Exposure

Activate External Exposure for your organization, folder, or project.

After you activate the service, make sure to grant the service agent the required permissions as described in Grant service agent permissions.

Console

  1. In the Google Cloud console, go to the Service Enablement page for External Exposure.

    Go to Service Enablement

  2. Select your organization or project.

  3. On the Service Enablement tab, in the External Exposure column, select the enablement status of the organization, folder, or project that you want to modify, and then select one of the following:

    • Enable: enable External Exposure.
    • Disable: disable External Exposure.
    • Inherit: Inherit settings from the parent resource unless overridden on the child resource.

gcloud

Enable the Security Center Management API and activate External Exposure for your target scope.

  1. In a terminal, enable the API for your quota project:

    gcloud services enable securitycentermanagement.googleapis.com \
        --project=QUOTA_PROJECT_ID
    
  2. In a terminal, enable External Exposure by using the Security Center Management API:

    curl --request PATCH \
      "https://securitycentermanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/securityCenterServices/external_exposure?updateMask=intended_enablement_state" \
      --header "Authorization: Bearer $(gcloud auth print-access-token)" \
      --header "X-Goog-User-Project: QUOTA_PROJECT_ID" \
      --header "Accept: application/json" \
      --header "Content-Type: application/json" \
      --data '{
        "intendedEnablementState": "ENABLED",
        "name": "projects/PROJECT_ID/locations/global/securityCenterServices/external_exposure"
      }' \
      --compressed
    

    Replace the following:

    • QUOTA_PROJECT_ID: the ID of the project that you use to manage quota.
    • PROJECT_ID: the ID of the project where you want to enable External Exposure.

Grant service agent permissions

Depending on the resource level where you enable the service, Google Cloud generates a service agent:

  • Organization or folder level: An organization-level or folder-level service agent is created.
  • Project level: A project-level service agent is created.

To grant permissions at the organization level, in a terminal, run the following gcloud command:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="serviceAccount:service-org-ORGANIZATION_ID@gcp-sa-ee-hpsa.iam.gserviceaccount.com" \
    --role=roles/externalexposure.serviceAgent

Replace ORGANIZATION_ID with the numeric ID of your organization.

To grant permissions at the folder level, in a terminal, run the following gcloud command:

gcloud resource-manager folders add-iam-policy-binding FOLDER_ID \
    --member="serviceAccount:service-folder-FOLDER_ID@gcp-sa-ee-hpsa.iam.gserviceaccount.com" \
    --role=roles/externalexposure.serviceAgent

Replace FOLDER_ID with the numeric ID of your folder.

Grant inbound access to service perimeters

If you use VPC Service Controls, grant the External Exposure service agent inbound access to any service perimeters that protect projects that you want to scan. If you don't grant inbound access, External Exposure can't perform scans or generate findings for projects that are protected by service perimeters.

Depending on the resource level where the service is enabled, the service account identifier uses one of the following email address formats:

  • For organizations or folders:

    service-RESOURCE_KEYWORD-RESOURCE_ID@gcp-sa-ee-hpsa.iam.gserviceaccount.com
    
  • For projects:

    service-project-PROJECT_NUMBER@gcp-sa-ee.iam.gserviceaccount.com
    

Replace the following:

  • RESOURCE_KEYWORD: the keyword org or folder
  • RESOURCE_ID: the organization ID or folder ID
  • PROJECT_NUMBER: the project number

If you have both organization-level and project-level service accounts, apply the following steps to both of them.

To grant access, add an ingress rule to each blocking service perimeter:

  1. In the Google Cloud console, go to the VPC Service Controls page:

    Go to VPC Service Controls

  2. Select the blocking access policy and the service perimeter.

  3. Click Edit and then Ingress policy.

  4. Click Add ingress rule and configure the From block:

    1. For Identity, select Selected identities & groups.
    2. Enter the email address of the External Exposure service account.
    3. For Source, select All sources.
  5. Configure the rule's To block:

    1. For Project, select All projects.
    2. For Operations or IAM roles, select All operations.
  6. Click Save.

Configure custom ports

Configure up to 32 custom ports per project to be scanned in addition to the baseline ports:

Console

  1. In the Google Cloud console, go to the Service Enablement page:

    Go to Service Enablement

  2. Select your organization or project.

  3. In the External Exposure column of the row that you want to modify, click Settings.

  4. In the Custom ports field, enter the port numbers separated by commas.

  5. Click Save.

gcloud

To configure custom ports for scanning, set updateMask to service_config and list the port numbers as integers in the ports array of the serviceConfig object. The following example configures custom ports 8081 and 8188 for scanning:

curl --request PATCH \
  "https://securitycentermanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/securityCenterServices/external_exposure?updateMask=service_config" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header "X-Goog-User-Project: QUOTA_PROJECT_ID" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{
    "serviceConfig": {
      "ports": [8081, 8188]
    },
    "name": "projects/PROJECT_ID/locations/global/securityCenterServices/external_exposure"
  }' \
  --compressed

Replace the following:

  • QUOTA_PROJECT_ID: the ID of the project that you use to manage quota.
  • PROJECT_ID: the ID of the project where you want to configure custom ports.

Configure scanning modules

Configure specific scanning modules to be turned on or off:

Console

  1. In the Google Cloud console, go to the Service Enablement page:

    Go to Service Enablement

  2. Select your organization or project.

  3. In the External Exposure column of the row that you want to modify, click Settings.

  4. In the Scanning modules section, select the checkbox to enable or disable each module (such as exposed interfaces, APIs, weak credentials, or RCE).

  5. Click Save.

gcloud

To enable or disable specific modules, include modules in the updateMask, and specify the enablement state for each module in the modules object. The following example enables EXTERNALLY_EXPOSED_RCE_VULNERABILITY and disables EXTERNALLY_EXPOSED_WEAK_CREDENTIALS:

curl --request PATCH \
  "https://securitycentermanagement.googleapis.com/v1/projects/PROJECT_ID/locations/global/securityCenterServices/external_exposure?updateMask=modules" \
  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
  --header "X-Goog-User-Project: QUOTA_PROJECT_ID" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data '{
    "modules": {
      "EXTERNALLY_EXPOSED_RCE_VULNERABILITY": {
        "intendedEnablementState": "ENABLED"
      },
      "EXTERNALLY_EXPOSED_WEAK_CREDENTIALS": {
        "intendedEnablementState": "DISABLED"
      }
    },
    "name": "projects/PROJECT_ID/locations/global/securityCenterServices/external_exposure"
  }' \
  --compressed

Replace the following:

  • QUOTA_PROJECT_ID: the ID of the project that you use to manage quota.
  • PROJECT_ID: the ID of the project where you want to configure modules.

You can configure enablement states only for the following modules:

  • EXTERNALLY_EXPOSED_UI
  • EXTERNALLY_EXPOSED_API
  • EXTERNALLY_EXPOSED_WEAK_CREDENTIALS
  • EXTERNALLY_EXPOSED_RCE_VULNERABILITY
  • EXTERNALLY_EXPOSED_ARBITRARY_DATA_READ

All other External Exposure modules (including database, serverless workload, and load balancer storage checks) are enabled by default and don't appear on the modules configuration page.

After External Exposure is enabled, continuous batch scans run automatically to identify exposed external IP addresses, probe running services, and validate active vulnerabilities.
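The following Python helper is an added example, not Google's code or a client library. It ties the preceding configuration steps together for any scope (organization, folder, or project): it builds, but does not send, the three PATCH requests shown on this page, validates custom ports against the 32-port limit and the baseline port list from Performance and limitations, rejects modules that are not configurable, and derives the service agent identity from the email formats under Grant inbound access to service perimeters. The scope IDs in the usage block are placeholders, and each call mirrors exactly one of the page's requests rather than combining several settings in a single updateMask.

```python
"""Build Security Center Management API PATCH requests for External Exposure.

Added example, not Google's code. Nothing here touches the network: send
the returned request with curl (as on this page) or a client of your choice.
"""
from __future__ import annotations

import json

API_ROOT = "https://securitycentermanagement.googleapis.com/v1"
SERVICE_ID = "external_exposure"
MAX_CUSTOM_PORTS = 32
SCOPE_KINDS = ("organizations", "folders", "projects")
ENABLEMENT_STATES = ("ENABLED", "DISABLED", "INHERITED")

# Modules whose enablement state can be configured, per this page.
CONFIGURABLE_MODULES = frozenset({
    "EXTERNALLY_EXPOSED_UI", "EXTERNALLY_EXPOSED_API",
    "EXTERNALLY_EXPOSED_WEAK_CREDENTIALS", "EXTERNALLY_EXPOSED_RCE_VULNERABILITY",
    "EXTERNALLY_EXPOSED_ARBITRARY_DATA_READ",
})

# Baseline ports from "Performance and limitations"; repeating one of these
# as a custom port only consumes part of the 32-port budget.
BASELINE_PORTS = frozenset({
    22, 23, 3389, 80, 443, 8000, 8080, 8081, 8443, 8800, 9000, 9443,
    1433, 1521, 3306, 5432, 9200, 11211, 27017, 6379,
    6443, 10250, 10255, 15020, 15021,
    1099, 1880, 2323, 2375, 2376, 2379, 2746, 3000, 3100, 4040, 5000, 5173,
    5678, 6006, 6274, 7001, 7002, 7077, 7860, 8001, 8042, 8083, 8088, 8090,
    8111, 8123, 8153, 8154, 8188, 8265, 8500, 8501, 8787, 8888, 8890, 8983,
    9001, 9010, 9090, 9091, 9092, 9100, 9870, 9876, 11434, 15672, 18080,
    54321, 61616,
})


def service_name(scope_kind: str, scope_id: str) -> str:
    """Resource name of the External Exposure service at the given scope."""
    if scope_kind not in SCOPE_KINDS:
        raise ValueError(f"scope_kind must be one of {SCOPE_KINDS}, got {scope_kind!r}")
    return f"{scope_kind}/{scope_id}/locations/global/securityCenterServices/{SERVICE_ID}"


def service_agent_email(scope_kind: str, scope_id: str) -> str:
    """Service agent identity; for projects, scope_id is the project NUMBER."""
    if scope_kind == "organizations":
        return f"service-org-{scope_id}@gcp-sa-ee-hpsa.iam.gserviceaccount.com"
    if scope_kind == "folders":
        return f"service-folder-{scope_id}@gcp-sa-ee-hpsa.iam.gserviceaccount.com"
    if scope_kind == "projects":
        return f"service-project-{scope_id}@gcp-sa-ee.iam.gserviceaccount.com"
    raise ValueError(f"unknown scope kind {scope_kind!r}")


def validate_custom_ports(ports) -> tuple[list[int], list[int]]:
    """Return (sorted unique ports, the subset already in the baseline).

    Raises ValueError for non-integer or out-of-range ports and for more
    than MAX_CUSTOM_PORTS distinct ports.
    """
    clean: set[int] = set()
    for p in ports:
        if isinstance(p, bool) or not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"invalid port {p!r}")
        clean.add(p)
    if len(clean) > MAX_CUSTOM_PORTS:
        raise ValueError(f"{len(clean)} custom ports exceeds the limit of {MAX_CUSTOM_PORTS}")
    ordered = sorted(clean)
    return ordered, [p for p in ordered if p in BASELINE_PORTS]


def build_patch(scope_kind: str, scope_id: str, *, state=None, ports=None, modules=None) -> dict:
    """Build one PATCH request: exactly one of state=, ports= or modules=."""
    given = [k for k, v in (("state", state), ("ports", ports), ("modules", modules)) if v is not None]
    if len(given) != 1:
        raise ValueError("pass exactly one of state=, ports=, modules=")
    name = service_name(scope_kind, scope_id)
    body: dict = {"name": name}
    if state is not None:
        if state not in ENABLEMENT_STATES:
            raise ValueError(f"state must be one of {ENABLEMENT_STATES}")
        mask, body["intendedEnablementState"] = "intended_enablement_state", state
    elif ports is not None:
        mask = "service_config"
        body["serviceConfig"] = {"ports": validate_custom_ports(ports)[0]}
    else:
        unknown = set(modules) - CONFIGURABLE_MODULES
        if unknown:
            raise ValueError(f"not configurable: {sorted(unknown)}")
        mask = "modules"
        body["modules"] = {m: {"intendedEnablementState": "ENABLED" if on else "DISABLED"}
                           for m, on in modules.items()}
    return {"method": "PATCH", "url": f"{API_ROOT}/{name}?updateMask={mask}", "body": body}


if __name__ == "__main__":
    # Placeholder folder ID; 3000 and 9200 are reported as already in the baseline.
    ordered, redundant = validate_custom_ports([9200, 31337, 3000, 4443, 3000])
    print("custom ports:", ordered, "already baseline:", redundant)
    req = build_patch("folders", "123456789012", ports=ordered)
    print(req["url"])
    print(json.dumps(req["body"], indent=2))
    print("service agent:", service_agent_email("folders", "123456789012"))
```

Pass the returned url and body to the same curl invocation the page uses, with the X-Goog-User-Project header set to your quota project; the helper deliberately refuses to combine several settings in one request so that each call lines up with one of the documented updateMask values.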

Investigate findings

After you enable External Exposure, you can view findings in the Google Cloud console. In Security Command Center, go to the Risk Overview page and view the External Exposure dashboard. This dashboard is available when your scope is set to an organization, folder, or project. For more information about this dashboard, see Assess risk at a glance.

To fetch active External Exposure findings using the CLI, run the following command:

gcloud alpha scc findings list projects/PROJECT_ID \
    --location=global \
    --filter="state=\"ACTIVE\" AND finding_class=\"EXTERNAL_EXPOSURE\""

Replace PROJECT_ID with the ID of the project where you want to view findings.

Understand findings details

Findings that belong to the EXTERNAL_EXPOSURE class identify the type of risk and how the resource is exposed.

For a list of the granular risk categories that are generated for these findings (such as EXTERNALLY_EXPOSED_VM_INSTANCE or EXTERNALLY_EXPOSED_SERVERLESS_WORKLOAD), see External Exposure findings.

All EXTERNAL_EXPOSURE class findings include the following details:

  • Exposed service: The specific web application, server software, or protocol identified on the active port.
  • Network path insights: The network path tracing connectivity from the public internet through load balancers, forwarding rules, and backend services down to the target asset.
  • Exposed endpoint: The underlying target resource (for example, a Compute Engine instance or Google Kubernetes Engine (GKE) Pod).

If the exposed service or software version can be identified, the finding also lists any CVE vulnerabilities affecting it.

Prioritize findings with attack exposure scores

External Exposure findings integrate with Attack path simulations to help provide confirmed, real-world entry points into your environment. When a confirmed exposure connects to a potential lateral movement path (for example, an exposed service account that can reach a sensitive BigQuery database or Cloud Storage bucket), the finding receives an attack exposure score. You can use this score to prioritize remediating exposures that pose the greatest risk to your high-value resources.

Monitor scan metrics

To help you confirm that External Exposure is operating successfully across your environment, the console displays continuous batch scan metrics:

  • Last scan: The timestamp of the most recently completed scan cycle, confirming that findings reflect a current view of your resources.
  • Next scan: The scheduled start time of the subsequent scan cycle.
  • Successful projects: The total count of projects that are successfully analyzed during the latest scan cycle.
  • Projects excluded: The total count of projects that were skipped because organization policies or VPC Service Controls constraints restrict the scanner from accessing the resources. When a project is skipped, Security Command Center generates one or more findings of the SCC_ERROR class.
  • Exposed resources: The total count of unique resource targets identified as publicly reachable.
  • Exposed public ports: The total count of distinct active external ports detected across your exposed resources.

Identify scanner traffic in your logs

When External Exposure actively scans your external-facing resources, you might observe incoming scan requests in your service logs, such as Cloud Run request logs in Cloud Logging.

To check whether incoming requests come from External Exposure rather than from an unrelated third party, inspect the userAgent field under httpRequest in the log entry. All active requests from the service identify themselves with the user agent TsunamiSecurityScanner. Keep in mind that the User-Agent header is supplied by the client and is trivial to forge, so treat it as an identifying label rather than proof of origin; when it matters, correlate matching requests with the Last scan and Next scan times shown in the console (see Monitor scan metrics).

The following example shows a Cloud Logging request log entry that is generated when External Exposure scans an exposed Cloud Run service:

{
  "httpRequest": {
    "latency": "0.004745622s",
    "protocol": "HTTP/1.1",
    "remoteIp": "2600:1900:4180:5b2:0:1ae::",
    "requestMethod": "POST",
    "requestSize": "441",
    "requestUrl": "https://SERVICE_URL/mcp",
    "responseSize": "131",
    "serverIp": "2600:1900:4244:200::",
    "status": 405,
    "userAgent": "TsunamiSecurityScanner"
  },
  "insertId": "6a16af86000c7e0d0fdc1c58",
  "labels": {
    "goog-managed-by": "cloudfunctions",
    "goog-serve-source": "user-container"
  },
  "logName": "projects/PROJECT_ID/logs/run.googleapis.com%2Frequests",
  "receiveTimestamp": "2026-05-27T08:47:03.025492782Z",
  "resource": {
    "labels": {
      "configuration_name": "SERVICE_NAME",
      "location": "us-central1",
      "project_id": "PROJECT_ID",
      "revision_name": "REVISION_NAME",
      "service_name": "SERVICE_NAME"
    },
    "type": "cloud_run_revision"
  },
  "severity": "WARNING",
  "timestamp": "2026-05-27T08:47:02.811254Z"
}
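The following Python script is an added example, not Google's code, showing the triage logic a practitioner would run over such log entries. It parses Cloud Logging timestamps (which may carry nanosecond precision), separates requests tagged with the scanner's user agent from other traffic, and, because User-Agent is client-supplied, flags scanner-tagged requests that fall outside the scan window recorded from the console's scan metrics; that window, the log entries, and the request paths are constructed for the example. It also lists which probed endpoints answered without an IAM or IAP rejection, which is the same 401/403 distinction the Cloud Run prioritization rule in Performance and limitations relies on.

```python
"""Triage Cloud Run request logs for External Exposure scanner traffic.

Added example, not Google's code. Sample entries and the scan window are
constructed; the scanner's user agent string is the one documented above.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

SCANNER_UA = "TsunamiSecurityScanner"

# Logs Explorer filter that pulls the same entries from Cloud Logging.
LOGGING_FILTER = (
    'resource.type="cloud_run_revision" AND '
    f'httpRequest.userAgent="{SCANNER_UA}"'
)

_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_rfc3339_utc(value: str) -> datetime:
    """Parse a Cloud Logging timestamp; fractions beyond microseconds are truncated."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"unsupported timestamp {value!r}")
    base, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def _entry(insert_id, ts, ip, method, url, status, ua, service="SERVICE_NAME"):
    """Build a trimmed Cloud Run request log entry (constructed sample data)."""
    return {
        "insertId": insert_id,
        "timestamp": ts,
        "httpRequest": {"remoteIp": ip, "requestMethod": method, "requestUrl": url,
                        "status": status, "userAgent": ua},
        "resource": {"type": "cloud_run_revision", "labels": {"service_name": service}},
    }


# Constructed sample: two scanner probes inside the scan window (one reached an
# endpoint that answered 200 without authentication), one ordinary browser
# request, and one request copying the scanner's user agent hours after the scan.
SAMPLE_ENTRIES = [
    _entry("a1", "2026-05-27T08:47:02.811254Z", "2600:1900:4180:5b2:0:1ae::",
           "POST", "https://SERVICE_URL/mcp", 405, SCANNER_UA),
    _entry("a2", "2026-05-27T08:47:03.104000123Z", "2600:1900:4180:5b2:0:1ae::",
           "GET", "https://SERVICE_URL/admin", 200, SCANNER_UA),
    _entry("b1", "2026-05-27T09:15:40Z", "198.51.100.24",
           "GET", "https://SERVICE_URL/", 200, "Mozilla/5.0"),
    _entry("c1", "2026-05-27T22:01:00Z", "203.0.113.7",
           "GET", "https://SERVICE_URL/mcp", 403, SCANNER_UA),
]

# Assumed scan window for this cycle, taken from the console's scan metrics.
SCAN_WINDOW = (parse_rfc3339_utc("2026-05-27T08:40:00Z"),
               parse_rfc3339_utc("2026-05-27T08:55:00Z"))


def classify(entry: dict, window) -> str:
    """Return 'scanner', 'impostor' (scanner UA outside the window) or 'other'."""
    ua = entry.get("httpRequest", {}).get("userAgent", "")
    if ua != SCANNER_UA:
        return "other"
    start, end = window
    ts = parse_rfc3339_utc(entry["timestamp"])
    return "scanner" if start <= ts <= end else "impostor"


def triage(entries, window=SCAN_WINDOW) -> dict:
    """Group entries by insertId and list scanner probes not rejected with 401/403."""
    groups = {"scanner": [], "impostor": [], "other": []}
    reachable = []
    for e in entries:
        kind = classify(e, window)
        groups[kind].append(e["insertId"])
        req = e["httpRequest"]
        if kind == "scanner" and req["status"] not in (401, 403):
            reachable.append((req["requestUrl"], req["status"]))
    return {**groups, "reachable": sorted(reachable)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENTRIES).items():
        print(f"{key}: {value}")
```

Entries in the impostor group deserve a closer look, because a third party borrowing the scanner's user agent is exactly the case the page warns about; entries in the reachable list are endpoints the scanner could talk to without an IAM or IAP rejection, so they are the first candidates to check against the corresponding External Exposure findings.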

Performance and limitations

  • Supported resources: Compute Engine instances, Google Kubernetes Engine (GKE) services and Ingress controllers, databases including Cloud SQL and AlloyDB for PostgreSQL, Managed Service for Apache Spark clusters, Cloud Run, Cloud Storage, and Gemini Enterprise Agent Platform Workbench.
  • Refresh interval: For information about the scan frequency of External Exposure, see When to expect findings in Security Command Center.
  • Ports scanned: External Exposure automatically scans for services running on a predefined baseline of common ports, grouped primarily by service type or protocol:
    • Administrative / shell: 22 (SSH), 23 (Telnet), 3389 (RDP)
    • Web / HTTP(S): 80, 443, 8000, 8080, 8081, 8443, 8800, 9000, 9443
    • Databases: 1433, 1521, 3306, 5432, 9200, 11211, 27017, 6379
    • Kubernetes and service gateways: 6443, 10250, 10255, 15020, 15021
    • Other common developer tools and services: 1099, 1880, 2323, 2375, 2376, 2379, 2746, 3000, 3100, 4040, 5000, 5173, 5678, 6006, 6274, 7001, 7002, 7077, 7860, 8001, 8042, 8083, 8088, 8090, 8111, 8123, 8153, 8154, 8188, 8265, 8500, 8501, 8787, 8888, 8890, 8983, 9001, 9010, 9090, 9091, 9092, 9100, 9870, 9876, 11434, 15672, 18080, 54321, and 61616.
  • Custom ports: In addition to the standard ports, you can configure up to 32 custom ports per project for scanning. For more information, see Configure custom ports.
  • Network path insights: Findings report one network path for an exposed resource.
  • Load balanced VMs: If multiple VM instances are connected to a load balancer, findings are reported for only one of the VM instances.
  • Cloud Run finding prioritization: Because every Cloud Run deployment receives a public URL by default, findings are evaluated against IAM and Identity-Aware Proxy (IAP) policies. If a workload is protected by IAM or IAP (the scanner's probe receives an HTTP 403 Forbidden response), the finding severity is downgraded to LOW to reduce informational noise.
  • Network exposure path insights: Findings do not include network exposure path insights when External Exposure is activated at the project level. To receive network exposure path insights, activate the service at the organization or folder level.