Skip to content

Open Asset Model

The Amass Project's Open Asset Model redefines the understanding of an attack surface. Shifting the paradigm away from narrow, internet infrastructure-focused collection, the OAM broadens its scope to include both physical and digital assets. This approach delivers a realistic view of assets and their lesser-known associations, utilizing adversarial tactics to gain visibility into potential risks and attack vectors that might otherwise be overlooked.


// Overview

  • Deep Attack Surface Intelligence: Identifies both physical and digital assets, moving beyond IT infrastructure.
  • Standardized Asset Framework: Ensures consistency in asset classification, facilitating efficient data exchange and streamlined analysis.
  • Cyclic Discovery: Recursively approaches data exploration, leveraging each finding to dynamically expand the target scope.
  • Community-Driven: Developed and continuously refined by security experts within the OWASP Amass ecosystem.
  • Risk Mapping: Exposes hidden attack vectors by mapping asset relationships and tracking their changes over time.

Explore OAM Asset Types


  • Account


    Collect usernames, account types, and related attributes to track exposed user accounts

    Learn more

  • Domain Record


    Gather domain insights, including Whois and registrar details

    Learn more

  • Contact Record


    Link email addresses, phone numbers, and locations to discovered entities

    Learn more

  • FQDN


    Record domain resolutions, DNS records, and associated metadata

    Learn more

  • File


    Capture file names and hashes to analyze digital artifacts

    Learn more

  • Funds Transfer


    Identify bank accounts, payment systems, and transaction details

    Learn more

  • Identifier


    Track unique IDs, references, or numerical values

    Learn more

  • IP Address


    Discover IPs, subnets, and routing structures to uncover key infrastructure

    Learn more

  • Organization


    Uncover entity designations, locations, and operational details to expose connections

    Learn more

  • Person


    Collect names, locations, and attributes to build individual profiles

    Learn more

  • Product


    Identify online services, cloud providers, and software ecosystems

    Learn more

  • TLS Certificate


    Gather SSL/TLS certificate details, issuers, and expiration dates for asset verification

    Learn more

  • URL


    Log web addresses and associated content to track online presence

    Learn more