Origin Exposure Detection
Origin Exposure Detection discovers when your origin server IPs are exposed despite sitting behind a WAF (Web Application Firewall) or CDN. If an attacker can connect directly to your origin, every control the WAF applies is sidestepped and your protection layer is effectively bypassed.
What Is Origin Exposure?
Most organizations protect their web applications with a WAF or CDN — services like Cloudflare, Akamai, CloudFront, or Fastly that sit in front of your origin server. These services filter malicious traffic before it reaches you.
Origin exposure occurs when your origin server's real IP address is discoverable, allowing attackers to:
- Bypass WAF rules entirely by connecting directly to the origin
- Launch DDoS attacks against your unprotected origin IP
- Exploit vulnerabilities that the WAF would normally block
- Fingerprint your actual infrastructure
BleedWatch detects these exposures by analyzing DNS records, certificate transparency logs, historical data, and other passive reconnaissance techniques — without ever probing your infrastructure directly.
Dashboard Overview
The Origin Exposure summary shows:
| Metric | Description |
|---|---|
| Total Domains | All domains monitored for origin exposure |
| Exposed Domains | Domains where origin IPs were discovered |
| Protected Domains | Domains with no detectable origin exposure |
| Critical / High | Count of high-severity exposures requiring immediate attention |
Results are filterable by domain, severity, and status.
WAF Providers Detected
BleedWatch identifies which WAF/CDN provider protects each domain:
- Cloudflare
- Akamai
- CloudFront (AWS)
- Fastly
- Imperva
- Sucuri
- DDoS-Guard
- StackPath
- Azure Front Door
- Google Cloud Armor
Understanding Results
Confidence Levels
Each discovered origin IP receives a confidence rating:
| Confidence | Meaning |
|---|---|
| Confirmed | Origin IP verified with high certainty — direct access confirmed |
| Probable | Strong indicators point to this being the origin IP |
| Possible | Some evidence suggests this may be the origin, but not conclusive |
| Unlikely | Weak signals — listed for completeness but likely a false lead |
WAF Bypass Proof
When BleedWatch confirms that the origin can be reached directly — bypassing the WAF — the finding is flagged with WAF Bypass Proved. This is the most critical type of origin exposure, as it means your WAF protection is fully circumventable.
Severity Levels
| Severity | Criteria |
|---|---|
| Critical | WAF bypass confirmed; origin directly accessible on standard ports |
| High | Origin IP confirmed with exposed non-standard ports or leaked headers |
| Medium | Probable origin IP, bypass not yet confirmed |
| Low | Possible origin exposure based on indirect evidence |
Additional Evidence
Each finding includes:
- Exposed Ports — Open ports discovered on the origin IP
- Leaked Headers — Server headers that reveal origin identity (e.g., X-Powered-By or Server headers not stripped by the CDN)
- Verification Signals — The evidence chain used to identify the origin
- Remediation Steps — Specific actions to protect the exposed origin
Managing Findings
Finding Statuses
| Status | When to Use |
|---|---|
| Open | Unaddressed — the origin is still exposed |
| Remediated | You've restricted origin access (firewall rules, IP allowlisting) |
| Accepted Risk | You've reviewed the exposure and accepted the risk |
Update a finding's status from the finding detail view by clicking the status dropdown.
Timeline View
For each domain, the Timeline view shows the detection history — when exposures were first discovered, when they were re-verified, and when they were remediated. This is useful for compliance evidence showing your response times.
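The Timeline view records when an exposure was discovered, re-verified and remediated. The following added example (not BleedWatch code, and not its export format) shows how such a history folds into exposure windows and response times, including the case where a remediated origin is re-exposed later and the clock restarts. The event kinds ("discovered", "reverified", "remediated") and the sample dates are constructed assumptions.

```python
"""Added example, not BleedWatch code: derive exposure windows and response
times from a finding's detection history, the kind of evidence the Timeline
view supports.  Event kinds ("discovered", "reverified", "remediated") and the
sample timeline are constructed assumptions, not BleedWatch's export format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    at: datetime
    kind: str  # "discovered" | "reverified" | "remediated"


Window = Tuple[datetime, Optional[datetime]]  # (opened, closed or None if still open)


def exposure_windows(events: List[Event]) -> List[Window]:
    """Fold the history into exposure windows.  A window opens at the first
    discovery, closes at a remediation, and a re-verification that arrives
    after a remediation reopens one (the re-exposure case to watch for)."""
    windows: List[Window] = []
    opened: Optional[datetime] = None
    for ev in sorted(events, key=lambda e: e.at):
        if ev.kind in ("discovered", "reverified") and opened is None:
            opened = ev.at
        elif ev.kind == "remediated" and opened is not None:
            windows.append((opened, ev.at))
            opened = None
    if opened is not None:
        windows.append((opened, None))
    return windows


def response_times(windows: List[Window], now: datetime) -> List[timedelta]:
    """Time from (re)discovery to remediation; an open window counts up to `now`."""
    return [(closed or now) - opened for opened, closed in windows]


def summarize(events: List[Event], now: datetime) -> dict:
    """Compliance-style summary: how often, how long, and whether still exposed."""
    windows = exposure_windows(events)
    times = response_times(windows, now)
    return {
        "windows": len(windows),
        "still_exposed": bool(windows) and windows[-1][1] is None,
        "max_response_days": max((t.days for t in times), default=0),
        "total_exposed_days": sum(t.days for t in times),
    }


# Constructed history: remediated once, re-exposed after a change, fixed again.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 1), "discovered"),
    Event(datetime(2024, 3, 3), "reverified"),   # still exposed, no new window
    Event(datetime(2024, 3, 5), "remediated"),
    Event(datetime(2024, 4, 10), "reverified"),  # re-exposure: reopens a window
    Event(datetime(2024, 4, 11), "remediated"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, now=datetime(2024, 5, 1)))
```

Feeding the Timeline's events through `summarize` gives the number of exposure windows, the longest time-to-remediate and the total exposed time, which is the shape of evidence an auditor usually asks for; an open window reports `still_exposed` as true rather than a finished response time.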
Remediation Guide
When BleedWatch detects an exposed origin:
- Verify the finding — Confirm the reported IP is indeed your origin server
- Restrict origin access — Configure your origin server's firewall to only accept traffic from your WAF/CDN's IP ranges
- Check DNS records — Remove any A/AAAA records that point directly to the origin (use CNAME to the CDN instead)
- Review certificate transparency — Ensure your origin's TLS certificate doesn't reveal the origin IP in SAN entries
- Strip origin headers — Configure your origin to remove identifying headers (Server, X-Powered-By, etc.)
After remediation, keep the finding in BleedWatch to track whether the origin becomes re-exposed. Infrastructure changes, DNS updates, or certificate renewals can inadvertently re-expose origins.
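The remediation steps above are easy to apply once and hard to keep true across infrastructure changes. The added example below (not BleedWatch code) is a set of self-checks a defender can run against their own exports after remediating: it renders an nginx allowlist from CDN egress ranges (step 2), confirms that a non-CDN source would be refused, flags A/AAAA records that still point at the origin (step 3), finds IP-address SAN entries in a certificate (step 4), and lists identifying headers the origin still emits (step 5). The CDN ranges, DNS export, SAN list and headers are constructed sample data, and X-AspNet-Version is added to the header list as an assumption.

```python
"""Added example, not part of BleedWatch: post-remediation self-checks for an
origin that should be reachable only through its CDN/WAF.  The CDN egress
ranges, DNS export, certificate SANs and response headers below are all
constructed sample data; substitute your provider's published ranges and
your own exports.
"""
import ipaddress
from typing import Dict, Iterable, List, Sequence, Tuple

# Placeholder CDN egress ranges (RFC 5737 / RFC 3849 documentation space).
# A real deployment loads the provider's published list instead.
CDN_RANGES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:1::/48"]

# Server and X-Powered-By are the headers named in the guide;
# X-AspNet-Version is an added assumption.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def build_nginx_allowlist(cidrs: Iterable[str]) -> str:
    """Step 2: render an nginx access block that admits only CDN ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return "\n".join([f"allow {n.with_prefixlen};" for n in nets] + ["deny all;"])


def source_allowed(src_ip: str, cidrs: Iterable[str]) -> bool:
    """Would a TCP peer at src_ip pass the allowlist?  Evaluate a non-CDN
    address here before marking a finding Remediated."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def direct_origin_records(records: Sequence[Tuple[str, str, str]],
                          origin_ips: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Step 3: A/AAAA records that resolve straight to an origin address.
    records are (name, type, value) triples as exported from the DNS provider."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    return [(n, t, v) for n, t, v in records
            if t in ("A", "AAAA") and ipaddress.ip_address(v) in origins]


def ip_sans(san_entries: Iterable[str]) -> List[str]:
    """Step 4: SAN entries that are literal IP addresses (OpenSSL prints them
    as 'IP Address:203.0.113.10'); these tie the CT log entry to the origin."""
    found = []
    for entry in san_entries:
        if entry.upper().startswith("IP ADDRESS:"):
            value = entry.split(":", 1)[1].strip()
        else:
            value = entry.strip()  # bare values are accepted too
        try:
            found.append(str(ipaddress.ip_address(value)))
        except ValueError:
            continue  # DNS:, email: and other non-IP SAN types are ignored
    return found


def leaked_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Step 5: identifying response headers the origin still emits."""
    return {k: v for k, v in headers.items() if k.lower() in IDENTIFYING_HEADERS}


def run_checks() -> Dict[str, object]:
    """Run every check on the constructed sample data and return the results."""
    origin_ips = ["192.0.2.10", "2001:db8:2::10"]
    dns_export = [
        ("www.example.com", "CNAME", "www.example.com.cdn.example.net."),
        ("origin.example.com", "A", "192.0.2.10"),      # leaks the origin
        ("example.com", "AAAA", "2001:db8:2::10"),      # apex still points at origin
        ("mail.example.com", "A", "192.0.2.25"),        # unrelated host
    ]
    sans = ["DNS:example.com", "DNS:www.example.com", "IP Address:192.0.2.10"]
    origin_headers = {"Content-Type": "text/html",
                      "Server": "Apache/2.4.57 (Ubuntu)",
                      "X-Powered-By": "PHP/8.2"}
    return {
        "nginx_allowlist": build_nginx_allowlist(CDN_RANGES),
        "cdn_source_allowed": source_allowed("198.51.100.7", CDN_RANGES),
        "direct_client_allowed": source_allowed("192.0.2.99", CDN_RANGES),
        "direct_records": direct_origin_records(dns_export, origin_ips),
        "ip_sans": ip_sans(sans),
        "leaked_headers": leaked_headers(origin_headers),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

An application-level allowlist such as the nginx block only protects the HTTP listener; the origin still answers TCP on that port and on anything else it exposes, so apply the same CDN ranges at the host or cloud firewall as well, and re-run these checks after DNS changes and certificate renewals, which is exactly when re-exposure tends to happen.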
Troubleshooting
Domain Not Appearing
If a domain you monitor doesn't appear in Origin Exposure results, verify that:
- The domain is added to your Assets in BleedWatch
- The domain uses a supported WAF/CDN provider
- A scan cycle has completed since the domain was added
False Positive
If BleedWatch reports an origin IP that isn't actually your server, mark the finding as Accepted Risk with a note explaining it's a false positive. This prevents re-alerting while keeping the record for audit purposes.
Related
- Hosts — IP and subdomain discovery
- Alerts Configuration — Get notified when new origin exposures are detected
- Reports — Include origin exposure findings in compliance reports