Attack Surface Management Software
Independent guidance for enterprise security software buyers

Seedless discovery is a spectrum

Every EASM vendor's website uses the phrase "seedless discovery." The claim is that the platform can start from a company name or a root domain and autonomously map all associated external infrastructure — no asset list required, no IP ranges to declare, no pre-populated inventory to work from.

That can be true, but it is not uniform across platforms. Seedless discovery is a spectrum. The underlying question is how a platform resolves organizational attribution, deciding that a discovered asset belongs to your organization and not someone else's. The techniques used for that attribution vary significantly, and the gaps in those techniques determine what gets missed.

The subsidiary problem

Most EASM platforms begin discovery from a root domain and expand outward using DNS relationships, certificate data, IP range ownership, and autonomous system number analysis. That approach works well for directly owned infrastructure that shares clear technical relationships with the parent domain. It works poorly for subsidiaries that operate as independent brands.

A holding company with twelve operating subsidiaries under twelve different brand names, twelve different domains, and twelve different hosting arrangements will see its subsidiary infrastructure in discovery only if the platform's entity model explicitly connects those subsidiaries to the parent organization. The technical signals — DNS, certificates, IP ownership — may not establish that connection if the subsidiary's infrastructure was built independently before the acquisition and has not been integrated with the parent's technical footprint.

Platforms that build organizational entity models — mapping corporate relationships from public registry data, ownership filings, and known acquisition records — find subsidiary infrastructure that pure-technical-signal discovery misses. Platforms that rely on technical signals alone find what is technically connected, which is not the same as what is organizationally owned.

The acquisition lag

When a company acquires another, the acquired infrastructure does not automatically appear in the acquirer's discovery scope. Platforms that derive their organizational entity models from public corporate registry data — incorporation records, domain registration history, public filings — lag actual transactions by weeks or months. The time between acquisition close and when the acquirer's EASM platform begins covering the acquired company's external infrastructure is a real exposure window.

Acquired infrastructure carries the security posture of the previous owner, which may be significantly weaker than the acquirer's baseline. It may include internet-facing assets that were never inventoried, such as certificates that are expiring, cloud instances that were misconfigured under the previous IT regime, and domains that were abandoned rather than decommissioned. The acquirer's security team inherits all of it at close. Their EASM platform may not see any of it for months.

The seeded-in-disguise problem

Some platforms that market seedless discovery are effectively seeded once onboarding is complete. The initial run maps a reasonable external footprint from the provided domain or company name. The platform then monitors from that established baseline — tracking changes to known assets, alerting on new findings within the discovered scope. Assets that were not in the initial baseline may not be discovered unless something triggers a rescan of the broader organizational scope.

A subdomain spun up by a development team six months after onboarding. Infrastructure from a division that was not active at the time of the initial discovery run. A cloud environment provisioned under a subsidiary domain that the initial scan didn't reach. Whether these are found depends on how the platform handles ongoing scope expansion — whether it periodically reruns full organizational discovery or whether it monitors from the established baseline.

The platform's marketing describes the initial run as seedless. The buyer's experience after twelve months of monitoring may be something closer to seeded, because the effective scope is the baseline established at onboarding plus whatever the monitoring sweep happens to catch. These are not the same thing.

The test to run before you commit

The practical way to evaluate a seedless discovery claim is to make the platform demonstrate it under controlled conditions before you sign. Provide the platform with your parent company name only — no domain list, no IP ranges, no subsidiary names, no organizational chart. Ask it to show you what it finds. Then compare that output against your known infrastructure across all subsidiaries and recently acquired entities.

The gap between what the platform found and what you know exists is the measure of how seedless the discovery actually is. A platform that finds 60% of your known footprint from a company name alone is performing differently than one that finds 90%, and that difference matters for how you structure the program and whether you need to supplement the platform's discovery with manual scope management.
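One way to score that comparison, as an added example that is not part of the original guide or any vendor's tooling: it breaks coverage down per owning entity, so a subsidiary or acquisition gap is not hidden inside a single overall percentage, and per asset age, which matters when the same comparison is rerun after onboarding. The inventory layout, the function names and every hostname are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def normalize(host):
    """Lower-case and drop a trailing dot so the two exports compare cleanly."""
    return host.strip().lower().rstrip(".")

def pct(found, total):
    return round(100 * found / total, 1) if total else 0.0

def coverage_report(known, discovered, onboarding):
    """known: (hostname, owning_entity, first_live_date) rows from your inventory.
    discovered: hostnames exported from the platform after a name-only run."""
    found = {normalize(h) for h in discovered}
    by_entity, by_age = defaultdict(lambda: [0, 0]), defaultdict(lambda: [0, 0])
    missed, inventory = [], set()
    for host, entity, live in known:
        h = normalize(host)
        inventory.add(h)
        age = "post-onboarding" if live > onboarding else "baseline"
        for bucket in (by_entity[entity], by_age[age]):
            bucket[0] += h in found   # True counts as 1
            bucket[1] += 1
        if h not in found:
            missed.append(h)
    return {
        "overall": pct(len(inventory & found), len(inventory)),
        "by_entity": {e: pct(*b) for e, b in by_entity.items()},
        "by_age": {a: pct(*b) for a, b in by_age.items()},
        "missed": sorted(missed),
        # Not in your inventory: unknown assets of yours, or misattribution.
        "unlisted": sorted(found - inventory),
    }

# Constructed sample data (hypothetical names under the reserved .example TLD).
ONBOARDING = date(2024, 3, 1)
KNOWN = [(h, "parent", date(2022, 1, 10)) for h in
         ("www.parent.example", "vpn.parent.example", "api.parent.example")]
KNOWN += [("dev.parent.example", "parent", date(2024, 9, 1))]
KNOWN += [(h, "subsidiary", date(2021, 6, 1)) for h in
          ("www.brand-b.example", "shop.brand-b.example")]
KNOWN += [(f"{s}.acquired.example", "acquired", date(2020, 2, 1))
          for s in ("www", "mail", "old", "portal")]
DISCOVERED = ["WWW.parent.example.", "vpn.parent.example", "api.parent.example",
              "www.brand-b.example", "shop.brand-b.example",
              "www.acquired.example", "cdn.other.example"]

if __name__ == "__main__":
    for key, value in coverage_report(KNOWN, DISCOVERED, ONBOARDING).items():
        print(key, value)
```

On this constructed data the overall figure is 60%, but the per-entity view shows the acquired entity at 25% and the one asset that went live after the baseline date missed entirely.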

Questions to ask in the evaluation

How does the platform handle subsidiaries operating under different brand names? What is the typical lag between an acquisition close and the acquired infrastructure appearing in scope? How does the platform handle assets that were not present during the initial discovery run?

The answers will be more informative than the marketing language.