Overview
Discovery Target Exclusions allow you to proactively prevent specific assets or patterns from being discovered during asset enumeration. When exclusions are configured, these targets are actively filtered out of the discovery process, helping you focus on relevant assets and reduce noise in your asset inventory. This feature also supports inclusion patterns (prefixed with +) that restrict discovery to only matching targets, functioning as an allowlist. See Inclusion Patterns for details.
This feature is particularly useful for excluding internal staging environments, test domains, government domains, or any other assets that should not be included in your attack surface monitoring.
Quick Access: Discovery Target Exclusions are managed in Settings → Discovery Target Exclusions.
How It Works
The exclusion system operates at the discovery layer, filtering out targets before they are added to your asset inventory. This ensures that excluded patterns are never discovered, scanned, or monitored by the platform.
Supported Exclusion Types
Subdomains
Exclude specific subdomains from discovery
IP Addresses
Exclude individual IP addresses or ranges
Wildcard Patterns
Use wildcard patterns to exclude multiple targets
Configuration
Adding Exclusions
- Navigate to Settings → Discovery Target Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
- Click + Add Exclusion to open the exclusion configuration panel
- Enter your exclusion patterns in the text area (one pattern per line)
- Click Add to save your exclusions
Exclusion Pattern Examples
Basic Subdomain Exclusions
Wildcard Patterns
IP Address Exclusions
Government and Restricted Domains
Inclusion Patterns
Overview
In addition to excluding targets, you can use inclusion patterns to create an allowlist — restricting discovery to only the targets that match your specified patterns. This is done by prefixing patterns with + in the exclusions field when creating an enumeration via the API.
How Inclusion Works
When inclusion patterns are configured:
- Inclusion check first: Each discovered target is checked against all + patterns. If the target does not match any inclusion pattern, it is filtered out.
- Exclusion check second: Targets that pass the inclusion check are then checked against exclusion patterns (without + prefix). If a target matches an exclusion, it is still filtered out.
API-Only Feature: Inclusion patterns are configured through the API’s exclusions field when creating an enumeration (POST /enumerate). They use the same field as exclusion patterns — the + prefix distinguishes inclusions from exclusions.
Inclusion Pattern Examples
Include Only Production Targets
Restrict discovery to production subdomains only:
Include Specific IP Range
Restrict discovery to a specific network segment:
Combined Inclusion and Exclusion
Include production systems but exclude a specific staging subdomain that matches the pattern:
- prod-web.company.com → discovered (matches inclusion +prod-*.company.com)
- api.company.com → discovered (matches inclusion +api.company.com)
- prod-web.staging.company.com → filtered out (matches inclusion, but also matches exclusion *.staging.company.com)
- other.company.com → filtered out (does not match any inclusion pattern)
Inclusion Use Cases
Scoping to Production Only
Restrict discovery to production infrastructure:
Network Segment Discovery
Discover assets only in specific network segments:
Combined Scoping
Include a broad set of targets but exclude specific subsets:
This discovers all company.com subdomains except internal and dev environments.
Pattern Syntax
Wildcard Support
The exclusion system supports wildcard patterns using the asterisk (*) character:
- Prefix wildcards: *.staging.company.com - Excludes any subdomain ending with .staging.company.com
- Suffix wildcards: test.*.company.com - Excludes any subdomain starting with test. and ending with .company.com
- Multiple wildcards: *.staging.*.company.com - Supports multiple wildcards in a single pattern
Inclusion Prefix
Inclusion patterns use the same syntax as exclusions, prefixed with +:
- Exact match: +api.company.com
- Wildcard: +prod-*.company.com
- CIDR range: +10.0.0.0/24
- IP address: +192.168.1.100
Inclusion and exclusion patterns can be mixed in the same exclusions field. The + prefix is what distinguishes an inclusion from an exclusion.
Pattern Matching Rules
- Patterns are case-insensitive
- Each line represents a separate pattern
- Inclusion patterns use the + prefix with the same wildcard and CIDR support as exclusions
- When inclusion patterns are present, targets must match at least one inclusion pattern and not match any exclusion pattern
- Patterns are matched during the discovery phase
- Once excluded, targets will not appear in any subsequent discovery results
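A local model of the matching rules above, added here as an example for checking a pattern list before saving it; it is not ProjectDiscovery's code. The function names are hypothetical, and the assumption that * also spans dots is inferred from the combined example on this page.

```python
import ipaddress
import re

def _compile(pattern):
    """Turn one pattern line into a predicate over a discovered target."""
    pattern = pattern.strip().lower()
    try:
        # A bare IP parses as a single-address network, a CIDR range as-is.
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Hostname pattern: '*' spans any run of characters (assumed: dots too).
        rx = re.compile(".*".join(map(re.escape, pattern.split("*"))))
        return lambda target: rx.fullmatch(target.strip().lower()) is not None

    def match_ip(target):
        try:
            return ipaddress.ip_address(target.strip()) in net
        except ValueError:
            return False  # a hostname never matches an IP/CIDR pattern
    return match_ip

def parse_scope(text):
    """Split the exclusions field into (inclusion, exclusion) predicates."""
    includes, excludes = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("+"):
            includes.append(_compile(line[1:]))
        else:
            excludes.append(_compile(line))
    return includes, excludes

def in_scope(target, includes, excludes):
    """Inclusion check first, exclusion check second."""
    if includes and not any(match(target) for match in includes):
        return False
    return not any(match(target) for match in excludes)

def classify(scope_text, targets):
    """Map each target to True (discovered) or False (filtered out)."""
    includes, excludes = parse_scope(scope_text)
    return {t: in_scope(t, includes, excludes) for t in targets}

# Constructed input: the patterns and targets of the combined example above.
SCOPE = "+prod-*.company.com\n+api.company.com\n*.staging.company.com"
TARGETS = ["prod-web.company.com", "api.company.com",
           "prod-web.staging.company.com", "other.company.com"]

if __name__ == "__main__":
    print(classify(SCOPE, TARGETS))
```

With no + lines in the input, every target passes the inclusion step and only the exclusion patterns apply.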
Best Practices
Environment Separation
Use wildcard patterns to exclude entire environment categories:
Internal Infrastructure
Exclude internal-only domains and IP ranges:
Third-Party Restrictions
Respect organizational policies by excluding restricted domains:
Pattern Optimization
Use broader patterns when possible to reduce configuration complexity:
- Instead of listing individual staging subdomains, use *.staging.company.com
- Group similar patterns together for better organization
- Regularly review and update exclusion patterns as your infrastructure evolves
Inclusion Pattern Strategy
Use inclusion patterns when you want to restrict discovery scope rather than exclude individual targets:
- Prefer inclusions over large exclusion lists when you want to discover a small subset of a broad target list
- Combine inclusions with exclusions to create precise scoping (e.g., include all production but exclude a specific staging subdomain)
- Start with broader inclusion patterns and add exclusions for specific exceptions
Important Considerations
Discovery Impact: Exclusions only affect the discovery process. If an asset was already discovered before adding an exclusion, it will remain in your inventory until manually removed.
Managing Exclusions
Viewing Current Exclusions
All active exclusions are displayed in the Discovery Target Exclusions interface as individual items in a list format. Each exclusion shows:
- The exact pattern configured
- A remove button (X icon) for easy deletion
Removing Exclusions
To remove individual exclusions:
- Navigate to Settings → Discovery Target Exclusions or visit cloud.projectdiscovery.io/settings/exclusions
- Locate the exclusion you want to remove in the list
- Click the X icon next to the exclusion pattern
- The exclusion will be immediately removed from your configuration
Removing exclusions will allow those targets to be discovered in future enumerations.
Integration with Discovery Workflows
Target exclusions integrate seamlessly with all discovery methods and are applied globally across the platform:
- Automatic Discovery: Exclusions apply to all automated asset discovery processes
- Manual Enumeration: Manually triggered discoveries respect exclusion patterns
- Cloud Integration: Cloud-discovered assets are filtered against exclusion patterns
Global Application: All exclusion patterns apply to every discovery operation across your organization, ensuring consistent filtering regardless of the discovery method or who initiates it.
By implementing target exclusions, you can ensure that your asset discovery process focuses on the assets that matter most to your security posture while automatically filtering out noise and irrelevant targets.