> ## Documentation Index
> Fetch the complete documentation index at: https://docs.projectdiscovery.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Discovery Target Exclusions
> Configure patterns to exclude specific targets from asset discovery
## Overview
Discovery Target Exclusions allow you to proactively prevent specific assets or patterns from being discovered during asset enumeration. When exclusions are configured, these targets are actively filtered out of the discovery process, helping you focus on relevant assets and reduce noise in your asset inventory.
This feature also supports **inclusion patterns** (prefixed with `+`) that restrict discovery to only matching targets, functioning as an allowlist. See [Inclusion Patterns](#inclusion-patterns) for details.
This feature is particularly useful for excluding internal staging environments, test domains, government domains, or any other assets that should not be included in your attack surface monitoring.
**Quick Access**: Discovery Target Exclusions are managed in [Settings → Discovery Target Exclusions](https://cloud.projectdiscovery.io/settings/exclusions).
## How It Works
The exclusion system operates at the discovery layer, filtering out targets before they are added to your asset inventory. This ensures that excluded patterns are never discovered, scanned, or monitored by the platform.
**Global Exclusions**: Target exclusions are applied globally across all discovery operations. Once configured, exclusions affect all current and future asset discoveries, not just individual discovery sessions.
### Supported Exclusion Types
Exclude specific subdomains from discovery
Exclude individual IP addresses or ranges
Use wildcard patterns to exclude multiple targets
## Configuration
### Adding Exclusions
1. Navigate to **Settings → Discovery Target Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
2. Click **+ Add Exclusion** to open the exclusion configuration panel
3. Enter your exclusion patterns in the text area (one pattern per line)
4. Click **Add** to save your exclusions
### Exclusion Pattern Examples
#### Basic Subdomain Exclusions
```
staging.company.com
dev.company.com
test.company.com
internal-tools.company.com
```
#### Wildcard Patterns
```
*.staging.company.com
test.*.company.com
dev-*.internal.company.com
```
#### IP Address Exclusions
```
192.168.1.100
10.0.0.0/8
172.16.0.0/12
```
#### Government and Restricted Domains
```
*.gov
*.mil
*.edu
```
## Inclusion Patterns
### Overview
In addition to excluding targets, you can use **inclusion patterns** to create an allowlist — restricting discovery to only the targets that match your specified patterns. This is done by prefixing patterns with `+` in the `exclusions` field when creating an enumeration via the API.
**Allowlist Behavior**: When any inclusion pattern (prefixed with `+`) is present, the system switches to allowlist mode. Targets that do **not** match at least one inclusion pattern are automatically filtered out — even if they aren't matched by any exclusion pattern.
### How Inclusion Works
When inclusion patterns are configured:
1. **Inclusion check first**: Each discovered target is checked against all `+` patterns. If the target does not match any inclusion pattern, it is filtered out.
2. **Exclusion check second**: Targets that pass the inclusion check are then checked against exclusion patterns (without `+` prefix). If a target matches an exclusion, it is still filtered out.
**API-Only Feature**: Inclusion patterns are configured through the API's `exclusions` field when creating an enumeration (POST /enumerate). They use the same field as exclusion patterns — the `+` prefix distinguishes inclusions from exclusions.
### Inclusion Pattern Examples
#### Include Only Production Targets
Restrict discovery to production subdomains only:
```
+prod-*.company.com
+api.company.com
+*.production.company.com
```
#### Include Specific IP Range
Restrict discovery to a specific network segment:
```
+10.0.1.0/24
+192.168.100.0/24
```
#### Combined Inclusion and Exclusion
Include production systems but exclude a specific staging subdomain that matches the pattern:
```
+prod-*.company.com
+api.company.com
*.staging.company.com
```
In this example:
* `prod-web.company.com` → **discovered** (matches inclusion `+prod-*.company.com`)
* `api.company.com` → **discovered** (matches inclusion `+api.company.com`)
* `prod-web.staging.company.com` → **filtered out** (matches inclusion, but also matches exclusion `*.staging.company.com`)
* `other.company.com` → **filtered out** (does not match any inclusion pattern)
### Inclusion Use Cases
Restrict discovery to production infrastructure:
```
+*.prod.company.com
+api.company.com
+payments.company.com
```
Discover assets only in specific network segments:
```
+10.0.1.0/24
+10.0.2.0/24
```
Include a broad set of targets but exclude specific subsets:
```
+*.company.com
*.internal.company.com
*.dev.company.com
```
This discovers all `company.com` subdomains except internal and dev environments.
## Pattern Syntax
### Wildcard Support
The exclusion system supports wildcard patterns using the asterisk (`*`) character:
* **Prefix wildcards**: `*.staging.company.com` - Excludes any subdomain ending with `.staging.company.com`
* **Suffix wildcards**: `test.*.company.com` - Excludes any subdomain starting with `test.` and ending with `.company.com`
* **Multiple wildcards**: `*.staging.*.company.com` - Supports multiple wildcards in a single pattern
### Inclusion Prefix
Inclusion patterns use the same syntax as exclusions, prefixed with `+`:
* **Exact match**: `+api.company.com`
* **Wildcard**: `+prod-*.company.com`
* **CIDR range**: `+10.0.0.0/24`
* **IP address**: `+192.168.1.100`
Inclusion and exclusion patterns can be mixed in the same `exclusions` field. The `+` prefix is what distinguishes an inclusion from an exclusion.
### Pattern Matching Rules
* Patterns are **case-insensitive**
* Each line represents a separate pattern
* Inclusion patterns use the `+` prefix with the same wildcard and CIDR support as exclusions
* When inclusion patterns are present, targets must match at least one inclusion pattern **and** not match any exclusion pattern
* Patterns are matched during the discovery phase
* Once excluded, targets will not appear in any subsequent discovery results
## Best Practices
Use wildcard patterns to exclude entire environment categories:
```
*.staging.company.com
*.dev.company.com
*.test.company.com
```
Exclude internal-only domains and IP ranges:
```
*.internal.company.com
10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
```
Respect organizational policies by excluding restricted domains:
```
*.gov
*.mil
*.edu
client-*.company.com
```
Use broader patterns when possible to reduce configuration complexity:
* Instead of listing individual staging subdomains, use `*.staging.company.com`
* Group similar patterns together for better organization
* Regularly review and update exclusion patterns as your infrastructure evolves
Use inclusion patterns when you want to restrict discovery scope rather than exclude individual targets:
* Prefer inclusions over large exclusion lists when you want to discover a small subset of a broad target list
* Combine inclusions with exclusions to create precise scoping (e.g., include all production but exclude a specific staging subdomain)
* Start with broader inclusion patterns and add exclusions for specific exceptions
## Important Considerations
**Exclusions are Permanent**: Once a target is excluded, it will not be discovered in future enumerations. Make sure your exclusion patterns are accurate to avoid missing important assets.
**Discovery Impact**: Exclusions only affect the discovery process. If an asset was already discovered before adding an exclusion, it will remain in your inventory until manually removed.
**Testing Patterns**: Start with specific exclusions and gradually expand to broader patterns. This helps ensure you don't accidentally exclude important assets.
## Managing Exclusions
### Viewing Current Exclusions
All active exclusions are displayed in the [Discovery Target Exclusions](https://cloud.projectdiscovery.io/settings/exclusions) interface as individual items in a list format. Each exclusion shows:
* The exact pattern configured
* A remove button (X icon) for easy deletion
### Removing Exclusions
To remove individual exclusions:
1. Navigate to **Settings → Discovery Target Exclusions** or visit [cloud.projectdiscovery.io/settings/exclusions](https://cloud.projectdiscovery.io/settings/exclusions)
2. Locate the exclusion you want to remove in the list
3. Click the **X** icon next to the exclusion pattern
4. The exclusion will be immediately removed from your configuration
Removing exclusions will allow those targets to be discovered in future enumerations.
## Integration with Discovery Workflows
Target exclusions integrate seamlessly with all discovery methods and are applied globally across the platform:
* **Automatic Discovery**: Exclusions apply to all automated asset discovery processes
* **Manual Enumeration**: Manually triggered discoveries respect exclusion patterns
* **Cloud Integration**: Cloud-discovered assets are filtered against exclusion patterns
**Global Application**: All exclusion patterns apply to every discovery operation across your organization, ensuring consistent filtering regardless of the discovery method or who initiates it.
***
By implementing target exclusions, you can ensure that your asset discovery process focuses on the assets that matter most to your security posture while automatically filtering out noise and irrelevant targets.