The same passive recon a thorough SMB pentester runs by hand, executed in under 60 seconds, cross-referenced against nine public data sources, and condensed into a single 0–100 score with a written brief.
Not "12 scanners". Real recon — the same playbook a SMB pentester runs by hand, executed in 60 seconds and folded into one report your CFO and your sysadmin can both read.
The Wayback Machine is a public archive of every URL the internet has indexed — including admin panels you took offline three years ago. We replay them and flag the ones leaking config files, .env, or staging endpoints.
22 secret patterns scanned across public repos linked to your team: AWS keys, Stripe tokens, JWTs, database URIs. We tell you which file leaked it — before it is exploited.
Your CDN hides your real servers. Sometimes. We compute favicon fingerprints and pivot through Shodan's free InternetDB (a public index of exposed services) to surface the real IPs — the ones attackers will target to bypass your WAF.
34-word wordlists are why your last auditor missed half your subdomains. We probe 10,000 entries from SecLists (the de-facto open-source pentester dictionary) in parallel — staging, dev, vpn, git, jenkins, the works.
On top of the four passive recon angles above, every paid scan triggers six deep-scan modules. All are read-only and non-destructive; no exploit payload is ever sent. The modules below catch what a generic ASM scanner misses.
Swagger / OpenAPI live spec parsing → real endpoint enumeration (not 14 guesses). GraphQL introspection detection (OWASP API3:2023). BOLA probing on object-level endpoints. Reflective CORS misconfiguration. Weak-JWT alg=none acceptance test.
For every public S3 / Azure Blob / GCS bucket the Shadow IT pass discovers, we probe the actual ACL: anonymous listing, public-read, missing Block-Public-Access. We confirm exposure with real HTTP responses and never fabricate findings.
Probes 16 common login paths (/login, /signin, /auth, /admin, /wp-admin, etc.) until we find a real password form. Detects MFA visibility, CAPTCHA / Turnstile / hCaptcha gating, password-reset workflow (token-in-URL leaks), default-credentials hints. Never submits the form.
Crawler now goes 3 levels deep with up to 60 URLs (vs 1 / 15 before). Per-page CORS misconfiguration probe (reflective origin + credentials = critical). Set-Cookie audit on every observed cookie: missing Secure / HttpOnly / SameSite flags flagged, session-grade cookies given high severity.
Wappalyzer-grade fingerprinting database (MIT-licensed signatures, snapshotted locally — zero recurring cost). Captures the EXACT version on jQuery, Bootstrap, Lodash, Moment, AngularJS, nginx, Apache, WordPress, PHP, etc. Critical for the CVE-matching step below.
For every JS lib detected with a captured version, we match against a curated CVE database (jQuery, Bootstrap, Lodash, Moment, axios, AngularJS, Underscore, D3, Swiper). Surfaces specific CVE IDs with detected version, fixed version, and one-line remediation. Pure metadata comparison — zero extra fetch.
Five major pillars feed the 0–100 score, each scored independently and combined by criticality. A sixth pillar — compliance posture — is tracked separately in the Compliance Tracker tab and does not move the headline number. The per-pillar grading rubrics are documented in the technical glossary of every report PDF.
| Pillar | Role | What it covers |
|---|---|---|
| Attack Surface | Major | Subdomains, exposed services, open ports, cloud buckets discovered via Shadow IT (73 providers), container endpoints, archived URLs, and the full tech-stack fingerprint with version capture (190 signatures, used downstream for CVE matching). |
| Vulnerabilities | Major | CVE matching against detected software versions, TLS / SSL configuration grade, header hardening (HSTS, CSP, X-Frame-Options), web-app vulnerability classes (SQLi, XSS, CSRF, command injection, path traversal, insecure cookies, reflective CORS), API vulnerabilities (Swagger spec parse, GraphQL introspection, BOLA, CORS), and JS dependency CVEs (jQuery, Bootstrap, Lodash, Moment, AngularJS, etc.). |
| Email Security | Major | SPF, DKIM (45 selectors probed), DMARC policy strictness, MTA-STS, TLS-RPT, BIMI, DANE, MX hygiene. Roughly "can someone spoof your domain in an inbox". Modern-email coverage (MTA-STS / TLS-RPT / BIMI / DANE) goes beyond what most competitors check. |
| OSINT & Secrets | Major | Public GitHub leak scan (22 secret patterns × every public repo your team touches), HIBP breach lookup on official emails, threat-intel correlation across 7 public sources (VirusTotal, OTX, AbuseIPDB, GSB, DNSBL, crt.sh, NVD), Wayback Machine archived URL hunt for forgotten admin / staging endpoints. |
| Auth & Cloud IAM | Major | Login surface detection (presence of public login pages on 16 common paths, MFA visibility, CAPTCHA / Turnstile / hCaptcha gating, password-reset workflow audit, default credentials hints). Cloud IAM: ACL audit of every public bucket discovered by the Shadow IT pass (S3, GCS, Azure Blob — anonymous listing, public-read, missing Block-Public-Access). |
| Compliance posture | Supporting | Privacy policy reachable, cookie-banner present, terms of service, security.txt, evidence of an incident response plan. Tracked separately on the Compliance Tracker tab — does NOT move the headline 0–100 score, because a domain can be fully compliant on paper and still have a public S3 bucket leaking customer data. Compliance is a workflow surface, not a security surface. |
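The Email Security pillar above grades SPF and DMARC records by how much they actually constrain a spoofer. The following is an added example, not the product's own code, showing the core of such a grader: it parses the two TXT records, flags the weak settings (a permissive `all` qualifier, too many DNS lookups, `p=none`, a partial `pct`, no aggregate reporting address) and assigns each finding a severity on the same Critical / High / Medium / Low / Info scale the report uses. The sample records are constructed; a real scan would fetch them with DNS TXT lookups of the domain and `_dmarc.<domain>`. The severity assignments are this example's own assumptions, not the product's rubric.

```python
"""Grade SPF and DMARC TXT records for spoofing resistance.

Added example, not the product's code. The sample records at the bottom
are constructed; a real scanner would fetch them via DNS TXT lookups of
<domain> and _dmarc.<domain>. Severity choices are this example's own.
"""
from dataclasses import dataclass

# SPF mechanisms/modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


@dataclass
class Finding:
    severity: str  # Critical / High / Medium / Low / Info
    message: str


def grade_spf(record):
    """Return findings for one SPF record (None means no record is published)."""
    if record is None:
        return [Finding("High", "No SPF record: any host may send as this domain")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("High", "TXT record is not a valid SPF v1 record")]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        # Strip qualifier and any ':', '/' or '=' argument to get the mechanism name.
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("High", f"{lookups} DNS lookups exceed the limit of "
                                        f"{SPF_LOOKUP_LIMIT}; receivers return permerror"))
    if all_qualifier is None:
        findings.append(Finding("Medium", "No 'all' mechanism: unlisted senders are neutral"))
    elif all_qualifier == "+":
        findings.append(Finding("Critical", "'+all' authorises every host to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("High", "'?all' is neutral: unlisted senders are not rejected"))
    elif all_qualifier == "~":
        findings.append(Finding("Low", "'~all' soft-fails unlisted senders; enforcement relies on DMARC"))
    return findings


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return findings for one DMARC record (None means no record is published)."""
    if record is None:
        return [Finding("High", "No DMARC record: SPF/DKIM results are never enforced")]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("High", "Record at _dmarc is not a valid DMARC1 record")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("High", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("Low", "p=quarantine: spoofed mail is junked, not rejected"))
    elif policy != "reject":
        findings.append(Finding("High", "Missing or unknown p= tag"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("Medium", f"pct={pct}: policy applied to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("Low", "No rua= address: aggregate reports are not collected"))
    return findings


def audit_email_records(spf_record, dmarc_record):
    """Combine SPF and DMARC findings, most severe first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
    findings = grade_spf(spf_record) + grade_dmarc(dmarc_record)
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    # Constructed sample records, not real DNS data.
    sample_spf = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
    sample_dmarc = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    for f in audit_email_records(sample_spf, sample_dmarc):
        print(f"[{f.severity}] {f.message}")
```

DKIM is deliberately left out: its check is a presence/validity probe across selectors rather than a policy grade, and it would need the selector list the page mentions.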
Severity grading inside each major pillar follows the Critical / High / Medium / Low / Info convention. A single Critical finding caps the pillar at ≤50; a single High caps it at ≤75. Full grading rubric — and the exact aggregation maths — are shipped in every report PDF and on the dashboard.
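The Set-Cookie audit described in the crawler module and the pillar capping rule just stated fit together naturally, so here is one added example (not the product's code) that does both: it parses raw Set-Cookie headers, rates a missing Secure / HttpOnly / SameSite flag higher on session-grade cookies than on preference cookies, and then folds the findings into a pillar score where a single Critical caps the pillar at 50 and a single High at 75, as the page states. The sample headers are constructed, the session-cookie name heuristic and the per-severity point deductions are this example's own assumptions, and the caps are the only part taken from the page.

```python
"""Audit Set-Cookie headers and roll the findings into a capped pillar score.

Added example, not the product's code. Sample headers are constructed.
The caps (Critical -> 50, High -> 75) follow the page; the per-severity
deductions and the session-cookie name heuristic are assumptions.
"""
from dataclasses import dataclass

# Assumed: substrings that mark a cookie as carrying a session or credential.
SESSION_HINTS = ("sess", "auth", "token", "sid", "jwt", "login")
# Assumed point deductions per finding; the page does not publish its weights.
PENALTY = {"Critical": 40, "High": 20, "Medium": 10, "Low": 3, "Info": 0}
# From the page: one Critical caps the pillar at <=50, one High at <=75.
CAP = {"Critical": 50, "High": 75}


@dataclass
class Finding:
    severity: str
    message: str


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def is_session_cookie(name):
    """Heuristic: the name suggests the cookie holds a session or credential."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookie(header):
    """Flag each missing hardening attribute on one cookie."""
    name, attrs = parse_set_cookie(header)
    sensitive = is_session_cookie(name)
    findings = []
    for flag in ("Secure", "HttpOnly", "SameSite"):
        if flag.lower() in attrs:
            continue
        if sensitive:
            # Secure/HttpOnly missing on a session cookie means the token can be
            # sent in clear or read by injected script; SameSite is one notch lower.
            severity = "High" if flag in ("Secure", "HttpOnly") else "Medium"
        else:
            severity = "Low"
        kind = "session-grade" if sensitive else "non-session"
        findings.append(Finding(severity, f"{kind} cookie '{name}' is missing {flag}"))
    return findings


def audit_cookies(headers):
    """Audit every observed Set-Cookie header and concatenate the findings."""
    findings = []
    for header in headers:
        findings.extend(audit_cookie(header))
    return findings


def pillar_score(findings):
    """Start at 100, deduct per finding, then apply the single-finding caps."""
    score = max(0, 100 - sum(PENALTY[f.severity] for f in findings))
    for f in findings:
        if f.severity in CAP:
            score = min(score, CAP[f.severity])
    return score


def score_cookie_pillar(headers):
    """Convenience wrapper: (findings, score) for a list of Set-Cookie headers."""
    findings = audit_cookies(headers)
    return findings, pillar_score(findings)


# Constructed sample headers as a crawler might observe them.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; HttpOnly",                        # session cookie, no Secure/SameSite
    "theme=dark; Path=/; Secure; SameSite=Lax",                   # preference cookie, no HttpOnly
    "csrftoken=9b2e; Path=/; Secure; HttpOnly; SameSite=Strict",  # fully hardened
]

if __name__ == "__main__":
    findings, score = score_cookie_pillar(SAMPLE_HEADERS)
    for f in findings:
        print(f"[{f.severity}] {f.message}")
    print(f"pillar score: {score}")
```

Note that the caps are applied after the deductions, so a pillar with one High and nothing else reads 75 while one with a High plus several Lows reads lower; the cap is a ceiling, not the score itself.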
We don't reinvent threat intelligence — we aggregate it. Each source has a precise role; nothing here is paid or behind a private API.
A short list because security buyers shouldn't have to read a 20-page DPA to know the boundaries.
Methodology only matters when applied. ~60 seconds, no agent, no card required for the sample.