What We Check (All Plans)
No portals, no noise.
DNS Reliability & Integrity
Delegation drift & lame nameservers
Prevents outages and hijack windows caused by parent/child NS mismatches or NS that aren’t answering authoritatively.
Stale or wrong glue records
Avoids intermittent resolution failures and misrouting from outdated A/AAAA glue at the registry.
Open zone transfer (AXFR)
Stops full zone data leakage that gives attackers a map of your infrastructure.
Open recursion on authoritative NS
Blocks cache-poisoning and DDoS amplification abuse from misconfigured name servers.
DNSSEC breakage or absence
Reduces cache-poisoning/BGP hijack risk by validating a healthy signed chain (or flagging when it’s missing).
IPv6 reachability faults
Prevents dual-stack users from hitting unreachable or inconsistent authoritative servers.
Oversized UDP responses (amplification)
Lowers your participation in reflection attacks by catching bloated DNS replies without TCP fallback.
Wildcard misuse
Avoids masked typos and unexpected host activations that expand your attack surface.
Anycast/POP inconsistency
Prevents intermittent failures by spotting regions returning different answers or timeouts.
Zone walking via NSEC (privacy)
Highlights enumeration risk where DNSSEC configuration leaks your hostnames.
SRV/HTTPS/SVCB misconfiguration
Prevents service discovery from pointing users to non-TLS or non-existent endpoints.
TXT sprawl (old verifications/secrets)
Reduces metadata leakage and confusion by removing stale tokens and keys.
Email Authentication & Deliverability
SPF misconfig & overbroad includes
Reduces spoofing and deliverability issues by tightening sender authorization.
Missing/weak DMARC
Prevents domain impersonation by enforcing quarantine/reject and ensuring alignment.
Stale/weak DKIM selectors
Cuts signature failures and downgrade risk by pruning old keys and ensuring strong key lengths.
Missing MTA-STS / TLS-RPT
Prevents SMTP TLS downgrade/stripping and ensures you receive reports when mail security fails.
TLS & Edge Security
TLS certificate expiry & SAN gaps
Avoids “site not secure” outages and hostname mismatches before they impact users.
Weak TLS protocols/ciphers
Reduces MITM and downgrade risk by identifying legacy TLS and insecure suites.
Missing HSTS/CSP/security headers
Lowers SSL-strip and XSS risks on key apps with clear header baselines.
Origin exposure behind CDN/WAF
Stops direct-to-origin bypass where attackers skip edge protections and hit your servers.
Exposure, Inventory & Governance
Dangling CNAMEs / subdomain takeover
Eliminates claimable third-party targets that let attackers host phishing on your domain.
Public storage or static site exposure
Detects accidentally accessible bucket/blob endpoints reachable outside your CDN.
New risky open services (change-driven)
Flags unexpected ports like RDP/DB appearing on internet-facing IPs.
Rogue/unknown certificates in CT logs
Catches surprise subdomains or unauthorized cert issuance early.
Third-party dependency drift (CNAME chains)
Surfaces new CDNs/SaaS in your path so you can review trust and access controls.
Untracked asset growth (surface creep)
Keeps a living inventory so new hosts/IPs don’t silently expand your attack surface.
Process gaps (no audit trail)
Creates an evidence-backed weekly paper trail to satisfy audits and speed incident response.
Web App Exposure & Misconfiguration
Exposed admin panels (Jenkins/Kibana/Grafana/phpMyAdmin)
Detects unauthenticated or weakly protected consoles before attackers find them.
Default/login banners detected
Highlights apps that still show default creds or installer pages to prevent trivial compromise.
Directory listing enabled
Prevents unintended file browsing that leaks code, backups, and secrets.
Sensitive files exposed (.env/.git/.svn/.DS_Store/.htpasswd)
Catches configuration and credential artifacts left accessible on the web root.
Backup/temporary files exposed (.zip/.tar.gz/.bak/.old/.swp)
Finds forgotten archives that often contain source, keys, or database dumps.
API docs exposed (Swagger/OpenAPI)
Warns when full API definitions are public, enabling rapid attacker recon.
GraphQL introspection enabled (prod)
Reduces schema leakage by disabling introspection outside trusted environments.
Spring Boot Actuator endpoints exposed
Prevents info-disclosure and unsafe actions from misconfigured actuator paths.
phpinfo/server-status pages
Removes verbose environment dumps that aid targeted exploits.
CORS misconfiguration (* with credentials)
Stops cross-site data theft by tightening overly permissive origins.
Insecure cookies (missing Secure/HttpOnly/SameSite)
Hardens session handling to resist theft and cross-site attacks.
Open redirects (parameter-based)
Prevents phishing and token hijacking caused by unchecked redirect parameters.
Verbose error/stack traces
Minimizes framework leakage by turning off detailed errors in production.
Version disclosure headers (Server/X-Powered-By)
Reduces targeted exploitability by suppressing unnecessary fingerprinting.
Unprotected upload endpoints (basic checks)
Flags common upload paths lacking file-type/size validation indicators.
Exposed CI/CD artifacts (logs/build manifests)
Removes pipeline outputs that reveal secrets, paths, or deploy keys.
Platform & Dependency Vulnerabilities
Outdated CMS core (WP/Drupal/Joomla)
Flags known-vulnerable versions so you can patch before they’re exploited.
Vulnerable plugins/themes
Surfaces plugins/themes with public CVEs so you can update or remove them.
Known CVEs in edge services (nginx/Apache/OpenSSL)
Identifies version/binary matches to high-impact CVEs for prioritized patching.