Cyber Army

FAQ


Surface Monitor (agentless)

What is Surface Monitor?

An agentless, read-only external monitoring tool for SMBs. It checks TLS/SSL, DNS, email auth (SPF/DKIM/DMARC), security headers, exposed services, Certificate Transparency (CT) logs, and change/expiry drift—then scores issues with copy-paste fixes.

What does agentless, read-only mean?

No agents to install and no credentials required. We perform safe, standards-based checks (e.g., TLS handshake, DNS lookups, header inspection) and avoid intrusive traffic or payloads. It’s designed to be lightweight and non-disruptive.
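
To make "safe, standards-based checks" concrete, here is an added example (not Surface Monitor's code) of how header inspection and certificate expiry drift can be scored from data a read-only probe has already observed. The header list, point values, fix strings and the 30-day warning threshold are assumptions; the sample headers and dates are constructed.

```python
"""Score HTTP security headers and certificate expiry drift from data a
read-only probe has already observed. Added illustration, not Surface
Monitor's code: the header set, point values, fix texts and the 30-day
warning threshold are assumptions."""
from datetime import datetime, timedelta, timezone

# Headers expected on an HTTPS response, the points lost when each is absent,
# and a copy-paste fix. (Constructed scoring table.)
EXPECTED_HEADERS = {
    "strict-transport-security": (20, "Strict-Transport-Security: max-age=31536000; includeSubDomains"),
    "content-security-policy": (15, "Content-Security-Policy: default-src 'self'"),
    "x-content-type-options": (10, "X-Content-Type-Options: nosniff"),
    "x-frame-options": (10, "X-Frame-Options: DENY"),
    "referrer-policy": (5, "Referrer-Policy: strict-origin-when-cross-origin"),
}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, a commonly recommended floor for HSTS


def parse_max_age(hsts_value):
    """Extract the integer max-age from an HSTS header value, or None."""
    for directive in hsts_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return None


def score_headers(headers):
    """Return (score out of 100, findings) for a dict of observed response headers."""
    observed = {name.lower(): value for name, value in headers.items()}
    score = 100
    findings = []
    for name, (penalty, fix) in EXPECTED_HEADERS.items():
        if name not in observed:
            score -= penalty
            findings.append({"issue": f"missing {name}", "fix": fix})
    # A present but short-lived HSTS policy is a weak setting rather than a missing one.
    hsts = observed.get("strict-transport-security")
    if hsts is not None:
        max_age = parse_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            score -= 5
            findings.append({"issue": f"weak HSTS max-age={max_age}",
                             "fix": EXPECTED_HEADERS["strict-transport-security"][1]})
    return max(score, 0), findings


def certificate_drift(not_after, now, warn_days=30):
    """Classify a certificate as 'expired', 'expiring' (within warn_days) or 'ok',
    together with the days remaining (negative once expired)."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining.days
    return "ok", remaining.days


# Constructed observation from one HTTPS probe (not real data).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2024, 6, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    score, findings = score_headers(SAMPLE_HEADERS)
    print(f"header score: {score}")
    for finding in findings:
        print(f"  {finding['issue']} -> {finding['fix']}")
    print("certificate:", certificate_drift(SAMPLE_NOT_AFTER, SAMPLE_NOW))
```

The fetching step (one TLS handshake plus one HTTP request) is left out so the example runs offline; the scoring and fix suggestions are the part a score-and-fix workflow adds on top of the raw observation.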

What data do you collect for Surface Monitor?

Only what’s needed to run checks and show results: domain and subdomain names, IPs, open ports/services as observed, TLS certificate metadata and expiry, DNS records and changes, email auth policies, HTTP response headers, basic tech fingerprints, and CT log entries.

  • We do not collect PII from your users or application data.
  • Evidence (headers/records) is stored to power alerts, trending, and reports.

Where is data stored? Do you support residency?

We store results in secure cloud storage with encryption in transit and at rest. Residency options (e.g., US/EU) are available on Pro+/Enterprise.

Can Surface Monitor impact site performance?

No. Checks are lightweight and non-intrusive. We do not run exploit payloads or disruptive probes. Request rate is modest and tuned for stability.

How do free scans and alerts work?

Enter a domain to build an inventory and run initial checks (typically ~2 minutes to first score). You’ll see prioritized findings with evidence. On paid plans, enable continuous checks and alerts (Email, Slack, Teams, Webhooks).

Can we opt out or restrict scanning?

Yes. You can limit scopes (domains/subdomains), disable specific checks, and request blocklisting of assets or IP ranges at any time.

How is pricing structured?

SMB-friendly subscriptions: Starter, Growth, Pro, and MSP/Enterprise tiers by asset count and check frequency. See /pricing or contact us for a proposal.

Working with Cyber Army

What is penetration testing vs. a vulnerability scan?

A scan is automated and broad. A pentest adds human analysis and safe exploitation to prove impact, reduce false positives, and provide developer-ready remediation.

Do you work with startups/SMBs as well as enterprises?

Yes. We’re SMB-first but support enterprises. We map findings to business impact, protect sensitive data, and support SOC 2/ISO 27001 evidence and procurement reviews.

How long does a pentest take?

Typical projects run 1–3 weeks depending on scope and environments. Smaller, well-defined scopes move faster; we include a rapid retest window.

How do you scope and price a pentest?

We scope by assets and complexity (apps/APIs/mobile, auth roles, environments) and price fixed-fee per target with clear deliverables and an included retest.

What’s in the final report?

Executive summary; prioritized findings with severity and business impact; reproducible steps and evidence; developer-ready fixes with references. Optional control mapping to SOC 2/ISO 27001.

Can you test production safely?

Yes. We prefer staging but regularly test production with off-peak windows, rate caps, allowlists, and change controls to minimize risk.

How often should we run a pentest?

At least annually and after major releases/architectural changes. Many SMBs choose quarterly PTaaS for continuous coverage.

What do you need from us to start?

Targets, test accounts/roles, environment details, exclusions, and a primary contact.

  • Architecture or sequence diagrams (if available)
  • Whitelisting/VPN if required
  • Read-only access to logs/monitoring helps triage faster

How do you protect our data?

We minimize collection, encrypt in transit/at rest, restrict access on a need-to-know basis, and purge artifacts per contract. BAAs/DPAs available on request.

Cybersecurity threats & best practices

Top cyber threats for SMBs and startups?

Credential theft/misuse, leaked secrets, cloud/IaC misconfig, insecure APIs, third-party compromise, and ransomware-driven extortion.

  • Phishing/BEC; weak or reused passwords; missing MFA
  • Publicly exposed buckets/keys/admin consoles
  • Supply-chain risk (vendors, dependencies, CI/CD)
  • Unpatched internet-facing services
  • Flat networks and over-privileged IAM

How do we defend against phishing/BEC?

Pair strong email/auth controls with training and out-of-band verification—especially for payments or access changes.

  • SSO with phishing-resistant MFA (FIDO2/passkeys); disable legacy auth
  • SPF, DKIM, DMARC (p=reject) + monitor DMARC reports
  • Verify bank changes via phone/Slack; never via email alone
  • Use a password manager; it won’t auto-fill on lookalike domains

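
As an added example (not the page's or Cyber Army's code) of checking the SPF and DMARC items above: the functions below take the raw TXT records that would come from DNS lookups of the domain (SPF) and of `_dmarc.<domain>` (DMARC) and report weak settings such as `~all` or `p=none`. DKIM is not covered because verifying it needs the selector name. The sample records and the wording of the findings are constructed.

```python
"""Evaluate SPF and DMARC TXT records for anti-spoofing strength. Added
example, not the page's code; the sample records are constructed and the
finding texts are assumptions. In practice the strings come from DNS TXT
lookups of <domain> (SPF) and _dmarc.<domain> (DMARC)."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def count_dns_lookups(terms):
    """Count SPF terms that trigger a DNS lookup (RFC 7208 limits these to 10)."""
    count = 0
    for term in terms[1:]:  # skip the v=spf1 version tag
        t = term.lower().lstrip("+-~?")
        if t.startswith("redirect="):
            count += 1
            continue
        mechanism = t.split(":", 1)[0].split("/", 1)[0]
        if mechanism in LOOKUP_MECHANISMS:
            count += 1
    return count


def evaluate_spf(record):
    """Findings for an SPF TXT record; an empty list means nothing to fix."""
    findings = []
    terms = record.split()
    if not terms:
        return ["SPF: no record; publish v=spf1 with your senders and -all"]
    if terms[0].lower() != "v=spf1":
        findings.append("SPF: record does not start with v=spf1")
    terminal = terms[-1].lower()
    if terminal in ("+all", "all"):
        findings.append("SPF: +all lets anyone send as the domain; use -all")
    elif terminal == "?all":
        findings.append("SPF: ?all is neutral; use -all")
    elif terminal == "~all":
        findings.append("SPF: ~all is softfail; prefer -all with DMARC p=reject")
    elif terminal != "-all":
        findings.append("SPF: no terminal all mechanism; append -all")
    lookups = count_dns_lookups(terms)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Findings for a DMARC TXT record; an empty list means nothing to fix."""
    findings = []
    tags = parse_dmarc(record)
    if not tags:
        return ["DMARC: no record; publish v=DMARC1; p=reject; rua=mailto:<reports-address>"]
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag")
    elif policy.lower() != "reject":
        findings.append(f"DMARC: p={policy.lower()}; move to p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves some mail unenforced")
    return findings


def evaluate_domain(spf_record, dmarc_record):
    """Combine SPF and DMARC findings for one domain."""
    return evaluate_spf(spf_record) + evaluate_dmarc(dmarc_record)


# Constructed records for a domain that has started, but not finished, rolling out email auth.
SAMPLE_SPF = "v=spf1 include:_spf.mailprovider.example include:_spf.crm.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for finding in evaluate_domain(SAMPLE_SPF, SAMPLE_DMARC):
        print(finding)
```

`p=none` with `rua=` set is the normal monitoring stage; the finding is worded to move the domain on to `p=reject` once the aggregate reports show only legitimate senders.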
Is ransomware still a big issue? How to reduce impact?

Yes. Design for blast-radius reduction and recovery.

  • Immutable/offline backups + restore drills
  • Patch exposed services; lock down RDP/remote admin
  • Least-privilege IAM; segment networks/service accounts
  • EDR + hardening; monitor for exfil/encryption behavior

What is Zero Trust and do we need it?

A strategy that assumes breach: always verify, limit privileges, segment, and monitor continuously.

  • SSO + phishing-resistant MFA; device posture checks
  • JIT/JEA admin, short-lived scoped tokens
  • Deny-by-default and micro-segmentation
  • Centralized logging/UEBA and rapid response

How do we start Zero Trust in 90 days?

Start with identity, access, and visibility; then segment crown-jewel assets.

  • Roll out SSO + MFA; disable IMAP/POP/basic auth
  • Remove standing global admins; adopt PAM/JIT
  • Inventory service accounts/keys; rotate
  • Gate access with device compliance (MDM/EDR)

API security best practices?

Strong authZ/authN, input validation, and abuse protections.

  • Token-based auth with scoped permissions
  • Object-level authZ on the server; validate IDs
  • Rate limiting and anomaly detection
  • Avoid verbose errors; protect metadata endpoints

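
An added example (not from the page) of the "object-level authZ on the server; validate IDs" and rate-limiting points, in Python: a handler that only authenticates sits beside one that checks the token's scope, validates the ID format, checks ownership and rate-limits per account. The token shape, the invoice store, the ID pattern and the limits are assumptions.

```python
"""Object-level authorization and abuse controls for a small API handler.
Added example, not the page's code; the token format, the records and the
limits are constructed for illustration."""
import re
import time
from dataclasses import dataclass, field

# Constructed data store: invoice id -> owning account and amount.
INVOICES = {
    "inv_1001": {"owner": "acct_a", "amount": 120.0},
    "inv_1002": {"owner": "acct_b", "amount": 75.5},
}


@dataclass
class Token:
    """Assumed shape of a validated bearer token: the caller's account and granted scopes."""
    account: str
    scopes: frozenset


@dataclass
class Result:
    status: int
    body: dict = field(default_factory=dict)


# Identifiers have a fixed shape; anything else is rejected before it reaches a lookup.
ID_PATTERN = re.compile(r"^inv_[0-9]{1,12}$")


def get_invoice_vulnerable(token, invoice_id):
    """Authenticated but not authorized: any valid token can read any invoice
    (broken object-level authorization), and the error echoes the caller's input."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return Result(404, {"error": "not found", "id": invoice_id})
    return Result(200, inv)


class RateLimiter:
    """Fixed-window limiter keyed by account (constructed; a clock can be injected for tests)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self.buckets = {}

    def allow(self, key):
        now = self.clock()
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.buckets[key] = (start, count)
        return count <= self.limit


def get_invoice_hardened(token, invoice_id, limiter):
    """Scope check, ID validation, ownership check and per-account rate limit."""
    if not limiter.allow(token.account):
        return Result(429, {"error": "rate limited"})
    if "invoices:read" not in token.scopes:
        return Result(403, {"error": "forbidden"})
    if not ID_PATTERN.fullmatch(invoice_id):
        return Result(400, {"error": "bad request"})
    inv = INVOICES.get(invoice_id)
    # Same generic response for missing and foreign objects, so the endpoint
    # does not confirm which ids exist.
    if inv is None or inv["owner"] != token.account:
        return Result(404, {"error": "not found"})
    return Result(200, inv)


if __name__ == "__main__":
    caller = Token("acct_a", frozenset({"invoices:read"}))
    limiter = RateLimiter(limit=5, window_seconds=60)
    print("vulnerable:", get_invoice_vulnerable(caller, "inv_1002").status)  # acct_a reads acct_b's invoice
    print("hardened:  ", get_invoice_hardened(caller, "inv_1002", limiter).status)
```

The ownership check belongs in the handler (or a shared authorization layer it always calls), not in the client: the ID in the URL is attacker-controlled input, and the token is the only thing the server can trust about who is asking.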
What is MFA fatigue (push bombing) and how do we stop it?

Attackers spam prompts after stealing a password; users approve by mistake. Use phishing-resistant MFA and prompt guardrails.

  • Adopt passkeys/FIDO2 where possible
  • Enable number-matching/challenge in push apps
  • Throttle MFA attempts; alert on repeated prompts
  • Block legacy/basic auth; enforce SSO + conditional access
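
An added example (not from the page) of the "alert on repeated prompts" item: detection logic that scans constructed authentication log lines for users who receive an unusual number of push prompts in a short window, and records whether one of those prompts was eventually approved. The log format, the five-minute window and the prompt threshold are assumptions.

```python
"""Detect MFA push bombing from authentication logs. Added example, not the
page's code; the log format is constructed and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, user, event, result (not real data).
SAMPLE_LOGS = """\
2024-06-01T08:00:01Z alice mfa_push sent
2024-06-01T08:00:20Z alice mfa_push denied
2024-06-01T08:00:35Z alice mfa_push sent
2024-06-01T08:00:50Z alice mfa_push sent
2024-06-01T08:01:05Z alice mfa_push sent
2024-06-01T08:01:20Z alice mfa_push sent
2024-06-01T08:01:40Z alice mfa_push approved
2024-06-01T08:30:00Z bob mfa_push sent
2024-06-01T08:30:10Z bob mfa_push approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_push_bombing(log_text, max_prompts=4, window=timedelta(minutes=5)):
    """Return one alert per user who received more than max_prompts pushes
    within any sliding window of the given length. Each alert notes whether a
    prompt was approved during or shortly after the burst, which is the case
    that needs immediate follow-up (session revocation, password reset)."""
    prompts = defaultdict(list)
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        if result == "sent":
            prompts[user].append(ts)
        else:
            outcomes[user].append((ts, result))

    alerts = []
    for user, times in prompts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_prompts:
                burst_end = times[end]
                approved = any(
                    result == "approved" and times[start] <= ts <= burst_end + window
                    for ts, result in outcomes[user]
                )
                alerts.append({
                    "user": user,
                    "prompts": count,
                    "first": times[start],
                    "last": burst_end,
                    "approved_after_burst": approved,
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOGS):
        print(alert)
```

The same counter, applied before a push is sent rather than after the fact, is the "throttle MFA attempts" control: once a user has hit the threshold, further prompts are suppressed and the account is flagged instead of being asked again.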

Still have questions? Contact us or learn more about Surface Monitor.