Cyber Army

Methodology

We test like attackers and report like engineers. For ongoing coverage, we pair Surface Monitor (agentless, read-only) with manual testing when you want more hand-holding. Everything is OWASP/NIST aligned, reproducible, and audit-ready.

Surface Monitor (agentless)

  • Inventory — add a domain; auto-discover subdomains and live services.
  • Assess — TLS/SSL (expiry, chain, weak ciphers, HSTS), DNS hygiene (NS/MX drift, CAA, expiry), email auth (SPF/DKIM/DMARC, MTA-STS/TLS-RPT), security headers (CSP/XFO/XCTO/Referrer-Policy), CT log watch, exposed services, mixed content.
  • Prioritize — security-first scoring with evidence and copy-paste fixes.
  • Watch — continuous checks with expiry & drift alerts; integrations for Slack/Teams/Email/Webhooks.

Safe by design: read-only checks, no agents, no credentials.
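As an added illustration of the read-only security-header and email-auth checks listed under Assess (example code written for this page, not Surface Monitor's own code), the script below evaluates constructed sample input and orders findings by severity; the baseline header values, severities and fix wording are assumptions, not the product's scoring.

```python
import re

# Constructed sample input: one response's headers and the domain's TXT records.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
SAMPLE_TXT = {
    "@": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# Header name -> copy-paste fix (values are common baselines, assumed here).
REQUIRED_HEADERS = {
    "content-security-policy": "add Content-Security-Policy: default-src 'self'",
    "x-frame-options": "add X-Frame-Options: DENY",
    "x-content-type-options": "add X-Content-Type-Options: nosniff",
    "referrer-policy": "add Referrer-Policy: strict-origin-when-cross-origin",
    "strict-transport-security": "add Strict-Transport-Security: max-age=31536000; includeSubDomains",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

def check_headers(headers):
    """Flag each baseline header that is absent (names compared case-insensitively)."""
    present = {k.lower() for k in headers}
    return [("medium", f"missing {n}", fix) for n, fix in REQUIRED_HEADERS.items() if n not in present]

def check_email_auth(txt):
    """Evaluate SPF (apex TXT) and DMARC (_dmarc TXT) from already-resolved records."""
    findings = []
    spf = [r for r in txt.get("@", []) if r.startswith("v=spf1")]
    if not spf:
        findings.append(("high", "no SPF record", "publish v=spf1 <senders> -all"))
    elif not spf[0].rstrip().endswith("-all"):
        findings.append(("medium", "SPF does not hard-fail", "end the SPF record with -all"))
    dmarc = [r for r in txt.get("_dmarc", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(("high", "no DMARC record", "publish v=DMARC1; p=reject; rua=mailto:<inbox>"))
    else:
        policy = re.search(r"\bp=(\w+)", dmarc[0])
        if policy and policy.group(1) == "none":
            findings.append(("low", "DMARC policy is p=none", "move to p=quarantine, then p=reject"))
    return findings

def assess(headers=SAMPLE_HEADERS, txt=SAMPLE_TXT):
    """Run all checks; stable sort orders by severity and keeps check order within a tier."""
    return sorted(check_headers(headers) + check_email_auth(txt), key=lambda f: SEVERITY_RANK[f[0]])

if __name__ == "__main__":
    for sev, issue, fix in assess():
        print(f"[{sev}] {issue}: {fix}")
```

A real monitor would feed `assess()` with headers from a live HTTPS response and TXT records from a resolver; the checks themselves stay read-only.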

Manual testing (when you want more hand-holding)

  1. Discover — scope, assets, threats, ROE & change windows.
  2. Map — endpoints, APIs, tenants, auth paths, cloud exposure.
  3. Test — manual-first exploitation & abuse cases, targeted automation for depth (not noise).
  4. Analyze — validate impact, remove false positives; prioritize with CVSS + exploitability.
  5. Report — exec summary + developer-ready guidance (evidence, repro, code/config snippets).
  6. Verify — fast retest for critical/high and closure notes.

Standards & alignment

OWASP ASVS/MASVS, NIST SP 800-115, and CIS Benchmarks.

Evidence & deliverables

  • Reproducible evidence (screenshots, PoCs, artifacts)
  • Clear fix guidance with code/config diffs and references
  • Severity mapped to impact and exploitability; executive-ready summaries
  • Optional issue export to Jira/GitHub

Safety & controls

  • Non-destructive by default; change windows for riskier checks
  • Rate caps, traffic shaping, and source-IP allowlisting on request
  • Data minimization and time-bound retention; encrypted in transit/at rest

Ready to get started? Explore services or request a proposal.