Methodology

Exactly what we check, and exactly what we don't.

Transparency matters. Here is the full list of what an AttackEdge scan looks for, grouped by category, and the things we deliberately do not claim to do. If a check is on this page, we run it. If it is not, assume we don't, and ask us.

8 check families~10,000 CVE signatures24h delivery

Discovery

Mapping your externally visible estate

6 checks

Web application

Your public-facing websites and apps

11 checks

Platforms

Platform- and product-specific checks

6 checks

Email

Domain auth and deliverability hygiene

6 checks

TLS

Certificates and transport security

5 checks

Cloud & storage

Public buckets and leaked backups

4 checks

Supply chain

DNS hygiene and dangling assets

4 checks

Breach exposure

Credentials and identity leaks

3 checks

What every scan covers.

Eight check families, one report. Every scan runs the full list.

DiscoveryMapping your externally visible estate

Subdomains, hosts, ports, and the rest of your public footprint.

Before any scan, we enumerate what actually exists on the public internet under your domain. Passive sources first, then light active probing.

  • Subdomain enumeration (passive sources: CT logs, search engines, GitHub)
  • DNS records: A, AAAA, MX, NS, TXT, CAA, CNAME
  • Live host detection and HTTP/S probing
  • Port scanning across the top 1,000 TCP ports
  • CDN, cloud provider, and ASN detection
  • Web crawl and endpoint discovery
Web applicationYour public-facing websites and apps

Tech stack, known CVEs, misconfigurations, and exposed files.

We fingerprint every host, match it against ~10,000 CVE signatures, and look for the configuration details attackers probe first.

  • Tech stack fingerprinting (server, framework, CMS, CDN, analytics)
  • Known vulnerabilities across ~10,000 signatures, updated daily
  • Security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • Cookie flags: Secure, HttpOnly, SameSite
  • Source map exposure
  • Secrets and API keys leaked in public JavaScript
  • Exposed admin panels, phpMyAdmin, wp-admin
  • Exposed .git, .svn, .env, and backup files
  • robots.txt and sitemap.xml inspection
  • GraphQL introspection (if enabled)
  • Error page and stack trace disclosure
PlatformsPlatform- and product-specific checks

WordPress, Shopify, Magento, and the DevOps stack.

Version checks and known-issue detection for the platforms most small businesses actually run.

  • WordPress: plugin and theme version enumeration, known CVEs, xmlrpc exposure, wp-json abuse, user enumeration
  • WooCommerce: exposed REST API, payment endpoint misconfigurations, plugin CVEs
  • Shopify: exposed admin paths, API key leakage in public pages, third-party app fingerprinting
  • Magento, Drupal, Joomla, Ghost: version and known CVEs
  • Jenkins, GitLab, Jira, Confluence, Gitea: exposure and known CVEs
  • Grafana, Kibana, Elasticsearch: exposed instances
EmailDomain auth and deliverability hygiene

SPF, DKIM, DMARC, MTA-STS — is your domain spoofable?

If your DMARC policy is missing or set to `p=none`, attackers can impersonate your domain. We verify the full email-auth chain from public DNS.

  • SPF record presence and validity
  • DKIM selector discovery and validity
  • DMARC policy: none, quarantine, or reject
  • MTA-STS and TLS-RPT
  • BIMI
  • Email provider detection (Microsoft 365, Google Workspace, Zoho)
TLSCertificates and transport security

Ciphers, cert chains, expiry, and the classic TLS bugs.

The quiet stuff attackers love finding first: weak protocols still turned on, expiring certs, and legacy cipher suites.

  • TLS versions supported, weak ciphers, cert validity and chain
  • Certificate expiry and rotation hygiene
  • Known SSL/TLS vulnerabilities: Heartbleed, POODLE, BEAST, Sweet32
  • HTTP/2 and HTTP/3 support
  • Mixed-content detection
Cloud & storagePublic buckets and leaked backups

Open S3, Azure Blob, and GCS — discovered by convention.

A lot of leaks come from a forgotten bucket. We enumerate by domain guessing and common naming patterns.

  • Public S3 bucket enumeration (domain-guessing and common patterns)
  • Azure Blob public container discovery
  • Google Cloud Storage bucket discovery
  • Exposed backup files on public hosting
Supply chainDNS hygiene and dangling assets

Subdomain takeover, CAA records, third-party scripts.

One dangling CNAME on a retired Heroku app is enough to host a phishing page on your domain. We look for all of them.

  • Subdomain takeover detection (dangling CNAMEs: Heroku, S3, Azure, GitHub Pages)
  • CAA record checking
  • Third-party script inventory
  • Certificate-transparency monitoring for passive discovery
Breach exposureCredentials and identity leaks

Known breaches, paste-sites, and public GitHub leaks.

Where your employees’ emails, tokens, or internal docs show up in public dumps — so you can rotate before someone uses them.

  • Have-I-Been-Pwned domain check (which company emails appear in known breaches)
  • Leaked credentials in public GitHub code
  • Paste-site scraping for leaked credentials or internal docs

What we don't do.

We would rather be the tool you trust on the things we genuinely cover than overclaim and disappoint. If any of the below matters to you, tell us and we can recommend who does handle it well.

We do not run penetration tests

A pentest requires scope, methodology, and CREST-like rigour. Our Scan is external and unauthenticated. If you need a full pentest, we refer to SilentGrid (silentgrid.com) — the founder sits on their team.

We do not access internal networks or endpoints

We look at what is externally visible. We do not touch your internal network, servers, workstations, or your EDR/MDR environment.

We do not log into your cloud tenants

No Microsoft 365, Google Workspace, AWS, Azure, or GCP tenant access. Anything that requires credentials is out of scope. Email authentication (SPF/DKIM/DMARC/MTA-STS) is detected from public DNS, without tenant access.

We do not brute-force or stress-test

No credential stuffing, no login brute-force, no denial-of-service testing. All scanning is passive and rate-limited so it cannot affect your operations.

We do not exploit vulnerabilities

When we find a known vulnerability we observe its presence and version. We do not attempt to exploit it. If you want validated exploit depth, that is pentest territory.

We are not a PCI DSS approved scanning vendor

We are not ASV-certified. If your merchant bank requires a PCI ASV quarterly scan, you need an approved vendor. We can complement that engagement, not replace it.

We do not replace SIEM, EDR, or MDR services

We give you a snapshot of your external exposure. Runtime detection and response is a different category and a different service.

We do not automate your compliance paperwork

Vanta, Drata, and Secureframe automate policy and control evidence. We give you the external attack-surface evidence that sits next to their output, not instead of it.

Know what attackers can see, in 24 hours.

One-off Scan at launch price $49 (standard $79). If the report is not useful, full refund within 14 days.

Start a scan for $79$49Back to home