Domain Monitor
Attack Surface Discovery
Scanned Domains Portfolio
MSSP view — every domain you've scanned, sorted by risk. Local to this browser.
Side-by-Side Domain Comparison
Benchmark two domains' attack surface head-to-head — posture score, findings, TLS/headers grades, and exposure counts.
🕵 External Attack Surface Management
Continuous discovery + diff + close. We run our own Shodan/Censys/Amass/CT pipeline on our own brand, weekly, and shrink what the adversary will find.
| Metric | Value | Detail |
|---|---|---|
| Subdomains tracked | — | across 6 scanners |
| Net-new (7d) | — | triage queue |
| Takeover candidates | — | dangling CNAMEs |
| CT-lookalike certs | — | filed for takedown |
| Fix / close SLA | — | mean time |
| Surface trend | ↓ 11% | vs prior 30d |
📡 Subdomain Enumeration Pipeline (T001)
Daily run · amass + subfinder + crt.sh + merklemap + brute. Diff vs prior day. Net-new auto-opens a ticket with owner.
| Source | Subdomains found | New 7d | Last run | Health |
|---|---|---|---|---|
| amass (active+passive) | 347 | +8 | 04:12 today | OK |
| subfinder | 312 | +6 | 04:14 today | OK |
| crt.sh (CT logs) | 289 | +11 | streaming | LIVE |
| merklemap | 218 | +3 | 06:00 today | OK |
| puredns bruteforce | 94 | +2 | 02:00 today | OK |
| Shodan org-tag | 67 | +1 | 05:22 today | OK |
Net-new this week:
- staging-v2.[your-org].com · eng · opened CR-2240
- invoice-portal-uat.[your-org].com · finance · opened CR-2241
- old-wiki.[your-org].com · stale? no owner · auto-escalated
- demo-q2.[your-org].com · sales-eng · opened CR-2242
📜 Certificate Transparency Monitor (T002)
We subscribe to the CT log stream. Alerts on any new cert for our name or brand-adjacent — catches shadow-IT SaaS signups and adversary lookalikes.
| Metric | Value | Detail |
|---|---|---|
| Certs monitored | 2,184 | active issuers |
| Own-brand (7d) | 12 | all reconciled |
| Lookalike-brand | 4 | filed for takedown |
| Expiring < 14d | 3 | auto-renew set |

| Issued | Domain / SAN | Issuer | Classification | Verdict |
|---|---|---|---|---|
| 2h ago | billing.[your-org].com | Let's Encrypt | own-brand · known SaaS | allow |
| 6h ago | [your-brand]-billing.app | Let's Encrypt | lookalike · registered 3h ago | takedown filed |
| yday | shopify-[your-brand].com | Google Trust | lookalike · phishing pattern | takedown + GSB |
| yday | hr.[your-org].com | DigiCert | own-brand · verified | allow |
| 2d ago | acmɇ-login.io (punycode) | Let's Encrypt | homoglyph | takedown filed |
| 3d ago | api.[your-org].com | AWS ACM | own · auto-renewal | allow |
🎯 Typosquat / Lookalike Detector (T003)
dnstwist + urlcrazy + CT feed. Score by Levenshtein × registrar-age × MX-presence. Auto-drafts the takedown request.
| Metric | Value | Detail |
|---|---|---|
| Variants monitored | 4,218 | permutations of brand |
| Registered (7d) | 14 | net-new |
| MX+web live | 6 | phishing-ready |
| Takedowns filed | 5 | this week |

| Variant | Age | MX | Web | Score | Action |
|---|---|---|---|---|---|
| acmɇ.io (punycode) | 2d | ✓ | ✓ login form | 94 | takedown + GSB |
| acme-io.com | 3d | ✓ | ✓ login form | 88 | takedown |
| acrne.io (r n → m) | 1d | ✓ | parking | 74 | watch |
| acme.support | 12d | ✓ | ✓ fake helpdesk | 91 | takedown filed |
| acnie.io | 8d | — | — | 32 | monitor |
| acme.ltd | 60d | — | parking | 28 | monitor |
🔭 Internet-Scanner Self-Scan (T004)
Shodan + Censys + ZoomEye + BinaryEdge org-tag pull. Diff week-over-week. Anything not on the approved edge-inventory escalates.
| Metric | Value | Detail |
|---|---|---|
| Indexed services | 218 | across 4 scanners |
| Approved edge | 204 | on inventory |
| Unknown exposed | 14 | triage now |
| High-risk ports | 3 | RDP · Mongo · Jenkins |

| Service | IP / Host | Port | Banner | First seen | Verdict |
|---|---|---|---|---|---|
| RDP | edge-old-01.[your-org].com | 3389 | Windows 2016 | 6d ago | close / move to IAP |
| MongoDB | 34.x.x.x | 27017 | no auth | 2d ago | P0 · auth + bind localhost |
| Jenkins | ci-old.[your-org].com | 8080 | Jenkins 2.319 | 11d ago | decommission |
| Elasticsearch | es-legacy.[your-org].com | 9200 | 7.10 · no auth | 4d ago | xpack + IP-allow |
| HTTPS | api.[your-org].com | 443 | nginx / prod | baseline | approved |
| SSH | jump.[your-org].com | 22 | OpenSSH 9 · keyauth | baseline | approved |
☠ Subdomain Takeover Sweep (T005)
Nuclei takeover templates on every CNAME we own. Targets S3 / GitHub Pages / Heroku / Azure / Shopify / Fastly / custom domains where the underlying asset was removed.
| Metric | Value | Detail |
|---|---|---|
| CNAMEs tracked | 412 | in our zones |
| Dangling detected | 3 | P0 · claim now |
| Auto-claimed / DNS-removed | 8 | this quarter |
| Mean time-to-fix | 46m | detection → closed |

| Subdomain | Points to | Vendor | Fingerprint | Action |
|---|---|---|---|---|
| blog-old.[your-org].com | → acme.github.io | GitHub Pages | "There isn't a GitHub Pages site here" | CREATE REPO or REMOVE CNAME |
| try.[your-org].com | → acme-demo.s3.amazonaws.com | AWS S3 | NoSuchBucket | CREATE BUCKET or REMOVE |
| status.[your-org].com | → acme-old.statuspage.io | Statuspage | 404 + page-not-found | CLAIM ON STATUSPAGE |
| ship.[your-org].com | → acme-live.herokuapp.com | Heroku | active · app exists | OK |
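
The fingerprint matching behind a sweep like this, as an added example (not the dashboard's or Nuclei's own code). The GitHub Pages, S3 and Statuspage markers are the ones in the table above; the Heroku marker, the `Probe` type, the hostnames and the responses are assumptions constructed for illustration, and nothing is fetched over the network.

```python
from dataclasses import dataclass

# CNAME suffix -> (vendor, body substring that marks an unclaimed resource)
FINGERPRINTS = {
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".statuspage.io": ("Statuspage", "page-not-found"),
    ".herokuapp.com": ("Heroku", "No such app"),  # assumption, not from the table
}

@dataclass
class Probe:
    host: str    # subdomain in our own zone
    cname: str   # where DNS currently points
    status: int  # HTTP status returned for the host
    body: str    # response body (truncated)

def classify(p: Probe) -> tuple[str, str]:
    """Return (vendor, verdict); verdict is dangling, ok or unknown-vendor."""
    target = p.cname.rstrip(".").lower()
    for suffix, (vendor, marker) in FINGERPRINTS.items():
        if target.endswith(suffix):
            # Require an error status as well as the marker, so a live page
            # that merely quotes the marker text is not flagged.
            dangling = p.status >= 400 and marker.lower() in p.body.lower()
            return vendor, "dangling" if dangling else "ok"
    return "unknown", "unknown-vendor"

def sweep(probes):
    return {p.host: classify(p) for p in probes}

SAMPLE = [  # constructed probe results
    Probe("blog-old.example.com", "acme.github.io.", 404,
          "<p>There isn't a GitHub Pages site here.</p>"),
    Probe("try.example.com", "acme-demo.s3.amazonaws.com", 404,
          "<Code>NoSuchBucket</Code>"),
    Probe("ship.example.com", "acme-live.herokuapp.com", 200, "<h1>Shipping</h1>"),
    Probe("docs.example.com", "acme.github.io", 200,
          "Guide: fixing 'There isn't a GitHub Pages site here'"),
    Probe("cdn.example.com", "d111.cdn.example.net", 200, "ok"),
]

if __name__ == "__main__":
    for host, (vendor, verdict) in sweep(SAMPLE).items():
        print(f"{host:24} {vendor:14} {verdict}")
```

Hosts that come back `unknown-vendor` still need an owner check: the CNAME target is a provider the fingerprint list does not cover.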
🗝 HIBP Breach-Credential Gate (T006)
Continuous h8mail / dehashed / HIBP cross-ref for all @[your-org].com addresses. Any hit forces session-kill + password/passkey reset in aegis ITDR.
| Metric | Value | Detail |
|---|---|---|
| Addresses monitored | 4,218 | all corp + contractor |
| Hits (30d) | 12 | all rotated |
| Plaintext-pw hits | 3 | priority 0 |
| Reuse rate (sampled) | 18% | target < 5% |

| When | Address | Source breach | Data classes | Response |
|---|---|---|---|---|
| 3h ago | [user.name]@[your-org].com | ParkMobile 2021 | email + hashed pw | reset pending · notified |
| yday | rohan.das@[your-org].com | Twitter 2022 | email + phone | user aware · rotate MFA |
| 2d ago | contractor-jr@3pa.io | DailyQuiz 2020 | email + PLAIN pw | session killed + force FIDO2 |
| 5d ago | ap@[your-org].com | LinkedIn 2012 + Dropbox 2012 | email + multi | rotated |
🐙 Public-Code Secret Dorking (T007)
gitleaks + trufflehog + grep.app searches for our org domain across GitHub / GitLab / gists / postbin — including forks and consented personal accounts.
| Metric | Value | Detail |
|---|---|---|
| Repos monitored | 12,480 | mentioning brand |
| Verified secrets (30d) | 4 | all rotated |
| False positives | 86% | auto-filtered |
| Rotation SLA | 3h 12m | leak → rotated |

| Where | Kind | Preview | First seen | Action |
|---|---|---|---|---|
| github.com/ex-intern-42/dotfiles | AWS Access Key | AKIA…XOYM | 8h ago | rotated + revoked |
| gist/anonymous/a2f… | Datadog API key | dd_xx…c3 | 2d ago | rotated |
| postbin.com/b/d19… | Slack webhook | hooks.slack.com/services/T… | 5d ago | webhook deleted |
| github.com/acme-corp/demo | JWT · test-env | eyJh… | 14d ago | false-pos · test-signed |
🪣 Public-Bucket Enumeration (T008)
s3scanner + cloud_enum permutations of brand across S3, GCS, Azure Blob. Any reachable bucket not explicitly tagged `public:yes` goes to the triage queue.
| Metric | Value | Detail |
|---|---|---|
| Permutations tried | 8,142 | brand + numbers |
| Reachable buckets | 32 | need review |
| With listing enabled | 2 | CLOSE TODAY |
| Confirmed public-intended | 28 | tagged + baselined |

| Bucket | Provider | Contents | Listing | Verdict |
|---|---|---|---|---|
| acme-devops-scratch | AWS S3 | ~41 files · logs, envs | ENABLED | BPA + remove public |
| acme-old-backups | AWS S3 | tarballs 2021-22 | ENABLED | migrate + lock |
| acme-marketing-assets | AWS S3 | logos + videos | disabled | intended · baselined |
| acme-prod-static | GCS | CDN origin | disabled | intended |
🕰 Wayback & Archive Mining (T009)
gau + waybackurls → extract API paths, keys, and JS bundles from archive snapshots. Rotate anything still live. Source-map any dead endpoint.
| Metric | Value | Detail |
|---|---|---|
| URLs harvested | 4.2M | all-time snapshots |
| Live (still reachable) | 312 | old but alive |
| Exposed keys found | 7 | all rotated |
| Undocumented APIs | 11 | filed in devsec |

| Kind | Example | Finding | Action |
|---|---|---|---|
| Old JS bundle | /static/v1.4.2/app.min.js | hardcoded Sentry DSN · still in traffic | rotated |
| API path | /api/v1/internal/debug?key= | archived 2022; endpoint removed | confirmed removed |
| Admin UI | /old-admin/login.php | reachable · PHP deprecated | decommission |
| Leaked API key | SendGrid token in archived footer JS | still active 6 months ago | rotated + alerted |
📧 Email Auth Posture — SPF · DKIM · DMARC · BIMI (T011)
DMARC at p=reject, DKIM 2048-bit, BIMI record published. Continuous monitor for drift or weakening. Inbound strict-alignment enforced on receive side.
| Metric | Value | Detail |
|---|---|---|
| DMARC policy | p=reject | at 100% · rua + ruf |
| DKIM strength | 2048-bit | rotated 62d ago |
| BIMI published | ✓ VMC | verified trademark |
| Aggregate reports (7d) | 4,218 | spoofing attempts |

| Domain | SPF | DKIM | DMARC | BIMI | Status |
|---|---|---|---|---|---|
| [your-org].com | ✓ hard-fail | ✓ 2048 | p=reject | ✓ VMC | COMPLIANT |
| mail.[your-org].com | ✓ hard-fail | ✓ 2048 | p=reject | ✓ | COMPLIANT |
| acme-events.com | ✓ soft-fail | ✗ | p=none | — | PARKED · tighten |
| acme-careers.com | ✓ reject-all | n/a | p=reject | — | NULL-MX · no send |
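
One way to monitor SPF and DMARC for "drift or weakening", as an added example (not the dashboard's code). It classifies TXT records with the labels used in the table above and compares them with a stored baseline; the domains, the records and the ranking of postures are assumptions constructed for illustration.

```python
# Rank of each posture; a lower number is weaker. The ordering is an assumption.
DMARC_RANK = {"missing": 0, "none": 1, "quarantine": 2, "reject": 3}
SPF_RANK = {"missing": 0, "no-all": 0, "pass-all": 0, "neutral": 1,
            "soft-fail": 2, "hard-fail": 3, "reject-all": 3}

def spf_posture(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    if terms[1:] == ["-all"]:
        return "reject-all"                  # nothing is authorised to send
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return {"-": "hard-fail", "~": "soft-fail",
                    "?": "neutral"}.get(term[0], "pass-all")
    return "no-all"

def dmarc_posture(record):
    """Return (policy, pct); ('missing', 0) when there is no valid DMARC record."""
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts if v}
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return "missing", 0
    pct = tags.get("pct", "100")
    return tags["p"], int(pct) if pct.isdigit() else 100

def strength(control, record):
    if control == "spf":
        return SPF_RANK[spf_posture(record)]
    policy, pct = dmarc_posture(record)
    # An enforcing policy applied to part of the mail ranks below the same policy at 100%.
    partial = policy in ("quarantine", "reject") and pct < 100
    return DMARC_RANK[policy] - (0.5 if partial else 0)

def drift(baseline, observed):
    """Both map domain -> {'spf': txt, 'dmarc': txt}; return weakened (domain, control) pairs."""
    return [(d, c) for d, base in baseline.items() for c in ("spf", "dmarc")
            if strength(c, observed.get(d, {}).get(c, "")) < strength(c, base.get(c, ""))]

BASELINE = {  # constructed records
    "example.com": {"spf": "v=spf1 include:_spf.example.net -all",
                    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:agg@example.com"},
    "events.example": {"spf": "v=spf1 include:_spf.example.net ~all", "dmarc": "v=DMARC1; p=none"},
    "careers.example": {"spf": "v=spf1 -all", "dmarc": "v=DMARC1; p=reject"},
}
OBSERVED = {  # constructed: SPF softened, DMARC pct lowered, one DMARC record deleted
    "example.com": {"spf": "v=spf1 include:_spf.example.net ~all",
                    "dmarc": "v=DMARC1; p=reject; pct=50; rua=mailto:agg@example.com"},
    "events.example": dict(BASELINE["events.example"]),
    "careers.example": {"spf": "v=spf1 -all"},
}
```

`drift` reports only regressions against the baseline, so a domain that was already at `p=none` (like the parked one here) needs the separate posture check to show up.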
🛰 ASN / BGP Prefix Inventory (T013)
asnmap + ipinfo bulk. Reconcile every prefix claiming the brand vs CMDB. Flag any unknown ASN asserting ownership — classic BGP-hijack early signal.
| Metric | Value | Detail |
|---|---|---|
| ASNs we own | 3 | approved |
| Prefixes announced | 18 | all ROA-signed |
| Unknown brand-claims | 2 | in whois → investigating |
| RPKI invalid | 0 | target 0 |

| ASN / prefix | Claim | Source | ROA | Verdict |
|---|---|---|---|---|
| AS64500 · 198.51.100.0/24 | [your-org] | ARIN | ✓ | approved edge |
| AS64500 · 203.0.113.0/24 | [your-org] | ARIN | ✓ | approved edge |
| AS64501 · 192.0.2.0/24 | [your-org] (old DC) | ARIN | ✓ | decom Q3 |
| AS64999 · whois match | Unrelated company Ltd | RIPE | — | different co · verify |
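
How the "RPKI invalid" count can be derived, as an added example (not the dashboard's code): route origin validation in the style of RFC 6811, run against the ROA-signed prefixes from the table above. The maxLength values, the announcements, AS64511 as an unexpected origin and the verdict wording are assumptions constructed for illustration.

```python
import ipaddress

# (ROA prefix, maxLength, authorised origin ASN). Prefixes and ASNs are the
# documentation values from the table; maxLength = prefix length is assumed.
ROAS = [
    ("198.51.100.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64500),
    ("192.0.2.0/24", 24, 64501),
]

def origin_validation(prefix, origin_asn, roas=ROAS):
    """Return valid, invalid or not-found for one announced route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if route.version == roa.version and route.subnet_of(roa):
            covered = True  # at least one ROA covers this route
            if asn == origin_asn and route.prefixlen <= max_len:
                return "valid"
    # Covered but never matched: wrong origin or more specific than maxLength.
    return "invalid" if covered else "not-found"

def reconcile(announcements, approved_asns, roas=ROAS):
    """Attach a triage verdict to each (prefix, origin ASN) announcement."""
    rows = []
    for prefix, asn in announcements:
        state = origin_validation(prefix, asn, roas)
        if state == "valid" and asn in approved_asns:
            verdict = "approved"
        elif state == "invalid":
            verdict = "escalate"      # inside our ROA space, but not as signed
        else:
            verdict = "investigate"   # no covering ROA, or origin not in CMDB
        rows.append((prefix, asn, state, verdict))
    return rows

ANNOUNCEMENTS = [  # constructed observations
    ("198.51.100.0/24", 64500),    # matches its ROA
    ("198.51.100.128/25", 64500),  # more specific than maxLength allows
    ("203.0.113.0/24", 64511),     # covered prefix, unexpected origin
    ("198.18.0.0/24", 64500),      # no ROA covers it
]

if __name__ == "__main__":
    for row in reconcile(ANNOUNCEMENTS, approved_asns={64500, 64501}):
        print(*row, sep="  ")
```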