Threat Intelligence Research

Insights

External exposure research, dark web analysis, and attack surface monitoring methodology from the ThreatPulsar team.

Attack Surface

What's Actually in Your External Attack Surface (And How to Find Out)

Most companies underestimate the size of their external footprint. Here's a framework for enumerating what's exposed and deciding what actually needs attention.

Credential Monitoring

How We Score Credential Leak Severity: Age, Source, and Account Type

Not all credential leaks are equal. A fresh dump from a business email domain is a different risk than a three-year-old consumer account breach. Here's how we weight them.

Phishing Detection

Typosquat Detection: Why Simple Edit Distance Misses Half the Lookalikes

Character substitution, homoglyphs, and brand keyword variations produce domains that evade basic similarity checks. Here's a more complete detection approach.

Attack Surface

Subdomain Enumeration: DNS Brute Force, Certificate Transparency, and What Each Finds

No single method finds everything. Certificate transparency logs catch what DNS brute force misses. Passive DNS catches what cert logs miss. Here's how to combine them.

Cloud Security

Cloud Bucket Exposure: How Public Storage Ends Up in Your Attack Surface

S3 buckets, GCS buckets, and Azure Blob storage with public ACLs are still found in the wild regularly. Most were set that way intentionally once and never reviewed again.

Dark Web

Dark Web Monitoring: What We Watch, What We Miss, and How We Know the Difference

Coverage in dark web monitoring is uneven. Some forums index well; others don't. Here's an honest breakdown of where leaked credentials are most likely to surface and where gaps exist.

Methodology

How We Calculate Exposure Score: What Goes In, What Comes Out

An exposure score is only useful if you know what it's measuring. We explain the inputs, the weighting logic, and why we treat finding age as a factor.

Phishing Detection

Spotting Phishing Infrastructure Before It Goes Live: MX Records and Registration Patterns

A phishing domain without an active mail exchanger is still being set up. The window between registration and first send is often measurable. Here's how to use it.

Methodology

False Positives in Attack Surface Monitoring: Where They Come From and How We Reduce Them

Over-alerting on legitimate CDN subdomains or known-good third-party services erodes trust in the platform. We track false positive rates, and here's what drives them.

Attack Surface

Certificate Transparency Logs as an Attack Surface Tool: What They Reveal and What They Don't

CT logs are a free, real-time feed of newly issued certificates. For external monitoring, they're one of the most reliable ways to catch new subdomains. Here's how to work with them.

MSSP / Architecture

Adding External Exposure Monitoring to an MSSP Service Stack: Architecture Considerations

Multi-tenant external monitoring has different isolation requirements than endpoint or SIEM services. Here's what to think through before deploying it across client environments.

Attack Surface

Exposed API Endpoints: How They Get Left Open and How External Scanning Finds Them

Misconfigured API gateways and forgotten debug endpoints regularly turn up in external scans. Most were exposed during development and never removed. Here's what we find and how.