No credentials required · No setup · Under 60 seconds

Your external attack surface, seen the way attackers see it.

Before attackers send email as you, trigger warnings for your users, or expose something you missed.

Before any attack, reconnaissance happens first. Attackers check your DNS, email config, TLS certs, and exposed services — all public, no access to your systems needed. SurfaceSentinel shows you that picture and tells you what to fix.

Try it. No credentials. No setup. — from $29 · one-time · no subscription

Most first scans find something worth fixing.

Built by Patrick Donohue — 35 years in IT infrastructure and cybersecurity, most recently in the financial sector.

Most first scans identify at least one issue worth fixing

#1 finding: DMARC missing — your domain can be spoofed today

Under 60 seconds. Findings ranked. Fix steps included.

Nothing installed. Nothing accessed. Just your domain name.

Example Findings

This is what an attacker already sees about your domain.

Real output format — fictional domain. This is exactly what you receive.

HIGH SPF record missing — anyone can send email as your domain
HIGH TLS certificate expires in 21 days — timing attackers actively watch for
MEDIUM HTTP not redirected to HTTPS — traffic exposed before redirect fires
View full sample report with remediation steps

Before

  • Unknown exposure
  • Manual checks
  • Missed issues

After

  • Clear findings
  • Actionable fixes
  • Repeatable scans

The Problem

Attackers research your organization before they do anything else.

Reconnaissance happens before anything else. Before phishing, before spoofing, before probing — attackers map what's publicly visible. Your DNS. Your mail config. Your cert expiry. Your open ports.

Most organizations have no idea what that picture looks like from the outside. SurfaceSentinel shows you. Fix it before they act on it.

Email spoofing
No SPF or DMARC? Anyone can impersonate your domain in email. No system access needed — just the absence of two DNS records.

Weak encryption
Cert expiry is public. Attackers time their approach to the window when your trust signals are weakest.

Exposed services
Forgotten test servers. Old admin ports. Still visible to anyone who looks.

Missing headers
Five lines of server config. Skip them and you expose users to SSL stripping and clickjacking.

What We Analyze

What attackers check first.

This isn't a generic checklist. The same external picture an attacker builds before deciding whether to proceed — translated into ranked findings with specific fix steps.

If these fail, attackers don't need to guess what to try next.

Email Security

SPF, DKIM, DMARC. Missing any one of them and your domain can be impersonated in email — no system access required.
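As an added example (not SurfaceSentinel's own code), the SPF and DMARC part of this check can be reproduced locally: given the TXT records for a domain and for its _dmarc subdomain, it ranks findings in the style of the sample report above. The domain example.test and its DNS answers are constructed here so the code runs offline; a real check would fetch the records with a resolver.

```python
# Added example, not SurfaceSentinel's code: rank a domain's SPF and DMARC state the way
# the sample report above does. DNS answers are constructed inline so this runs offline;
# a real check would fetch the TXT records for <domain> and _dmarc.<domain>.

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample answers: SPF present but soft-fail, no DMARC record at all.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.example.test": [],
}

def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, txt_lookup):
    """Return (severity, title, why) findings for the domain's SPF and DMARC records."""
    findings = []
    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("HIGH", "SPF record missing", "anyone can send email as your domain"))
    elif len(spf) > 1:
        # RFC 7208: more than one SPF record is a permanent error, so receivers ignore SPF.
        findings.append(("HIGH", "Multiple SPF records", "receivers treat SPF as invalid"))
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:  # a bare 'all' means '+all'
            findings.append(("HIGH", "SPF allows any sender (+all)", "SPF provides no protection"))
        elif "~all" in terms or "?all" in terms:
            findings.append(("MEDIUM", "SPF soft-fail or neutral", "spoofed mail is accepted and only marked"))
        elif "-all" not in terms:
            findings.append(("MEDIUM", "SPF has no 'all' term", "unlisted senders default to neutral"))
    dmarc = [r for r in txt_lookup.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("HIGH", "DMARC record missing", "your domain can be spoofed today"))
    else:
        policy = parse_dmarc_tags(dmarc[0]).get("p", "").lower()
        if policy == "none":
            findings.append(("MEDIUM", "DMARC policy is p=none", "spoofed mail is reported but still delivered"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])
```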

DNS Configuration

The first thing attackers read. Nameservers, MX records, and hosting relationships map your infrastructure before a single request is made.

TLS & Certificate Health

Cert expiry, issuer, days remaining — fully public. Attackers use them to gauge timing. Your users get browser warnings when it lapses.

Web Security Headers

HSTS, CSP, X-Frame-Options. A few response headers. Missing them leaves users open to SSL stripping and clickjacking.
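As an added example (not SurfaceSentinel's own code), the header part of this check on a constructed response: it treats an HSTS header with max-age=0 as absent and accepts either X-Frame-Options or a CSP frame-ancestors directive as framing protection, which goes slightly beyond the three-header summary above.

```python
# Added example, not SurfaceSentinel's code: assess the response headers named above.
# The header set is constructed inline so nothing is requested; a real check would use
# the headers of an HTTPS response from the domain.

# Constructed sample: HSTS present but disabled (max-age=0), a CSP with no framing
# directive, and no X-Frame-Options header.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'",
}

def hsts_max_age(value):
    """Return the max-age of an HSTS header as an int, or None if absent or unparsable."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return None

def assess_security_headers(headers):
    """Return (severity, title, why) findings; header names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    # max-age=0 tells browsers to drop the policy, so it is as good as absent.
    if hsts is None or not hsts_max_age(hsts):
        findings.append(("MEDIUM", "HSTS missing or disabled", "users can be downgraded to HTTP"))
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append(("MEDIUM", "Content-Security-Policy missing", "no browser-side limit on injected content"))
    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present,
    # so either one counts as framing protection.
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in h:
        findings.append(("MEDIUM", "No framing protection", "pages can be framed for clickjacking"))
    return findings
```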

Internet-Exposed Services

Common ports scanned from the public internet. Services you've forgotten are still there. Reconnaissance finds them without touching your systems.

Domain Intelligence

Domains near expiry are actively targeted. Registrar and hosting data tells attackers where to look next.

What This Typically Finds

These are commonly identified in first scans — most teams don't notice until something breaks or gets abused.

It's common for first scans to surface multiple findings.

Missing DMARC → your domain can be spoofed right now
Without a DMARC record, anyone can send email claiming to be from your domain. No system access required — just an absent DNS record.

TLS certificates nearing expiry → user warnings or outages
Certificate expiry is publicly readable. Browsers warn users; email delivery breaks. Attackers time attacks around visible windows of degraded trust.

Exposed services → unintended public access
Ports left open from past deployments remain visible to any scanner. Services you've forgotten are still discoverable.

Missing security headers → silent browser-level risk
HSTS, X-Frame-Options, and CSP are a few response header lines. Missing them leaves users exposed to SSL stripping and clickjacking.

This Isn’t Theoretical

Real exposures. Real consequences.

These attacks started with reconnaissance anyone can do. The exposure was visible before the attack began.

MOVEit — 2023

Cl0p exploited internet-facing MOVEit Transfer servers. Over 2,700 organizations affected. Every vulnerable server was discoverable via public scanners before the attack began.

Source: CISA Advisory AA23-187A

Exchange ProxyLogon — 2021

250,000+ Exchange servers were publicly reachable and vulnerable. CISA documented mass exploitation within hours of disclosure — attackers were scanning before most admins knew it existed.

Source: CISA Advisory AA21-062A

The Reconnaissance Step

In the 2023 Verizon DBIR, 74% of breaches involved a human element — and reconnaissance of publicly exposed infrastructure preceded the majority of targeted attacks.

Source: Verizon DBIR 2023

Why This Isn’t One-and-Done

Your attack surface changes. Constantly.

A scan shows you today’s exposure. But DNS records drift, new services get added, certs expire, and configurations change. What was clean last month may not be clean now.

Config drift
DNS records, headers, and redirects get changed during deployments. New misconfigurations appear without anyone noticing.

New services
A new subdomain, a test environment, an admin port — all become part of your visible attack surface the moment they go up.

Cert expiration
Certificate expiry windows are publicly readable. Attackers and scanners both watch them. Your users see browser warnings when they lapse.

Changing exposure
Port configs, load balancer settings, and third-party services each contribute to what’s externally visible. None of this is static.

Run your first scan. Then decide how often you want to stay visible.

What this turns into

  • Spoofed emails sent as your organization
  • Browser warnings shown to your customers
  • Credential harvesting through exposed services
  • Public access to systems you didn't intend to expose

How It Works

Your report in four steps. No installation required.

1. Choose your tier
Single scan or a pack for multiple domains or after-fix re-scans. Credits never expire — scan when you're ready.

2. Enter your domain
Enter the domain you want analyzed. No credentials, no access to your systems, no installation.

3. We run the scan
The scanner reads publicly visible signals — the same ones attackers use. Typically completes in under a minute.

4. Get your report
Instant report: risk score, every finding ranked by severity, plain-English explanation, and a specific fix step for each one. No interpretation needed.

Who It's For

No security background needed.

Technical findings, plain-English explanations. What's wrong, why it matters, what to fix. Readable by anyone in the room.

Business owners
Understand your external security posture without needing a dedicated security team.

Legal & compliance
Evidence of security due diligence for audits, contracts, and client questionnaires.

IT teams
A fast external view to validate your hardening work and catch what slipped through.

Consultants & MSPs
Scan clients on intake, after remediation, or quarterly. Send report links directly — they don't need an account.

Exposure leads to targeting.

If your domain can be spoofed, phishing emails are already landing.

Exposure is stage one. Contact is stage two. If SurfaceSentinel flagged missing DMARC or soft-fail SPF, attackers can already send email as your domain. Your users are reporting those emails right now.

See what they’re sending next.

Learn about Ephemeral Sentinel

From the same builder. Same no-credentials philosophy.

Get Started

Know what attackers see before they use it.

One-time payment. No account. No setup. Under a minute. Findings include specific remediation steps — not just a warning.

You don't need access. You don't need installation. You just need to see what's already visible.

You only need to run it once to see your current exposure.