Surface Monitor — agentless external monitoring
Know your public attack surface and fix what matters—before attackers do. Read-only checks across TLS/SSL, DNS, email auth, security headers, exposed services, CT logs, and change detection. Built for SMBs and small healthcare.
- • Agentless • Read-only • No credentials
- • Security-first scoring with copy-paste fixes
- • Alerts: Email, Slack, Teams, Webhooks
At a glance
- → 2 min to first score
- → 25+ controls per asset
- → 0 agents (read-only)
Safe by design: we perform passive/standard protocol checks only—no intrusive traffic.
What we monitor
- TLS/Certificates: expiry, chain, weak ciphers/protocols, HSTS/preload, OCSP stapling
- DNS & domain hygiene: domain expiry, NS/MX drift, CAA, dangling DNS
- Email security: SPF/DKIM/DMARC alignment & policy, MTA-STS/TLS-RPT
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, HSTS
- Exposure: mixed content, open dirs, default/admin panels, cookie flags
- Tech & versions: fingerprint CMS/frameworks; flag risky versions
- CT log watch: alert on rogue/unexpected certificates
- Change detection: DNS changes & homepage drift
Note: No agents and no credentials required.
Inventory
Add a domain; we auto-discover subdomains and live services.
Assess
Parallel checks for TLS, DNS, email auth, headers, exposure, CT logs.
Prioritize
Security-first scoring with evidence and copy-paste fixes.
Watch
Continuous checks with expiry & drift alerts to Email/Slack/Teams.
Surface Monitor is in Beta
We're accepting a limited number of early adopters. Request beta access to secure your attack surface with agentless monitoring at exclusive founder pricing.
✓ No credit card required • ✓ Setup in 2 minutes • ✓ Cancel anytime
Safe by design
- • Read-only checks; no agents, no credentials
- • Non-intrusive network behavior (no destructive traffic)
- • Early expiry & drift alerts (certs, DNS, headers, policies)
- • Audit-ready reports for execs and customers