Your attack surface looks calm. Quiet. Glassy.
Do you know the gaps on your perimeter?
Forgotten subdomains. Expiring domains. Lookalikes registered last week with a mail server already attached. Credentials sitting in a public repo. You won't see any of it from the shore. SurfaceWatch runs the searchlight for you, on schedule, every day.
staging.yourco.com still points at a deprovisioned cloud app. Anyone can claim it, and a live check just confirmed it.
yourc0.com was registered 11 days ago. It has an MX record. Someone is preparing to mail your customers.
A public repo mentions your domain, and the cloud key inside it was just verified still active.
A production certificate expires in 19 days, and a legacy host still accepts TLS 1.0. Nobody was watching either.
Everything an attacker would enumerate about you, enumerated first: continuously, per client, with findings tracked across every re-scan.
Enumerate every subdomain, flag dangling CNAMEs, and validate takeover risk with live checks against the real target. Confirmed exposure, not pattern-match guesses. Dead and orphaned hosts stay tracked so ghosts never get lost.
enumeration · live validationRegistration expiry tracked for every client domain. Amber at 60 days out and red when it lapses, long before a competitor, squatter, or attacker picks it up.
whoisSPF and DMARC audited for every domain through Google and Cloudflare public resolvers, the same view the rest of the internet gets. Severity-graded so criticals surface first.
SPF · DMARCGenerates the typos, homoglyphs, and TLD-swaps of your brand, resolves what's live, and enriches hits with WHOIS age, cert org, and HTTP fingerprint. Fresh registrations with MX records get flagged as phishing-in-progress.
typosquats · homoglyphsSearch public code for mentions of your domains, then scan any discovered repo's full git history for leaked secrets. Verified-live secrets are separated from heuristic noise, masked at rest, and tracked active → resolved across scans.
code search · secret scanningEvery domain probed on 443: expiry windows, self-signed chains, weak signatures and undersized keys, legacy TLS 1.0/1.1, and insecure ciphers from RC4 to anonymous DH. Graded pass / warning / critical.
TLS 1.0–1.3 · ciphersQuickly identify potential gaps across your perimeter. Each finding is validated against the live target, so you spend your time fixing real exposures before they can be exploited.
Set an interval per scan type and the scheduler keeps circling: re-enumerating, re-checking, re-verifying. New findings alert once, when they first surface. Repeat findings stay quiet instead of drowning you.
Slack, Discord, Telegram, or Tines, with per-finding-type rules so the channel gets verified secrets and takeover hits, not every routine subdomain discovery.
We host the infrastructure for you. You get your own dedicated application, with no maintenance.
SurfaceWatch is a working proof of concept, and we're not putting a price on it yet. Instead, we're inviting a small group of early partners to run it against their real perimeter and shape what it becomes.
Join the PoC and find the gaps before something with teeth does. Watching for the gaps, so you don't have to.