Frequently Asked Questions
Accurate, codebase-verified answers about how Externalsight works — scanning, scoring, plans, monitoring, and security.
-
Externalsight is an External Attack Surface Management (EASM) platform. It runs 48+ concurrent security scanners against internet-facing domains, scores results across 8 weighted categories on a 0–100 scale, and generates actionable remediation steps for every finding.
It supports continuous background monitoring via a built-in scheduler, email notifications, webhooks, and PDF report generation — all without installing any agents on your infrastructure.
-
No. Externalsight is entirely agentless. It operates as an outside-in scanner from the public internet — no endpoint agents, no firewall rule changes, no code deployments on your side.
It mimics the initial discovery phase of an external adversary, mapping publicly accessible records and misconfigured services exactly as an attacker would see them.
-
Create a free account, add your domain in the Dashboard, and click Scan. The scan pipeline runs immediately and results appear within a few minutes. Your dashboard shows the composite risk score, all findings grouped by severity, and remediation steps for each issue.
-
A full scan completes within 4 minutes (240-second total pipeline ceiling). Scanners run concurrently across 4 phases, and each individual scanner has a 90-second timeout. Scanners that hit their timeout are marked "unavailable" rather than "error", so the score is still computed from all scanners that did respond.
-
Domain limits are enforced per subscription plan:
- Recon (free) — 1 domain
- Sentinel — 5 domains
- Fortress — 25 domains
-
Yes — you must own or have explicit authorization to test any domain you add. Externalsight operates identically to a benign internet crawler and does not exploit vulnerabilities, but you are solely responsible for ensuring you have the legal right to scan any domain you submit.
-
Externalsight runs 48+ concurrent security scanners organized into 4 sequential phases. Within each phase, all scanners run in parallel via a ThreadPoolExecutor, maximizing coverage while keeping the total scan time under 4 minutes.
-
- Phase 1 — DNS / SSL / HTTP: DNS resolution, SSL/TLS configuration, HTTP headers, redirect chains, zone transfers, DNSSEC, WHOIS, passive DNS, host header injection
- Phase 2 — Discovery: Subdomains, open ports, certificate transparency, technology fingerprinting, API endpoint discovery, JavaScript endpoint extraction, GraphQL detection, robots.txt / sitemap parsing
- Phase 3 — Secrets & Exposure: Credential breaches (HIBP), exposed secrets (GitHub, DockerHub), phishing / brand spoofing, cloud storage exposure (S3, GCP, Azure, Firebase), email spoofing, IP intelligence and reputation
- Phase 4 — Advanced Intel: ASN discovery, reverse WHOIS, subsidiary mapping, CVE enrichment, Shodan threat intelligence, WAF/CDN detection, CORS misconfigurations, CSP validation, cookie security, subdomain takeover, admin panel detection, open redirects, sensitive file exposure
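The phased, time-boxed pipeline described above (sequential phases, parallel scanners per phase, a per-scanner timeout and a total ceiling, timeouts recorded as "unavailable" rather than "error"), as an added illustration that is not Externalsight's own code. The scanner bodies, the demo timings and the result layout are constructed stand-ins.

```python
# Phased, time-boxed scanner pipeline modelled on the FAQ's description.
# Added illustration, not Externalsight's code: scanners and timings are constructed.
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

SCANNER_TIMEOUT = 90    # per-scanner ceiling in seconds, as stated in the FAQ
PIPELINE_CEILING = 240  # total pipeline ceiling in seconds

def run_phases(phases, scanner_timeout=SCANNER_TIMEOUT, pipeline_ceiling=PIPELINE_CEILING):
    """phases: list of {scanner_name: zero-arg callable}. Phases run in order;
    scanners inside a phase run in parallel. A scanner that outlives its own
    timeout or the remaining pipeline budget is recorded as 'unavailable'
    (distinct from 'error'), so scoring can proceed on those that responded."""
    start = time.monotonic()
    results = {}
    for phase in phases:
        pool = ThreadPoolExecutor(max_workers=len(phase))
        futures = {name: pool.submit(fn) for name, fn in phase.items()}
        for name, fut in futures.items():
            remaining = pipeline_ceiling - (time.monotonic() - start)
            budget = max(0.0, min(scanner_timeout, remaining))
            try:
                results[name] = {"status": "ok", "data": fut.result(timeout=budget)}
            except FutureTimeout:
                results[name] = {"status": "unavailable", "data": None}
            except Exception as exc:          # scanner crashed: a real error
                results[name] = {"status": "error", "data": repr(exc)}
        pool.shutdown(wait=False)             # never block the pipeline on a hung scanner
    return results

def responded(results):
    """Names of scanners whose output may feed the score (status 'ok' only)."""
    return sorted(n for n, r in results.items() if r["status"] == "ok")

def demo():
    """Constructed two-phase run with a 0.2 s per-scanner timeout."""
    def hung():
        time.sleep(0.6)                       # exceeds the demo timeout
        return "too late"
    def crashed():
        raise RuntimeError("constructed failure")
    phases = [
        {"dns": lambda: {"a": ["192.0.2.10"]}, "ports": hung},   # phase 1
        {"whois": crashed},                                       # phase 2
    ]
    return run_phases(phases, scanner_timeout=0.2, pipeline_ceiling=5)
```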
-
Dynamic Application Security Testing (DAST) is an active scanning mode that probes running web applications for runtime vulnerabilities. Externalsight's DAST module checks for three specific categories:
- Error page information disclosure — detecting stack traces, framework version banners, or SQL error messages exposed in HTTP error responses
- XSS reflection — using safe, alphanumeric-only markers to test whether inputs are reflected unsanitized in responses
- SQL injection error detection — sending read-only payloads and pattern-matching the response for database error strings, without executing any destructive queries
DAST is available on Sentinel and Fortress plans only.
-
- Recon — DAST not available
- Sentinel — 3 DAST scans per calendar month
- Fortress — 10 DAST scans per calendar month
The quota resets on the 1st of each UTC month. Remaining quota is tracked in the database and checked before each DAST scan is initiated.
-
No. Externalsight is strictly a non-exploitation platform. It does not execute malicious payloads, attempt privilege escalation, perform brute-force attacks against authentication portals, or exploit any vulnerability it discovers.
Even the active DAST probes are non-destructive: XSS checks use safe alphanumeric markers, and SQL injection checks use read-only patterns that cannot modify data. The platform interacts with public-facing HTTP servers, queries DNS, and inspects TLS handshakes — nothing more.
-
No. Every finding is backed by concrete, reproducible network evidence. Externalsight does not use generative AI or heuristic guessing to produce findings.
If it flags a missing DMARC record, the DNS record genuinely does not exist. If it flags an exposed S3 bucket, the scanner received an unauthenticated HTTP response from that bucket. If it alerts on a misconfigured Content-Security-Policy header, that header was absent or malformed in the actual HTTP response.
-
Externalsight exclusively uses Google (8.8.8.8) and Cloudflare (1.1.1.1) as DNS resolvers. System DNS is never used.
This is a deliberate design choice: system DNS can be a split-horizon internal resolver that returns private IPs, which would make all external attack surface findings meaningless. Using public resolvers guarantees results reflect the public internet view of your domain — which is exactly what an external attacker sees.
-
The score engine computes a 0–100 composite risk score across 8 weighted security categories — TLS security, DNS security, HTTP headers, exposed services, secrets and credential exposure, cloud exposure, application security, and infrastructure posture. A higher score means lower risk.
After individual scanner scores are computed, the chain engine applies correlation rules across results. For example, if no WAF is detected and HTTP headers are simultaneously misconfigured, the combined risk is elevated beyond what each finding warrants independently, reducing false comfort from partial coverage.
-
- 0–49 (Critical/High risk): Significant exposure requiring immediate remediation. Shown in red in the dashboard.
- 50–74 (Medium risk): Notable findings that require attention and a remediation plan. Shown in amber.
- 75–100 (Low risk): Well-configured perimeter with minimal exposure. Shown in green.
-
Each individual finding is classified into one of five severity levels: CRITICAL, HIGH, MEDIUM, LOW, and INFO. Severity is determined by the severity classification engine based on the scanner type, what was found, and any chain correlation adjustments applied.
-
Chain analysis applies cross-scanner correlation rules after all individual scans complete. Rather than scoring each finding in isolation, the chain engine identifies compound risk — situations where two co-existing weaknesses are more dangerous together than either is alone.
Example: a missing WAF combined with misconfigured HTTP security headers creates a compounded exposure that the chain engine escalates. This reduces alert fatigue by surfacing genuinely dangerous configurations rather than generating noise from individual low-severity findings.
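The weighted composite score, the chain-correlation pass (using the FAQ's own no-WAF plus weak-headers example) and the dashboard bands, as an added illustration that is not Externalsight's scoring engine. The category weights, the chain penalty size and the sample per-category scores are constructed; categories whose scanners were unavailable are dropped and the remaining weights renormalised, which is one reasonable way to honour the "score from scanners that did respond" rule.

```python
# Composite risk score with chain correlation, modelled on the FAQ.
# Added illustration, not Externalsight's code: weights and penalty are constructed.

# The eight categories the FAQ names; constructed weights summing to 1.0.
WEIGHTS = {
    "tls": 0.15, "dns": 0.15, "http_headers": 0.10, "exposed_services": 0.15,
    "secrets": 0.15, "cloud_exposure": 0.10, "app_security": 0.10, "infrastructure": 0.10,
}

def composite_score(category_scores, weights=WEIGHTS):
    """Weighted mean of 0-100 category scores; higher means lower risk.
    A category whose scanners were unavailable is passed as None and omitted,
    with the remaining weights renormalised, so a timeout is neither a free
    pass nor a failing grade."""
    present = {c: s for c, s in category_scores.items() if s is not None and c in weights}
    if not present:
        return 0
    total_w = sum(weights[c] for c in present)
    return round(sum(weights[c] * s for c, s in present.items()) / total_w)

def apply_chain_rules(findings, score):
    """Cross-scanner correlation: two weaknesses that are worse together than
    apart lower the score further. The single rule here is the FAQ's example
    (no WAF + misconfigured HTTP headers); the 10-point penalty is constructed.
    Returns (adjusted_score, [(rule_name, escalated_severity), ...])."""
    adjustments = []
    if findings.get("waf_detected") is False and findings.get("headers_misconfigured"):
        score -= 10
        adjustments.append(("no_waf+weak_headers", "HIGH"))
    return max(0, score), adjustments

def band(score):
    """Dashboard bands from the FAQ: 0-49 red, 50-74 amber, 75-100 green."""
    if score <= 49:
        return "critical_high"
    if score <= 74:
        return "medium"
    return "low"
```

In the test below a perimeter that scores green on its own drops to amber once the chain rule fires, which is exactly the "false comfort from partial coverage" the chain engine is meant to remove.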
-
After technology fingerprinting identifies specific software and version numbers on your attack surface, the enrichment engine cross-references a locally cached National Vulnerability Database (NVD) using CPE mappings. This surfaces known CVEs associated with the exact software versions discovered — without making repeated external API calls on every scan.
The local NVD cache is stored at data/nvd_cve_cache.json and is refreshed periodically. CPE mappings are cached in data/cpe_mapping.json.
-
Yes. Externalsight generates PDF reports via WeasyPrint using a purpose-built Jinja2 report template. Reports include the composite risk score, all findings organized by severity category, and the full remediation steps for every detected issue.
-
- Recon (free) — 1 domain, 3 scan records retained, passive EASM scanning, no monitoring
- Sentinel — 5 domains, 15 scan records, 24-hour background monitoring, email alerts for CRITICAL/HIGH, 3 DAST scans/month
- Fortress — 25 domains, 30 scan records, 12-hour or 24-hour monitoring interval, email alerts for all severities, webhooks, 10 DAST scans/month
-
- Recon — 3 scan records per domain
- Sentinel — 15 scan records per domain
- Fortress — 30 scan records per domain
-
Sentinel and Fortress plans include continuous background monitoring. The Recon free plan does not include any automated monitoring — scans must be triggered manually.
-
- Sentinel — 24-hour interval only
- Fortress — 12-hour or 24-hour interval
-
- Recon — No email notifications
- Sentinel — Email alerts for CRITICAL and HIGH severity findings only
- Fortress — Email alerts for all severities: CRITICAL, HIGH, MEDIUM, and LOW
-
Webhooks are available exclusively on the Fortress plan. They allow you to POST security findings to external endpoints — useful for Slack integrations, SIEM pipelines, ticketing systems, or any custom alerting workflow.
-
When a paid plan expires, your account reverts to the Recon free tier. Plan expiration is enforced on protected API routes — features gated to paid plans (monitoring, notifications, webhooks, DAST) become inaccessible until the plan is renewed. Your existing scan data is not deleted on expiration.
-
Externalsight uses APScheduler to run three background jobs continuously when monitoring is enabled:
- Every 5 minutes: Check domains due for re-scan, queue new scans with randomized jitter (0–600 seconds) to distribute load
- Every 30 minutes: Reap stale scans stuck in "running" status beyond the expected completion window
- Every 24 hours: Run the validation framework against ground-truth domains to verify scanner accuracy
-
To prevent alert fatigue, Externalsight enforces two layers of email throttling:
- Rate limit: A maximum of one email per 6 hours, regardless of how many findings are detected in that window
- Deduplication: Identical findings seen within the past 24 hours are suppressed and will not trigger a repeated alert
-
Quiet hours allow you to define a UTC time window during which email notifications are suppressed — even if a monitoring scan completes and new findings are detected. For example, configuring quiet hours from 22:00 to 08:00 prevents overnight alert emails. Scans still run; only the notification delivery is delayed until quiet hours end.
-
An alert fires when a background monitoring re-scan detects a new finding or a change in your attack surface posture. The notification is only sent if:
- The finding's severity matches your plan's allowed severity levels
- The same finding has not been seen within the 24-hour deduplication window
- No email has been sent within the past 6-hour rate limit window
- The current time is outside your configured quiet hours (if enabled)
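The four gating conditions listed above (plan severity filter, 24-hour deduplication, 6-hour rate limit, UTC quiet hours), together with the throttling and quiet-hours rules from the two preceding answers, as an added illustration that is not Externalsight's code. The in-memory `state` dict stands in for the database-tracked alert history, and the finding keys and timestamps in `demo()` are constructed.

```python
# Notification gate for the four conditions in the FAQ: plan severity filter,
# 24 h deduplication, 6 h rate limit and UTC quiet hours. Added illustration,
# not Externalsight's code; 'state' is an in-memory stand-in for the DB history.
from datetime import datetime, timedelta, timezone, time as dtime

PLAN_SEVERITIES = {"recon": set(), "sentinel": {"CRITICAL", "HIGH"},
                   "fortress": {"CRITICAL", "HIGH", "MEDIUM", "LOW"}}
DEDUP_WINDOW = timedelta(hours=24)
RATE_LIMIT = timedelta(hours=6)

def in_quiet_hours(now_utc, quiet):
    """quiet: (start, end) as UTC datetime.time, or None. A window whose start
    is later than its end (22:00-08:00) wraps past midnight."""
    if quiet is None:
        return False
    start, end = quiet
    t = now_utc.astimezone(timezone.utc).time()
    return start <= t < end if start <= end else (t >= start or t < end)

def should_notify(plan, finding_key, severity, now_utc, state, quiet=None):
    """state: {'last_email': datetime|None, 'seen': {finding_key: datetime}}.
    Returns (send, reason). State is updated only when an email goes out, so a
    finding held back by quiet hours is still eligible once they end."""
    if severity not in PLAN_SEVERITIES.get(plan, set()):
        return False, "severity not in plan"
    seen_at = state["seen"].get(finding_key)
    if seen_at and now_utc - seen_at < DEDUP_WINDOW:
        return False, "duplicate within 24h"
    if state["last_email"] and now_utc - state["last_email"] < RATE_LIMIT:
        return False, "rate limited (6h)"
    if in_quiet_hours(now_utc, quiet):
        return False, "quiet hours"
    state["seen"][finding_key] = now_utc
    state["last_email"] = now_utc
    return True, "sent"

def demo():
    """Constructed sequence on a Fortress account, quiet hours 22:00-08:00 UTC."""
    state = {"last_email": None, "seen": {}}
    quiet = (dtime(22, 0), dtime(8, 0))
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    steps = [("fortress", "dmarc-missing", "HIGH", t0),            # 10:00 sent
             ("fortress", "spf-softfail", "LOW", t0 + 1 * h),      # 11:00 rate limited
             ("fortress", "dmarc-missing", "HIGH", t0 + 7 * h),    # 17:00 duplicate
             ("sentinel", "cors-wildcard", "MEDIUM", t0 + 7 * h),  # MEDIUM not in plan
             ("fortress", "spf-softfail", "LOW", t0 + 13 * h),     # 23:00 quiet hours
             ("fortress", "spf-softfail", "LOW", t0 + 23 * h)]     # 09:00 next day, sent
    return [should_notify(p, k, s, t, state, quiet)[1] for p, k, s, t in steps]
```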
-
Yes, via webhooks on the Fortress plan. Configure a webhook URL in your notification settings and Externalsight will POST findings as JSON to that endpoint whenever a new alert is triggered. This works with Slack incoming webhooks, any SIEM with an HTTP collector, or custom integrations.
-
No other user can access your data. Supabase Row-Level Security (RLS) policies are enforced at the database level — every query is automatically filtered by your user ID. No API endpoint or database query can return another user's scan reports, domain list, alert history, or findings.
-
Scan results (the full report JSON) are compressed with zlib + base64 encoding before being stored in Supabase PostgreSQL to reduce payload size. They are stored in the scans table alongside scan metadata (status, timestamps, domain reference).
-
- DNS resolution: Google (8.8.8.8) and Cloudflare (1.1.1.1)
- CVE data: National Vulnerability Database — cached locally in data/nvd_cve_cache.json
- Credential breaches: HaveIBeenPwned (HIBP) API — optional API key
- Secret scanning: GitHub API — optional API key; DockerHub public registry
- Certificate transparency: crt.sh for subdomain discovery
- Threat intelligence: Shodan — optional integration
- Auth & database: Supabase (PostgreSQL + JWT RS256/ES256)
-
All API requests are authenticated via Supabase JWT tokens (RS256 or ES256 algorithm). The JWT is passed in the Authorization: Bearer <token> header on every request. The auth middleware validates the token signature and expiry, then extracts the user ID, before any protected route handler executes. There are no API keys or session cookies for API endpoints.