
Contents

  • 1. Security Through Determinism
  • 2. How Externalsight Works
  • 3. Strictly Deterministic Findings
  • 4. Non-Intrusive Scanning
  • 5. Evidence-Based Intelligence
  • 6. Data Handling & Isolation
  • 7. Why Security Teams Trust Us
Trust & Transparency

Last Updated April 3, 2026

Deterministic Only

Every finding is backed by reproducible network evidence — no AI guessing.

Zero Exploitation

We discover — we never exploit. No payloads, no brute-force, no injection.

Tenant Isolation

Row Level Security enforced at the database layer — your data stays yours.

Full Transparency

Raw network evidence is attached to every finding so you can verify independently.

1. Our Philosophy: Security Through Determinism

At Externalsight, we believe that security teams cannot remediate what they cannot verify. The modern attack surface is vast, and alert fatigue is a critical threat to enterprise operations. We built Externalsight on a foundation of strict determinism, verifiable evidence, and transparent operations.

Every platform decision — from how we store findings to how we calculate risk scores — prioritizes auditability and reproducibility over speed or convenience.

2. How Externalsight Works

Externalsight operates as an outside-in, non-intrusive External Attack Surface Management (EASM) platform. We mimic the initial discovery phases of an external adversary, mapping publicly accessible records, misconfigured web servers, exposed cloud storage buckets, and inadvertently leaked organizational secrets.

Our full-scan suite of 48 scanners runs in discrete phases: DNS and TLS first, then subdomains and port exposure, then credential and secret leaks. Findings are therefore structured, phase-aware, and reproducible.

3. Strictly Deterministic Findings

We do not use Generative AI to "guess" vulnerabilities. In an industry plagued by AI hallucinations and false positives, every finding generated by Externalsight is backed by concrete, reproducible network evidence.

If we flag an unauthenticated API endpoint, it is because our scanner received an unauthenticated API response. If we alert on a missing DMARC policy, it is because the DNS record does not exist. Our confidence levels (Confirmed, Probable, Possible) are calibrated against actual scanner evidence — not heuristic likelihood scores.
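As an added illustration of what "a finding backed by the raw DNS answer" looks like in practice (example code written for this page, not Externalsight's scanner), the function below turns the TXT answers for `_dmarc.<domain>` into a finding that carries the verbatim record, or no finding at all when the policy is enforced. The DNS answers are constructed inline; the `Finding` class, the `evaluate_dmarc` function and the choice of which conditions earn the Confirmed label are assumptions of this example. RFC 7489's fallback to the organizational domain's record for subdomains is not modelled.

```python
"""Added example (not Externalsight code): derive a DMARC finding only from raw DNS evidence."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Finding:
    domain: str
    title: str
    confidence: str                       # Confirmed / Probable / Possible
    evidence: List[str] = field(default_factory=list)  # raw answers, verbatim

    def evidence_digest(self) -> str:
        """Stable hash of the attached evidence so a reviewer can re-check it later."""
        return hashlib.sha256("\n".join(self.evidence).encode()).hexdigest()


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag=value dict (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(domain: str, txt_answers: List[str]) -> Optional[Finding]:
    """Return a finding when the raw answers support one, otherwise None.

    txt_answers is the full TXT answer set for _dmarc.<domain> as the resolver
    returned it (hypothetical scanner input); it is never reinterpreted beyond
    the RFC 7489 rules applied below.
    """
    name = f"_dmarc.{domain}"
    records = [t for t in txt_answers if t.lower().startswith("v=dmarc1")]

    if not records:
        # The absence of the answer is itself the evidence: attach what we saw.
        return Finding(domain, "Missing DMARC policy", "Confirmed",
                       [f"{name} TXT -> no DMARC record (answers={txt_answers!r})"])

    if len(records) > 1:
        # RFC 7489 §6.6.3: more than one record terminates policy discovery.
        return Finding(domain, "Multiple DMARC records; receivers ignore the policy",
                       "Confirmed", [f"{name} TXT -> {r}" for r in records])

    policy = parse_dmarc(records[0]).get("p", "").lower()
    if policy == "none":
        return Finding(domain, "DMARC policy is p=none (monitoring only)",
                       "Confirmed", [f"{name} TXT -> {records[0]}"])
    if policy not in ("quarantine", "reject"):
        return Finding(domain, "DMARC record present but 'p' tag missing or invalid",
                       "Confirmed", [f"{name} TXT -> {records[0]}"])
    return None  # policy enforced: nothing to report


# Constructed sample answer sets standing in for real resolver output.
CONSTRUCTED_ANSWERS = {
    "example.com": [],
    "example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "example.org": ["v=DMARC1; p=reject; pct=100"],
    "example.edu": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, answers in CONSTRUCTED_ANSWERS.items():
        finding = evaluate_dmarc(domain, answers)
        print(domain, "->", "no finding" if finding is None else
              f"{finding.title} [{finding.confidence}] evidence={finding.evidence}")
```

The point of the structure is that every branch which produces a finding also produces the exact answer string (or the recorded absence of one) that justified it, so the finding can be verified by anyone who repeats the query.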

4. No Intrusive or Destructive Scanning

Externalsight operates identically to a benign internet crawler and adheres to a strict non-exploitation protocol. We are exclusively an analysis and discovery platform. We do not exploit the vulnerabilities we discover.

  • We do not execute malicious payloads against your infrastructure.
  • We do not perform penetration testing actions or attempt unauthorized access.
  • We do not conduct brute-force attacks against authentication portals.
  • Active DAST probes (plan-gated) use safe, alphanumeric markers with zero malicious intent — designed to detect reflection only, never to exploit.

We merely interact with public-facing HTTP servers, query DNS servers, and inspect TLS handshakes to observe your external perimeter exactly as it appears to the public internet — ensuring absolute safety for your production environments.

5. Evidence-Based Intelligence

To detect complex exposures rapidly without intruding on your systems, we leverage reputable third-party intelligence and public data sources:

  • Credential Exposure: Passive credential exposure signals derived from internal scanner evidence and public breach intelligence.
  • Secret Leaks: Actively parsing public code repositories (GitHub, GitLab, DockerHub) for regex-validated authentication tokens and keys using verifiable pattern matching.
  • Certificate Mapping: Interrogating Certificate Transparency (CT) logs via crt.sh to uncover hidden or unlinked subdomains securely and legally.
  • CVE Enrichment: Cross-referencing discovered technologies against the National Vulnerability Database (NVD) using a locally cached CPE mapping — no live queries during scan execution.

6. Data Handling & Logical Isolation

Scan outputs are your intellectual property. Our backend is engineered specifically to ensure absolute tenant isolation at every layer:

  • Row Level Security (RLS): Enforced at the Supabase PostgreSQL layer — every query is automatically scoped to the authenticated user's workspace. Cross-tenant data access is architecturally impossible, not just policy-blocked.
  • Compressed Storage: All infrastructure maps and scanner outputs are compressed with zlib+base64 encoding before storage, reducing payload size and preventing incidental data exposure.
  • JWT Validation: Every API request validates the Supabase-issued JWT (RS256/ES256) at the middleware layer before any data is touched.

Only you can view the shape of your attack surface. Externalsight operators have no access to your scan results outside of legally required processes.

7. Why Security Teams Trust Us

Trust is earned through predictability. Because our scanning engine prioritizes non-destructive network polling and avoids heuristic guesswork, you can rely on the baseline it establishes.

When Externalsight's cryptographic hashing algorithms detect a change in your infrastructure — an open port, a revoked certificate, a new dangling DNS record — you can trust it isn't a false anomaly. It's an actionable reality demanding your attention, complete with the raw network evidence attached right to the alert.

Security Questions? Enterprise security, pen-test coordination, or responsible disclosure? We're here.
security@externalsight.com