Trust & Transparency
Last Updated: April 3, 2026 | Core Principles
Our Philosophy: Security Through Determinism
At Externalsight, we believe that security teams cannot remediate what they cannot verify. The modern attack surface is vast, and alert fatigue is a critical threat to enterprise operations. We built Externalsight on a foundation of strict determinism, verifiable evidence, and transparent operations.
How Externalsight Works
Externalsight operates as an outside-in, non-intrusive External Attack Surface Management (EASM) platform. We mimic the initial discovery phases of an external adversary, mapping publicly accessible records, misconfigured web servers, exposed cloud storage buckets, and inadvertently leaked organizational secrets.
Strictly Deterministic Findings
We do not use Generative AI to "guess" vulnerabilities. In an industry plagued by AI hallucinations and false positives, every finding generated by Externalsight is backed by concrete, reproducible network evidence.
If we flag an unauthenticated API endpoint, it is because our scanner received an unauthenticated API response. If we alert on a missing DMARC policy, it is because our DNS query returned no such record.
No Intrusive or Destructive Scanning
Externalsight operates identically to a benign internet crawler and adheres to a strict non-exploitation protocol. We are exclusively an analysis and discovery platform. We do not exploit the vulnerabilities we discover.
Our infrastructure does not execute malicious payloads, perform penetration testing actions, attempt SQL injections, or conduct brute-force attacks against your authentication portals. We merely interact with public-facing HTTP servers, query DNS servers, and inspect TLS handshakes to observe your external perimeter exactly as it appears to the public internet, ensuring absolute safety for your production environments.
Evidence-Based Intelligence
To detect complex exposures rapidly without intruding on your systems, we leverage reputable third-party intelligence:
- Credential Exposure: Safely querying the HaveIBeenPwned (HIBP) API by matching domain patterns to known historic breaches.
- Secret Leaks: Actively parsing public code repositories (GitHub, GitLab, DockerHub) for regex-validated authentication tokens and keys.
- Certificate Mapping: Interrogating Certificate Transparency (CT) logs via crt.sh to uncover hidden or unlinked subdomains securely and legally.
Data Handling & Logical Isolation
Scan outputs are your intellectual property. Our backend is engineered specifically to ensure absolute tenant isolation. All infrastructure maps and scanner outputs are compressed, validated, and stored within strict Row Level Security (RLS) policies. Only you can view the shape of your attack surface.
Why Security Teams Trust Us
Trust is earned through predictability. Because our scanning engine prioritizes non-destructive network polling and avoids heuristic guesswork, you can rely on the baseline it establishes.
When Externalsight's cryptographic hashing algorithms detect a change in your infrastructure—an open port, a revoked certificate, a new dangling DNS record—you can trust it isn't a false anomaly. It's an actionable reality demanding your attention, complete with the raw network evidence attached right to the alert.
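As an added illustration of the deterministic change detection described above (example code written for this page, not Externalsight's own implementation), the snippet canonicalises an observed perimeter snapshot, hashes it, and emits one finding per changed attribute with the before/after observation attached as evidence. Hostnames, ports and attribute names below are constructed sample data.

```python
import hashlib
import json


def canonical(snapshot: dict) -> bytes:
    # Sorted keys and fixed separators: the same observed state always
    # serialises to the same bytes, so the digest is reproducible.
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(snapshot: dict) -> str:
    """SHA-256 of the canonical form; equal digests mean no change."""
    return hashlib.sha256(canonical(snapshot)).hexdigest()


def diff_perimeter(baseline: dict, current: dict) -> list:
    """Compare two host->attributes snapshots and return findings.

    Each finding carries the raw before/after observation and the digest of
    the new state, so the alert is verifiable rather than heuristic.
    """
    findings = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        if fingerprint(before) == fingerprint(after):
            continue  # identical observation: nothing to report
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                findings.append({
                    "host": host,
                    "attribute": key,
                    "before": before.get(key),
                    "after": after.get(key),
                    "evidence_hash": fingerprint(after),
                })
    return findings


# Constructed sample snapshots (assumed shape: host -> observed attributes).
BASELINE = {
    "www.example.com": {"open_ports": [443], "cert_serial": "01:ab", "cname": None, "cname_resolves": True},
    "assets.example.com": {"open_ports": [443], "cert_serial": "02:cd", "cname": "bucket-1.storage.example.net", "cname_resolves": True},
}
CURRENT = {
    "www.example.com": {"open_ports": [443, 8080], "cert_serial": "01:ab", "cname": None, "cname_resolves": True},
    "assets.example.com": {"open_ports": [443], "cert_serial": "02:cd", "cname": "bucket-1.storage.example.net", "cname_resolves": False},
}

if __name__ == "__main__":
    for f in diff_perimeter(BASELINE, CURRENT):  # new port and a dangling CNAME
        print(json.dumps(f))
```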