Free attack-surface check

See what an attacker sees when they recon your domain

A 10-second passive scan that pulls every subdomain a CA has ever issued a certificate for, inspects your TLS posture, and surfaces the exposure signals that matter. No signup. No active testing. No agent.

Passive scan only — Certificate Transparency + DNS + TLS handshake on the apex. 3 scans per hour per IP.

What we check

Subdomain footprint

Every host with a CA-issued cert ever logged to Certificate Transparency. Finds forgotten dev, staging, marketing, and acquired-company assets.

TLS certificate health

Issuer, expiry date, days remaining, alternative names on the cert. Flags expired certs and ones expiring within 30 days.

Exposure score

0–95 composite score from subdomain count, cert posture, and CT-archive signals. Higher = more visible to an attacker.

What this lite scan can't do

A 10-second passive snapshot is a starting point. Real external attack surface management runs continuously and covers signals that aren't safe or legal to probe without authorisation.

Dark-web credential leaks tied to your employees
Brand impersonation + lookalike domain registrations
Live port / service fingerprinting (active scan)
DMARC / DKIM / SPF email posture
CVE matching on detected services + versions
Continuous monitoring with real-time alerts
AI-based risk scoring per asset
Supply-chain & third-party exposure tracking

GuardEon by Infilux AppSec runs all of these continuously, with real-time alerting.


Frequently asked

Is the attack-surface check free?
Yes. The lite scanner is free and requires no signup. It runs in your browser by calling our server, which queries the public Certificate Transparency archive and performs a TLS handshake on the apex. Limited to 3 scans per hour per IP.
How does the scan find subdomains?
Every TLS certificate issued by a public CA is logged to Certificate Transparency, a public append-only ledger. We query crt.sh for any cert mentioning your domain, then extract the unique hostnames. This finds subdomains that have ever been issued a public cert — including ones that may have been forgotten.
What's the difference between this and GuardEon EASM?
This is a 10-second snapshot of two signals (subdomains + TLS cert). GuardEon is a continuous EASM platform that adds dark-web credential monitoring, brand-impersonation detection, port and service fingerprinting, DMARC/DKIM/SPF posture, CVE matching, AI risk scoring, and supply-chain tracking — running 24/7 with alerting.
Do you store the domain I scan?
We log scan events to our internal audit table (domain, IP, timestamp, finding count) for abuse prevention. We don't sell, share, or use this data for anything other than rate-limiting. No personal data is collected by the scan itself.
Why don't you scan ports or vulnerabilities directly?
Active port scanning and vulnerability testing require explicit authorization from the asset owner — running them against arbitrary domains would be unauthorized testing. This free tool only uses passive, publicly-available sources (CT logs, DNS, TLS handshake on the apex). For active testing, see our VAPT services.
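
The answer to "How does the scan find subdomains?" describes extracting unique hostnames from Certificate Transparency records, and the TLS check flags certificates that are expired or expiring within 30 days. The following is an added example, not Infilux's code: it does both offline over a constructed sample shaped like crt.sh JSON output, for auditing a domain you own. `example.com`, the sample records and the function names are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of crt.sh JSON output; every value is made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "example.com", "not_after": "2025-01-20T23:59:59",
     "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "not_after": "2025-06-01T00:00:00",
     "name_value": "*.example.com\nexample.com"},
    {"common_name": "Staging.Example.com", "not_after": "2024-11-30T12:00:00",
     "name_value": "staging.example.com\ndev.example.com"},
    {"common_name": "example.com.other.test", "not_after": "2025-03-01T00:00:00",
     "name_value": "example.com.other.test\nnotexample.com"},
])

def hostnames_in_scope(records, apex):
    """Return the unique hostnames at or under `apex` named in CT records."""
    apex = apex.lower().rstrip(".")
    found = set()
    for rec in records:
        # name_value holds the certificate's names, one per line.
        names = (rec.get("name_value") or "").split("\n")
        names.append(rec.get("common_name") or "")
        for name in names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                # A wildcard hides the real hostnames; record only its base name.
                name = name[2:]
            # Match on a label boundary so notexample.com stays out of scope.
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)

def cert_status(not_after, now, warn_days=30):
    """Classify a certificate using the 30-day expiry window from the page."""
    expires = datetime.fromisoformat(not_after)
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"

if __name__ == "__main__":
    records = json.loads(SAMPLE_CRTSH_JSON)
    now = datetime(2025, 1, 1)  # fixed clock so the sample run is reproducible
    print(hostnames_in_scope(records, "example.com"))
    for rec in records:
        print(rec["common_name"], cert_status(rec["not_after"], now))
```

Hosts served only under a wildcard certificate never appear by name in CT, so an inventory built this way is a lower bound and should be reconciled against your DNS zone.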