/Recon · Business Attack Surface Assessment

What’s still out there with your name on it?

Most founders haven’t looked since launch day. The ones who shipped with AI last month haven’t looked at all. Attack Surface is the mirror: a signed, evidence-grade snapshot of what attackers can already see about your business. Every finding cites the live scan that produced it. CISSP-credentialed. From $249.

Authorized, non-disruptive checks only. We never exploit, test credentials, or deliver payloads.

01 · The mirror

When did you last look?

Two ways to end up with the same problem: a public-facing surface you haven’t audited from the outside.

The site you forgot

Old sites accumulate exposure.

Plugins go out of date. The DMARC record never got finished. The 2019 event microsite is still serving traffic. A predecessor stood up a dev subdomain and moved on. A partner published your domain into a config file three years ago and never told you about it. Sites that stop being watched drift toward exposure.

The site you just shipped

AI ships fast. Hardening doesn’t keep up.

AI tools let one person ship a working site in a weekend. They don’t audit your .env, check your Supabase row-level security, or notice the API key your generator hardcoded into a public route. The build runs faster than the hardening does, and nobody else is going to look at it from the outside on your behalf.

02 · Why this, not the alternatives

Measured, not narrated.

There are three other ways to answer “what’s exposed about my business.” Each has a real use case. Here’s where each one stops being the right tool.

vs. an AI summary

AI guesses. We measure.

An AI tool can describe what a typical attack surface looks like. It cannot query your live DNS, scan your TLS, or search GitHub against your specific domain. Every CVE it cites is from training data. We run the actual checks and cite the source observation for each finding.

vs. a $99 one-day audit

Opinions don’t forward to your underwriter.

A one-day audit gives you a consultant’s narrative. We give you an evidence-grade PDF with enumerated findings, six independently graded categories, and a coverage matrix showing what we did and didn’t check. It’s the same testing-matrix discipline you’d see in a SOC 2 examination, applied to your external surface.

vs. a $10,000 pentest

Different question. Smaller bill.

A pentest answers “is this exploitable?” That’s a real question, in scope, after you already know what’s there. We answer the question that comes before it: “what do they already know?” At about 2.5% of the price, it’s the right starting point.

03 · Four buyers

One underlying question lands on different desks.

What does an attacker already know about us, before they probe? Each scenario below is a real engagement Attack Surface is designed for.

Founder, builder, or new IT lead

You own a site whose external posture you can’t fully describe.

You built it in 2019 and stopped looking. You shipped it last week with Lovable, Bolt, or Cursor and haven’t looked from the outside. You inherited it from a predecessor. Every site accumulates exposure. Attack Surface inventories what’s there before someone else finds it first.

Agency

Validating every build you ship.

Web shops, design studios, MSPs: every build goes live with assumptions baked in. An independent assessment confirms the production posture before the client asks.

Pre-pentest

Before you spend $10,000 on a real pentest.

A pentest answers exploitability. Before that, you want to know what an adversary already has, and which findings are worth proving exploitable. $249 is the right price for that question.

Insurer · Board · Buyer

Someone needs evidence of an independent review.

Cyber insurance renewals want the full report. Board audits and due diligence packets usually do too. Vendor security questionnaires and procurement reviews accept the shorter Letter of Attestation. You get both, signed by name.

04 · What we surface

Six categories of exposure, each graded on its own terms.

Security posture and site quality aren’t the same thing. Most assessments conflate them. /Recon reports each on a separate scale, so a slow homepage can’t drag a clean DMARC record down to a D.

Email

Spoofing posture

DMARC, SPF, DKIM. Whether anyone can send mail that appears to come from your domain.

DNS

Surface area

Every public subdomain you’ve ever exposed, including the ones you forgot you had.

Web

Tech stack and vulns

What your site is built with, including WordPress plugins and versions, cross-referenced against the CVE database.

TLS

Encryption posture

Certificate health, deprecated protocols, HSTS configuration. Browser-grade verification.

Site quality

Performance and accessibility

Google Lighthouse audit. Performance, Accessibility, SEO, Best Practices: graded directly.

Breach

Credential exposure

Corporate email addresses tied to your domain that have appeared in known breaches. With dates.
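One way to answer the Email category’s question (can anyone send mail that appears to come from your domain?) from the SPF and DMARC records a domain publishes. This is an added example, not /Recon’s own tooling; the TXT answers, domain names and letter grades are constructed for illustration, and a live check would resolve the TXT records for `example.com` and `_dmarc.example.com` instead.

```python
import re

# Constructed sample TXT answers keyed by record name (not real zones).
SAMPLE_TXT = {
    "secure.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.secure.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@secure.example"],
    "drifted.example": ["v=spf1 ip4:203.0.113.10 ~all"],
    "_dmarc.drifted.example": ["v=DMARC1; p=none; rua=mailto:reports@drifted.example"],
    "forgotten.example": ["v=spf1 +all"],
}


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or None if no v=DMARC1 record exists."""
    for rec in txt_records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, val = part.split("=", 1)
                    tags[key.strip().lower()] = val.strip()
            return tags
    return None


def spf_all_qualifier(txt_records):
    """Qualifier on SPF's 'all' mechanism: '-', '~', '?', '+', or None if no SPF."""
    for rec in txt_records:
        if rec.strip().lower().startswith("v=spf1"):
            match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec.lower())
            # No 'all' mechanism means unmatched senders get Neutral (same as ?all).
            return (match.group(1) or "+") if match else "?"
    return None


def spoofing_posture(domain, txt=SAMPLE_TXT):
    """Grade a domain's spoofing posture from SPF and DMARC. Returns (grade, reason)."""
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    spf = spf_all_qualifier(txt.get(domain, []))
    if dmarc is None:
        return "F", "no DMARC record: receivers apply no policy to spoofed mail"
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        return "D", "DMARC p=none: spoofed mail is reported but still delivered"
    if spf in (None, "+", "?"):
        return "C", f"DMARC p={policy} but SPF is missing or permissive; relies on DKIM alone"
    if policy == "quarantine":
        return "B", "DMARC p=quarantine with SPF restricting senders"
    return "A", "DMARC p=reject with SPF restricting senders"
```

The grades are a constructed heuristic for the example; a real report would also weigh DKIM selectors, the `sp` and `pct` tags, and whether aggregate reports are actually being received.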

05 · What the deliverable looks like

An evidence-grade PDF plus five forwardable artifacts.

It’s a document, not a dashboard. Your board, IT team, broker, or insurer can read it without asking you for access. Page count scales to your surface. The sample below is from a larger engagement, 65 pages. Here’s what’s inside.

Posture-at-a-glance scorecard showing letter grades for External Security, Mobile Performance, and Desktop Performance, plus severity-distribution and where-findings-concentrate charts.
Page 4

Posture at a glance

Four letter-grade scores. Severity distribution. Where the findings concentrate. The 3-second board read.

Priority findings table showing severity badges, evidence reference IDs, prescribed fixes, and effort estimates.
Page 7

Priority findings

Every high-severity item with severity, evidence reference, prescribed fix, and effort estimate. Each row links to its detail.

Coverage matrix appendix listing every check the assessment can run, with status (executed, clean, not run) and result count for each.
Page 61

Coverage matrix

Every check we can run, executed or not, with the reason. SOC 2 testing-matrix discipline applied to your external surface.

Action plan workstream showing prioritized remediation items with assigned owners, deadlines, and verification methods.
Pages 9–11

Action plan

Findings clustered into remediation workstreams. Each item has an owner, a deadline, and a verification method.

Cover page showing report title, engagement reference, scope, classification, and the SignumCyber attestation.
Page 1

Cover and scope

Engagement reference, date, scope, classification. The first page of the report, dated and signed.

View full sample report (PDF, 65 pages) →

Real engagement. Client name and identifying details redacted. Scoring, findings, and coverage matrix intact.

06 · Who signs

A named human, accountable by signature.

Every Attack Surface engagement is performed and signed by one credentialed practitioner who is accountable to you by name. The brand on the cover page is not a stand-in for the analyst behind the work.

The signing standard
CISSP · M.S. Cybersecurity · Field experience: OSINT, forensics, infrastructure

The signature on the attestation is the same person who ran the scans, prioritized the findings, and will join your walkthrough. The work is not subcontracted or offshored. If a finding doesn’t match what you understood to be true, raise it directly. You’re raising it with the assessor, not with a support queue.

CISSP is the credential boards, brokers, and insurance underwriters recognize as the marker of independent third-party review. The walkthrough is the marker of a human you can call.

07 · What you get

What ships with every engagement.

The deliverable is one comprehensive PDF: graded findings, prioritized action plan, evidence-grade detail, coverage matrix, and glossary. The action plan lives inside the report and gets tracked in your client portal as you work it. No separate spreadsheet to manage.

You also get a one-page Letter of Attestation, CISSP-signed, confirming the assessment was performed against the agreed scope on a specific date. It’s the forwardable version for vendor security questionnaires and procurement reviews where the requester needs proof of independent testing without circulating the findings.

08 · Pricing

Priced as a deliverable, not a subscription.

$249 for the first domain, plus $50 for each additional domain, for a single one-time assessment. Continuous monitoring is $82.50/month billed annually, or $99/month month-to-month (going annual saves $198). For agencies: a $1,997 credit pack for ten assessments, or a $499/month retainer covering five client domains.

For context: continuous external-monitoring platforms charge as recurring subscriptions. Standard external penetration tests start in the thousands of dollars per engagement. Attack Surface is a one-time, signed deliverable.

See full pricing →

Stop guessing what’s exposed.

One signed PDF with every finding graded and prioritized. Forwardable to whoever needs to see it. From $249.