Your team ships changes every day. Marketing spins up a microsite. A vendor adds an integration. A developer opens a port for a quick test and forgets. You can't watch all of it. Nobody can.
We do that watching for you. Every day we map what's exposed to the open internet under your name, surface anything new or unexpected, and quietly test whether the new thing is something an attacker could use. You hear from us only when there's something worth your attention.
Just your domain and your work email. We'll handle the rest.
What it does
Subdomain enumeration via passive DNS, certificate-transparency logs, search-engine indexing, archive crawling, and zone-transfer probing. Every host scored by reachability, technology, and the attack classes it's most exposed to.
Open ports, running services, version fingerprints, technology stacks, certificate state. We don't just enumerate — we identify which services would draw an attacker's attention first and prioritise validation against them.
Daily diffs of your perimeter. New subdomain appeared? New port opened? Cert changed? The dashboard surfaces every change, ranked by exposure, with a one-click test against the affected asset's most-likely attack classes.
The vendor SaaS your team subscribed to last month. The OAuth integration with the SSO they connected. The marketing tracking pixel that loads from a domain you don't own. Each third-party trust relationship surfaces as part of your attack surface, not separate from it.
Forgotten dev environments. Unattended preview deployments. Domains registered for an old marketing campaign. We surface what the security team didn't know existed — before someone hostile finds it instead.
Every newly-discovered exposure routes automatically to the right validation capability: API for new endpoints, web for new applications, cloud for new IaC-provisioned assets. The discovery and validation loops are one platform, not two.
What you get
Find. Prove. Fix. Verify. — applied to attack surface
Subdomain, service, certificate, technology, third-party trust. Daily refresh; drift surfaced as it happens.
Newly-discovered asset auto-routes to the right validation capability. Each confirmed exploit ships a Proof Capsule.
Each surfaced drift comes with three explicit options: take the asset offline, remediate the underlying control, or accept and document the exposure.
The asset disappears from the inventory or the validation re-runs and confirms remediation. Either way, the perimeter state is verifiable.
Where it fits in CTEM
Gartner's CTEM framework places Discovery as the second of five stages — the work of building a complete picture of what's actually exposed to attackers. Continuous external reconnaissance is the engine that does the work; drift detection is what makes Discovery continuous instead of point-in-time. Together with the Validation hand-off, Discovery becomes the front door of the loop, not a separate workflow.
Start where it costs you nothing
Drop your domain. We'll quietly look at your external footprint and send a short, plain-language report — with at least one real finding your team can verify themselves. No sales pressure. No surprise calls.
Just your domain and your work email. We'll handle the rest.
CELVEX Group