Our methodology

Exactly how we audit your domain — engine by engine.

No black box. Below is every scanning engine we run, what it inspects, what it catches, and how each finding maps to recognised standards. Every check is 100% passive and public-only — the same reconnaissance a real attacker performs, run for you first.

Public-only checks. Your report is emailed to you, guaranteed within 48 hours. One-time payment, no subscription.

Email authentication

Whether an attacker can send phishing mail that looks like it came from you.

DMARC policyDNS resolver

Inspects: _dmarc TXT record

Catches: Missing DMARC, or a permissive p=none that enforces nothing

OWASP · DMARC (RFC 7489)

SPF recordDNS resolver

Inspects: SPF TXT record

Catches: Missing SPF, an over-permissive +all, or a too-soft policy

OWASP · SPF (RFC 7208)

DKIMDNS resolver

Inspects: Common DKIM selectors

Catches: No published signing key for your mail

OWASP · DKIM (RFC 6376)

MX & mail postureDNS resolver

Inspects: MX records + mail host

Catches: Mail routing and host-level exposure

NIST SP 800-177

TLS, certificates & transport

Whether traffic to your site is properly encrypted end to end.

Certificate checkNode tls

Inspects: Served certificate

Catches: Invalid, expired, or soon-to-expire certificates

PCI DSS 4.2

TLS-version enumerationrecon (Node)

Inspects: Negotiable protocols

Catches: Deprecated TLS 1.0 / 1.1 still accepted

PCI DSS · NIST SP 800-52

Deep TLS analysistestssl.sh

Inspects: Ciphers, protocols, known TLS flaws

Catches: Weak ciphers and protocol-level vulnerabilities

OWASP TLS Cheat Sheet

HTTPS enforcementrecon (Node)

Inspects: HTTP→HTTPS behaviour

Catches: Plain HTTP that can be silently downgraded

OWASP A02

CAA recordsDNS resolver

Inspects: Certificate-authority authorization

Catches: No control over who can issue certs for you

CA/B Forum

Headers, cookies & CORS

Browser-side protections that keep your visitors' sessions safe.

Security headersheaders (Node)

Inspects: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy

Catches: Missing headers that enable clickjacking, XSS and leakage

OWASP Secure Headers

Cookie flagsrecon (Node)

Inspects: Set-Cookie attributes

Catches: Cookies missing Secure / HttpOnly / SameSite

OWASP A05

CORS policyrecon (Node)

Inspects: Access-Control-Allow-Origin

Catches: Over-permissive cross-origin sharing

OWASP A05

MTA-STS / TLS-RPT / BIMIrecon (Node)

Inspects: Mail-transport policy records

Catches: No enforced transport security for mail

RFC 8461

Public services & attack surface

Everything reachable on your perimeter that an attacker would map first.

Port & service scannmap

Inspects: Open TCP ports + service versions

Catches: Unexpected or deprecated exposed services

OWASP A05

Subdomain discoverysubfinder

Inspects: Public subdomains

Catches: Forgotten hosts and shadow infrastructure

OWASP ASVS

HTTP probinghttpx

Inspects: Live web endpoints

Catches: Live services, status, titles, web servers

OWASP WSTG

Tech fingerprintingwhatweb

Inspects: Frameworks, CMS, versions

Catches: Outdated or risky components in use

CVE / NVD

WAF detectionwafw00f

Inspects: Edge protection

Catches: Whether a web application firewall is present

OWASP WSTG

Vulnerability & exposure sweep

Targeted, non-destructive checks against what we found above.

CVE / misconfig templatesnuclei

Inspects: Detected services

Catches: Known CVEs, exposures and misconfigurations

CVE / NVD

Web-server scannikto

Inspects: Web server

Catches: Server misconfigurations and risky defaults

OWASP WSTG

Sensitive-file checkffuf (HEAD)

Inspects: ~30 common sensitive paths

Catches: Exposed .env, .git, backups, phpinfo, server-status

OWASP A01 / A05

Breached credentials & brand

Exposure that lives outside your own infrastructure.

Breach lookupXposedOrNot

Inspects: Common addresses at your domain

Catches: Credentials exposed in known breaches

NIST SP 800-63B

Typosquat sweepDNS resolver

Inspects: Look-alike domains

Catches: Resolving impersonation / phishing domains

Brand protection

What we never do

  • Install an agent, ask for credentials, or touch your private systems
  • Run intrusive exploits, brute-force logins, or attempt to break in
  • Generate meaningful load — checks are rate-limited and identify themselves
  • Test any domain you have not purchased an audit for

Standards we align to

Findings are mapped to the frameworks your auditors and customers already recognise:

  • OWASP Testing Guide & Top 10
  • CVE / NVD vulnerability data
  • NIST SP 800-series guidance
  • PCI DSS external-scan expectations
  • A published security.txt for researchers

Researchers can reach us via security.txt or abuse@exarlo.xyz.

See what these engines find on your domain.

One scan, every engine above, a ranked plain-English report — guaranteed within 48 hours or your money back.

Public-only checks. Your report is emailed to you, guaranteed within 48 hours. One-time payment, no subscription.