See your company the way hackers do.
A passive, non-intrusive analysis of your external attack surface. No exploitation. No agents. No service disruption. Signal only.
Six deliverables. An honest picture of your exposure.
All passive. Nothing that will show up in your logs.
OSINT and digital footprint
We map everything indexed, exposed or published about your company and infrastructure. Domains, ASNs, emails, documents, technical profiles.
Subdomain and service enumeration
Active subdomains, running services, open ports, identified technologies. Everything visible from the internet.
Known CVEs on the exposed surface
Software and framework versions matched against known vulnerability databases (CVE, NVD). No exploitation — exposure only.
Credential leaks and public data
We check public databases of compromised credentials, pastebins, repositories, and other non-technical exposure vectors.
Technical report + executive summary
Two documents: one for the technical team (with evidence, sources and reproduction steps) and one for management (risk, impact and next steps).
45-minute readout
Call with the responsible operator to present findings, answer questions and discuss remediation prioritization.
What we found in recent assessments.
Anonymized examples. All verified.
All 65,535 ports open on a server under active exploitation
During an active Recon Assessment, we identified a server with all 65k ports open — exposed on an IP block classified as a bad neighborhood, with evidence of ongoing exploitation by external actors. The client had no visibility over the asset and no monitoring process covered it.
Application vulnerability led to internet-exposed MikroTik on the network
In a Recon Assessment for a large ERP company, a vulnerability in the application layer opened a path to identifying a MikroTik router on the internal network with its management interface directly exposed to the internet — no segmentation, no strong authentication. A direct entry point into the environment.
From contract to delivery in 5 business days.
Scoping call (30 min)
You provide the assets: primary domains, IP ranges, brands. We sign the contract and authorize the engagement.
Passive execution (days 1–3)
Our operator runs the full recon using open-source tools and data. None of your assets are directly touched.
Analysis and correlation (days 3–4)
We validate each finding, remove false positives and classify by criticality and exploitability.
Report delivery (day 5)
Technical report and executive summary delivered as PDF with evidence, sources and remediation recommendations.
Readout (post-delivery)
45-minute call to present findings, answer questions and discuss response paths.
Ideal for. And who it's not for.
Companies that have never done a formal security assessment
Teams who want to evaluate our methodology before a full pentest
Startups going through due diligence or fundraising
Companies that suffered an incident and want to understand current exposure
CTOs and security heads who need to convince the board to invest
Not recommended for
Those who need a full penetration test (we have specific products for that)
Those who want a compliance report without real exposure understanding
Those who won't act on the findings
Frequently asked questions.
What's the difference between Recon Assessment and a pentest?
The Recon Assessment is 100% passive — no requests are made directly to your systems. It's an analysis of everything publicly visible. A pentest is active: our operators attempt to exploit vulnerabilities with documented authorization. The Recon is a natural prerequisite for any well-executed pentest.
Do I need to grant access or install anything?
No. All work is done from open sources. You only need to tell us the in-scope assets: domains, brands, IP ranges.
How do I know it's safe? What if you find something critical?
We sign an NDA before any engagement. If we find a critical active vulnerability during recon, you'll be notified immediately — before the formal report delivery.
Can I use the report for compliance (SOC 2, ISO 27001)?
The report serves as evidence of due diligence and can be included in compliance processes. For specific certifications, we recommend supplementing with a pentest with an attestation letter.
What happens after the assessment?
You get a real map of your exposure. Most clients use the assessment to prioritize remediation and then commission a pentest on the most critical identified assets.
Start seeing what hackers see.
Fixed-price assessment. $2,000. Delivered in 5 business days. No surprises.