How the score works

Attack Surface Score is a passive external assessment. Everything we check is visible to anyone on the public internet — we never log in, send exploit traffic, or touch your internal systems.

The five categories

Each category starts at 100 points and loses points for every issue found, weighted by severity. Your overall score is the weighted blend of the five category scores:

Category            Weight   What we look at
TLS / HTTPS         25%      HTTPS availability, HTTP→HTTPS redirect, downgrade protection
Exposure            25%      Open ports, known CVEs, and public subdomain sprawl
Email auth          20%      SPF and DMARC records that prevent spoofing
Security headers    20%      HSTS, CSP, X-Frame-Options, and related hardening headers
DNS hygiene         10%      Resolvability and CAA records

Where the data comes from

DNS resolvers for records and email authentication; live HTTPS requests for TLS and header checks; certificate transparency logs (crt.sh) to enumerate public subdomains; and — where configured — Shodan and Censys for exposed ports, services, and known vulnerabilities.

Grades

A (90–100), B (80–89), C (70–79), D (60–69), F (below 60). A grade is a signal, not a guarantee — it reflects what's externally observable, not your full internal security posture.
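The worked example below, added here and not the product's own code, shows how the category weights and grade bands above combine into an overall score, using the security-headers category as the concrete case. The category weights and grade thresholds are the ones stated on this page; the per-severity deductions, the specific header checks, the hypothetical host example.test, and the sample findings are all assumptions made for illustration.

```python
"""Worked example of the Attack Surface Score blend (added illustration,
not the product's code). The page gives only category weights and grade
bands; deductions, header checks and sample findings below are assumed."""
from typing import Dict, List, Tuple

# Category weights exactly as stated on the page (they sum to 1.0).
WEIGHTS = {
    "tls": 0.25,
    "exposure": 0.25,
    "email_auth": 0.20,
    "headers": 0.20,
    "dns": 0.10,
}

# Assumed deduction per finding by severity (the page does not publish these).
DEDUCTION = {"critical": 40, "high": 20, "medium": 10, "low": 5}

# Grade bands from the page: A 90-100, B 80-89, C 70-79, D 60-69, F below 60.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]

Finding = Tuple[str, str]  # (description, severity)

# Assumed header checks: (header name, severity if absent, finding text).
HEADER_CHECKS = [
    ("strict-transport-security", "high", "HSTS header missing"),
    ("content-security-policy", "medium", "CSP header missing"),
    ("x-frame-options", "medium", "X-Frame-Options header missing"),
    ("x-content-type-options", "low", "X-Content-Type-Options header missing"),
]


def header_findings(headers: Dict[str, str]) -> List[Finding]:
    """Report hardening headers absent from an HTTPS response.
    Header names compare case-insensitively, as HTTP requires."""
    present = {name.lower() for name in headers}
    return [(msg, sev) for name, sev, msg in HEADER_CHECKS if name not in present]


def category_score(findings: List[Finding]) -> int:
    """Start at 100, deduct per finding by severity, never drop below 0."""
    total = sum(DEDUCTION[sev] for _, sev in findings)
    return max(0, 100 - total)


def overall_score(category_scores: Dict[str, int]) -> float:
    """Blend the five category scores by the page's weights."""
    assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9
    return round(sum(WEIGHTS[c] * category_scores[c] for c in WEIGHTS), 2)


def grade(score: float) -> str:
    """Map a blended score onto the page's letter grades."""
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


# Constructed sample: response headers from the hypothetical host example.test.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

# Constructed findings for the other four categories.
SAMPLE_FINDINGS = {
    "tls": [],
    "exposure": [("port 3389/tcp reachable from the internet", "high")],
    "email_auth": [("no DMARC record published", "medium")],
    "headers": header_findings(SAMPLE_HEADERS),
    "dns": [],
}


def sample_report():
    """Score every category, blend them, and grade the result."""
    scores = {c: category_score(f) for c, f in SAMPLE_FINDINGS.items()}
    total = overall_score(scores)
    return scores, total, grade(total)


if __name__ == "__main__":
    scores, total, letter = sample_report()
    for category, score in scores.items():
        print(f"{category:12s} {score:3d}")
    print(f"overall {total:.1f} -> grade {letter}")
```

Note that the sample lands exactly on the A/B boundary: two missing headers cost the headers category 15 points, the open port and missing DMARC record cost 20 and 10 in theirs, and the weighted blend comes to 90.0, which the page's bands grade as A. Rounding the blend before grading keeps a boundary result like this from flipping on floating-point noise.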