How the score works
Attack Surface Score is a passive external assessment. Everything we check is visible to anyone on the public internet — we never log in, send exploit traffic, or touch your internal systems.
The five categories
Each category starts at 100 points and loses points for every issue found, weighted by severity. Your overall score is the weighted blend of the five category scores:
| Category | Weight | What we look at |
|---|---|---|
| TLS / HTTPS | 25% | HTTPS availability, HTTP→HTTPS redirect, downgrade protection |
| Exposure | 25% | Open ports, known CVEs, and public subdomain sprawl |
| Email auth | 20% | SPF and DMARC records that prevent spoofing |
| Security headers | 20% | HSTS, CSP, X-Frame-Options, and related hardening headers |
| DNS hygiene | 10% | Resolvability and CAA records |
Where the data comes from
DNS resolvers for records and email authentication; live HTTPS requests for TLS and header checks; certificate transparency logs (crt.sh) to enumerate public subdomains; and — where configured — Shodan and Censys for exposed ports, services, and known vulnerabilities.
Grades
A (90–100), B (80–89), C (70–79), D (60–69), F (below 60). A grade is a signal, not a guarantee — it reflects what's externally observable, not your full internal security posture.
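To make the arithmetic concrete, here is an added toy scorer in Python (illustration only, not the product's own code) that follows the weights and grade bands above. The points deducted per severity, the severity given to each finding, and the sample target are assumptions made for the example.

```python
# Added example, not the product's code: a toy scorer following the page's five
# weights and grade bands. Deductions and per-finding severities are assumptions.
WEIGHTS = {"tls": 0.25, "exposure": 0.25, "email": 0.20, "headers": 0.20, "dns": 0.10}
DEDUCTION = {"high": 30, "medium": 15, "low": 5}  # assumed points lost per finding
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]  # bands from the page


def category_score(findings):
    # Each category starts at 100 and loses a severity-weighted amount per finding.
    return max(0, 100 - sum(DEDUCTION[sev] for _, sev in findings))


def check_headers(headers):
    """Hardening-header checks over one captured HTTPS response (name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append(("missing HSTS", "high"))
    if not h.get("content-security-policy"):
        findings.append(("missing CSP", "medium"))
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append(("no framing protection", "medium"))
    return findings


def check_email_auth(txt_records, dmarc_records):
    """SPF/DMARC checks over the TXT records of the domain and of _dmarc.<domain>."""
    findings = []
    spf = [r for r in txt_records if r.startswith("v=spf1")]
    if not spf:
        findings.append(("no SPF record", "high"))
    elif spf[0].split()[-1] in ("+all", "all"):
        findings.append(("SPF passes any sender", "high"))
    dmarc = [r for r in dmarc_records if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(("no DMARC record", "high"))
    elif "p=none" in dmarc[0].replace(" ", ""):
        findings.append(("DMARC p=none only monitors spoofing", "medium"))
    return findings


def overall(scores):
    total = round(sum(WEIGHTS[c] * s for c, s in scores.items()))  # weighted blend
    return total, next(g for floor, g in GRADES if total >= floor)


# Constructed sample target (not a real scan): TLS, exposure and DNS assumed clean.
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
SAMPLE_TXT = ["v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

def score_sample():
    scores = dict(tls=100, exposure=100, dns=100, headers=category_score(check_headers(SAMPLE_HEADERS)),
                  email=category_score(check_email_auth(SAMPLE_TXT, SAMPLE_DMARC)))
    return overall(scores)  # -> (88, "B") with the assumed deductions
```

Two high-weight categories at 100 still leave the sample at a B, because missing HSTS and CSP alone cost 45 of the header category's 100 points.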