The compounding interest of external security.
Hygiene checks rarely fire as one critical alert. They sit at low or medium severity. But across an attack surface they accumulate — each one shaving margin off the next time something goes wrong. Strong DMARC blocks spoofing; an HSTS header prevents downgrade; an unexpired certificate is one less chance for a man-in-the-middle. Hygiene is what your auditor actually checks.
What we detect
- Expiring or expired SSL/TLS certificates — every monitored asset, with configurable lead time alerts.
- Weak SSL/TLS configurations — TLS 1.0/1.1 still enabled, weak cipher suites, missing OCSP stapling, certificate-chain issues.
- Missing security headers — Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- Weak email authentication — missing or permissive SPF, weak DMARC policy (p=none in production), missing DKIM selectors.
- End-of-life software stacks — server, framework, language runtime, or library versions whose vendor no longer ships security patches.
- Outdated content management systems — WordPress, Drupal, Joomla versions running plugins/themes with known issues.
- Cookie security misconfigurations — missing Secure, HttpOnly, or SameSite attributes on session cookies.
Why it matters
An expired certificate is a 30-second incident that takes the whole service offline. A weak DMARC policy lets phishers send authoritative-looking email as your domain. Missing HSTS makes every public-WiFi user at every airport in the world vulnerable to session hijacking. End-of-life software is exploited the moment a CVE drops because there's no patch coming. None of these is a single-event disaster — but compound them across a year and they're the difference between an audit pass and a remediation project.
How Nano EASM detects it
The SSL engine connects to every TLS endpoint, captures the certificate chain, and analyses it for expiry, signature algorithm, key strength, protocol versions, and cipher suites. The DNS engine fetches and parses SPF/DKIM/DMARC records, flagging weak policies. The HTTP engine walks each asset's response headers and reports anything missing or misconfigured. The technology detector identifies CMS/framework/runtime versions and cross-references against an EOL database. Continuous monitoring re-runs all of this on the cadence you choose, so expiring certificates get caught with lead time.
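As an added illustration of the weak-policy and missing-header logic described above (example code, not Nano EASM's own engines): the DMARC/SPF records and response headers are constructed samples, the HSTS floor of one year is this example's assumption, and the SPF check ignores redirect= modifiers.

```python
# Added example (not Nano EASM code): weak-policy and missing-header checks as described above.
REQUIRED_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
)

def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Flag the weak DMARC policies the page warns about (p=none or no policy)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or malformed"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ["DMARC: p=none, spoofed mail is still delivered"]
    if policy not in ("quarantine", "reject"):
        return ["DMARC: no valid p= tag"]
    return []

def check_spf(record):
    """Flag permissive SPF: '+all'/'?all' pass any sender; no 'all' term means neutral."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record missing or malformed"]
    if terms[-1] in ("+all", "all", "?all"):
        return ["SPF: permissive " + terms[-1] + ", any sender passes"]
    return [] if terms[-1] in ("-all", "~all") else ["SPF: no terminal all mechanism"]

def check_headers(headers):
    """Report missing security headers and an HSTS max-age under one year (31536000 s)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = ["Header missing: " + h for h in REQUIRED_HEADERS if h.lower() not in present]
    for directive in present.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit() and int(value) < 31536000:
            findings.append("HSTS: max-age " + value + " is under one year")
    return findings

# Constructed sample inputs mirroring the 'DMARC at p=none' scenario below.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_SPF = "v=spf1 include:_spf.example.com ~all"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff"}
```

Running the three checks over the samples yields the p=none finding, no SPF finding for the soft-fail record, and five header findings (four missing headers plus the short HSTS max-age).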
Common scenarios
Cert expires Saturday morning
Continuous monitoring runs daily on the monitored assets. The SSL engine reports a 7-day expiry warning on Wednesday morning. Slack alert fires. You renew on Thursday. No outage on the weekend.
DMARC at p=none for two years
Marketing complains about phishers spoofing your domain to customers. The DNS engine reports your DMARC policy as p=none — meaning every phishing attempt is being delivered, just with a 'not aligned' note in your aggregate reports nobody reads. Finding includes a remediation walkthrough for the p=none → quarantine → reject ramp.
Quarterly audit needs evidence of TLS posture
Compliance report aggregates every SSL finding across every monitored asset, by severity. Export to PDF. Auditor's evidence requirement closed in 30 seconds.
Try it free against your domain
Quick Scan runs the engines that surface security hygiene findings, plus the rest of the platform's coverage. No signup, no credit card, real results in under a minute.