EASM Scanner - continuous external surface coverage.
The core scanner watches the surfaces an attacker can enumerate without credentials: containers, packages, Git metadata, DNS, certificates, live web exposure, and dark-web context. It turns scattered observations into one finding graph.
Coverage with explainable detection techniques.
Docker and container registries
Layer-by-layer artifact scanning catches secrets, build args, labels, exposed endpoints, forgotten config, and registry drift. Detections combine regex, entropy scoring, semantic AI triage, and multi-LLM cross-validation before a finding is promoted.
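The regex and entropy stages described above can be illustrated on image build history. This is an added example, not the product's own code: the image config is constructed, and the name pattern, thresholds, and the `EXAMPLE`-suffix rule for documentation samples are assumptions.

```python
import json
import math
import re
from collections import Counter

# Constructed sample of an OCI image config "history" array (not real data).
IMAGE_CONFIG = json.dumps({"history": [
    {"created_by": "/bin/sh -c #(nop) ENV APP_ENV=production"},
    {"created_by": "|1 API_TOKEN=changeme /bin/sh -c npm ci"},
    {"created_by": "/bin/sh -c #(nop) ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"created_by": "|1 AWS_SECRET_ACCESS_KEY=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"
                   " /bin/sh -c ./deploy.sh"},
]})

# Assumed rule: NAME=value where NAME looks like a credential variable.
ASSIGN = re.compile(r"\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)=(\S+)")


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_history(config_json, min_entropy=3.5, min_len=16):
    """Return one finding per credential-like assignment in build history."""
    findings = []
    history = json.loads(config_json).get("history", [])
    for idx, entry in enumerate(history):
        for name, value in ASSIGN.findall(entry.get("created_by", "")):
            h = shannon_entropy(value)
            if value.endswith("EXAMPLE"):
                # Documentation-style sample: high entropy alone would flag it.
                verdict = "sample"
            elif len(value) >= min_len and h >= min_entropy:
                verdict = "candidate"
            else:
                verdict = "low-entropy"
            findings.append({"history_index": idx, "name": name,
                             "entropy": round(h, 2), "verdict": verdict,
                             "value": value[:4] + "..."})  # never log the full value
    return findings


if __name__ == "__main__":
    for finding in scan_history(IMAGE_CONFIG):
        print(finding)
```

The documentation-style key ID scores above the entropy threshold, which is why a later triage stage is needed before a match is promoted to a finding.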
Package registries
NPM, PyPI, and package metadata are reviewed for suspicious publish changes, typosquat candidates, dependency-confusion exposure, leaked sourcemaps, maintainer transitions, and artifact-level evidence that in-repo scanners miss.
Git hosting and CI metadata
GitHub and GitLab surfaces are mapped for public repos, workflow files, deployment hints, exposed build artifacts, release attachments, and cross-surface references that tie a secret or endpoint to a production path.
DNS, certificates, and live web
External hostnames, CT logs, web fingerprints, public services, and dark-web credential hints are normalized into the same asset graph so the scanner can correlate exposed systems with artifact evidence.
A finding built for remediation, not screenshots.
Each module produces a structured evidence pack with severity, business impact, and a runbook excerpt that can be routed to Slack, Jira, Linear, ServiceNow, GitHub, webhook, or SIEM depending on tier.
PDF FINDING PREVIEW
Docker layer credential correlates to production AWS role
Evidence pack
- Layer 4 of acme/api:prod-2026-05-01 contains AWS_ACCESS_KEY_ID with high entropy and live prefix.
- .github/workflows/deploy.yml references the same key through a production deploy role.
- DNS and CT-log context confirm the affected API host is publicly reachable.
- Multi-LLM cross-validation agrees the finding is exploitable, not a benign sample.
Business impact
The key can plausibly bridge build artifact access into production cloud metadata. The finding is routed as a Proof of Threat because the artifact, workflow, and live host share the same deployment path.
Remediation runbook
1. Disable the exposed key.
2. Rotate the deploy role and rebuild the image.
3. Remove secret material from Docker history.
4. Add pre-publish artifact scanning to CI.
5. Confirm no public registry tag still contains the layer.
Included where the workflow needs it.
| Tier | Included | Asset limits |
|---|---|---|
| Community | Included | 3 assets, core external surface scan |
| Pulse | Included | 25 assets, scheduled monitoring, CI/CD context |
| Shield | Included | 150 assets, AgentGuard and WSCS modules available |
| Fortress | Included | 500 assets, SaintScan validation available |
| Sentinel | Included | Unlimited by engagement, managed operating plan |
Ships findings into the systems that already own remediation.