What Category Are We In?
Passive Security Monitoring: Continuous, non-intrusive recon. DNS, headers, certificates, exposure — all without sending a single attack payload.
Attack Surface Management: Enterprise-grade external asset discovery, risk scoring across the full IP and subdomain range. Priced for Fortune 500.
Active Penetration Testing: On-demand scanners and manual pentest platforms. They actively probe, exploit, and authenticate into your app to find vulnerabilities.
The security tooling market breaks into three distinct categories. At the enterprise end you have Attack Surface Management platforms — SecurityScorecard, Bitsight, and similar — that score organisations across thousands of signals but charge $20k–$100k/year and require procurement cycles. At the other end are Active Penetration Testing platforms that fire real attack payloads at your app to find exploitable vulnerabilities.
SecurityStatus sits squarely in Passive Security Monitoring — category one. We run continuous, automated, non-intrusive reconnaissance against your domain. Every check we perform is something a legitimate external observer could do: querying DNS records, inspecting HTTP response headers, looking up certificate transparency logs, and checking structured threat intelligence feeds. We never probe or attack.
This distinction matters. Because we never send attack traffic, we can monitor any domain continuously, without permission gates, without legal risk, and without the overhead of a formal pentest engagement. It also means we are not a replacement for a pentest — we're the always-on layer that tells you what's visible before a real attacker looks.
Side-by-Side Feature Matrix
We're comparing against two anonymised vendor types, not specific companies. Vendors within each category behave roughly the same way.
| Feature | SecurityStatus (Passive Monitoring) | Enterprise ASM Platform | Active Pentest Platform |
|---|---|---|---|
| Email Security (SPF/DKIM/DMARC) | Full | Basic | Not Focus |
| MTA-STS / TLS-RPT / BIMI | Full | Rarely | Not Focus |
| Email Spoofing Verdict | Yes | Partial | Not Focus |
| SSL/TLS Certificate Analysis | Full | Full | Full |
| Subdomain Takeover Detection | Yes | Some | Yes |
| Technology Fingerprinting | Yes | Basic | Full |
| CVE Mapping to Detected Tech | Yes | Yes | Yes |
| WAF Detection | Yes | Basic | Yes |
| Open Port Scanning | Surface | Full | Full |
| Dark Web / Breach Exposure | Yes | Yes | Rare |
| Admin Panel Exposure Check | Yes | No | Yes |
| Cloud Storage Exposure (S3/GCS) | Yes | Some | Yes |
| API Documentation Exposure | Yes | No | Some |
| Security Badge (shareable) | Yes | Enterprise | No |
| Continuous 24/7 Monitoring | Yes | Yes | No (on-demand) |
| Automated Alerts | Yes | Yes | No |
| SQL Injection / XSS Testing | Not in scope | No | Full |
| Authenticated App Scanning | Not in scope | No | Full |
| Manual Penetration Testing | Not in scope | No | Full |
| Price Point | Affordable | Enterprise $$$$ | Mid-range |
What We Don't Do (And Why)
These aren't gaps — they're deliberate design decisions. A focused tool does its job exceptionally well.
Start Monitoring Your Domain
Continuous passive monitoring, 25 security checks, free to start. Know what attackers see before they do.