Our methodology
Exactly how we audit your domain — engine by engine.
No black box. Below is every scanning engine we run, what it inspects, what it catches, and how each finding maps to recognised standards. Every check is 100% passive and public-only — the same reconnaissance a real attacker performs, run for you first.
Email authentication
Whether an attacker can send phishing mail that looks like it came from you.
Inspects: _dmarc TXT record
Catches: Missing DMARC, or a permissive p=none that enforces nothing
OWASP · DMARC (RFC 7489)
Inspects: SPF TXT record
Catches: Missing SPF, an over-permissive +all, or a too-soft policy
OWASP · SPF (RFC 7208)
Inspects: Common DKIM selectors
Catches: No published signing key for your mail
OWASP · DKIM (RFC 6376)
Inspects: MX records + mail host
Catches: Mail routing and host-level exposure
NIST SP 800-177
TLS, certificates & transport
Whether traffic to your site is properly encrypted end to end.
Inspects: Served certificate
Catches: Invalid, expired, or soon-to-expire certificates
PCI DSS 4.2
Inspects: Negotiable protocols
Catches: Deprecated TLS 1.0 / 1.1 still accepted
PCI DSS · NIST SP 800-52
Inspects: Ciphers, protocols, known TLS flaws
Catches: Weak ciphers and protocol-level vulnerabilities
OWASP TLS Cheat Sheet
Inspects: HTTP→HTTPS behaviour
Catches: Plain HTTP that can be silently downgraded
OWASP A02
Inspects: Certificate-authority authorization
Catches: No control over who can issue certs for you
CA/B Forum
Headers, cookies & CORS
Browser-side protections that keep your visitors' sessions safe.
Inspects: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Catches: Missing headers that enable clickjacking, XSS and leakage
OWASP Secure Headers
Inspects: Set-Cookie attributes
Catches: Cookies missing Secure / HttpOnly / SameSite
OWASP A05
Inspects: Access-Control-Allow-Origin
Catches: Over-permissive cross-origin sharing
OWASP A05
Inspects: Mail-transport policy records
Catches: No enforced transport security for mail
RFC 8461
Public services & attack surface
Everything reachable on your perimeter that an attacker would map first.
Inspects: Open TCP ports + service versions
Catches: Unexpected or deprecated exposed services
OWASP A05
Inspects: Public subdomains
Catches: Forgotten hosts and shadow infrastructure
OWASP ASVS
Inspects: Live web endpoints
Catches: Live services, status, titles, web servers
OWASP WSTG
Inspects: Frameworks, CMS, versions
Catches: Outdated or risky components in use
CVE / NVD
Inspects: Edge protection
Catches: Whether a web application firewall is present
OWASP WSTG
Vulnerability & exposure sweep
Targeted, non-destructive checks against what we found above.
Inspects: Detected services
Catches: Known CVEs, exposures and misconfigurations
CVE / NVD
Inspects: Web server
Catches: Server misconfigurations and risky defaults
OWASP WSTG
Inspects: ~30 common sensitive paths
Catches: Exposed .env, .git, backups, phpinfo, server-status
OWASP A01 / A05
Breached credentials & brand
Exposure that lives outside your own infrastructure.
Inspects: Common addresses at your domain
Catches: Credentials exposed in known breaches
NIST SP 800-63B
Inspects: Look-alike domains
Catches: Resolving impersonation / phishing domains
Brand protection
What we never do
- Install an agent, ask for credentials, or touch your private systems
- Run intrusive exploits, brute-force logins, or attempt to break in
- Generate meaningful load — checks are rate-limited and identify themselves
- Test any domain you have not purchased an audit for
Standards we align to
Findings are mapped to the frameworks your auditors and customers already recognise:
- OWASP Testing Guide & Top 10
- CVE / NVD vulnerability data
- NIST SP 800-series guidance
- PCI DSS external-scan expectations
- A published security.txt for researchers
Researchers can reach us via security.txt or abuse@exarlo.xyz.
See what these engines find on your domain.
One scan, every engine above, a ranked plain-English report — guaranteed within 48 hours or your money back.