Four situations that lead to this conversation
"A board director asked whether we have any internet-exposed vulnerabilities. The CEO said they'd find out. It's been three weeks."
The question was asked. Now you need an answer you can actually give.
"Our insurer asked for evidence of external vulnerability scanning before they would quote a renewal."
Insurance renewals are the most common first trigger for this engagement.
"A client's security questionnaire asked about our external attack surface. We guessed the answer."
If you're guessing, you're exposed — and that answer won't hold up.
"A business in our industry was breached through an exposed remote desktop port. We don't know if we have the same issue."
You shouldn't have to wait for your own incident to find out.
If you've been told your MSP keeps everything secure, that's probably true for the technology they manage. But external attack surface assessment isn't what MSPs are engaged to do. This is a different question, and it requires an independent eye.
What gets scored
A–F rating across five risk areas
Each area is scored independently. You see where you stand and what's pulling the score down — not a single overall mark that hides the detail.
Illustrative example — not an actual score. Your result reflects your specific environment.
Passive asset discovery: what an attacker already sees about you
Before we scan what you know about, we enumerate what's publicly visible — certificate transparency logs, Shodan, DNS records, ASN lookups. We find internet-facing assets your business may not have known were public. These are listed in your report, without scoring or analysis.
dev-portal.yourdomain.com · legacy-vpn.yourdomain.com · 3 IP ranges registered to your ASN with open ports 22 and 3389 · 2 expired certificates on subdomains not in your managed scope
These assets are listed, not analysed. The natural next question is: what's actually running on those? That becomes the follow-on engagement if you want to go deeper.
What you receive
Concrete deliverables — not a methodology description
Security Health Check Report
A–F scoring across five risk areas with a plain-language explanation of each finding, the evidence used to arrive at it, and the specific configuration or exposure driving the score.
Passive Discovery Summary
A list of internet-facing assets found via public sources that were not in your stated scope. These are assets an attacker can already find. Listed without scoring — analysing them is the scope of a follow-on engagement.
Prioritised remediation actions
The top five actions ranked by risk, each with a one-sentence explanation of the consequence if left unaddressed. No 200-page report. No list of 47 findings of varying severity.
One-page executive summary
A plain-language summary of the overall risk picture — designed to be handed to whoever asked the original question. Board director, insurer, client. It answers the question they actually asked.
How it works
30-minute kickoff to delivered report — five business days
Book and pay — no call required
Use the pricing configurator below to get your fixed price. Book directly. No proposal, no scoping call, no back-and-forth.
30-minute kickoff call
We confirm scope: your known internet-facing assets, domains, and any IP ranges you're aware of. If you don't have a list, we enumerate from scratch, which adds one business day.
Passive enumeration and external scan
We run passive discovery and external scanning in parallel. No system access, no agent installation, no contact with your internal network. Same information an attacker would gather from the outside.
Report delivered
Report, passive discovery summary, and executive brief delivered within five business days of kickoff. If we find anything critical, you hear from us before the report lands.
Get your price
Fixed fee — no quote required
Three questions. Instant price. No consultation needed.
Security Health Check — Pricing Configurator
Answer three questions to get your fixed price and estimated delivery date.