Domain Scanning

Know your entire attack surface

Discover every domain, subdomain, and exposed service. Validate TLS certificates, fingerprint tech stacks, and find vulnerabilities before attackers do.

01

Attack surface discovery

Enter your root domain and Scuto maps everything — subdomains, DNS records, exposed services, and IP addresses. Continuously monitored so new assets never slip through.

  • Subdomain enumeration via DNS, certificate transparency, and brute force
  • Dangling CNAME detection to prevent subdomain takeover
  • Continuous monitoring — get alerted when new subdomains appear

Attack Surface: acme.io (6 domains, 8 subdomains, 2 issues)

| Host | Record | Services |
|---|---|---|
| app.acme.io | A | HTTPS, WSS |
| api.acme.io | A | HTTPS, REST |
| staging.acme.io | CNAME | HTTPS |
| legacy.acme.io | A | HTTP, FTP |
| mail.acme.io | MX | SMTP, IMAP |
| dev.acme.io | CNAME | HTTPS |

2 dangling CNAME records detected: subdomain takeover risk

TLS Certificates

| Host | Issuer | Protocol | Status | Grade | Expiry | Cipher |
|---|---|---|---|---|---|---|
| app.acme.io | Let's Encrypt R3 | TLS 1.3 | Valid | A+ | 101d remaining | ECDHE-RSA-AES256-GCM |
| api.acme.io | Let's Encrypt R3 | TLS 1.3 | Valid | A+ | 101d remaining | ECDHE-RSA-AES256-GCM |
| staging.acme.io | DigiCert G2 | TLS 1.2 | Expiring | B | 24d remaining | ECDHE-RSA-AES128-SHA |
| legacy.acme.io | Self-signed | TLS 1.0 | Expired | F | Expired 153d ago | DES-CBC3-SHA |

02

TLS certificate validation

Validate every certificate across your domains — check expiry dates, cipher strength, protocol versions, and certificate chain integrity. Get alerted before certificates expire.

  • Grade every certificate from A+ to F based on configuration strength
  • Expiry alerts at 30, 14, and 7 days — never get caught off guard
  • Flag weak ciphers, deprecated TLS versions, and self-signed certificates
03

Tech stack fingerprinting

Automatically detect what's running on each domain — web servers, frameworks, CDNs, and WAFs. Know exactly what's exposed and where your gaps are.

  • Detect web servers, frameworks, CMS platforms, and JavaScript libraries
  • Identify CDN and WAF presence — flag unprotected endpoints
  • Match detected versions against CVE databases for known vulnerabilities

Tech Stack

| Host | Server | Framework | CDN | WAF |
|---|---|---|---|---|
| app.acme.io | Nginx 1.25 | Next.js 14 | CloudFront | AWS WAF |
| api.acme.io | Node.js 20 | Express 4.x | CloudFront | AWS WAF |
| staging.acme.io | Nginx 1.22 | Next.js 13 | None | None |
| legacy.acme.io | Apache 2.4 | PHP 7.4 | None | None |

Subdomain Enumeration: acme.io

Sources: DNS enumeration, Certificate transparency, Brute force, MX record

| Subdomain | Source | Ports | Status |
|---|---|---|---|
| app | DNS enumeration | 443 | active |
| api | DNS enumeration | 443, 8443 | active |
| staging | Certificate transparency | 443 | active |
| legacy | Brute force | 80, 21 | active |
| mail | MX record | 25, 993 | active |
| dev | Certificate transparency | 443 | active |
| test | Brute force | | dangling |
| old-api | Certificate transparency | | dangling |

8 subdomains found, 2 dangling records

04

Deep subdomain enumeration

Combine multiple discovery techniques — DNS enumeration, certificate transparency logs, and smart brute force — to find every subdomain, including ones you forgot about.

  • Multi-source discovery combining passive and active techniques
  • Port scanning on discovered subdomains to map exposed services
  • Diff between scans — see what's new, changed, or disappeared

More capabilities

Everything you need to map, monitor, and secure your external attack surface.

Scheduled Scanning

Continuous monitoring on a schedule. Get alerted when new subdomains appear or certificates are about to expire.

Dangling DNS Detection

Find CNAME records pointing to deprovisioned services — preventing subdomain takeover attacks before they happen.

Port Scanning

Discover exposed ports and services across your entire attack surface. Flag unexpected listeners and shadow IT.

Header Analysis

Check for missing security headers — HSTS, CSP, X-Frame-Options, and more. Get remediation guidance for each.

WHOIS & DNS Intelligence

Track domain registration, nameserver changes, and DNS record modifications. Get alerted on unauthorized changes.

Compliance Mapping

Map TLS configuration and exposed services to SOC 2, ISO 27001, and PCI DSS controls automatically.

Ready to map your attack surface?

Enter your domain and discover everything that's exposed — in minutes.