External Attack Surface Management
Know your attack surface
before attackers do
Forgotten subdomains, open ports, expiring certificates, spoofable email — SurfaceLoop continuously finds what your business exposes to the internet and tells you, in plain English, what to fix first.
Full product on your own domains. No card details, no sales call — or book a demo if you'd like a walkthrough first.
Live scan output
What SurfaceLoop finds on a typical domain
Real findings from an example scan. Switch categories. Filter by severity. This is what your report looks like.
Open Ports — example.com
Want this for your own domains? Start your free trial →
Seven categories
Every scan checks all of these
Open Ports & Services
Discover and monitor open TCP ports and exposed services across your external attack surface.
OpenSSH 8.9 — password authentication enabled
→Exposed Web Panels
Detect admin panels, management interfaces, and login pages exposed to the public internet.
Jenkins dashboard accessible without authentication
→TLS & Certificates
Monitor TLS configuration, certificate expiry, weak ciphers, and chain-of-trust issues.
Certificate expires in 3 days — CN=*.example.com, issuer Let's Encrypt
→Security Headers
Check HTTP security headers including CSP, HSTS, X-Frame-Options, and Permissions-Policy.
Missing Content-Security-Policy — no XSS protection
→Known Vulnerabilities (CVEs)
Scan for known CVEs and exploitable vulnerabilities using thousands of detection templates.
FortiOS out-of-bounds write — remote code execution, actively exploited
→DNS & Email Spoofing
Validate SPF, DKIM, and DMARC configuration to prevent domain spoofing and phishing.
DMARC policy set to p=none — domain can be spoofed freely
→Subdomain Enumeration
Discover subdomains, shadow IT, forgotten services, and development environments exposed to the internet.
Subdomain points to decommissioned S3 bucket — takeover possible
→Why this exists
The gap between audits is where breaches happen
SurfaceLoop is built for SME IT teams, MSPs, and business owners who know external exposure matters — without the complexity or price of an enterprise security platform.
Without continuous scanning
Quarterly pen test finds 12 issues. You fix them. Next quarter: 15 new ones.
With SurfaceLoop
Continuous scanning finds issues the day they appear. You fix them before attackers arrive.
Without continuous scanning
Spreadsheet of domains maintained by someone who left 6 months ago.
With SurfaceLoop
Automated discovery finds every subdomain, every port, every forgotten staging server.
Without continuous scanning
Five different tools, five dashboards, five sets of credentials.
With SurfaceLoop
Seven scan categories, one platform, one view of your entire attack surface.
Getting started
Add domains. See what's exposed. Fix it.
Enter your root domains — SurfaceLoop discovers every subdomain and internet-facing asset automatically. Scans run across all seven categories simultaneously. Findings are prioritised by severity and tracked over time. When something new appears on your attack surface, you get an alert.
Add your domains. Discovery runs automatically.
Scan across 7 categories. Ports, panels, TLS, headers, CVEs, DNS, subdomains.
See what's exposed. Prioritised by severity. Alerts on new findings.
Your attack surface is already visible to attackers
Start a 14-day free trial and see the findings on your own domains — no card, no sales call, nothing to install.
If you continue after the trial, it's £149/month, everything included — invoiced by AMVIA, the company behind SurfaceLoop. Prefer a walkthrough? Book a demo.