External attack surface management
Dhara runs a passive, evidence-first external scan and returns a report your auditor accepts. No agents. No credentials. No sales call before you see the findings.
The hero asset
One page per finding. Evidence on the left, framework control on the right. Redacted sample below; click through for the full facsimile.
View the full sample reportCertificate Transparency logs show a wildcard leaf issued 2025-09-12 that still covers subdomains resolving to parked IPs. Past pre-production hosts re-resolved to attacker-controllable CNAMEs.
Anonymous GET returns CapabilityStatement including implementation version, resource list, and OAuth endpoints. Used to enumerate unsupported resources and identify outdated FHIR server builds.
No _dmarc TXT record published. Permits spoofed sender addresses; downstream impact on phishing-based PHI exfiltration. SPF present but not aligned.
Methodology
Zero packets to your servers. Public signals only — DNS, certificate transparency, historical URLs, tech fingerprints.
No credentials, no agents, no firewall rules. You do not owe us access to see your external posture.
Every finding carries the control ID a non-security buyer can hand to their auditor or GRC.
Free report in your inbox the next business day. One page an executive will actually read.
Free. Passive. In your inbox tomorrow.