FREE ASSESSMENT

Get Your Free External Exposure Assessment

See what attackers see. We run a passive, outside-in scan of your domain and map every internet-facing asset we can find: subdomains, exposed services, open ports, certificates, cloud resources, and remote access points that should not be public.


No Agents Required

Passive Scanning Only

Results in 24 Hours

How It Works

1. Submit Your Domain

Enter your primary domain and work email. That is all we need to start.

2. We Scan Your External Surface

Passive reconnaissance maps subdomains, exposed services, remote access points, cloud resources, and certificates. Nothing touches your internal network.

3. Review Your Report

Receive an exposure report with prioritized findings, risk ratings, and next steps for anything we find exposed.

What the Assessment Covers

A single domain submission triggers a multi-phase external scan.

Asset Discovery

Subdomain enumeration, DNS records, IP resolution, cloud provider detection, and certificate transparency log analysis to map your full external footprint.

Exposed Services

Open ports, remote access services (RDP, VNC, SSH), login panels, VPN endpoints, and databases reachable from the public internet.

Risk Analysis

CVE detection against known software versions, expired or misconfigured TLS certificates, security header gaps, and technology fingerprinting.

What Assessments Typically Find

Assessments commonly reveal forgotten subdomains and shadow IT not tracked in any asset inventory: development servers, old marketing sites, and staging environments left running with default credentials.

Typical findings include unpatched VPN concentrators and remote access services exposed to the internet. These often carry known CVEs that are actively exploited but go unnoticed because they sit outside the internal vulnerability scan scope.

Free assessments frequently turn up expired TLS certificates, misconfigured security headers, and exposed admin panels that create easy footholds. Paid tiers add OT/ICS protocol scanning across 25+ industrial protocols. See plans.

Request Your Free Assessment

No credit card. No commitment. Just visibility.


10M+ OT assets mapped

500+ ICS device fingerprints

60+ OT protocols scanned

What You Get Back

24hr

Initial results delivered

Zero

Agents or network changes needed

Free

No commitment, no strings

Aligned with major OT compliance frameworks

NERC CIP
IEC 62443
NIST CSF 2.0
NIS2

Member of the IoT Security Foundation (IoTSF)

PREVIEW

See what you’ll receive

This sample shows a Pro-tier report with OT protocol scanning enabled. Free assessments cover asset discovery, exposed services, and vulnerability findings. Compare tiers.

SAMPLE REPORT

ShiftSix Security

External OT Exposure Assessment

Automated passive reconnaissance & risk analysis

TLP:AMBER

Recipient only

Organization: REDACTED — Regional Water Utility

Assessment Date: June 2026

Report ID: RPT-######

Executive Summary

72/100

High Risk

Assessment identified 47 external assets, 12 findings across 3 severity levels, and 2 exposed industrial control system endpoints reachable from the public internet without authentication.

Immediate remediation recommended for critical OT exposures. Estimated remediation effort: 4–8 hours for critical findings.

Key Findings

Critical
Exposed Modbus TCP Endpoint on Port 502

IP: ███.███.██.██ — No authentication required. Function codes 1–6 accessible. Device responds to read holding registers. Direct PLC access from public internet.

Critical
BACnet/IP Service Exposed on Port 47808

IP: ███.██.███.██ — Building automation controller responding to Who-Is broadcasts. Vendor: REDACTED. Object count: 847.

High
Unpatched SonicWall SMA 100 (CVE-2024-40766)

Management interface at vpn.██████.com — CVSS 9.3, actively exploited in the wild. Improper access control allows unauthenticated remote access.

Medium
Expired TLS Certificate on SCADA Web Portal

scada.██████.com — Certificate expired 47 days ago. Users bypassing browser warnings. Subject CN does not match hostname.

Info
3 Subdomains Not in Asset Inventory

Discovered via passive DNS and certificate transparency logs. These hosts are not tracked in the organization’s known asset list and may represent shadow IT or decommissioned services.

Asset Summary

3 Root Domains

47 Subdomains

23 IP Addresses

89 Open Ports

2 OT Protocols

Compliance Mapping

NERC CIP: CIP-005, CIP-007, CIP-010

IEC 62443: SR 1.1, SR 2.1, SR 5.2

NIST CSF 2.0: ID.AM, PR.AC, DE.CM

Full compliance gap analysis with specific control references included in your report.

Confidential — Prepared by ShiftSix Security — shiftsixsecurity.com


This is a sample. Your report will contain real findings specific to your organization, delivered within 24 hours.

Get Your Free Exposure Report →

No commitment. No sales call required. Just your domain name.
