Add-on or standalone

Attack Surface Assessment

A focused look at your website and web applications from an attacker's perspective — scanning for OWASP vulnerabilities, misconfigurations, and publicly exposed weaknesses that could be exploited without ever touching your internal network.

What it is

What attackers see when they look at your business online.

Your website, online booking form, customer portal, or e-commerce checkout is often the first thing an attacker examines. These public-facing applications can contain vulnerabilities that give an attacker a foothold into your business — without a password, without phishing anyone, and without you ever knowing.

The Attack Surface Assessment scans your web presence using the OWASP (Open Web Application Security Project) framework — the industry-standard checklist for web application security — and looks for the most common and most dangerous classes of vulnerability.

OWASP Top 10 is the most widely recognized framework for web application security risks. It covers everything from injection attacks and broken authentication to security misconfigurations and exposed sensitive data. Our assessment checks your applications against this framework and more.

Why this matters for small businesses

Attackers don't manually target small businesses — they use automated scanners that look for known weaknesses across millions of sites simultaneously. If your website has a vulnerability, it will be found. The question is whether you find it first.

You don't need a complex web app

Even a simple WordPress site with a contact form, a WooCommerce store, or an online scheduling system can have serious vulnerabilities. Plugin versions, form handling, and login pages are common weak points we check.

Passive scanning only

Our assessment is non-destructive. We scan and probe — we don't exploit. We will never cause downtime, delete data, or disrupt your site in the process of the assessment.

What's included

What we check.

  • OWASP Top 10 scanning — Injection (SQL, command), broken auth, sensitive data exposure, XML flaws, access control, misconfigurations, XSS, insecure deserialization, and more
  • SSL/TLS configuration — Certificate validity, protocol versions, cipher strength, HSTS enforcement
  • Security headers — Content Security Policy, X-Frame-Options, referrer policy, and other protective HTTP headers
  • Exposed admin interfaces — Login pages, admin panels, and management interfaces that are publicly accessible
  • CMS & plugin vulnerabilities — Outdated WordPress, Joomla, Drupal installations and known-vulnerable plugins
  • Information disclosure — Server banners, error messages, and exposed files that give attackers useful intelligence
  • Domain & DNS review — Subdomain enumeration, dangling DNS records, domain hijacking risks
  • Plain-language report — Every finding explained clearly, rated by severity, with a concrete remediation step

What's not included

Scope boundaries.

  • Active exploitation of discovered vulnerabilities
  • Manual code review or source code analysis
  • Internal network or device scanning (see Vulnerability Scan)
  • Fixing or patching identified vulnerabilities
  • More than 3 web applications or domains (contact us for larger scope)

The process

How the assessment works.

Non-destructive, passive scanning that doesn't interrupt your site or applications.

01. Scope & authorization

We confirm which websites and applications are in scope, and you provide written authorization. We never scan anything outside of what's agreed.

02. Scanning & analysis

We run automated scanning tools against your web properties and manually review findings to eliminate false positives and add context.

03. Report & review

You receive a plain-language report within 48 hours, followed by a call to walk through every finding and discuss which issues to prioritize.

Pricing

Simple, transparent pricing.

Priced per engagement. No subscription, no retainer. Add-on pricing applies when bundled with a Security Assessment.

Standalone: $447 (up to 3 domains)

  • Up to 3 websites or web apps
  • OWASP Top 10 + configuration checks
  • Plain-language report
  • Results walkthrough call

Add-on: $297 (when added to an assessment)

  • Same scope as standalone
  • Findings integrated into main report
  • No separate walkthrough call needed

Need more than 3 domains? Contact us for a custom quote.

See what attackers see.

Find out what your website and web applications are exposing before someone exploits it.