A focused look at your website and web applications from an attacker's perspective — scanning for the OWASP Top 10 vulnerability classes, misconfigurations, and publicly exposed weaknesses that could be exploited without ever touching your internal network.
Your website, booking form, customer portal, or e-commerce checkout is often the first thing an attacker examines. These public-facing applications can contain vulnerabilities that give an attacker a foothold into your business — without a password, without phishing anyone, and without you ever knowing.
The Attack Surface Assessment scans your web presence against the OWASP Top 10 — the widely used list of the most critical web application risk categories, published by the Open Worldwide Application Security Project (OWASP) — and looks for the most common and dangerous classes of vulnerability.
Up to 3 domains included. This covers your primary domain plus up to 2 additional domains or web applications. Each domain can include its associated subdomains and web pages — the surface area adds up quickly, which is why scope is set at 3 domains rather than an arbitrary page count.
Attackers rarely single out small businesses by hand — automated scanners probe millions of sites for known weaknesses at once. If your website has a vulnerability, assume it will be found. The question is whether you find it first.
A basic WordPress site with a contact form, a WooCommerce store, or an online scheduling system can have serious vulnerabilities. Plugin versions, form handling, and login pages are common weak points — and they're exactly what we check.
Our assessment is non-destructive. We scan and probe — we don't exploit. We will never cause downtime, delete data, or disrupt your site.
| OWASP Top 10 | Injection (including XSS), broken access control, identification and authentication failures, cryptographic failures, security misconfiguration, vulnerable and outdated components, and the remaining categories of the OWASP Top 10 (2021). |
| SSL/TLS configuration | Certificate validity and expiry, protocol versions (TLS 1.0/1.1 flagged), cipher strength, HSTS enforcement. |
| Security headers | Full analysis of Content Security Policy, X-Frame-Options, HSTS, referrer policy, and other protective HTTP headers. |
| Exposed admin interfaces | Login pages, admin panels, and management interfaces that are publicly accessible without additional protection. |
| CMS & plugin vulnerabilities | WordPress, Joomla, and Drupal core versions and the installed plugins or extensions we can detect, checked against known vulnerability (CVE) databases; WordPress sites are scanned with WPScan. |
| Information disclosure | Server banners, verbose error messages, directory listings, and exposed files that provide useful intelligence to attackers. |
| Domain & DNS | Subdomain enumeration and validation, dangling DNS records that expose you to subdomain takeover, and domain hijacking risks. |
| Domain scope | Up to 3 domains, each including associated subdomains and web pages in scope. |
| Plain-language report | Every finding explained clearly, rated by severity, with a concrete remediation step and the specific OWASP category referenced. |
| Results walkthrough | A video call to walk through every finding and discuss which issues to prioritize. |
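As an added example (not part of the original page and not the assessment provider's own tooling), the check below grades a set of HTTP response headers the way the security-header and information-disclosure rows above describe: it flags missing or weak HSTS, a Content Security Policy that tolerates inline scripts, framing without protection, MIME sniffing, leaky referrer policies, and version-revealing Server banners. The thresholds (an HSTS max-age under one year, 'unsafe-inline' without a nonce or hash) and the two sample header sets are assumptions constructed for the example.

```python
"""Grade HTTP security headers from a single response.

Added example, not the assessment provider's tooling. Thresholds and
sample headers are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumed threshold: an HSTS max-age shorter than one year is flagged as weak.
HSTS_MIN_AGE = 365 * 24 * 3600


@dataclass
class Finding:
    header: str
    severity: str   # "medium", "low" or "info"
    message: str


def _csp_directives(csp: str) -> dict:
    """Split a CSP value into {directive_name: [lower-cased source tokens]}."""
    directives = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _hsts_max_age(hsts: str):
    """Return the integer max-age from an HSTS value, or None if absent/invalid."""
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_headers(headers: dict) -> list:
    """Return a list of Finding objects for weak or missing protective headers."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []

    # HSTS: missing, no usable max-age, or a max-age too short to matter
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("Strict-Transport-Security", "medium",
                                "header missing; plain-HTTP requests are not upgraded"))
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None:
            findings.append(Finding("Strict-Transport-Security", "low",
                                    "max-age directive missing or invalid"))
        elif max_age < HSTS_MIN_AGE:
            findings.append(Finding("Strict-Transport-Security", "low",
                                    f"max-age={max_age} is shorter than one year"))

    # CSP: missing, or a script-src that tolerates inline scripts or any origin
    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append(Finding("Content-Security-Policy", "medium",
                                "header missing; no mitigation for injected scripts"))
    else:
        script_src = directives.get("script-src", directives.get("default-src", []))
        # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
        has_nonce_or_hash = any(
            t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append(Finding("Content-Security-Policy", "medium",
                                    "script-src allows 'unsafe-inline' without a nonce or hash"))
        if "*" in script_src:
            findings.append(Finding("Content-Security-Policy", "medium",
                                    "script-src allows scripts from any origin (*)"))

    # Clickjacking: either CSP frame-ancestors or X-Frame-Options must be present
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append(Finding("X-Frame-Options", "medium",
                                "no frame-ancestors or X-Frame-Options; page can be framed"))

    # MIME sniffing
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options", "low", "not set to nosniff"))

    # Referrer leakage
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(Finding("Referrer-Policy", "low", "header missing; browser default applies"))
    elif rp.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(Finding("Referrer-Policy", "low", f"'{rp}' leaks full URLs to third parties"))

    # Information disclosure: a Server banner carrying a version number
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(Finding("Server", "info", f"banner discloses version: {server}"))

    return findings


# Constructed sample responses (assumptions, not captured from any real site).
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com",
    "Strict-Transport-Security": "max-age=86400",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"[{label}]")
        for f in check_headers(hdrs) or [Finding("-", "info", "no findings")]:
            print(f"  {f.severity:6} {f.header}: {f.message}")
```

Run against a live site by feeding it `dict(response.headers)` from any HTTP client; the weak sample produces six findings across all six checks, while the hardened sample produces none.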
Non-destructive, non-intrusive scanning that doesn't interrupt your site or applications.
We confirm which domains and applications are in scope, and you provide written authorization. We never scan anything outside of what's agreed.
We run automated scanning tools against your web properties and manually review findings to eliminate false positives and add business context.
Plain-language report delivered within 48 hours, followed by a video call to walk through every finding and prioritize next steps.
Need more than 3 domains? Contact us for a custom quote.
Find out what your website and web applications are exposing before someone exploits it.
Get started →