Digital Infrastructure Exposure MCP Server

Digital infrastructure exposure reconnaissance delivered as an MCP server — query it from Claude, Cursor, or any AI agent to assess any domain's attack surface in seconds. This server orchestrates 8 passive data sources in parallel: WHOIS, DNS records, certificate transparency logs, IP geolocation, technology stack detection, Censys internet-wide scanning, NVD CVEs, and the CISA Known Exploited Vulnerabilities catalog.

No active scanning. No packets sent to target infrastructure. All data is gathered from public registries, internet-wide scan indexes, and certificate transparency logs. Connect once and your AI agents gain structured security intelligence on any domain — with a composite Digital Exposure Score (0-100) and specific remediation recommendations.

What data can you access?

MCP Tools

Why use Digital Infrastructure Exposure MCP?

Security teams manually gathering digital footprint data spend hours per target: running nmap, querying crt.sh, checking MX records, cross-referencing NVD — and they still miss the CISA KEV cross-reference. Platforms like SecurityScorecard charge $2,000+/year for comparable passive reconnaissance data.

This MCP server delivers the same intelligence pipeline to any AI agent in a single tool call. Your agent asks full_exposure_audit for a domain and receives a structured JSON report with a composite score, four dimensional sub-scores, and specific remediation steps — in under 90 seconds, for $0.045.

Benefits of running on the Apify platform:

• Scheduling — run exposure audits on a daily or weekly cadence to detect new subdomains or certificate changes automatically
• API access — trigger from Python, JavaScript, or any HTTP client for programmatic integration into security workflows
• Proxy rotation — data collection routes through Apify's proxy infrastructure for reliable access to all data sources
• Monitoring — get Slack or email alerts when runs fail or return unexpected results
• Integrations — connect results to Zapier, Make, Google Sheets, HubSpot, or outgoing webhooks for SIEM ingestion

Features

• 8 data sources in parallel — WHOIS, DNS, crt.sh, IP geolocation, tech stack detection, Censys, NVD CVE, and CISA KEV all queried simultaneously using Promise.all for sub-90-second response times
• Infrastructure Sprawl Index — scores 0-100 across four components: subdomain count (max 30 pts), unique IP and DNS diversity (max 25 pts), geographic distribution (max 25 pts), and Censys-exposed service count (max 20 pts)
• Misconfiguration Detection — independently scores email security gaps (SPF/DKIM/DMARC, max 30 pts), certificate issues (expired or expiring within 30 days, self-signed, max 30 pts), DNS/WHOIS hygiene (dangling CNAMEs pointing to S3, Heroku, GitHub, Azure; domain expiry within 60 days, max 25 pts)
• Technology-to-CVE pipeline — maps detected technologies from the tech stack detector against NVD CVE records, scoring CRITICAL CVEs at 8 pts each and HIGH CVEs at 4 pts each, with a 30-point CISA KEV bonus for actively exploited vulnerabilities confirmed in ransomware campaigns
• HHI-based geographic concentration scoring — applies the Herfindahl-Hirschman Index to both country and provider distributions, flagging HHI above 5,000 as highly concentrated (a single-country, single-provider setup scores 10,000)
• Composite Digital Exposure Score — weighted formula: Misconfiguration × 0.30 + Tech Vulnerability × 0.30 + Infra Sprawl × 0.20 + Geo Concentration × 0.20, inverted to a 0-100 security posture scale
• 5-level verdict labels — HARDENED, ACCEPTABLE, EXPOSED, HIGH_RISK, CRITICAL_EXPOSURE with automatic override: CRITICAL tech vulnerability + CRITICAL misconfiguration always returns CRITICAL_EXPOSURE regardless of other scores
• Specific remediation recommendations — each report includes a prioritized action list derived from which dimensions scored poorly (CISA KEV patches, DMARC/SPF/DKIM setup, subdomain audit, geo diversification, SSL renewal)
• Dangling CNAME detection — specifically checks for CNAMEs pointing to S3, Heroku, GitHub, Azure, and CloudFront endpoints that may be claimable by a third party
• NS redundancy check — flags single nameserver configurations as DNS single points of failure
• Passive-only data collection — all data sourced from public registries, certificate transparency logs, and pre-existing internet scan indexes; no packets sent to target infrastructure

Use cases for digital infrastructure exposure assessment

Vendor and third-party risk management

Security and procurement teams need quantified risk scores before onboarding new vendors and during ongoing monitoring. Run full_exposure_audit against each vendor domain to generate a Digital Exposure Score that feeds into your vendor risk register. A vendor with CISA KEV matches and missing DMARC gets flagged for remediation before contract signing, not after a breach.

Penetration testing OSINT phase

Pentesters and red teams spend the first phase of an engagement mapping the target's attack surface. Run subdomain_discovery and internet_service_enumeration to enumerate certificate-issued subdomains, open ports, and service banners before active testing begins. The passive approach leaves no footprint and covers ground that manual crt.sh querying misses.

Cyber insurance underwriting and renewal

Underwriters and brokers assessing cyber insurance applications need structured evidence of security posture. Run full_exposure_audit and tech_stack_vulnerability_match to produce a quantified exposure profile. Exploitable CVEs and infrastructure sprawl metrics inform premium calculation and policy conditions.

Internal IT asset discovery and shadow IT

IT and security operations teams often have incomplete CMDBs. Certificate transparency logs reveal every SSL certificate ever issued for a domain — including subdomains standing up shadow IT projects. Run subdomain_discovery monthly to detect assets that do not appear in your asset inventory.

DNS and email security compliance auditing

Organizations implementing DMARC enforcement or preparing for email authentication compliance (e.g., Google/Yahoo bulk sender requirements) need a baseline audit. Run dns_security_audit to check SPF, DKIM, and DMARC record presence, detect dangling CNAMEs, and flag domain registration lapse risk.

Mergers, acquisitions, and investment due diligence

M&A analysts and investors assessing technology companies need to understand the target's digital hygiene. Run compare_org_exposure to generate a structured exposure profile covering all four risk dimensions. Known exploited vulnerabilities in the tech stack materially affect valuation and post-acquisition remediation budget.

How to query digital infrastructure exposure data

1. Connect the MCP server to your AI client — Add the server URL https://digital-infrastructure-exposure-mcp.apify.actor/mcp to Claude Desktop, Cursor, Windsurf, or any MCP-compatible client (see the connection section below). You need an Apify account and API token.

2. Ask your agent to audit a domain — Provide the target domain name (e.g., acmecorp.com) and specify what you need. Your agent selects the appropriate tool automatically, or you can request a specific tool by name.

3. Wait 30-90 seconds — The server queries up to 8 data sources in parallel. Most single-tool calls complete in under 45 seconds. The full_exposure_audit orchestrates all 8 sources and typically returns in 60-90 seconds.

4. Review the structured report — The agent presents the composite score, dimensional sub-scores, and prioritized recommendations in natural language. Raw JSON is available for programmatic integration.

MCP tool parameters

Output example

A full_exposure_audit call for acmecorp.com returns:

{
  "domain": "acmecorp.com",
  "compositeScore": 38,
  "verdict": "HIGH_RISK",
  "infraSprawl": {
    "score": 62,
    "subdomainCount": 34,
    "uniqueIPs": 11,
    "geoRegions": 4,
    "sprawlLevel": "SPRAWLING",
    "signals": [
      "34 subdomains discovered — large attack surface",
      "Infrastructure spans 4 countries — geographic sprawl",
      "12 exposed services found via Censys — large service footprint"
    ]
  },
  "misconfiguration": {
    "score": 58,
    "emailSecurityGaps": 2,
    "certIssues": 3,
    "dnsIssues": 2,
    "misconfigLevel": "SIGNIFICANT",
    "signals": [
      "Missing SPF record — email spoofing risk",
      "Missing DMARC record — no email authentication enforcement",
      "3 certificate issues — expired or soon-expiring certs",
      "Domain expiring within 60 days — registration lapse risk"
    ]
  },
  "techVuln": {
    "score": 74,
    "techsDetected": 9,
    "cveMatches": 7,
    "kevMatches": 2,
    "vulnLevel": "HIGH",
    "signals": [
      "2 CRITICAL CVEs found — immediate patching required",
      "4 HIGH severity CVEs — significant vulnerability exposure",
      "2 CISA Known Exploited Vulnerabilities — actively targeted"
    ]
  },
  "geoConcentration": {
    "score": 71,
    "countries": 1,
    "providers": 1,
    "concentrationLevel": "HIGHLY_CONCENTRATED",
    "signals": [
      "Country HHI 8,450 — highly concentrated hosting geography",
      "Provider HHI 9,100 — single provider dependency",
      "Single NS server — DNS single point of failure"
    ]
  },
  "allSignals": [
    "34 subdomains discovered — large attack surface",
    "Infrastructure spans 4 countries — geographic sprawl",
    "Missing SPF record — email spoofing risk",
    "Missing DMARC record — no email authentication enforcement",
    "3 certificate issues — expired or soon-expiring certs",
    "Domain expiring within 60 days — registration lapse risk",
    "2 CRITICAL CVEs found — immediate patching required",
    "2 CISA Known Exploited Vulnerabilities — actively targeted",
    "Single NS server — DNS single point of failure"
  ],
  "recommendations": [
    "Implement SPF/DKIM/DMARC — email security gaps detected",
    "Patch CISA KEV vulnerabilities immediately — actively exploited",
    "Run vulnerability scan and patch critical/high CVEs",
    "Audit subdomain inventory — reduce attack surface",
    "Diversify hosting geography — single point of failure",
    "Renew or replace expired/expiring SSL certificates",
    "Engage external penetration testing — high digital exposure risk"
  ]
}

Output fields

How much does it cost to audit digital infrastructure exposure?

This MCP server uses pay-per-event pricing — each tool call costs $0.045. Platform compute costs are included. All 8 tools are priced identically. There is no monthly subscription.

You can set a maximum spending limit per run to control costs. The actor stops when your budget is reached.

Compare this to SecurityScorecard at $2,000+/year or BitSight at similar tiers — with this MCP, a 500-vendor monitoring program costs $22.50/month with no subscription commitment and no annual contract. The free Apify tier includes $5 of monthly credits, covering over 100 tool calls with no payment method required.

How to connect this MCP server

Claude Desktop

Add the following to your claude_desktop_config.json:

{
  "mcpServers": {
    "digital-infrastructure-exposure": {
      "url": "https://digital-infrastructure-exposure-mcp.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_APIFY_TOKEN"
      }
    }
  }
}

Cursor / Windsurf / Cline

Add the MCP server URL in your client's MCP configuration panel:

https://digital-infrastructure-exposure-mcp.apify.actor/mcp

Include your Apify API token as a Bearer token in the Authorization header.

Python (direct HTTP)

import requests
import json

response = requests.post(
    "https://digital-infrastructure-exposure-mcp.apify.actor/mcp",
    headers={
        "Content-Type": "application/json",
        "Authorization": "Bearer YOUR_APIFY_TOKEN"
    },
    json={
        "jsonrpc": "2.0",
        "method": "tools/call",
        "params": {
            "name": "full_exposure_audit",
            "arguments": {"domain": "acmecorp.com"}
        },
        "id": 1
    }
)

result = response.json()
report = json.loads(result["result"]["content"][0]["text"])
print(f"Domain: {report['domain']}")
print(f"Composite Score: {report['compositeScore']}/100")
print(f"Verdict: {report['verdict']}")
for rec in report["recommendations"]:
    print(f"  - {rec}")

JavaScript / TypeScript

const response = await fetch(
  "https://digital-infrastructure-exposure-mcp.apify.actor/mcp",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: "Bearer YOUR_APIFY_TOKEN",
    },
    body: JSON.stringify({
      jsonrpc: "2.0",
      method: "tools/call",
      params: {
        name: "dns_security_audit",
        arguments: { domain: "acmecorp.com" },
      },
      id: 1,
    }),
  }
);

const data = await response.json();
const result = JSON.parse(data.result.content[0].text);
console.log(`Misconfig Level: ${result.misconfiguration.misconfigLevel}`);
console.log(`Email Security Gaps: ${result.misconfiguration.emailSecurityGaps}`);
result.misconfiguration.signals.forEach(s => console.log(`  - ${s}`));

cURL

# Full exposure audit
curl -X POST "https://digital-infrastructure-exposure-mcp.apify.actor/mcp" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "full_exposure_audit",
      "arguments": {"domain": "acmecorp.com"}
    },
    "id": 1
  }'

# DNS security audit only
curl -X POST "https://digital-infrastructure-exposure-mcp.apify.actor/mcp" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "dns_security_audit",
      "arguments": {"domain": "acmecorp.com"}
    },
    "id": 2
  }'

How Digital Infrastructure Exposure MCP works

Phase 1 — Parallel data collection across 8 sources

When a tool is called, the server constructs an array of actor calls mapped to pre-registered Apify actor IDs (actor-client.ts). All calls execute simultaneously via Promise.all with a 120-second timeout and 512 MB memory cap per sub-actor. The actor map resolves actor names to IDs: WHOIS (M7WwJi9RsIxqCtxsh), DNS (k1EsC3laNunPVzudh), crt.sh (4Y2KiVoSkeyjPfhPS), IP geolocation (04JaB1rtCNabRa2tf), tech stack detector (mBdMOhOMY7XtwX99T), Censys (2jY2b2r4VG46zxsC6), NVD CVE (36Kmjy7TucAUVh4SN), and CISA KEV (baoJ9EQl0Rb3hWYMv). Failed sub-actor calls return empty arrays and do not abort the report — the composite score degrades gracefully.

Phase 2 — Dimensional scoring across four models

scoring.ts runs four independent scoring functions against the collected data:

Infrastructure Sprawl (scoreInfraSprawl): Extracts unique subdomain names from crt.sh common_name and name_value fields into a deduplicated Set. Scores subdomain count on a stepped scale (≥50 = 30 pts, ≥20 = 22 pts, ≥10 = 15 pts). Adds unique IP/AAAA addresses from DNS A/AAAA records and scores DNS record volume. Geographic distribution scores country count at 3 pts each. Exposed Censys services score at 2 pts each.

Misconfiguration (scoreMisconfiguration): Iterates DNS TXT records checking for v=spf1, v=dkim, and v=dmarc substrings. Each missing email security record adds 10 pts to the email score (max 30). Certificate expiry is checked by parsing not_after / expiry / notAfter fields from crt.sh results — expired certs score 3 pts each, expiring within 30 days score 1 pt each. CNAME values are pattern-matched against s3, herokuapp, github, and azure strings to detect dangling subdomain takeover candidates. WHOIS expiry dates within 60 days add a domain lapse signal.

Technology Vulnerability (scoreTechVulnerability): Collects unique technology names from the tech stack detector into a Set. CRITICAL CVEs from NVD score 8 pts each; HIGH CVEs score 4 pts. CISA KEV entries confirmed with knownRansomwareCampaignUse === "known" score 3 pts each (others score 1 pt). A compound score of up to 15 pts activates when both critical CVEs and CISA KEV matches exist simultaneously.

Geographic Concentration (scoreGeoConcentration): Computes Herfindahl-Hirschman Index (HHI) separately for country distribution and provider/ASN distribution across all geolocated IPs. HHI for single-country or single-provider infrastructure reaches 10,000 (maximum concentration). NS record count from DNS determines nameserver redundancy — a single NS server scores 15 pts.

Phase 3 — Composite scoring and report assembly

The composite exposure score is computed as a weighted sum: Misconfiguration × 0.30 + TechVuln × 0.30 + InfraSprawl × 0.20 + GeoConcentration × 0.20, then inverted: compositeScore = 100 - riskScore. This means a higher composite score indicates better security posture (closer to a traditional security rating). A critical override rule applies: if both techVuln.vulnLevel === 'CRITICAL' and misconfiguration.misconfigLevel === 'CRITICAL', the verdict is forced to CRITICAL_EXPOSURE regardless of the numeric score. Recommendations are generated deterministically from which thresholds were breached.

Tips for best results

1. Start with full_exposure_audit for unknown targets. It runs all 8 sources in parallel and gives you the complete picture in one call. Use focused tools (dns_security_audit, ssl_certificate_health) only when you already know which dimension you want to explore.

2. Use tech_stack_vulnerability_match with the technology parameter when you know the exact product. Providing technology: "Apache 2.4.49" gives more precise CVE results than domain-based inference. This is especially useful when you already have a known tech stack and want to scope vulnerability exposure quickly.

3. Pair subdomain_discovery with internet_service_enumeration for OSINT phases. Run subdomain discovery first to get the inventory, then pipe interesting subdomains into internet_service_enumeration individually for port and banner detail.

4. Schedule dns_security_audit weekly for domains you control. DMARC and SPF records are frequently broken by DNS changes. Automated weekly monitoring catches regressions before attackers do. Use Apify Schedules with a webhook to Slack for alerts.

5. Use compare_org_exposure for portfolio monitoring. The tool's structured JSON output (with dimensional scores as separate fields) is easy to insert into a spreadsheet or database for trend tracking across a portfolio of vendor domains.

6. Interpret composite scores with both the number and the verdict. A score of 39 (HIGH_RISK) and a score of 41 (EXPOSED) are numerically close but represent different verdict bands. Always report the verdict label alongside the numeric score to avoid threshold-gaming when monitoring over time.

7. The free Apify tier covers over 100 tool calls. Each call costs $0.045. Apify's free $5/month credit runs approximately 111 calls — enough for a full vendor risk assessment of 15-20 organizations using full_exposure_audit.

Combine with other Apify actors and MCP servers

Limitations

• Passive data only — This server queries existing scan indexes and public registries. It does not actively probe target infrastructure. Some recent changes (new subdomains, patched services) may not be reflected in Censys or crt.sh indexes for up to 48-72 hours after they occur.
• Certificate transparency coverage requires SSL — Subdomains without SSL/TLS certificates will not appear in crt.sh results. Internal-only subdomains and private IP infrastructure are not discoverable.
• Tech-to-CVE matching is heuristic — CVE matching uses the domain as the NVD search term and the technology parameter when provided. It does not parse version strings directly from Wappalyzer output to produce exact CPE matches. False positives and false negatives are possible. Use the raw CVE list for manual validation.
• CISA KEV results are catalog-wide — The KEV search returns vulnerabilities matching the query term from the full CISA catalog. If the query matches multiple products, the returned KEV count may include entries not directly relevant to the target. Review individual CVE IDs before escalating.
• Censys data reflects pre-existing scans — Censys scans IPv4 space periodically (not real-time). Services that were recently opened or closed may not be reflected accurately.
• No authentication or session testing — This is purely a passive reconnaissance tool. It cannot test login forms, API authentication, or web application vulnerability classes (SQLi, XSS, etc.). For active web application testing, use a dedicated DAST tool.
• Domain registration privacy shields WHOIS — If the registrant uses WHOIS privacy (Domains By Proxy, WhoisGuard, etc.), ownership and expiry data may be partially masked.
• Sub-actor failures degrade gracefully — If a data source is temporarily unavailable, the corresponding scoring dimension returns 0 data and the composite score is computed from available dimensions. Check allSignals for coverage gaps.

Integrations

• Zapier — trigger dns_security_audit on a schedule and post findings to a Slack channel when misconfiguration level reaches SIGNIFICANT or above
• Make — orchestrate full_exposure_audit as part of a vendor onboarding workflow that creates a risk record in Airtable or Notion
• Google Sheets — export exposure score data for a portfolio of vendor domains into a spreadsheet for trend analysis
• Apify API — call any tool directly via HTTP POST for integration into existing security platforms, SIEMs, or GRC systems
• Webhooks — receive a webhook payload when an audit completes, enabling integration into incident response workflows
• LangChain / LlamaIndex — use this MCP server as a tool in a LangChain agent that combines exposure data with news retrieval and corporate intelligence for automated security briefings

Troubleshooting

• Composite score returns 0 or unexpectedly low — This typically means all sub-actors returned empty results. Check that the domain you provided is a valid, publicly accessible internet domain (e.g., acmecorp.com, not acmecorp or https://acmecorp.com). Internal domains, .local hostnames, and IP addresses are not supported.

• Tech vulnerability score is 0 despite visible technology on the site — The tech stack detector discovers technologies from HTTP headers and HTML content. Sites behind strict WAFs, or single-page applications with no server-side rendering, may return minimal tech signals. The CVE search also requires a matching query term — try providing the technology parameter explicitly (e.g., technology: "WordPress").

• Certificate issues are not being detected — crt.sh may return no results for newly registered domains or domains that have never issued SSL certificates through a browser-trusted CA. Self-hosted internal CAs are not logged to public certificate transparency logs.

• compare_org_exposure and full_exposure_audit return the same data — Both tools run the full exposure report pipeline. compare_org_exposure returns a more compact JSON structure optimized for comparison workflows, while full_exposure_audit returns the complete nested report with all raw source data slices.

• Run times exceed 90 seconds — Under high Apify platform load, sub-actor queuing can add latency. This is uncommon. If runs consistently exceed 120 seconds, the sub-actors are hitting their timeout limit — this typically means Censys or NVD returned no results quickly but another source is slow. The actor handles this gracefully and returns whatever data was collected.

Responsible use

• All data accessed by this server is publicly available through open registries, certificate transparency logs, and published internet scan datasets.
• This tool performs passive reconnaissance only. No active port scanning, authentication testing, or vulnerability exploitation is performed.
• Use exposure data in compliance with your jurisdiction's computer fraud and abuse statutes. Assessing your own infrastructure or performing authorized vendor assessments are standard acceptable uses.
• Do not use this tool to target organizations without authorization as part of preparation for unauthorized access.
• For guidance on web scraping and data collection legality, see Apify's legal guide.

FAQ

How does digital infrastructure exposure scoring differ from SecurityScorecard or BitSight? This MCP server applies four independent scoring models (infra sprawl, misconfiguration, tech vulnerability, geographic concentration) against the same underlying passive data sources. SecurityScorecard and BitSight are SaaS platforms with annual contracts starting at $2,000+. This server is pay-per-query at $0.045 per call — no contract, no minimum, and the raw data is returned alongside scores so you can audit the methodology.

Is digital infrastructure exposure scanning legal? Yes. All data comes from publicly available sources: WHOIS registries, DNS resolution, certificate transparency logs (which are public by design), and Censys pre-scanned internet data. No packets are sent to target infrastructure. This is equivalent in legal character to reading publicly published information. See Apify's guide on scraping legality.

Does this tool perform active scanning or send probes to target domains? No. All data is sourced from existing indexes and public registries. Censys data reflects their own periodic IPv4 scanning, not real-time probing by this server. No connection is initiated to the target infrastructure.

How accurate is the Digital Exposure Score? The composite score reflects the quality and completeness of data returned by each sub-actor. Domains with rich public footprints (many certificates, Censys-indexed services, detectable tech stacks) produce well-grounded scores. Domains with minimal internet presence may score misleadingly low on sprawl dimensions simply because there is less to discover — interpret low sprawl scores alongside the raw signal data.

How many domains can I audit in one session? Each tool call audits one domain. For multi-domain workflows, call the tool multiple times in sequence from your AI agent or use the Apify API in a loop. There is no hard limit on the number of calls — only your spending limit controls volume.

Can I use digital infrastructure exposure data for automated vendor monitoring? Yes. Use Apify Schedules to run full_exposure_audit against a list of vendor domains on a weekly cadence. Combine with webhooks to push score changes to a SIEM or Slack channel. This is one of the most common enterprise use cases.

What is the difference between dns_security_audit and full_exposure_audit? dns_security_audit queries only DNS records and WHOIS, producing a focused misconfiguration score covering email security (SPF/DKIM/DMARC), dangling CNAMEs, and registration expiry. It runs faster and costs the same ($0.045). Use it when you only need DNS hygiene data. full_exposure_audit adds six more data sources and produces the full composite report with tech vulnerability and geographic concentration dimensions.

How does tech-to-CVE matching work? The server calls the tech stack detector to identify technologies on the target domain, then queries the NVD CVE database with the domain or technology name. CRITICAL CVEs score 8 points each, HIGH CVEs score 4 points each. The CISA KEV catalog is cross-referenced to identify which CVEs are confirmed as actively exploited in the wild — these carry additional weight in the scoring model and trigger immediate-action recommendations.

Can I assess my own company's digital exposure? Yes, and this is one of the most common use cases. Run full_exposure_audit against your own domains to identify unknown subdomains, missing DNS security records, and tech stack vulnerabilities before external parties discover them. This is equivalent to a low-cost continuous attack surface management program.

Does the server support wildcard domains or IP ranges? The server accepts standard domain names (e.g., acmecorp.com). IP ranges are accepted by the internet_service_enumeration tool for Censys queries. Wildcard domains (e.g., *.acmecorp.com) are not currently supported as inputs — the base domain is sufficient for subdomain discovery via certificate transparency.

How long do results remain accurate? Certificate transparency results are current within 24-48 hours of certificate issuance. DNS records are queried live and reflect current zone data. Censys data reflects their most recent internet-wide scan, which can be 1-7 days old for any given IP. WHOIS data is live. For monitoring programs, weekly re-auditing is recommended.

Can I integrate the exposure score into my GRC or SIEM platform? Yes. Each tool returns structured JSON. The composite score and dimensional sub-scores are top-level numeric fields designed for database insertion. Use the Apify API or webhooks to pipe results into Splunk, Elastic, ServiceNow, or any GRC platform that accepts JSON via API or webhook.

Help us improve

If you encounter issues, you can help us debug faster by enabling run sharing in your Apify account:

1. Go to Account Settings > Privacy
2. Enable Share runs with public Actor creators

This lets us see your run details when something goes wrong, so we can fix issues faster. Your data is only visible to the actor developer, not publicly.

Support

Found a bug or have a feature request? Open an issue in the Issues tab on this actor's page. For custom solutions or enterprise integrations, reach out through the Apify platform.