
ComplianceLayer


Show HN Post — ComplianceLayer


Target: news.ycombinator.com
Timing: Tuesday-Thursday, 9-11 AM EST (peak HN traffic)
Goal: Early adopters, API developers, security-minded engineers who will try it and share it


Post

Title: Show HN: ComplianceLayer – External security scoring API for any domain (DNS, SSL, ports, headers)


Hey HN,

I built ComplianceLayer after getting frustrated with two things:

  1. Enterprise security scoring tools (SecurityScorecard, BitSight) that cost $20K+/year and are built for procurement teams, not engineers
  2. Security audits that live in PDFs nobody reads

ComplianceLayer is an API that scans any domain and returns a structured security score across four categories:

  • DNS/Email — SPF, DMARC, DKIM, CAA, DNSSEC
  • SSL/TLS — cert validity, chain issues, expiry, protocol versions
  • Open ports — TCP scan for exposed services (RDP, SSH, SMB, common web ports)
  • HTTP headers — HSTS, CSP, X-Frame-Options, CORS, referrer policy

Each check returns a score (0-100), grade (A-F), and specific findings with remediation steps.

Use cases so far:

  • MSPs running automated security checks across their client base
  • SaaS companies checking vendor/supplier posture before onboarding
  • Security consultants generating client-facing reports programmatically
  • Developers building security dashboards

Quick example:

curl -H "Authorization: Bearer sk_..." \
  -H "Content-Type: application/json" \
  https://api.compliancelayer.net/v1/scan \
  -d '{"domain": "example.com"}'

Returns:

{
  "domain": "example.com",
  "overall_score": 74,
  "grade": "C",
  "categories": {
    "dns_email": {"score": 65, "grade": "D", "issues": ["No DMARC policy", "No DKIM"]},
    "ssl_tls": {"score": 98, "grade": "A", "issues": []},
    "open_ports": {"score": 80, "grade": "B", "issues": ["Port 22 open"]},
    "http_headers": {"score": 55, "grade": "F", "issues": ["No HSTS", "No CSP", "No X-Frame-Options"]}
  }
}
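To make the four-category scoring model concrete, here is an added Python mini-scorer for two of the categories (DNS/Email and HTTP headers) that emits the same response shape as above. It is illustration code written for this post, not ComplianceLayer's scanner, whose weights are not published here: the grade bands, the per-finding deductions, and the floor-of-mean overall score are all assumptions, chosen so that the sample numbers above (65/D for "No DMARC policy" and "No DKIM", 55/F for the three missing headers) come out the same. Inputs are constructed: already-resolved TXT records instead of live DNS lookups, and a plain dict of response headers instead of an HTTP fetch.

```python
import json
from typing import Dict, List

# Assumed grade bands (the post shows grades but not the cut-offs); they fit the
# sample response's pairs 98/A, 80/B, 74/C, 65/D and 55/F.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]


def grade(score: int) -> str:
    """Map a 0-100 score to a letter grade using the assumed bands above."""
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def score_dns_email(domain: str, txt: Dict[str, List[str]],
                    dkim_selectors=("default",)) -> dict:
    """Score SPF/DMARC/DKIM from already-resolved TXT records.
    txt maps a name to its TXT strings (constructed input; a real scanner would
    resolve these). Deduction weights are assumptions."""
    score, issues = 100, []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        score -= 30; issues.append("No SPF record")
    else:
        mechanisms = spf[0].split()
        if "-all" not in mechanisms:  # ~all / ?all / +all let spoofed mail through
            score -= 20 if ("+all" in mechanisms or "?all" in mechanisms) else 5
            issues.append("SPF does not end in -all")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        score -= 25; issues.append("No DMARC policy")
    elif parse_tags(dmarc[0]).get("p", "none") == "none":
        score -= 15; issues.append("DMARC policy is p=none (monitor only)")

    # DKIM keys live under <selector>._domainkey; only known selectors can be checked.
    if not any(txt.get(f"{s}._domainkey.{domain}") for s in dkim_selectors):
        score -= 10; issues.append("No DKIM")

    return {"score": score, "grade": grade(score), "issues": issues}


def score_http_headers(headers: Dict[str, str]) -> dict:
    """Score response headers (names compared case-insensitively). Weights are assumptions."""
    h = {k.lower(): v for k, v in headers.items()}
    score, issues = 100, []
    if "strict-transport-security" not in h:
        score -= 15; issues.append("No HSTS")
    if "content-security-policy" not in h:
        score -= 15; issues.append("No CSP")
    # frame-ancestors in CSP is the modern equivalent of X-Frame-Options.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        score -= 15; issues.append("No X-Frame-Options")
    if "referrer-policy" not in h:
        score -= 5; issues.append("No Referrer-Policy")
    if h.get("access-control-allow-origin") == "*":
        score -= 10; issues.append("CORS allows any origin")
    return {"score": score, "grade": grade(score), "issues": issues}


def scan_report(domain: str, txt: Dict[str, List[str]], headers: Dict[str, str]) -> dict:
    """Assemble the response shape from the post for the two categories scored here."""
    cats = {"dns_email": score_dns_email(domain, txt),
            "http_headers": score_http_headers(headers)}
    overall = sum(c["score"] for c in cats.values()) // len(cats)  # assumed: floor of the mean
    return {"domain": domain, "overall_score": overall, "grade": grade(overall), "categories": cats}


# Constructed sample inputs, not real lookups: a strict SPF record, no DMARC, no DKIM,
# and a response that sets Referrer-Policy but none of the other security headers.
SAMPLE_TXT = {"example.com": ["v=spf1 include:_spf.example.net -all"]}
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    print(json.dumps(scan_report("example.com", SAMPLE_TXT, SAMPLE_HEADERS), indent=2))
```

Running it reproduces the two sample category blocks (65/D with "No DMARC policy", "No DKIM"; 55/F with the three missing headers); pass a DMARC record with `p=none` or an SPF record ending in `~all` to see the softer deductions.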

What I found scanning 200 random SMB domains:

  • 59% have no DMARC policy (fully spoofable)
  • 29% serve HTTP without redirect
  • 18% have SSH exposed directly to internet
  • 7% have RDP exposed to internet (the scariest one)
  • Only 23% have HSTS enabled

Pricing: Free tier (10 scans/day), then $99/mo for 250 scans. API key in 30 seconds, no sales call.

Happy to answer questions about the tech stack, scanning methodology, or how I handle rate limiting / false positives on the port scanning side.

compliancelayer.net


Anticipated HN Questions & Answers

"How do you handle false positives on port scanning?"

TCP SYN scan with 3-attempt verification before flagging. We also check against common CDN/proxy IP ranges and flag those differently. Still imperfect — external port scanning has inherent limitations. We're clear about that in the docs.
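Here is an added Python sketch of that verification step, written for this post rather than taken from ComplianceLayer (whose scanner, per the tech-stack answer, is a custom SYN implementation). A plain asyncio connect() probe stands in for the SYN scan; a port is flagged only when every one of the attempts agrees, so a single transient "open" is dropped; and a finding whose address falls inside a CDN/proxy range is reported as an edge listener rather than as an origin exposure. The CDN range is a constructed placeholder (the TEST-NET-3 documentation block) standing in for a provider's published list, and `scripted_probe` replays fixed outcomes so the logic runs offline; the `__main__` demo probes a loopback listener it starts itself, which is also the way to confirm a reported open port on a host you operate.

```python
import asyncio
import ipaddress
from typing import Awaitable, Callable, Iterable, Optional

# Constructed CDN/proxy ranges for this example (TEST-NET-3); a real deployment
# would load the providers' published ranges. An open port on one of these
# addresses belongs to the edge, not to the customer's origin host.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

Probe = Callable[[str, int], Awaitable[Optional[bool]]]


async def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Optional[bool]:
    """One TCP connect attempt (assumption: stands in for the post's SYN scan).
    True = open, False = actively refused, None = timeout or unreachable."""
    try:
        _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
        writer.close()
        await writer.wait_closed()
        return True
    except ConnectionRefusedError:
        return False
    except (asyncio.TimeoutError, OSError):
        return None


def scripted_probe(outcomes: Iterable[Optional[bool]]) -> Probe:
    """Probe that replays a fixed sequence of outcomes (constructed, so the demo runs offline)."""
    it = iter(outcomes)

    async def probe(host: str, port: int) -> Optional[bool]:
        return next(it)
    return probe


async def verify_open(host: str, port: int, probe: Probe = tcp_probe, attempts: int = 3) -> bool:
    """The 3-attempt verification: a port counts as open only if every attempt says so.
    One open result followed by a timeout or refusal is treated as noise, not a finding."""
    for _ in range(attempts):
        if await probe(host, port) is not True:
            return False
    return True


async def assess(ip: str, port: int, probe: Probe = tcp_probe, attempts: int = 3) -> dict:
    """Verify a candidate finding and classify it for the report."""
    confirmed = await verify_open(ip, port, probe, attempts)
    behind_cdn = any(ipaddress.ip_address(ip) in net for net in CDN_RANGES)
    if not confirmed:
        status = "not_flagged"          # could not reproduce the open port
    elif behind_cdn:
        status = "open_on_cdn_edge"     # reported separately, not as an origin exposure
    else:
        status = "open"
    return {"ip": ip, "port": port, "confirmed": confirmed,
            "behind_cdn": behind_cdn, "status": status}


def assess_sync(ip: str, port: int, probe: Probe = tcp_probe, attempts: int = 3) -> dict:
    """Blocking convenience wrapper around assess()."""
    return asyncio.run(assess(ip, port, probe, attempts))


async def _demo_loopback() -> None:
    # Start a throwaway listener on loopback so the real probe has something to hit.
    server = await asyncio.start_server(lambda r, w: w.close(), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    print(await assess("127.0.0.1", port))   # status 'open'
    server.close()
    await server.wait_closed()
    print(await assess("127.0.0.1", port))   # refused on every attempt -> 'not_flagged'


if __name__ == "__main__":
    asyncio.run(_demo_loopback())
```

The point of the all-attempts-must-agree rule is that it errs toward under-reporting: a listener that answers once and then times out (a rate limiter, a flapping service, a middlebox) is not written into the client's report as an exposure, which is the trade-off the answer above accepts when it says the method is still imperfect.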

"What's the legal situation with scanning domains you don't own?"

We scan only publicly accessible services — same as what any internet-connected system can observe. No exploitation, no intrusion. We follow responsible disclosure norms and have a clear AUP. Scanning a domain you don't own for malicious purposes violates our ToS.

"How does this compare to Shodan?"

Shodan is a search engine for internet-connected devices — it indexes what it finds. ComplianceLayer is a scoring/reporting layer that combines multiple data sources (DNS lookups, SSL checks, port scans, header analysis) and gives you a structured grade optimized for reporting and monitoring, not raw discovery.

"What's the tech stack?"

Python/FastAPI backend, PostgreSQL, Redis for rate limiting and caching. Port scanning via asyncio with custom TCP implementation (not nmap — too heavy for API use). Hosted on Hetzner.

"Can I self-host this?"

Not currently. It's SaaS. The port scanning infrastructure in particular is complex to self-host correctly (IP reputation, rate limiting, legal compliance per jurisdiction).

"What's the scan speed?"

Full scan (all 4 categories) typically completes in 8-15 seconds. DNS/SSL/Headers are fast; port scanning is the bottleneck. We scan ~100 common ports.


Launch Day Plan

  1. Post at 9 AM Tuesday (best HN traffic window)
  2. Monitor comments — respond to everything within 30 min for first 2 hours
  3. Don't be defensive about criticism — thank them, take notes
  4. Have the API actually working flawlessly before posting (non-negotiable)
  5. Free tier must be no-friction (email + instant key, no credit card)

Success Metrics

  • Good: 50 points, 20 comments, top 30 of the day
  • Great: 100+ points, 50+ comments, front page
  • Home run: Front page + feature in "Best of HN" digest

Last updated: 2026-03-07

