Your Domain's External Attack Surface: What Hackers See Before You Do
Published on hashnode.com — target tags: security, cybersecurity, api, devops, dns
Here's a scenario that plays out constantly: a company gets breached. The incident report comes back and the finding is something embarrassingly basic — an expired SSL cert with a weak cipher suite, an open Redis port, no SPF record on the primary domain so attackers spoofed their emails for months.
The kicker? Any attacker (or anyone else) could have spotted these issues in 30 seconds with an external scan. The company just never looked.
What "external attack surface" means
Your external attack surface is everything visible from the public internet, without any credentials or inside access. It's what your clients see, what search engines index, and what attackers enumerate.
The four core areas:
SSL/TLS security — Not just "does HTTPS work" but what protocols you accept, what cipher suites you negotiate, whether HSTS is configured, whether your cert expires in 3 days (this happens constantly), and whether certificate transparency shows unauthorized certs.
DNS configuration — Your DNS records telegraph a lot. Missing or misconfigured SPF means anyone can spoof email from your domain. No DMARC means you have zero visibility into who's sending as you. Missing DNSSEC means you're vulnerable to DNS poisoning. And dangling CNAME records pointing to unclaimed cloud resources are a trivially exploitable subdomain takeover.
HTTP security headers — These are configuration lines that take minutes to add but most servers skip:
Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Missing these enables clickjacking, MIME sniffing attacks, and data leakage.
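As an added illustration (not code from the original post or from ComplianceLayer), here is a stand-alone check for the six headers listed above, including the "HSTS max-age too short" case the scan report flags; the one-year HSTS threshold and the nosniff check are my assumptions.

```python
# Added example (not the post's or ComplianceLayer's code): header audit
import re
import urllib.request

REQUIRED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]
# Assumed threshold: one year, the minimum hstspreload.org asks for.
MIN_HSTS_MAX_AGE = 31536000

def audit_headers(headers):
    """Return a list of findings for a dict of response headers (case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in lower:
            findings.append(f"Missing {name}")
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("HSTS header present but no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short ({m.group(1)}s, want >= {MIN_HSTS_MAX_AGE}s)")
    xcto = lower.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got {xcto!r}")
    return findings

def fetch_headers(url):
    """Fetch response headers for url with the standard library (network required)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())

if __name__ == "__main__":
    # Constructed sample: a server that sets only two of the six headers.
    sample = {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=300",
        "X-Content-Type-Options": "nosniff",
    }
    for finding in audit_headers(sample):
        print(finding)
```

Point `fetch_headers` at your own site and pass the result to `audit_headers` to reproduce the headers module of the report locally.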
Open ports — What services are publicly accessible? SSH open to the world? An admin panel on a non-standard port? A database that got misconfigured during a deployment? This is often where the real surprises live.
The tooling problem
Most security tools are built for internal use — they need credentials, network access, or agent installation. That's great for runtime security but it leaves a gap: you never see yourself the way an outsider does.
I've been using ComplianceLayer for this. It's a REST API that runs external-only scans and returns a structured report:
{
  "grade": "B",
  "score": 78,
  "risk_level": "medium",
  "critical_issues": 0,
  "high_issues": 2,
  "medium_issues": 6,
  "modules": {
    "ssl": { "grade": "A", "findings": [...] },
    "dns_email": { "grade": "C", "findings": ["No DMARC record", "SPF too permissive"] },
    "headers": { "grade": "B", "findings": ["Missing CSP", "HSTS max-age too short"] },
    "ports": { "grade": "A", "findings": [] }
  }
}
Each finding includes a remediation step. It's not just "you're missing X" — it tells you exactly what to add.
Practical workflow for MSPs
If you're managing IT for multiple clients, the API makes this scalable:
import requests
import time

API_KEY = "your-key"
BASE_URL = "https://compliancelayer.net/v1"

def scan_domain(domain, poll_interval=10, max_polls=60):
    # Start scan
    r = requests.post(f"{BASE_URL}/scan/",
                      json={"domain": domain},
                      headers={"X-API-Key": API_KEY},
                      timeout=30)
    r.raise_for_status()
    job_id = r.json()["job_id"]
    # Poll for completion (bounded, so a stuck job cannot hang the whole audit)
    for _ in range(max_polls):
        time.sleep(poll_interval)
        result = requests.get(f"{BASE_URL}/scan/jobs/{job_id}",
                              headers={"X-API-Key": API_KEY},
                              timeout=30).json()
        if result["status"] == "completed":
            return result["result"]
    raise TimeoutError(f"scan {job_id} for {domain} did not complete in time")

def alert_on_call(domain, report):
    # your alerting function (placeholder: replace with PagerDuty, Slack, email, ...)
    print(f"ALERT {domain}: {report['critical_issues']} critical issue(s)")

# Run monthly audit across client domains
clients = ["client1.com", "client2.com", "client3.net"]
for domain in clients:
    report = scan_domain(domain)
    print(f"{domain}: Grade {report['grade']} ({report['score']}/100)")
    if report["critical_issues"] > 0:
        alert_on_call(domain, report)
Free tier gives you 10 scans/month. Starter ($99/mo) gives you enough for a small MSP client list.
Why this matters for cyber insurance
This is the angle that's getting more relevant: cyber insurance underwriters are increasingly running external scans themselves before quoting. A company with a D-grade external posture will either get denied or pay significantly more.
Running a scan before your renewal and fixing the obvious issues (headers, DMARC, weak TLS configs) can be the difference between a reasonable premium and a nasty surprise.
Try it on your domain
curl -X POST https://compliancelayer.net/v1/scan/ \
  -H "X-API-Key: cl_pub_YeiV6xHoTcBlOFrgCrIfVYlUoeYBSEyVl65d8bCQIlo" \
  -H "Content-Type: application/json" \
  -d '{"domain": "yourdomain.com"}'
(That's the public demo key — 10 free scans.)
What grade does your domain get? I'm curious.
ComplianceLayer: https://compliancelayer.net
Built by ComplianceLayer — scan any domain for security compliance in seconds. Get your free API key.