1. You provide your domain names, for example: "example.com".
2. We automatically find the systems belonging to this domain, such as name servers, mail servers, and subdomains, for example: "admin.example.com“ or “crm.example.com”.
3. You can add further subdomains.
4. You confirm we have your approval to scan.
5. We start automated vulnerability checks. We look for gaps in your IT infrastructure facing the internet. For example: open ports, unpatched server software, faulty server configurations, SQL injections, XSS, expiring security certificates and other potential security threats.
6. It is not a one-time scan. We proceed to continuously monitor your infrastructure. When new vulnerabilities in your infrastructure appear, we immediately inform you.
7. We do not just list all the vulnerabilities we have identified. We also assess and rank them according to their danger level.
8. You get access to your reporting dashboard. It shows overview and detailed information about your security risks, plus practical, understandable advice how to resolve each vulnerability.
9. In the dashboard, you have access to your past reports too, to use them as an audit trail.

We perform a range of many different security scans. We start with the search for new subdomains and perform full-port scans with service detection. Depending on the services found, we continue the scans with service-specific modules, such as testing weak usernames and passwords (e.g., for ssh, telnet, etc.), web vulnerabilities (such as SQL injections, XSS, etc.), or exploits of vulnerabilities in mail systems.

In addition, we check whether your IP addresses or domains appear on blocklists and subdomain takeovers.

Another dedicated monitoring system detects data leaks: unauthorized publication of your internal company data, or employee credentials (e-mail addresses or passwords) shared on dark web websites. These mainly originate from attacks on other websites where you or your employees have accounts.

Read details of the scans performed or our risk rating.

No. Internal systems are currently not in the scope of our audits.

But the main security risk comes from the external systems. They are accessible to everyone 24/7, therefore they pose an enormous risk if vulnerable.

Fixing vulnerabilities is not included in our service. We give concrete recommendations on which vulnerabilities are serious and how you can resolve them.

You are also welcome to contact us (support@offensity.com).

Offensity is a convenient web-based tool. No installation cost and effort needed to use it:

• No servers, no storage, no maintenance – we run the scans for you.
• Instant access to the latest features, with automatic upgrades.

You don’t need both at the same time. Cancel the old thing and use just Offensity.

Standard vulnerability scanners work in a "system-centric" way. The operator defines the target (usually IP addresses), starts the scan manually, or defines a schedule for regular scans. Planning and executing the scans and interpreting the results is complex and requires a wide range of expertise.

Our security monitoring solution focuses not on systems but on companies. We regularly check whether domain names or IP addresses change or whether we can detect adjustments to e-mail and name servers. Accordingly, we adapt our scanning configurations individually.

We perform incremental scans at short intervals. Therefore, we detect new issues within a short time.

Vulnerabilities, once discovered, will be rechecked regularly. Or, you can permanently close issues as accepted risks or false positives.

Some vulnerability scanners help only with specific use cases. For example, there are scanners for networks or web applications. This makes it necessary for companies that handle their vulnerability management to buy several products at a high total price.

Security monitoring from Offensity combines different scanners. Furthermore, data leakage monitoring and blocklists complement our security scans.

Yes. Our reporting dashboard provides an API. Use this API to transfer all issues to an internal bug tracker. (This synchronization process is not included in our products. We only provide access to the data).

Yes. All reports can also be exported as PDF and shared with colleagues (in case they should not get direct access to the dashboard), with external developers or with agencies. You can also export the data from the infrastructure monitoring as a CSV file for possible further processing

Offensity indexes and lists all services visible on the public internet. You can filter the services in your infrastructure by a specific port, by software, or by any other keyword. Have a look at the infrastructure view in our demo dashboards.

Offensity provides a one-page report that graphically presents risks and summarizes the most important measures. You can also find the Management summary in our demo dashboard.

Yes. You will be able to access the full functionality of the Professional package. The trial expires automatically after 4 weeks.

Yes. You can click through an Offensity Demo Report immediately - without logging in.

Products with monthly contract binding can be canceled at any time. The product will be active until the end of the billing cycle for the already paid billing period.

You can cancel products with yearly contract binding anytime. You will continue using the product until the end of the period that you have already paid. But we hope you will not cancel.

Vulnerability scanners always generate some server load. We try to achieve a good balance between fast scans and a reasonable workload on the target systems. For example, our full-port scan runs at an average of one SYN packet per second per IP address, which means that a full scan (UDP and TCP) takes about 1,5 days. In the web domain, our goal is to send a maximum of 10 packets per second per subdomain at any given time.

Our experience shows that most systems cope very well with the server load we generate.

Since we cannot determine who is running the servers with IP addresses, we only allow subdomains as targets.

Human penetration testing is essential when security requirements are high. It uses the knowledge, creativity and unpredictability of ethical hackers to perform deep tests customized for each individual company. It finds complex vulnerabilities that only humans can find. We recommend to do it once or twice per year.

Offensity is not a replacement for penetration testing, but an addition. It is a simple, comprehensive and low-cost way to regularly monitor all your external attack surface. Because it is automated, it can do things humans cannot. For example:

• Check regularly and at very short intervals. Human pen testers cannot test multiple times each day in each week. That means Offensity instantly catches even new vulnerabilities. That is not the case with human penetration testing – if a new security issue appears on the next day after a human test, without Offensity it will remain undetected for months, until the next penetration test.
• Secondly, Offensity is simpler and quicker. It does not require any setup to start scanning, it automatically ranks the risks, and delivers easy-to-understand recommendations how to resolve each issue.
• Finally, Offensity has a lower price than using cybersecurity experts.