§02·02 · Service · Continuous attack-surface monitoring

A baseline alarm on your public footprint, refreshed every day.

A pentest is a snapshot. A weekly engineering sprint moves your perimeter. Continuous attack-surface monitoring closes the gap between the two: an anchored baseline, daily passive re-scans, deltas surfaced through the channel your team already reads. The goal is to hear about regressions before your customers — or your competitor's red team — do.

Surface coverage · Subdomains (CT logs, subfinder) · TLS posture · HTTP headers · DNS · DMARC/SPF/DKIM · CDN/origin map · CVEs in exposed JS libraries · Wayback Machine history · AlienVault OTX · Shodan InternetDB · Public buckets · Open ports
Investment · from €1,200/month, retainer
Default cadence · Daily scan
Alert latency · ~15 min
Onboarding · 3 days, fixed
Channels · Slack, email, webhook
§01 · Signals we anchor and watch

Six classes of drift that trigger an alert.

Every signal below is anchored to the baseline established at onboarding, then re-evaluated on each scan. Deltas — appearance, disappearance, weakening, regression — are surfaced; steady-state matches are not.

§01·01

Subdomain & DNS drift

  • New subdomains appearing in certificate-transparency logs
  • Subdomain takeover candidates (dangling CNAMEs to deleted services)
  • DNS record changes on the apex (A, MX, SPF, DMARC, DKIM)
  • Name-server swaps and registrar changes
§01·02

Certificate & TLS

  • Certificate issuance, revocation, and approaching expiry
  • TLS protocol regression (e.g. TLS 1.0/1.1 re-enabled on an endpoint that previously offered only TLS 1.2/1.3)
  • Cipher suite drift after CDN provider changes
  • JA4S server-fingerprint shifts
§01·03

Application surface

  • New JavaScript libraries appearing on production pages
  • Newly disclosed CVEs against library versions you already shipped
  • Source-map exposure
  • Secret patterns in JS bundles (entropy + 19 reference rules)
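Added example, not Tholim's scanner or its 19-rule set: a minimal secret-pattern and source-map check over a constructed bundle. It shows why entropy alone is noisy (a plain content hash scores above the hex threshold) and why reference patterns outrank it. The rule names, thresholds, digest allow-list and sample strings are this example's assumptions; none of the key-like strings is a real credential.

```python
"""Secret-pattern and source-map checks over a constructed JS bundle.

Added example, not the page's own tooling. The three RULES are illustrative,
not the 19 reference rules the page mentions. BUNDLE is constructed and the
key-like strings in it are not real credentials.
"""
import math
import re
from collections import Counter

# Constructed bundle: a minified-looking chunk with a key-shaped literal, a
# JWT-shaped literal, a high-entropy blob, a harmless md5 digest and a
# source-map pointer.
BUNDLE = r"""
!function(){var e="https://api.example.test/v1",k="AKIAZZZZZZZZZZZZZZZZ",
t="eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.Q2xlYXJseU5vdEFSZWFsU2lnbmF0dXJlMTIz",
b="q7Zx3Vn9Kd2Lm8Rt4Wy6Pb1Hs5Jg0Fc",h="d41d8cd98f00b204e9800998ecf8427e",
s="hello-world-this-is-fine";console.log(e,k,t,b,h,s)}();
//# sourceMappingURL=app.3f2a1c.js.map
"""

RULES = {  # illustrative reference patterns (assumed for this example)
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\])*)\1""")  # JS string literals
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
DIGEST_LENGTHS = {32, 40, 64}  # md5 / sha1 / sha256 hex digests: usually content hashes


def shannon_entropy(s):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_string(s):
    """Return (rule, severity) for one literal, or None when nothing fires.

    Reference patterns win over entropy; digest-shaped hex is downgraded to
    info because it is almost always a build or content hash.
    """
    for name, rx in RULES.items():
        if rx.search(s):
            return name, "high"
    if len(s) >= 32 and HEX_RE.match(s):
        if len(s) in DIGEST_LENGTHS:
            return "hex_digest_shaped", "info"
        if shannon_entropy(s) > 3.0:      # hex alphabet maxes out at 4 bits/char
            return "entropy_hex", "medium"
    elif len(s) >= 20 and B64_RE.match(s) and shannon_entropy(s) > 4.5:
        return "entropy_base64", "medium"  # base64 alphabet maxes out at 6 bits/char
    return None


def scan_bundle(text):
    """Walk every string literal, then look for a source-map pointer."""
    findings = []
    for m in STRING_RE.finditer(text):
        hit = classify_string(m.group(2))
        if hit:
            findings.append({"rule": hit[0], "severity": hit[1], "sample": m.group(2)[:8] + "..."})
    for m in SOURCEMAP_RE.finditer(text):
        # A real check would fetch the .map and confirm it is served (HTTP 200).
        findings.append({"rule": "source_map_pointer", "severity": "medium", "sample": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in scan_bundle(BUNDLE):
        print(f"{f['severity']:6} {f['rule']:20} {f['sample']}")
```

Diffing these findings against the baseline is what turns them into alerts: a `source_map_pointer` that was present at onboarding is steady state, a new `aws_access_key_id` hit on a bundle that previously had none is a red delta.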
§01·04

HTTP & headers

  • Mozilla Observatory grade regression after CDN / framework upgrades
  • Security headers dropped or weakened (HSTS, CSP, X-Frame-Options)
  • Cookie-flag changes (Secure / HttpOnly / SameSite)
  • Sensitive paths newly cacheable (Cache-Control on /login, /admin, /api)
§01·05

External signals

  • AlienVault OTX pulse mentions of your domain
  • Shodan InternetDB additions on resolved IPs
  • urlscan.io submissions of your domain by external researchers
  • Newly-flagged paths in Wayback Machine historical crawls
§01·06

Email posture

  • DMARC policy weakening (reject → quarantine → none)
  • SPF lookup-count creeping toward the RFC 7208 limit of 10
  • DKIM key rotation gaps
  • MTA-STS / TLS-RPT regression
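Added example, not Tholim's check: counting the RFC 7208 DNS-querying terms reachable through include: and redirect= over a constructed zone, plus the reject > quarantine > none ladder behind the DMARC weakening alert. The zone data, the yellow threshold of 8 lookups and the function names are assumptions made for this example; a real scan would query a resolver instead of a dict.

```python
"""SPF lookup-count and DMARC policy checks over constructed DNS data.

Added example, not the page's own tooling. ZONE stands in for DNS; every
record in it is constructed. Thresholds below are this example's choice.
"""
import re

# Constructed zone: name -> TXT strings a resolver would return.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:crm.test a -all"],
    "_spf.mailer.test": ["v=spf1 include:a.mailer.test include:b.mailer.test ~all"],
    "a.mailer.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "crm.test": ["v=spf1 redirect=_spf.crm.test"],
    "_spf.crm.test": ["v=spf1 exists:%{i}.spf.crm.test include:_spf.mailer.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
}

# RFC 7208 section 4.6.4: each of these terms costs one DNS query and more than
# 10 per evaluation is a permerror. ip4, ip6, all and the exp= modifier are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LIMIT = 10
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=/](.*))?$", re.I)  # mechanism or modifier


def spf_record(name, zone=ZONE):
    recs = [t for t in zone.get(name, []) if t.lower().startswith("v=spf1")]
    return recs[0] if recs else None


def spf_lookups(name, zone=ZONE, path=()):
    """Count DNS-querying terms reachable from `name`, following include: and redirect=.

    A name reached on two different paths is counted on both: the limit is on
    query evaluations, not on distinct names.
    """
    if name in path:
        raise ValueError(f"include/redirect loop through {name}")  # permerror in a real check
    rec = spf_record(name, zone)
    if rec is None:
        return 0  # nothing more to count here (a resolver would report permerror for an include of a record-less name)
    count = 0
    for raw in rec.split()[1:]:
        m = TERM_RE.match(raw.lstrip("+-~?"))  # strip the qualifier
        if not m:
            continue
        kind, arg = m.group(1).lower(), m.group(2)
        if kind not in LOOKUP_TERMS:
            continue
        count += 1
        if kind in ("include", "redirect") and arg:
            count += spf_lookups(arg, zone, path + (name,))
    return count


def spf_grade(count):
    """Three-colour gate for the lookup count (thresholds assumed for this example)."""
    if count > SPF_LIMIT:
        return "red"       # over the limit: receivers return permerror, SPF is effectively off
    if count >= SPF_LIMIT - 2:
        return "yellow"    # creeping toward the limit: the next include: added will break it
    return "green"


def dmarc_policy(domain, zone=ZONE):
    """Return the p= tag of the domain's DMARC record, or None when there is no record."""
    for t in zone.get("_dmarc." + domain, []):
        if t.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in t.split(";") if "=" in kv)
            return tags.get("p", "none").lower()
    return None


def dmarc_weakened(baseline_p, current_p):
    """True when the policy moved down the reject > quarantine > none ladder (or vanished)."""
    return DMARC_RANK.get(current_p, -1) < DMARC_RANK.get(baseline_p, -1)


def email_posture(domain, zone=ZONE):
    n = spf_lookups(domain, zone)
    return {"spf_lookups": n, "spf_grade": spf_grade(n), "dmarc_p": dmarc_policy(domain, zone)}


if __name__ == "__main__":
    print(email_posture("example.test"))
```

In the constructed zone example.test sits at exactly 10 lookups, which is valid today and breaks the day someone adds one more include:, which is the "creeping toward" case the alert exists for.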
§02 · How alerts work

Anchored baseline. Severity-graded deltas. No noise.

The biggest failure mode of monitoring services is alert fatigue. Ours is engineered against it: only deltas alert, severity gates every channel, and the digest tells you both what changed and what stayed put.

01 · Anchor the baseline

The first scan after onboarding becomes the baseline. It is stored, signed, and never overwritten by subsequent scans; it is reset only on explicit request, for example after a major migration.

02 · Re-scan on cadence

Daily at a randomised time within your business window, or on a custom schedule. Each run produces a full Surface Audit report (18 checks, ~25 sec) and is diffed against the baseline.

03 · Severity-gate alerts

Red-grade regressions and new critical / high findings push within ~15 minutes to Slack / email / webhook. Yellow deltas roll up into a daily digest. Informational changes appear in the monthly summary only.

04 · Monthly written summary

A two-page digest at the end of every month: posture trend, deltas worth the engineering team's attention, items closed since the last summary. Signed and archived for compliance pickup.
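The four steps above as one runnable pipeline, added here as an example and not Tholim's own code: a signed baseline, a later scan diffed against it, and a severity gate that routes each delta to push, daily digest or monthly summary. The baseline and scan documents, the signing key, the header and cookie rules and the severity assigned to each kind of delta are this example's assumptions; the baseline signature is shown as HMAC-SHA256, which the page does not specify.

```python
"""Anchored-baseline diff with severity gating.

Added example, not the page's own pipeline. BASELINE and SCAN are constructed
documents; KEY is a placeholder. Only deltas are emitted: identical state
produces nothing, which is the no-noise property described above.
"""
import hashlib
import hmac
import json

KEY = b"placeholder-baseline-signing-key"  # assumption: in practice kept off the scan host

TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
WATCHED_HEADERS = ("strict-transport-security", "content-security-policy", "x-frame-options")
ROUTE = {"red": "push", "yellow": "digest", "info": "monthly"}  # severity -> channel

# Constructed baseline: what day-one onboarding would have anchored.
BASELINE = {
    "subdomains": ["api.example.test", "www.example.test"],
    "hosts": {
        "www.example.test": {
            "tls_min": "TLSv1.2",
            "headers": {
                "strict-transport-security": "max-age=31536000; includeSubDomains",
                "content-security-policy": "default-src 'self'",
                "x-frame-options": "DENY",
            },
            "cookies": {"session": ["Secure", "HttpOnly", "SameSite=Lax"]},
        }
    },
    "dmarc": "reject",
}

# Constructed later scan: a sprint shipped a new subdomain, re-enabled TLS 1.0,
# lost the CSP header, dropped HttpOnly on the session cookie and relaxed DMARC.
SCAN = json.loads(json.dumps(BASELINE))  # deep copy, then mutate
SCAN["subdomains"].append("staging.example.test")
_www = SCAN["hosts"]["www.example.test"]
_www["tls_min"] = "TLSv1.0"
del _www["headers"]["content-security-policy"]
_www["cookies"]["session"] = ["Secure", "SameSite=Lax"]
SCAN["dmarc"] = "quarantine"


def sign_baseline(baseline, key=KEY):
    """Canonical JSON plus an HMAC, so a tampered or swapped baseline is refused."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def load_baseline(body, sig, key=KEY):
    expect = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, sig):
        raise ValueError("baseline signature mismatch, refusing to diff")
    return json.loads(body)


def diff(baseline, scan):
    """Return (kind, detail, severity) for every anchored signal that moved."""
    deltas = []
    base_subs, scan_subs = set(baseline["subdomains"]), set(scan["subdomains"])
    for s in sorted(scan_subs - base_subs):
        deltas.append(("subdomain.new", s, "yellow"))
    for s in sorted(base_subs - scan_subs):
        deltas.append(("subdomain.gone", s, "info"))

    for host, cur in scan["hosts"].items():
        base = baseline["hosts"].get(host)
        if base is None:
            continue  # unanchored host: already surfaced as subdomain.new
        if TLS_RANK[cur["tls_min"]] < TLS_RANK[base["tls_min"]]:
            deltas.append(("tls.regression", f"{host} {base['tls_min']} -> {cur['tls_min']}", "red"))
        for h in WATCHED_HEADERS:
            if h not in base["headers"]:
                continue  # never anchored, so its absence is not a regression
            if h not in cur["headers"]:
                deltas.append(("header.dropped", f"{host} {h}", "red"))
            elif cur["headers"][h] != base["headers"][h]:
                deltas.append(("header.changed", f"{host} {h}", "yellow"))
        for name, flags in base["cookies"].items():
            lost = sorted(set(flags) - set(cur["cookies"].get(name, [])))
            if lost:
                deltas.append(("cookie.flag_lost", f"{host} {name} {lost}", "red"))

    b, c = DMARC_RANK[baseline["dmarc"]], DMARC_RANK[scan["dmarc"]]
    if c < b:
        deltas.append(("dmarc.weakened", f"{baseline['dmarc']} -> {scan['dmarc']}", "red"))
    elif c > b:
        deltas.append(("dmarc.strengthened", f"{baseline['dmarc']} -> {scan['dmarc']}", "info"))
    return deltas


def route(deltas):
    """Severity gate: red pushes now, yellow waits for the daily digest, info for the month."""
    out = {"push": [], "digest": [], "monthly": []}
    for d in deltas:
        out[ROUTE[d[2]]].append(d)
    return out


def run(scan=SCAN):
    body, sig = sign_baseline(BASELINE)
    return route(diff(load_baseline(body, sig), scan))


if __name__ == "__main__":
    for channel, items in run().items():
        for kind, detail, sev in items:
            print(f"{channel:8} {sev:6} {kind:18} {detail}")
```

Run as-is it pushes four red deltas (TLS regression, dropped CSP, lost HttpOnly, DMARC weakened), holds the new staging subdomain for the digest, and sends nothing for the monthly summary; diffing the baseline against itself yields an empty list, which is the steady-state silence the page promises.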

§03 · Three tiers, fixed monthly fee

Pick the cadence your stack actually moves at.

Pricing per project — we quote against the size of your subdomain map and the alerting channels you require. Rough order of magnitude in EUR is published on enquiry; no per-seat or per-event escalation.

Watch · Weekly scan

Fit · Single apex domain, small site, solo operator or seed-stage company

Weekly automated re-scan against the baseline anchor. Email digest with diffs. Slack webhook on red-grade regressions only. Monthly written summary.

Watch+ · Daily scan

Fit · Multi-subdomain SaaS, post-seed to Series B

Daily re-scan across the full subdomain map (CT + subfinder feeds combined). Diff alerts to Slack / email / webhook within fifteen minutes of detection. Monthly written summary with severity-ranked deltas and recommended actions.

Watch++ · Daily scan + manual review

Fit · Regulated stack, fintech, healthcare, enterprise

Daily automated coverage plus a fortnightly manual review pass: nuclei templates against newly-discovered surface, takeover scan, secret-leak deep dive on new JS bundles. Monthly written summary signed by an analyst.

§04 · Frameworks the monthly summary maps to

Built for compliance pickup, not for re-typing into your auditor's spreadsheet.

NIST CSF 2.0 · DETECT and RESPOND functions
CIS Controls v8.1 · Asset inventory, vulnerability management
ISO 27001 Annex A.5/A.8 · Asset and vulnerability management
MITRE ATT&CK · Reconnaissance tactic mapping
§05 · Out of scope by default

What this retainer does not cover.

The monitoring retainer is a passive watch on your public footprint. The work below is available as separate engagements when something we surface needs deeper attention.

  • Active vulnerability exploitation. If a finding warrants hands-on verification, we scope it as a short follow-on engagement, not under this retainer.
  • SIEM / log analysis. We watch the outside-in surface, not your internal telemetry. Refer to a dedicated SOC for that.
  • Incident response. See the incident-triage service. We can help on call, but the retainer fee does not cover it.
  • Mobile-app monitoring. Roadmapped under Tholim Mobile Audit; not yet generally available.

Want to see what your baseline looks like before signing anything?

Run a free Surface Audit on your apex domain. The output is the same baseline we would anchor on day one of the retainer — share it with us if the deltas you would want monitored aren't obvious from the report alone.