Skip to main content

EASMYour external attack surface, mapped from a single domain.

You enter your root domain, we pull up your entire exposed surface: forgotten subdomains, IPs, TLS certificates, services and cloud assets nobody ever inventoried. Continuous discovery, findings ranked by risk, an alert on the first change.

Free account · Hosted in the EU · one domain is enough
240+
detection modules
1 domain
in, the whole surface out
24/7
continuous monitoring, not a yearly audit
HOSTED IN THE EUEUROPEAN LAWGDPRNIS2 ART. 21OSWE CONSULTANT
We built the EASM the way an attacker enumerates a target, not like a compliance checklist.
own2pwn · OSWE-certified pentesterA pentester answers you within 24 h

Clear pricing, no surprises.

Discovery
€0
  • 1 monitored domain, up to 25 assets
  • 10 scans / mo
  • Multi-source discovery + more than 240 detection modules
  • CVE correlation, KEV and EPSS prioritisation
  • 2 AI-native validations / mo
  • Email alerts, 1 user
  • Free, no time limit
Start for free
Recommended
Pro
€99 / mo
  • Up to 5 domains, 250 tracked assets
  • 100 scans / mo
  • 30 AI-native validations / mo
  • HMAC-signed webhooks (Slack, Teams, Discord, PagerDuty)
  • Jira, GitHub, GitLab, Slack integrations
  • PDF and CSV exports, API access (5 keys), up to 5 users
Subscribe
Business
€299 / mo
  • Up to 15 domains, 1,000 tracked assets
  • Unlimited scans
  • 100 AI-native validations / mo
  • SSO, RBAC and role management
  • SIEM connector, custom integrations
  • Priority support
Subscribe
Enterprise
Custom
  • Unlimited domains, scans, assets and AI validations
  • SSO / SAML, SCIM provisioning
  • Enhanced AI validation (extended reasoning)
  • SLA, GDPR-compliant DPA, NIS2 guidance
  • Dedicated support
Talk to a pentester

What is slipping past you today.

01

Your surface grows with no inventory

A staging subdomain left online, a cloud bucket created off-process, a subsidiary's instance: the exposed surface widens with every project, and these are the first doors an attacker tries.

02

A scanner only sees the declared

A vulnerability scanner tests the IPs you hand it. It will never tell you anything about what you forgot to inventory: the entire blind spot stays invisible.

03

NIS2 Article 21 is waiting

The directive mandates asset mapping and continuous monitoring of the exposed surface. A quarterly spreadsheet can't keep up with a surface that moves every week.

From one domain to continuous monitoring.

01Discovery

You enter a domain

A single root domain name in, for example acme.com. No agent to install, no IP range to provide, no cloud access to connect. The scan starts right away. You stay in control of the scope: we follow the chain from what you give us, no reckless attribution of assets that aren't yours.

02Surface

We unroll your entire exposed surface

14 discovery modules start from that domain and rebuild what an attacker would see: subdomains (via Certificate Transparency and 6 public sources), DNS records, IPs and ASNs, ports and services, technology fingerprints, cloud storage (S3, Azure, GCP), TLS certificates. The forgotten subdomains, the pre-prod environments left online, the open bucket: they all surface in the inventory. Discovery is included from the free tier, not reserved for the most expensive plan.

03Prioritization

Risk triage, then AI validation on critical cases

More than 240 detection modules analyse every asset (TLS, HTTP headers, secret exposure, cloud misconfig, CVEs by banner and version). Vulnerabilities are correlated to the CVE catalogue and prioritised with CISA KEV and EPSS, so the exposed admin console moves ahead of the ordinary port 443. On High and Critical findings from a verified domain, you can trigger AI-native validation: an autonomous agent tries to confirm real exploitability, its tooling running inside an ephemeral sandbox with filtered network egress. It is AI, not a pentester, and it is quota-limited (30 validations a month on Pro). We lower the noise, we don't promise zero false positives.

04Monitoring

Continuous monitoring, an alert on the first change

The surface moves every week, the inventory follows. Scans run continuously and on demand, and change detection flags every new subdomain, every port that opens, every CVE that touches an exposed service. The alert lands the same day in Slack, Teams, Jira, GitHub, PagerDuty or a signed webhook, not at the next yearly audit. This is exactly the mapping and continuous monitoring expected by Article 21 of NIS2.

Attack graph and attack paths

Assets and findings are linked together (shared certificates, DNS, cloud relationships) to reconstruct exploitation chains. You view the graph, follow the paths ranked by severity, and measure the blast radius of a finding across the rest of your surface.

The scanner goes deep on the known. EASM finds the unknown.

Vulnerability scanner
  • Starts from a list of IPs you provide
  • Only sees assets already known
  • Tests deep, but discovers nothing
  • One-off audit, no change tracking
own2pwn EASM
  • Starts from a single root domain
  • Discovers the assets nobody inventoried
  • Correlates assets with each other (certificates, DNS, ASN)
  • Continuous monitoring, an alert on the first change

What the engine does, in numbers.

Non-intrusive

The EASM scan replays no exploitation and runs on production without coordination. AI validation, on the other hand, is active testing: optional, quota-limited, reserved for critical findings.

Detection modules
240+
Discovery plugins
14
Prioritization
CVE · KEV · EPSS
Anti-SSRF guard
3 layers
Rate per host
1 to 1000 req/s
AI validations / mo (Pro)
30
Bounded agent
20 steps · 300 s
From outside
0 agent

What we do differently from other EASMs.

01

Hosted in the European Union

Your exposure data stays under European law: hosted in the EU, GDPR compliant, with strict per-customer isolation at the database level. Handing the map of your attack surface to a US vendor exposes it to extraterritorial access requests; your inventory stays hosted in the EU.

02

Designed by an OSWE-certified pentester

The discovery logic follows what an attacker enumerates first, not a generic checklist copied from a framework. Prioritisation reflects real exploitability: an exposed admin console ranks ahead of a high CVSS hidden behind a WAF. It is an offensive method turned into SaaS, not a dashboard dreamed up by marketers.

03

AI where it actually helps

No chatbot. AI is used to rank more than 240 detection modules by real risk (CVE correlation, CISA KEV and EPSS prioritisation, dedup, attack paths), so you handle what matters first. Optional and quota-limited, an AI-native validation tries to confirm the exploitability of a critical finding. It is AI, not a human, and we don't promise zero false positives: human verification is our pentests, a separate offering.

04

Non-intrusive scans, production-safe

The EASM scan is built to run on production without taking it down: no exploitation replayed, three-layer anti-SSRF guard, per-host rate limits adjustable from 1 to 1000 req/s. You add it to your perimeter without coordinating a maintenance window with the ops team. A single domain in, no agent to install, no cloud access to connect.

Your exposure data stays under European law.

  1. 01Hosted in the European Union
  2. 02Data under European law (GDPR)
  3. 03Strict per-tenant isolation
  4. 04Secrets masked before they are written
  5. 05NIS2 Art. 21: exportable PDF and CSV reports

Fits into your SOC workflow

Slack
Teams
Jira
GitHub
GitLab
PagerDuty
Webhook HMAC
SIEM

What you probably want to know.

How is this different from a classic vulnerability scanner?+

A scanner like Nessus or OpenVAS starts from a list of IPs you feed it and tests vulnerabilities on them. It only sees what you declare. EASM answers the question before that: what are you really exposing on the Internet? It starts from a single root domain, discovers the assets nobody inventoried (forgotten subdomains, staging left online, cloud buckets), correlates those assets with each other through shared certificates, DNS and ASN, then continuously monitors what appears and disappears. The two are complementary: the scanner goes deep on the known, EASM finds the unknown.

How do you discover my assets from a single domain?+

You enter your root domain, the scan starts. No agent to install, no cloud access to provide. We combine 14 discovery plugins: passive sources (Certificate Transparency via crt.sh, six public subdomain sources, WHOIS and reverse WHOIS, DNS), then non-intrusive active steps (port scanning, service fingerprinting, vhost enumeration, web crawling, cloud detection for S3/Azure/GCP). Step by step, we pull up subdomains, IPs, ports, TLS certificates, technologies and exposed services. The scope stays under your control: we unroll from the domains you declare, no reckless attribution to entities that aren't yours.

Do you detect cloud assets (AWS, Azure, GCP)?+

Yes. Public S3 buckets, Azure Blob Storage, GCP Storage, exposed instances, subdomains pointing to a CDN or a cloud host. Dedicated modules also check storage ACLs and metadata leaks (cloud SSRF). If a cloud asset is reachable from the Internet and tied to your domain, it surfaces in the inventory.

How often is my surface re-scanned?+

You schedule periodic scans (cron) and trigger on-demand scans from the interface or the API. On every pass, you get the delta: new asset, port that opens, new CVE on an exposed service, finding resolved. Volumes depend on the plan: 10 scans a month on Discovery, 100 on Pro, unlimited on Business and Enterprise. You track your usage in real time.

What happens when I hit my quota?+

The scan is refused and the API returns an HTTP 402 until the monthly renewal or an upgrade. All quotas (scans, monitored assets, AI validations, API keys) are counted per calendar month and reset on the 1st. The dashboard shows your usage and an upgrade button. Note: the Discovery plan monitors up to 25 assets and 1 domain, the Pro plan goes up to 250 assets and 5 domains, Business up to 1,000 assets and 15 domains.

What is AI-native validation, and what are its limits?+

On a High or Critical finding, you can ask an autonomous AI agent to try to confirm it is actually exploitable. It has real offensive tooling (sqlmap, nuclei and others) that it runs against the affected asset, within strict guardrails: 20 steps, 300 seconds and 150,000 tokens per finding. If it proves exploitability, the finding moves to confirmed with a stored proof (secrets masked). It is AI, not a human pentester, and it is quota-limited: 2 validations a month on Discovery, 30 on Pro, 100 on Business, unlimited on Enterprise. We don't promise zero false positives. For thorough human verification, that's the job of our pentests, a separate offering.

Is AI validation intrusive?+

Let's separate two things. EASM discovery and scanning are non-intrusive by design: no exploitation, no destructive payload, redirects disabled, per-host rate capped (1 to 1000 req/s), three-layer anti-SSRF guard. You can add it to your perimeter without coordinating with the ops team. AI validation, on the other hand, is active testing: it runs real tooling against the live asset, which can change its state. The sandbox isolates the tooling (ephemeral container, egress filtered to the target's public IPs only), not your asset. That's why it is manual, reserved for critical findings on a domain you have verified, and quota-limited. We'd rather say it than hide it.

Where is my data hosted, and who can access it?+

Hosting in the EU, under European law. Your inventory data and findings stay under European law, isolated per account (strict per-tenant database partitioning), with secrets masked before they are written. No reselling, no sharing with third parties, no use to train external models. The optional AI validation calls Anthropic's Claude models through Google Cloud Vertex AI in a European region (standard contractual clauses, no training on your data). Handing your entire attack map to a US vendor exposes you to extraterritorial access requests, at odds with GDPR and NIS2: we keep hosting in the EU.

Can I control the scan scope?+

The scope is defined by the root domains you add (1 on Discovery, 5 on Pro, 15 on Business, unlimited on Enterprise): nothing outside is scanned. For each run, you tune custom headers and cookies (up to 50 each) and the maximum per-host rate. Useful to respect a WAF, a load window or a sensitive environment.

How does EASM help my NIS2 compliance?+

Article 21 of NIS2 mandates risk management that includes asset mapping and continuous monitoring of the exposed surface, shadow IT included. EASM addresses this part directly: a live inventory of exposed assets, CVE detection with KEV and EPSS prioritisation, an alert on the first change, PDF and CSV reports exportable for your auditors. To be clear: it doesn't cover all of NIS2 on its own (governance, incident response, supply chain remain on you). It addresses the knowing and controlling what you expose part.

Give us a domain.

You enter your root domain, we hand back your external attack surface ranked by risk. Free account, one domain is enough.