External attack surface intelligence

See your domain the way an attacker does.

Map your external perimeter using only public sources. Zero packets to your servers, mapped to NIS2, DORA and ISO 27001.

Aligned with NIS2 · DORA · ISO 27001
Method

Two ways to map an attack surface. We do the quiet one.

Most scanners hammer your perimeter to find what's exposed. We piece the same picture together from public sources — without touching your servers.

Active scan

What others do.

Traditional scanners send thousands of probes at your perimeter. Your SIEM, your WAF and your security team all see them coming.

Touches your servers · Fills your logs · Triggers alerts
Coverage

Eight signal layers. One report.

  • DNS: A · AAAA · MX · NS · CAA · DNSSEC
  • Mail auth: SPF · DMARC · DKIM selectors
  • TLS: validity · expiry · protocol · chain
  • HTTP headers: 7 headers graded A → F
  • Subdomains: via certificate transparency
  • WAF / CDN: provider fingerprint
  • Hosting: ASN · geo · cloud provider
  • Extras: RPKI · DANE · BIMI · security.txt · CORS
0
Packets sent to you
EU regulation

Findings, mapped to EU regulation.

Every finding is tagged with the framework articles it relates to — so your report doubles as evidence for your auditor.

  • NIS2 · Network & Information Security 2 · Art. 21
  • DORA · Digital Operational Resilience Act · Art. 8 · 9
  • ISO · ISO/IEC 27001:2022 · A.8 · A.13
Services

One service today. A platform tomorrow.

Available

Passive reconnaissance

A full external map — DNS, mail, TLS, headers, subdomains, hosting, WAF — without sending a single packet to your servers.

Q3 2026

Surface monitoring

Continuous passive scans with diff alerts when your perimeter changes.

2026

Credential exposure

Targeted monitoring of breach corpora and paste sites.

Why didroot

Independent. Inspectable. Quiet.

Truly zero-touch

Public sources only. Your logs stay clean.

Founder-led

Designed and reviewed by Dídac. No outsourcing.

Inspectable

Every finding traces to a source URL & timestamp.

Flat pricing

One scope fee. No per-asset surprises.

FAQ

Common questions.

Yes. We never resolve, probe, or send traffic to your servers. Every data point comes from third-party sources that already publish information about your domain.
Active testing tells you what an attacker can do. Passive recon tells you what an attacker already knows before they try. Most teams should do passive first, then scope active to what passive surfaces.
No access of any kind. You give us a root domain — that's it. We treat you as an external observer would.
An asset inventory, a findings list ranked by severity and mapped to NIS2/DORA/ISO 27001, an executive summary PDF, and a JSON export for your SIEM.
Try it free

Scan your domain. Right now.

Full passive recon in under 30 seconds. No account, no setup, no packets to your servers.

  • email: didac@didroot.com
  • response: ≤ 24h on business days
  • based: Barcelona · serving the EU