Free Tool
Free Attack Surface Preview
Enter your work email and we'll preview what your domain looks like from the outside - subdomains, email security records, and exposed metadata. Free. No obligation.
Check your domain
How exposed is your attack surface?
Enter your work email below. We'll use the domain to run reconnaissance against your external estate and return a snapshot in under a minute.
Your work email
Your email is solely to identify your domain. We won't add you to a mailing list without your consent. See our privacy policy.
Concerned about what we find?
A Pentiq consultant will walk you through it.
What we check
What's in the preview?
The preview groups external signals across three categories - the same surfaces a real attacker maps before deciding whether to go further.
External attack surface
Common subdomains and the addresses behind them - the things attackers find with reconnaissance, mapped against your domain.
Email security posture
MX, SPF, and DMARC records - the configuration that decides whether someone can send phishing emails as your domain.
Exposed web metadata
HTTPS reachability, page title, server headers, and X-Powered-By disclosures - the things your site tells visitors about its underlying tech.
Why this matters
External reconnaissance is the first thing a real attacker does.
Reconnaissance is free
Before any attacker buys an exploit, they Google. Subdomain enumeration, DNS lookups, and metadata harvesting are all free, automated, and constant. If something's exposed, it's already been seen.
Most exposure is forgotten
Forgotten dev environments, expired certs, legacy subdomains pointing nowhere - external attack surfaces grow faster than they shrink. Most clients haven't audited theirs in over a year.
Email is the cheap entry
A weak SPF record or missing DMARC policy lets attackers send phishing emails that look genuinely like yours. It's the single cheapest, highest-success attack vector going.
What happens next
We don't just show you the preview - we'll help you act on it.
The preview is a starting point. If you want a Pentiq consultant to walk through what it means - and what changes the fastest - a 30-minute conversation usually clarifies it.
- Plain-English explanation of what the preview surfaces and what it means
- Priority actions based on your specific gaps
- Options for full external infrastructure testing or Continuous Security Assurance
About this tool
What the preview is - and isn't
The Attack Surface Preview runs lightweight external reconnaissance against your domain - DNS lookups, common subdomain checks, email-record analysis, and surface web metadata. It's a snapshot, not a manual penetration test.
For a deeper view of what's actually exploitable, see External Infrastructure Penetration Testing or CSAS.
Any leads generated through this tool are stored by Pentiq in accordance with our Data Processing Agreement.
Common questions
Frequently asked questions.
Is this a real penetration test?
No. The preview runs basic external reconnaissance against your domain - DNS, common subdomain checks, email-record lookups, and surface web metadata. It's a snapshot of what's visible from the outside. A penetration test goes much deeper, with manual exploitation and business-impact analysis.
Why does it need a work email?
We extract the domain from the email so we know what to preview. We also use the email to follow up if you'd like a written-up version or want to discuss the findings.
What happens to my email address?
It's used to identify your domain, log the lead, and follow up if you've consented. We don't add you to a marketing list, sell your data, or share it with anyone outside Pentiq. See our privacy policy for the full picture.
Is anything I'd be uncomfortable sharing exposed by this?
The preview only collects information that's already public - DNS records, web metadata, email-server configuration. Nothing the tool retrieves is data only you have access to.
See the full picture
The preview is the first 5%. The rest is a real penetration test.
When you're ready to know what's actually exploitable - not just what's visible - book a 30-minute call and a Pentiq consultant will scope it honestly.