DARKWING · Attack Surface Management

See yourself the way attackers do.

Darkwing is Snode's continuous attack surface management platform. It maps every internet-facing asset you own — including the ones you've forgotten — and tells you exactly where to act, before someone else does.

Live on Snode SOC · Agentless · Multi-tenant · Self-hostable

[Sample dashboard: SOC › Threat Synthesis · acmecorp.com · Exposure: 28/100 · recon flow shown in four stages]

  • 1 Data: Raw observations · what we found (subdomains, IP addresses, open ports, lookalike domains, hosting countries)
  • 2 Information: Clustered · what's actually running (tech stack, open ports, services, WAF, people, lookalike domains)
  • 3 Knowledge: Risk applied · what's exploitable (vulnerabilities, compromised accounts, brand impersonation, external intel from Shodan, VT and AbuseIPDB)
  • 4 Wisdom: Synthesised · attack paths + score

Sample attack paths shown in the dashboard:

  • AP-008 · Email Domain Spoofing — Business Emai... (acmecorp.com): Email security controls are insufficient: DMARC p=quarantine — partial enforcement only.
  • AP-011 · Subdomain Takeover — Dangling DNS Records (downloads.acmecorp.com...): 1 subdomain(s) have DNS records (CNAME) pointing to third-party services that no longer serve content.
  • AP-013 · Missing Security Headers — XSS / Clic...: Multiple web applications are missing critical security headers: 34 site(s) missing HSTS; 57 site(s) missing CSP;
  • AP-016 · DNSSEC Not Enabled — DNS Spoofing Possible (acmecorp.com): DNSSEC is not enabled for acmecorp.com. Without DNSSEC, DNS responses cannot be cryptographically validated

What is Darkwing

Continuous attack surface management, built for the modern enterprise.

Most security teams know about 60% of their real attack surface. Darkwing finds the other 40% from the outside, the way attackers do, then keeps watching as your environment changes — day in, day out.

Find what you didn't know you owned.

Give us a domain. We map every subdomain, exposed service, leaked credential and look-alike phishing domain registered against you — automatically, no agents, no installs.

Continuous, not quarterly.

Scheduled re-scans, real-time progress, change diffs. Catch new exposure the day it appears — not in next quarter's pen test. Pipe findings to your SIEM via REST API.

Board-ready in one click.

AI-written executive PPTX and PDF reports with risk gauges, trends and attack-path analysis. Customer-branded, MSSP-ready, short enough that the board will actually read it.

The Snode journey

From a free scan to a 12-month exposure programme.

Darkwing is the lens. It feeds the work — from a single 10-minute snapshot, through XTEM, to CTEM, our continuous threat exposure management service.

Step one · 10 minutes

Free threat exposure scan

You give us a domain. Darkwing runs passive recon against your public attack surface and produces a real findings report — assets discovered, leaked credentials, exposed services, look-alike domains.

  • No agents, no credentials needed
  • Hand-walk through the findings
  • Yours to keep, no commitment

Step two · 6 weeks

XTEM — Extended Threat Exposure Assessment

The full picture. A local node inside your environment for threat hunting and compliance, plus a full external assessment and black-box pen test by our offensive team.

  • Internal: threat hunting, risk & non-compliance audit
  • External: full Darkwing scan + black-box pen test
  • Output: a 12-month exposure management programme

Step three · continuous

CTEM — Continuous Threat Exposure Management

Once XTEM is done, the whole Snode stack runs against you around the clock. We track every realm, audit annually, and keep your exposure trend moving in the right direction.

  • Darkwing + Guardian + Mirage + Panthera
  • Weekly intel, monthly exec one-pager
  • Yearly realm audit against your programme

Every scan ends here

One number the board will understand.

Every Darkwing scan produces an exposure score from 0 (perfectly defended) to 100 (critically exposed). The CISOs we work with use it as the single metric they drive down, quarter on quarter.

[Sample score gauge: Acme Corp · Q2 · exposure score out of 100]

  • Assets discovered: Subdomains, services, certificates and cloud assets surfaced from a single domain.
  • New to client: Assets the client didn't know about going in. Typical for a mid-sized enterprise.
  • Critical findings: Open admin panels, leaked credentials, unsafe TLS configs, exploitable CVEs — all validated.
  • Passive sweep (10 min): From "here's our domain" to "here's the report." Sub-six-week for the full XTEM engagement.

Under the hood

Operator-built. Real tools. Real results.

Darkwing isn't a marketing platform with a thin wrapper. The engine is our own — orchestrating 20+ best-in-class security tools, normalising the output, and writing it up in plain English.

snode@darkwing: ~/recon
snode $ darkwing scan --target acmecorp.com --mode active
[09:42:01] queueing scan #1247 · client: Acme Corp
[09:42:04] subdomain enumeration → 184 hosts
[09:42:07] perimeter mapping → 412 live services (54 unknown to client)
[09:42:12] vulnerability correlation → 14 critical, 31 high
[09:42:18] breach intelligence → 7 datasets, 4,812 leaked records
[09:42:22] ! exposed admin panel staging-admin.acmecorp.com no auth
[09:42:24] ! look-alike domain acrnecorp.com registered 4 days ago
[09:42:27] executive summary written · mapped to realms
[09:42:28] exec PPTX + PDF generated → reports/acme-q2-exec.pptx
snode $ _

The exposure management programme

Seven realms. One programme.

Every Darkwing scan rolls up into Snode's exposure management programme. We break the work into realms — discrete workstreams aimed at one specific part of your cyber posture. The realms become your security projects for the next 12 months, each with its own owner, success criteria and contribution to the overall exposure score.

01 · Assets

Subdomain discovery from six passive sources plus optional DNS brute-force. HTTP/HTTPS liveness, technology fingerprinting, WAF detection, security header grading and TLS posture per host.

02 · Threats

Exposed service detection — internet-reachable databases, RDP, cleartext transports, admin panels — cross-referenced with WAF coverage. Plus threat intelligence: Shodan, VirusTotal, AbuseIPDB, dark-web, typosquatting and brand impersonation.

03 · Vulnerabilities

Two paths. Active Nuclei scanning with community and in-house templates for confirmed findings. Plus passive LLM-driven inference that flags historically vulnerable software from your tech stack — no exploit payload sent.

04 · People

Email harvesting and LinkedIn correlation, naming-convention analysis, and deep authentication checks (SPF mechanism enforcement, DMARC at p=reject vs p=none, DKIM presence). Plus HIBP breach matching with full breach metadata.

05 · Architecture

DNS configuration, DNSSEC, TLS posture, email-authentication structure, domain-expiry tracking, geographic dispersion. The structural decisions that decide how far an attacker gets after they land.

06 · Controls

Detective, preventive and corrective controls — tested, tuned and traceable to a real risk. Each finding is tagged to one or more stages of the MITRE kill chain, surfacing where your coverage gaps actually sit.

07 · Governance

Automatic framework mapping by jurisdiction and sector — POPIA, ECT, GDPR, NIS2, CCPA, HIPAA. Per-control compliance gap analysis graded critical through low. The thing your auditors will measure you against.

Excellence through tenacity

Built different.
Here's why the score is defensible.

The number in the gauge looks simple. Underneath it sits a scoring engine designed to survive a CISO's most uncomfortable question: "Why should I trust this number?" Four of the design choices that answer it.

Bounded multi-pillar scoring

Three confirmed critical vulnerabilities outweigh three hundred informational SSL warnings — every time. Each pillar carries a hard ceiling, each finding type a count cap, and each additional finding adds less than the last. Noise can never overwhelm signal.
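
The three bounds described above (count cap per finding type, diminishing weight per additional finding, hard ceiling per pillar) can be sketched as follows. This is an added illustration, not Darkwing's scoring engine: the finding types, weights, caps, ceilings and decay factor are all assumed values chosen for the example.

```python
# Illustrative bounded scoring. Every number below is an assumption for this
# example; none of it is taken from Darkwing.
DECAY = 0.8  # each additional finding of a type adds 80% of the previous one

FINDING_TYPES = {
    "critical_vuln":  {"pillar": "vulnerabilities", "weight": 12.0, "cap": 10},
    "high_vuln":      {"pillar": "vulnerabilities", "weight": 6.0,  "cap": 10},
    "ssl_info":       {"pillar": "architecture",    "weight": 0.5,  "cap": 20},
    "missing_header": {"pillar": "architecture",    "weight": 0.4,  "cap": 25},
}
PILLAR_CEILING = {"vulnerabilities": 40.0, "architecture": 15.0}


def type_contribution(ftype, count):
    """Points for `count` findings of one type: count cap, then geometric decay."""
    spec = FINDING_TYPES[ftype]
    n = max(0, min(count, spec["cap"]))  # findings beyond the cap add nothing
    # weight * (1 + d + d^2 + ... + d^(n-1)), closed form of the geometric sum
    return spec["weight"] * (1 - DECAY ** n) / (1 - DECAY)


def exposure_score(counts):
    """Return (score on a 0-100 scale, per-pillar points after ceilings)."""
    raw = {}
    for ftype, count in counts.items():
        pillar = FINDING_TYPES[ftype]["pillar"]
        raw[pillar] = raw.get(pillar, 0.0) + type_contribution(ftype, count)
    # No pillar can exceed its ceiling, however many findings it holds.
    bounded = {p: min(v, PILLAR_CEILING[p]) for p, v in raw.items()}
    return round(min(100.0, sum(bounded.values())), 2), bounded


if __name__ == "__main__":
    print(exposure_score({"critical_vuln": 3}))   # signal
    print(exposure_score({"ssl_info": 300}))      # noise, capped at 20 findings
    print(exposure_score({"critical_vuln": 10, "high_vuln": 10}))  # hits ceiling
```
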

Passive vulnerability inference

For environments where active probing is restricted, we route your passively detected technology stack through a language model that cross-references real CVE history. You get vulnerability-grade insight without sending a single exploit payload.

Sector-relative context

An absolute score of 58 is useless without context. Darkwing benchmarks against 20+ industry verticals and translates your score into a percentile and a five-level maturity rating — so the board hears "above the financial-services median" not just "a number we made up."

Stage-aware change detection

Continuous monitoring without phantom remediation alerts. Before we mark a finding as fixed between scans, we verify the responsible collection stage actually completed in the latest run. If it timed out, the finding is tagged unverifiable — not silently cleared.
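
A minimal version of that check, as an added example rather than Darkwing's own code: a finding that disappears between scans is marked fixed only when the stage that produces it completed in the latest run. The stage names, status strings and finding keys are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str    # stable identity across scans: "<type>|<asset>"
    stage: str  # collection stage that produces this finding type


def diff_scans(previous, current, stage_status):
    """Classify findings between two scans.

    stage_status maps stage name -> "completed" / "timeout" / "error" for the
    latest run; a stage missing from the map is treated as not having run.
    """
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    out = {"new": [], "persisting": [], "fixed": [], "unverifiable": []}
    for f in current:
        out["persisting" if f.key in prev_keys else "new"].append(f.key)
    for f in previous:
        if f.key in cur_keys:
            continue
        # Absence is evidence of remediation only if the stage that would have
        # re-detected the finding ran to completion this time.
        if stage_status.get(f.stage) == "completed":
            out["fixed"].append(f.key)
        else:
            out["unverifiable"].append(f.key)
    return out


# Constructed sample data; hostnames reuse the page's acmecorp.com sample.
PREVIOUS = [
    Finding("exposed_admin_panel|staging-admin.acmecorp.com", "perimeter_mapping"),
    Finding("dangling_cname|downloads.acmecorp.com", "dns_enumeration"),
    Finding("missing_hsts|dev.acmecorp.com", "header_grading"),
]
CURRENT = [
    Finding("missing_hsts|dev.acmecorp.com", "header_grading"),
    Finding("lookalike_domain|acrnecorp.com", "brand_monitoring"),
]
STAGE_STATUS = {"perimeter_mapping": "timeout", "dns_enumeration": "completed",
                "header_grading": "completed", "brand_monitoring": "completed"}

if __name__ == "__main__":
    for state, keys in diff_scans(PREVIOUS, CURRENT, STAGE_STATUS).items():
        print(f"{state:13} {keys}")
```

In the sample, the exposed admin panel is reported as unverifiable rather than fixed because the stage that would have re-detected it timed out.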

Cross-realm attack-path synthesis

Twenty-eight (and growing) attack-path templates fire when conditions span two or more realms — credential leak plus exposed RDP, for example. Each path is rendered as a four-step attacker workflow, mapped to MITRE ATT&CK technique IDs, and adjusted for WAF coverage.

Kill-chain completeness

Every finding is tagged to one or more stages of the MITRE kill chain. The fraction of stages with supporting evidence becomes a second axis of prioritisation — orthogonal to the score. "Four of seven stages covered" tells a different story than the headline number alone.

Portfolio correlation (for MSSPs)

If you run Darkwing across multiple clients, we surface shared exposures — the same CVE across sites, the same end-of-life product deployed in three places, the same risk-trajectory pattern — and flag clients drifting toward breach territory before they get there.

Your turn

What's your exposure score?

Free. Confidential. Ten minutes. You give us a domain, we'll send you a real findings report — and a hand-walk through it from one of our analysts.