Security·10 min read

How to Run a Free External Attack-Surface Scan — and Verify It's Really Us in Your Logs

Attackers map your external attack surface before they strike — so scan it first. EchelonGraph's Surface Scanner is a free, external, no-install scan: deep TLS grading, exposed files (.env/.git/.tfstate), subdomain takeover, email spoofability, secrets, and a live CVE posture across 32 checks. And because a good scanner should never look like an attacker in your logs, every request identifies itself and carries a cryptographically signed receipt you can confirm at echelongraph.io/verify-scan. Here's how to run a scan, read the results, spot the scan in your own server logs, and prove it's genuinely us.

E

EchelonGraph

Founder

Attackers see your external attack surface first. You should see it first.

Before anyone attacks your company, they map what is reachable from the public internet: your TLS configuration, your DNS and email records, forgotten files on your web root, dangling subdomains, exposed admin panels, and the versions of the software you run. That map is your external attack surface, and attackers build it with automated scanners in minutes.

The EchelonGraph Surface Scanner lets you build the same map first — for free, from the outside, with nothing to install. You point it at a domain you own, and in a couple of minutes you get a graded report of exactly what an attacker would find.

This post covers three things: how to run a scan and read the results, how to recognise the scan in your own server logs, and how to cryptographically verify that the scan really came from EchelonGraph (and not from an attacker wearing our name) at echelongraph.io/verify-scan.

What the Surface Scanner checks — 32 checks, free

The free tier runs a genuinely deep external assessment, not a token "grade my headers" tool:

  • Deep TLS/SSL grading — protocol matrix (SSLv3 to TLS 1.3), cipher strength, forward secrecy, weak DH, OCSP stapling, certificate transparency — the kind of grade you would expect from SSL Labs or Hardenize.
  • Email spoofability — SPF, DKIM, DMARC (enforcing vs monitor), MTA-STS, DANE/TLSA, BIMI — whether someone can send mail as your domain.
  • Exposed files.env, .git/config, .tfstate (Terraform state), backups, .aws/credentials, private keys, and more — each confirmed by content signature, not a blind guess.
  • Subdomain takeover — dangling CNAMEs pointing at unclaimed cloud services.
  • Secrets and source maps — API keys and credentials leaking in your JavaScript, exposed .js.map source.
  • Security headers, cookies, CORS, redirects — the browser-side controls.
  • Technology fingerprint to CVE posture — what you run, and how many known CVEs (with live CVSS/EPSS/CISA-KEV enrichment from our own CVE platform) affect the versions we can see.
  • WAF/CDN detection, favicon fingerprint, open ports — and more.
  • Every finding is designed to be true: we adversarially reviewed the scanner to drive false positives to zero, because a security tool that cries wolf is worse than useless.

    How to run a scan (step by step)

  • Go to echelongraph.io/surface-scanner.
  • Enter the domain you want to scan (for example yourcompany.com).
  • Enter a same-domain email[email protected]. This proves you are authorised to scan your own domain; it is our anti-abuse gate, and it is why you cannot scan someone else's site. (It is not a newsletter signup — see our responsible-disclosure policy.)
  • Accept the terms and start the scan.
  • In about one to three minutes you get an A to F grade, category-by-category coverage, severity counts, a CVE-posture summary, and a sample of findings.
  • The free tier allows one scan per domain per 24 hours. On-demand and scheduled re-scanning are part of the onboarded product.

    What you get free vs. what unlocks

    The free report shows you the shape of every problem: your grade, which categories pass or fail, how many findings at each severity, and how many known CVEs affect your fingerprinted stack. Sensitive detail — the exact vulnerable URL, the evidence, the remediation steps, and the specific CVE identifiers — is shown as a locked teaser. When you onboard, you get the full unredacted report, including findings a manual review would take a security team days to surface.

    "Who is scanning my site?" — finding the scan in your logs

    When you scan your own domain, the requests show up in your access logs from EchelonGraph's infrastructure. We identify ourselves on every request so you — or a colleague on your SOC who did not run the scan — can immediately tell it is a legitimate, authorised assessment and not an attacker.

    A standard nginx or Apache access-log line looks like an ordinary browser visit (we use a real browser User-Agent on purpose, so that bot-management WAFs do not block us and corrupt your grade):

    203.0.113.10 - - [10/Jul/2026:14:22:07 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 431 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

    The proof that it is us is in the request headers we send on every call:

    From: [email protected]
    X-EchelonGraph-Surface-Scan: pub-1783649917380724052
    X-EchelonGraph-Verify: https://echelongraph.io/verify-scan?scan=pub-1783649917380724052&receipt=v1.eyJ0eXAiOiJzdXJmYWNlLXNjYW4i...
    X-EchelonGraph-Receipt: v1.eyJ0eXAiOiJzdXJmYWNlLXNjYW4i....9f3a2b7c

  • From — a standard RFC 7231 operator contact. That is our real support address.
  • X-EchelonGraph-Surface-Scan — the unique scan ID, which matches the ID you were shown when you started the scan.
  • X-EchelonGraph-Verify — a click-through URL that confirms the scan for you (below).
  • X-EchelonGraph-Receipt — a cryptographically signed receipt (HMAC-SHA256) over the scan ID, your domain, the authorising email domain, and the timestamp. It cannot be forged without our signing key, which never leaves our servers.
  • Most access logs do not record arbitrary request headers by default. If your SOC wants these to appear, add them to your nginx log format:

    log_format echelon '$remote_addr "$request" $status '
                       'ua="$http_user_agent" '
                       'eg_scan="$http_x_echelongraph_surface_scan" '
                       'eg_verify="$http_x_echelongraph_verify"';

    How to verify a scan at /verify-scan

    There are two ways, and both take seconds.

    Option 1 — click the verify URL. Copy the X-EchelonGraph-Verify value from your logs and open it. It loads echelongraph.io/verify-scan and confirms the scan automatically.

    Option 2 — paste the receipt. Go to echelongraph.io/verify-scan and paste the X-EchelonGraph-Receipt token into the box, then click Verify.

    For a genuine scan of your domain, you will see:

    ✓ Genuine EchelonGraph surface scan
    Domain scanned:   yourcompany.com
    Authorized by:    an address at yourcompany.com
    Scan ID:          pub-1783649917380724052
    Sent at (UTC):    2026-07-10T14:22:07Z

    How to read the result of the verification

    The verification tells you four facts, signed by us:

  • It was genuinely EchelonGraph — the signature validated against our key.
  • It was your domainDomain scanned should equal the host in your log line.
  • Someone at your org authorised itAuthorized by is the domain of the email used to start the scan (our same-domain gate means it is always someone at your company).
  • The exact timeSent at should match the timestamp of the request in your logs.
  • If all four line up, the scan was a legitimate, authorised assessment — most likely a colleague running EchelonGraph on your own domain. Nothing to worry about.

    If /verify-scan instead returns "Not a genuine EchelonGraph scan", then a request bearing our name did not come from us — someone copied our headers to look legitimate. Because our receipts are HMAC-signed, a forged or replayed token cannot pass the check: the signature will not match. Please report it to [email protected] and we will help you investigate.

    Why we go to this much trouble

    An attacker hides. A legitimate security scanner should do the opposite: announce who it is, prove it, and give you a way to check. The EchelonGraph Surface Scanner is consent-gated (you can only scan a domain you can prove you control), read-only (we never write to or exploit anything), and self-identifying with a signed receipt on every request. Our full data-handling and disclosure policy — including how the passive Discovery Radars work and how to reach us for a takedown or opt-out — is on the responsible-disclosure page.

    Frequently asked questions

    Is the surface scanner really free? Yes. One scan per domain per day, no account required to run it. Onboarding unlocks the full report, on-demand scanning, and the rest of the EchelonGraph platform.

    Do I need to install an agent? No. The scan is entirely external — it looks at what is reachable from the public internet, exactly like an attacker would.

    I see a scan from EchelonGraph in my logs. Is it safe? It is read-only and authorised (someone at your domain started it). Confirm it at /verify-scan using the receipt from your logs.

    Can someone fake an EchelonGraph scan to look legitimate? No. Every genuine scan carries an HMAC-signed receipt; /verify-scan rejects any forged or altered token, so a fake cannot pass verification.

    Why do you use a browser User-Agent instead of a bot name? Because bot-management WAFs tarpit or challenge obvious scanners, which corrupts the accuracy of your grade. We stay identifiable through the From and X-EchelonGraph-* headers and the signed receipt instead.

    Scan your surface now

    Run your free surface scan · Verify a scan in your logs · Read our responsible-disclosure policy

    Protect your infrastructure before the breach

    Map your attack surface, automate compliance, and detect insider threats in real time.

    Start free trial →