# Scanward — External Security Scanner & Attack Surface Monitoring

## What Is Scanward?

Scanward is an external security scanner and external attack surface management (EASM) platform built for small and medium businesses, digital agencies, and managed service providers (MSPs). It continuously monitors your internet-facing domains across six security dimensions and delivers a single A-F security grade.

Unlike enterprise EASM tools that cost thousands per month and require sales calls, Scanward starts free (1 domain) and scales to $79/month for 50 domains. There is no enterprise tier, no sales process, and no minimum commitment.

## What Does Scanward Scan?

### SSL/TLS Certificate Monitoring

Scanward checks SSL certificate validity, expiration dates, TLS protocol versions (TLS 1.2, TLS 1.3), cipher suite strength, and certificate chain validation. It alerts you days before certificates expire so you never wake up to a broken site. Auto-renewal from Let's Encrypt can fail silently — Scanward catches that.

### DNS Record Monitoring

Scanward queries A, AAAA, MX, NS, TXT, and CNAME records. It checks for DNSSEC validation, detects dangling CNAME records (subdomain takeover risk), tests for open zone transfers, and flags missing MX records. DNS misconfigurations are one of the most common attack vectors for domain hijacking.

### HTTP Security Headers

Scanward checks for the presence and configuration of critical HTTP security headers:

- **Strict-Transport-Security (HSTS):** Prevents SSL-stripping attacks by forcing HTTPS connections
- **Content-Security-Policy (CSP):** Defends against cross-site scripting (XSS) by controlling which content sources are allowed
- **X-Frame-Options:** Prevents clickjacking by controlling whether your site can be embedded in iframes
- **X-Content-Type-Options:** Prevents MIME-type sniffing attacks
- **Permissions-Policy:** Controls which browser features (camera, microphone, geolocation) your site can access
- **Referrer-Policy:** Controls how much referrer information is shared with other sites

### Email Authentication (SPF, DKIM, DMARC)

Scanward verifies that your domain has proper email authentication configured:

- **SPF (Sender Policy Framework):** Specifies which mail servers are authorized to send email for your domain
- **DKIM (DomainKeys Identified Mail):** Adds cryptographic signatures to outgoing email so recipients can verify it wasn't tampered with
- **DMARC (Domain-based Message Authentication, Reporting & Conformance):** Tells receiving mail servers what to do when SPF or DKIM checks fail — and where to send reports

Without these records, anyone can send email that appears to come from your domain (email spoofing), which is used in phishing attacks and business email compromise (BEC).

### Domain Registration Monitoring

Scanward monitors domain registration expiry dates via RDAP and WHOIS protocols. It checks registrar lock status (clientTransferProhibited) and alerts you well before your domain expires. Expired domains can be registered by attackers for phishing, brand hijacking, and email interception.

### Uptime Monitoring

Scanward checks whether your domains are reachable and responding over HTTPS. It detects downtime and alerts you when a domain becomes unreachable.

## How Scanning Works

Scanward runs automated scans on a configurable schedule based on your plan:

- **Free tier:** Every 24 hours
- **Pro tier:** Every 12 hours
- **Agency tier:** Every 6 hours

Each scan produces a score (0-100) for each of the six dimensions, which are combined into an overall A-F security grade. The scoring algorithm penalizes issues proportionally to their severity — an expired SSL certificate has a bigger impact than a missing Permissions-Policy header.

## Alert Types

Scanward sends email alerts for nine event types:

1. Overall security grade drops (e.g., A → B)
2. SSL certificate approaching expiry (7 days, 30 days)
3. Domain registration approaching expiry
4. Domain becomes unreachable
5. Individual scanner score drops significantly
6. SSL certificate has expired
7. Domain registration has expired
8. New security issue detected
9. Previously failing check is now passing (recovery)

## Who Is Scanward For?

### Small and Medium Businesses

Most SMBs don't have a security operations center (SOC) or dedicated security team. Scanward gives them enterprise-grade external security scanning without the enterprise price tag. One person can monitor all company domains from a single dashboard.

### Digital Agencies

Agencies managing 10-50 client domains need to keep every domain secure. Scanward's Agency plan ($79/month for 50 domains) provides a single dashboard to monitor all client domains. Branded PDF reports can be generated for client reviews.

### Managed Service Providers (MSPs)

MSPs responsible for client infrastructure use Scanward as a lightweight external security monitoring layer. It complements internal monitoring tools (like RMM platforms) by covering the internet-facing attack surface.

### IT Managers and Sysadmins

Individual IT professionals responsible for their organization's domain security use Scanward to get continuous visibility into their external security posture without manual checks.

## Comparison: Scanward vs Enterprise EASM

Traditional EASM platforms (Hardenize/Red Sift ASM, Detectify, CyCognito, Expanse/Cortex Xpanse) are built for enterprises with hundreds of domains and six-figure security budgets. They typically require sales calls, annual contracts, and dedicated onboarding.

Scanward is self-serve, starts free, and focuses on the security checks that matter most for small teams: SSL, DNS, headers, email auth, uptime, and domain registration. No asset discovery across unknown IP ranges — just focused monitoring of the domains you already know about.

## Free Security Tools

Scanward offers six free security tools that require no signup:

### SPF Record Generator

Build a valid SPF record for your domain. Select from 16 common email providers (Google Workspace, Microsoft 365, Mailchimp, SendGrid, Amazon SES, etc.), add custom IP addresses and include mechanisms, choose your enforcement policy (~all, -all, ?all), and get a copy-paste DNS TXT record. Includes a DNS lookup counter to stay under the 10-lookup SPF limit.

### DMARC Record Generator

Create a DMARC policy for your domain. Choose enforcement level (none/quarantine/reject), set aggregate (rua) and forensic (ruf) reporting email addresses, configure advanced options (percentage, subdomain policy, SPF/DKIM alignment mode), and generate the TXT record.

### SSL Certificate Checker

Check any domain's SSL certificate for expiry date, TLS protocol version (1.2 vs 1.3), cipher suite strength, and certificate chain validation issues. Uses the same scanning engine as the full Scanward platform.

### DNS Lookup Tool

Query A, AAAA, MX, NS, TXT, and CNAME records for any domain. Check DNSSEC status, detect dangling CNAME records (subdomain takeover risk), and identify DNS misconfigurations. Uses the same scanning engine as the full Scanward platform.

### Security Headers Checker

Scan any website for HTTP security headers: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy. See which headers are present and which are missing, with a score from 0-100.

### WHOIS Lookup

Look up domain registration details including registration date, expiry date, registrar name, and transfer lock status. Uses RDAP with WHOIS fallback for broad TLD coverage.

## Technical Architecture

- **Backend:** Python 3.12, FastAPI, SQLAlchemy, Celery + Redis for task scheduling
- **Frontend:** Next.js (React) dashboard at app.scanward.com
- **Landing page:** Static HTML on Cloudflare Pages at scanward.com
- **Database:** PostgreSQL
- **Scanning:** Custom scanner modules for each security dimension (SSL, DNS, headers, email, uptime, domain registration)
- **Payments:** Stripe integration with checkout, billing portal, and webhooks

## Pricing

| Plan   | Domains | Scan Frequency | Price     |
|--------|---------|----------------|-----------|
| Free   | 1       | Every 24 hours | $0/month  |
| Pro    | 10      | Every 12 hours | $29/month |
| Agency | 50      | Every 6 hours  | $79/month |

All plans include all features (alerts, PDF reports, all six scanners). The only differences are domain count and scan frequency.

## Links

- Website: https://scanward.com
- Dashboard: https://app.scanward.com
- Free Tools: https://scanward.com/tools/
- Blog: https://scanward.com/blog/
- Privacy Policy: https://scanward.com/privacy/

## Blog & Educational Content

- What Is External Attack Surface Management (EASM)?: https://scanward.com/blog/what-is-easm/
- The Complete Guide to SPF, DKIM, and DMARC: https://scanward.com/blog/spf-dkim-dmarc-guide/
- 7 Security Headers Every Website Needs: https://scanward.com/blog/security-headers-guide/
- DNSSEC Explained: What It Is and How to Enable It: https://scanward.com/blog/dnssec-explained/
- SSL Certificate Monitoring: Prevent Expiry Downtime: https://scanward.com/blog/ssl-certificate-monitoring/
- Domain Expiry Monitoring: A Hidden Security Risk: https://scanward.com/blog/domain-expiry-monitoring/
- Check Your Domain Security Score in 30 Seconds: https://scanward.com/blog/domain-security-score/
- Scanward vs Hardenize: Security Monitoring Compared: https://scanward.com/blog/scanward-vs-hardenize/
- Domain Security Scanner: How to Scan Your Domain for Vulnerabilities: https://scanward.com/blog/domain-security-scanner/
- Subdomain Takeover: What It Is and How to Prevent It: https://scanward.com/blog/subdomain-takeover/
- Website Security Grade: What It Means and How to Improve Yours: https://scanward.com/blog/website-security-grade/
- DNS Monitoring: Why You Need It and How to Set It Up: https://scanward.com/blog/dns-monitoring/