Sentinela.

External observation platform

Your site, seen from outside — uptime and security in one dashboard.

We monitor availability 24/7 and audit your domain’s external security posture. You catch problems before your customer does — with pricing in BRL, hosted in Brazil.

No card to start · 5 monitors free forever · 2-minute setup

Dashboard

exemplo.com.br: up
Uptime 30d: 99.97%
Grade: B · 84/100

Latest checks (1 min)

  • TLS / Certificate: ok
  • CSP without unsafe-inline: medium
  • LGPD · banner before tracking: high

Two products, one platform

Everything visible from outside your domain.

No agent, nothing to install on your server. We observe the way a visitor — and an attacker — would.

Sentinela Uptime

Know it went down before your customer does.

  • 7 check types — HTTP, keyword, ping, port, heartbeat, DNS, Vercel
  • Interval from 1 minute, retry with confirmation
  • 8 alert channels — email, webhook, Telegram, Slack, Discord, PagerDuty, Opsgenie, Jira
  • p50/p95/p99 metrics + auto-pause + maintenance windows
  • Public status page with email subscription + RSS feed

Sentinela Security Audit

See your site the way an attacker does.

  • 48 probes across 6 layers — 39 observe from outside, 9 opt-in (5 white-box + dependencies via API + Vercel + 2 breach)
  • Score 0–100 + grade A–F + recommendation per finding
  • CTEM: business-contextualized risk, annual exposure in money (with Uptime data), KEV/EPSS prioritization
  • Remediation with owner, due date, MTTR & SLA — auto-closes when the finding disappears
  • Break the Build: CI/CD API with SARIF output (GitHub Code Scanning)
  • LGPD/ISO 27001/PCI-DSS compliance map + AI executive summary
  • Diff between audits with a stable signature + executive PDF (white-label on higher plans)

How it works

48 probes across 6 distinct layers.

Website security isn’t one thing — it’s TLS, DNS, headers, email, LGPD, WAF, exposed code and dependencies. Each layer has its own set of specialized probes. Sentinela runs them all, explains every finding, and prioritizes what matters.

01 · 5 probes

Network & reach

How the target presents itself on the internet.

DNS · DNS Security (CAA + AXFR) · DNSSEC (via DoH) · TCP Ports · Reputation (DNSBL + Safe Browsing)

02 · 27 probes

Web application

How the application responds to a visitor (or attacker).

TLS · Headers · Cookies · Path exposure · Sensitive file discovery · JS Bundle · Source Leak · Error page · WordPress · Multi-CMS (Drupal/Joomla!/Magento) · Malware Scan · API Surface · GraphQL/JWT · Cloud Storage · CORS · HTTP methods · Active XST confirmation · Open redirect · Robots/Sitemap · WAF Detection · Directory Discovery · Tech Disclosure · Host Header Injection · Internal Network Leak · Form Password · Caching Security · Security.txt Quality

03 · 6 probes

Identity & domain

Who answers for this domain, how it receives email, and protection against hijacking.

Email presence (SPF/DKIM/DMARC) · Email strength (SPF/DMARC quality) · MTA-STS/TLS-RPT · Whois (RDAP) · Domain Lock · Sub-domains (CT + takeover)

04 · 1 probe · 7 detectors

Compliance

The Brazilian layer — LGPD observable from outside. Feeds the LGPD/ISO 27001/PCI-DSS compliance map.

Third-party trackers · Banner & dark pattern · Policy & DPO · Form without notice · PII in URL · International transfer · Tracking cookies

05 · 2 probes (opt-in)

People

Human vector — the target’s domain and emails in public data breaches.

Credential leak (registrable domain vs Have I Been Pwned, 100% passive) · Email leaks (via h8mail)

06 · 7 probes (opt-in)

Source code & deploy

Opt-in (Agency+) — 5 white-box probes with a temporary repo clone + 1 that reads dependency lockfiles via the provider API + 1 gray-box connector to the Vercel API.

Repo dependencies (OSV.dev) · SAST (Semgrep) · Secret scanning (Gitleaks) · Dockerfile (Hadolint) · IaC (Trivy) · GitHub Actions · Vercel (API)

The People and Source code layer probes are opt-in and need extra data (breach toggle, repository URL, Vercel token). The other 39 probes run on every audit once you authorize the domain — 3 of them (Ports, Directory Discovery and active XST confirmation) behind an extra authorization gate for active probing.

Score & grade

An actionable grade — not a list to ignore.

penalty

penalty = 10·critical + 5·high + 2·medium + 0.5·low
score   = clamp(100 − penalty, 0, 100)

Alerts only fire for new high- or critical-severity findings. What persists between runs doesn’t alert again — you’ve already been warned.

ranges

  • A   90 – 100   excellent
  • B   80 – 89   good
  • C   70 – 79   average
  • D   60 – 69   fragile
  • F   < 60     critical
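The score, grade and alert rules above, worked through on two constructed audit runs. This is an added example, not Sentinela's own code: the finding fields (`probe`, `rule`, `target`), the way the stable signature is derived, and the choice to put a fractional score such as 89.5 in the lower grade are all assumptions.

```python
import hashlib

WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 0.5}
GRADE_FLOORS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]  # below 60 is F

def signature(finding):
    # Assumption: a signature that ignores severity and timestamps, so the
    # same finding is recognised across runs even if its wording changes.
    key = "|".join((finding["probe"], finding["rule"], finding["target"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def score(findings):
    penalty = sum(WEIGHTS.get(f["severity"], 0) for f in findings)
    return max(0.0, min(100.0, 100 - penalty))  # clamp(100 - penalty, 0, 100)

def grade(value):
    # 0.5-point penalties give fractional scores; 89.5 is treated as B here.
    for floor, letter in GRADE_FLOORS:
        if value >= floor:
            return letter
    return "F"

def diff_runs(previous, current):
    prev = {signature(f): f for f in previous}
    cur = {signature(f): f for f in current}
    new = [f for s, f in cur.items() if s not in prev]
    resolved = [f for s, f in prev.items() if s not in cur]  # candidates to auto-close
    # Only findings that are both new and high/critical fire an alert.
    alerts = [f for f in new if f["severity"] in ("high", "critical")]
    return {"new": new, "resolved": resolved, "alerts": alerts}

def finding(probe, rule, target, severity):
    return {"probe": probe, "rule": rule, "target": target, "severity": severity}

# Constructed sample runs (not real audit output).
PREVIOUS = [
    finding("lgpd", "banner-before-tracking", "/", "high"),
    finding("headers", "csp-unsafe-inline", "/", "medium"),
    finding("cookies", "missing-samesite", "/", "low"),
]
CURRENT = [
    finding("lgpd", "banner-before-tracking", "/", "high"),   # persists: no new alert
    finding("cookies", "missing-samesite", "/", "low"),
    finding("paths", "exposed-env-file", "/.env", "critical"),  # new: alerts
    finding("tech", "server-version-disclosed", "/", "low"),    # new: too low to alert
]

if __name__ == "__main__":
    for name, run in (("previous", PREVIOUS), ("current", CURRENT)):
        print(name, score(run), grade(score(run)))
    print([f["rule"] for f in diff_runs(PREVIOUS, CURRENT)["alerts"]])
```
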

Uptime

Seven check types — one for each case.

Six pull modes (Sentinela fetches the target) and one push (the target pings us — for internal jobs with no exposed HTTP).

http

HTTP(S)

Checks the expected status, measures response time and watches the SSL certificate — warns 30 days before expiry.

keyword

Keyword

Extends HTTP by matching (or negating) a keyword in the body. Detects a generic error page that returns 200.

ping

Ping (ICMP)

Sends an echo packet and measures latency. For a server or device with no exposed HTTP.

port

Port (TCP)

Opens a socket on a specific port. SSH, SMTP, MySQL, Redis — services that don’t speak HTTP.

heartbeat

Heartbeat (push)

Your cron pings a unique Sentinela URL. No ping within the interval → goes DOWN. For backup, sync or queue jobs.

dns

DNS (resolve A)

Resolves the A record and measures lookup duration. Detects a lost zone and slow propagation without HTTP.

vercel

Vercel (error logs)

Queries the official Vercel API on every check. Goes DOWN when the production deploy fails or runtime errors exceed the threshold you set (0 = any new error).

Who it’s for

Four profiles, one plan that fits.

Agencies & freelancers

Deliver recurring value.

Monitor and audit all your clients’ sites in a single account. White-label PDF with your brand. Bill it as a monthly service and show A–F grade progress in every report.

SMBs & e-commerce

Find out before the customer complains.

Clear alerts, a simple grade to understand and a dedicated LGPD probe. No need to hire a consultant to know whether you’re compliant.

Technical teams (DevOps / SRE / CISO)

Backlog prioritized by evidence.

Webhook to Slack/Telegram, full API, diff between runs with a stable signature, KEV/EPSS enrichment to prioritize what’s actually being exploited.

Compliance & legal

Recurring documented evidence.

Executive PDF dated per audit. Monthly history to show the DPO, client or auditor that there is continuous compliance effort — not a one-off snapshot.

What sets it apart

Why Sentinela — and not something else.

A single external observer

Competitors do uptime or security audit. Here you correlate "it went down" with "a header is missing" in the same dashboard, with the same history, on the same plan.

Genuinely localized

UI, emails, Telegram notifications, PDF and every finding description written by humans. No CVE pasted from a foreign scanner.

LGPD-first

A dedicated LGPD probe covers consent, transparency, DPO and tracking without opt-in. We host in Brazil and speak Brazilian law natively.

No lock-in

Export everything: PDF, CSV via API, open webhook. Cancel whenever you want, your data stays yours.

Actionable score

A list of 80 findings with no context doesn’t help. Here each finding has severity, technical evidence and a clear recommendation — ordered by what moves your grade most.

Technical honesty

It’s not a pentest and we say so up front. It’s automated, recurring, complementary external ASM — not a replacement for a human pentester.

In three steps

Two-minute setup. Visibility forever.

01

Register your domain

No agent, nothing to install. We observe from outside. Authorize the audit with one click to enable the active probes.

02

Receive alerts and audits

Real-time uptime on the channels you choose. Weekly automatic security audit (or on demand), with a diff against the previous one.

03

Act with context

Dashboard to track, executive PDF to show, diff to prioritize. A clear recommendation per finding.

Plans

A plan that grows with you. No charge per event.

Uptime and Security Audit included in every paid plan. Prices in BRL, with a Brazilian invoice.

Free

R$ 0 forever

  • 5 monitors
  • 5-min interval
  • 1 audit/month
  • Public status page
  • Email notification

Pro

R$ 49 /month

  • 50 monitors
  • 1-min interval
  • 4 audits/month
  • Webhook + Telegram + email
  • Executive PDF
  • Diff between runs
  • Read-only API

★ Most popular

Business

R$ 149 /month

  • 200 monitors
  • Unlimited audits
  • 48 probes across 6 layers + breach/dependencies (layers 5-6 opt-in)
  • Custom domain on status page
  • Full API
  • 5 users

Agency

R$ 349 /month

  • 500 monitors
  • Multi-client
  • Source-code audit — SAST, secret scanning, Dockerfile, IaC, GitHub Actions
  • White-label PDF
  • White-label status page
  • Unlimited users
  • 1:1 onboarding

Common questions

Before you create an account.

Do I need to install anything on my server?

No. Sentinela is an external observer — we make HTTP, DNS, TCP requests and public lookups from outside. No agent, no credentials, no code in your app.

Is it a pentest?

No. It’s automated, recurring external ASM (Attack Surface Management). A pentest involves active human exploitation and is out of our scope — and we say so up front so you don’t expect what we don’t deliver.

Will running the audit take my site down?

No. Probes are lightweight and respect rate limits. A full audit runs in a few minutes with negligible impact.

Why do I need to authorize the domain before auditing?

Because even lightweight probes touch your server. Explicit authorization protects you legally and us ethically. Without authorization, only 100% passive probes run (DNS, WHOIS, CT logs).

Is it LGPD-compliant?

Yes — and we have a dedicated probe to check your site’s LGPD compliance. We host in Brazil, retain data per our policy, and offer a DPA on the Enterprise plan.

Does it work with WordPress / Next.js / SPA / Cloudflare?

Yes. External probes don’t depend on your framework. There’s extra WordPress analysis when we detect the stack, and the report explicitly indicates when something sits behind a WAF.

Can I cancel anytime?

Yes. No penalty, no minimum term. You keep access until the end of the paid cycle and then 30 days read-only to export everything, before definitive deletion per our LGPD policy.

Start free

Five monitors and one audit per month — forever.

No card. No deadline. No automatic charge. Upgrade when you need to.