
Sentinela Security Audit

See your site the way an attacker does.

Forty-eight probes across six distinct layers: 39 observe the target from outside (no agent, no credentials, no blocked traffic — 3 of them only run after the authorization gate) and 9 are opt-in — 5 white-box that temporarily clone the repository to run SAST (Semgrep), secret scanning over git history (Gitleaks), Dockerfile lint (Hadolint), IaC scan (Trivy: Terraform, Kubernetes, CloudFormation) and GitHub Actions workflow auditing, 1 that reads dependency lockfiles via the provider API (no clone) cross-referenced with OSV.dev, 1 gray-box that connects to the official Vercel API, and 2 that cross the target’s domain and emails against public breach databases. Every finding comes with severity, technical evidence and a clear recommendation. LGPD/ISO 27001/PCI-DSS compliance map, AI-generated executive summary, score 0–100, grade A–F, diff between audits and executive PDF.

No agent · No install · Non-invasive · You must authorize the domain before the audit

Technical honesty

What this is, and what it isn’t.

Sentinela Security Audit is external ASM (Attack Surface Management): non-invasive observation of the surface your domain exposes to the internet. It is not a pentest. We don’t exploit vulnerabilities, don’t brute-force, don’t try to bypass authentication. For a penetration test you want a human pentester — and we help by pointing out the obvious things before they charge a lot to point out the same ones.

Sentinela’s role is to see and warn, not to intercept. Fail-safe and fail-loud: a probe that fails becomes an informational finding, it never goes silent.

Three layers · One platform

Scanners stop at the eyes. CTEM crosses all three.

This page is organized in three layers — easier to navigate if you have the map before the dense list of 48 probes further down.

01

Eyes

Find what exists.

48 probes: a native PHP family plus wrapped Nuclei, Semgrep, Gitleaks and Trivy. The native family covers network, TLS, headers, email, exposure, privacy (LGPD-BR by default; GDPR opt-in per target) and cloud with no external binary, so it is lightweight and cheap. The wrapped family steps in where the industry already solved the problem: CVE templates, SAST, IaC.

See the 48 probes →

02

Brain

Translate into priced risk.

Technical A–F grade comparable across targets + contextual risk by business criticality + CISA KEV + EPSS + ALE in money/year using real downtime from Uptime. The technical score stays untouchable (comparability); context lives on a parallel axis.

See scoring and financial risk →

03

Arms

Close the loop down to the fix.

Every finding becomes an assignable RemediationTask with SLA, MTTR per workspace, JIRA integration and Break-the-Build via Sanctum API + SARIF 2.1.0 in GitHub Actions. Doesn’t stop at the report — goes all the way to the pull request.

See remediation and CI/CD →

Most ASM tools stop at the eye — they deliver a list. CTEM is what wires all three layers into a single flow.

How it works

48 probes across 6 distinct layers.

Website security isn’t one thing. Each layer has its own set of specialized probes observing a different aspect of your domain’s external surface.

01 · Layer

Network & reach

How the target presents itself on the internet — DNS, open ports, reputation.

5 probes

DNS

NS health, propagation, record consistency and resolution.

DNS Security

CAA records (certificate issuance control, MEDIUM if absent) and AXFR zone transfer over TCP (CRITICAL if allowed — exposes the entire DNS zone).

DNSSEC

Checks DNSSEC via DNS-over-HTTPS (Cloudflare DoH). Detects domains without DS/DNSKEY (MEDIUM) or with a broken chain — DS present but AD bit absent (HIGH).

Ports (TCP)

Top-30 TCP scan + banner grabbing. Gated by explicit authorization.

Reputation

Spamhaus DNSBL + optional Google Safe Browsing.

02 · Layer

Web application

How your application responds to a visitor (or attacker).

27 probes

TLS / Certificate

Versions (TLS 1.0/1.1 deprecated, TLS 1.3 missing), ciphers, expiry, hostname, signature, OCSP.

HTTP headers

HSTS (preload, includeSubDomains), CSP (unsafe-inline, wildcards, Trusted Types), COOP/COEP/CORP, HTTPS redirect, version disclosure.

Cookies

Secure, HttpOnly, SameSite, __Host-/__Secure- prefixes on session cookies.
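The header and cookie checks above are simple to reproduce. The following is an added example, not Sentinela's own code: it runs the HSTS, CSP and cookie checks over a constructed set of response headers. The severities, the one-year HSTS threshold and the `SESSION_HINTS` list used to decide whether a cookie is a session cookie are assumptions made for the example.

```python
"""Header and cookie checks of the kind the HTTP headers and Cookies probes
describe, run over constructed response headers. Added illustration, not
Sentinela's code; severities, thresholds and SESSION_HINTS are assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

ONE_YEAR = 31536000  # max-age in seconds that the HSTS preload list requires
SESSION_HINTS = ("session", "phpsessid", "sess", "auth", "token")  # assumed heuristic

@dataclass
class Finding:
    severity: str
    title: str

def parse_directives(value: str) -> Dict[str, str]:
    """Split 'k=v; flag; k2="v2"' (cookie attributes, HSTS) into a lowercase-key dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip().strip('"')
    return out

def check_cookie(set_cookie: str) -> List[Finding]:
    first, _, rest = set_cookie.partition(";")
    name = first.partition("=")[0].strip()
    attrs = parse_directives(rest)
    is_session = any(h in name.lower() for h in SESSION_HINTS)
    out: List[Finding] = []
    if "secure" not in attrs:
        out.append(Finding("HIGH" if is_session else "MEDIUM", f"{name}: missing Secure"))
    if "httponly" not in attrs:
        out.append(Finding("HIGH" if is_session else "LOW", f"{name}: missing HttpOnly"))
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        out.append(Finding("MEDIUM", f"{name}: SameSite is not Lax/Strict"))
    # Prefix rules: __Host- requires Secure, Path=/ and no Domain; __Secure- requires Secure.
    if name.startswith("__Host-"):
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            out.append(Finding("HIGH", f"{name}: __Host- requirements violated"))
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            out.append(Finding("HIGH", f"{name}: __Secure- requires Secure"))
    elif is_session:
        out.append(Finding("LOW", f"{name}: session cookie without __Host-/__Secure- prefix"))
    return out

def check_hsts(value: Optional[str]) -> List[Finding]:
    if value is None:
        return [Finding("MEDIUM", "Strict-Transport-Security missing")]
    d = parse_directives(value)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        max_age = 0
    out: List[Finding] = []
    if max_age < ONE_YEAR:
        out.append(Finding("LOW", f"HSTS max-age {max_age} is below one year"))
    if "includesubdomains" not in d:
        out.append(Finding("LOW", "HSTS without includeSubDomains"))
    if "preload" not in d:
        out.append(Finding("INFO", "HSTS without preload"))
    return out

def check_csp(value: Optional[str]) -> List[Finding]:
    if value is None:
        return [Finding("MEDIUM", "Content-Security-Policy missing")]
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src falls back to default-src when absent, as the CSP spec says.
    script = directives.get("script-src", directives.get("default-src", []))
    out: List[Finding] = []
    if "'unsafe-inline'" in script:
        out.append(Finding("HIGH", "script-src allows 'unsafe-inline'"))
    if any("*" in src for src in script):
        out.append(Finding("MEDIUM", "script-src contains a wildcard source"))
    if "require-trusted-types-for" not in directives:
        out.append(Finding("LOW", "Trusted Types not enforced"))
    return out

def audit_response(headers: Dict[str, Any]) -> List[Finding]:
    """headers: name -> value; Set-Cookie is a list because the header repeats."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = check_hsts(lower.get("strict-transport-security"))
    out += check_csp(lower.get("content-security-policy"))
    for cookie in lower.get("set-cookie", []):
        out += check_cookie(cookie)
    return out

def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

# Constructed response headers standing in for a fetched target.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.cdn.example",
    "Set-Cookie": [
        "PHPSESSID=abc123; Path=/",
        "__Host-csrf=tok; Secure; Path=/; HttpOnly; SameSite=Strict",
    ],
}

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        print(f.severity, f.title)
```

On the sample, the unprotected `PHPSESSID` cookie alone yields four findings while the `__Host-csrf` cookie yields none, which is the point of the prefix rules: a `__Host-` cookie cannot be set by a subdomain or over plain HTTP.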

Path exposure

.env, .git, dumps, logs, dependency lockfiles (composer.lock, package-lock.json, yarn.lock, pnpm-lock.yaml — exact pinned versions enable precise CVE targeting), OIDC discovery (/.well-known/openid-configuration), healthchecks (/actuator/health, /readyz), security.txt presence.

Sensitive file discovery

Catches leaks the ExposureProbe misses because they use unpredictable names (dump_2026_xyz.sql, instance_db_hash.sql.gz). Detects open directory listing (Apache/nginx/IIS/Caddy autoindex) on 18 common backup paths and cross-references HTML/robots.txt/sitemap.xml for links with sensitive extensions. Validates via fingerprint (SQL keywords, gzip/zip/SQLite magic bytes, KEY=value format in .env).
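The fingerprint step is what keeps a probe like this from reporting soft-404 pages as leaked dumps. The following is an added example, not the ExposureProbe or Sentinela's code: it classifies constructed response bodies by magic bytes, SQL dump markers and KEY=value density, and extracts sensitive links from a constructed autoindex page. The list of extensions and the 80% KEY=value ratio are assumptions for the example.

```python
"""Content fingerprinting and listing checks of the kind the sensitive file
discovery probe describes. Added illustration, not Sentinela's code; the
extension list and the KEY=value ratio are assumptions for the example."""
import gzip
import re
from typing import Dict, List, Optional

# Constructed sample bodies standing in for responses fetched from candidate URLs.
SAMPLE_GZ = gzip.compress(b"CREATE TABLE users (id INT);")
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26
SAMPLE_SQLITE = b"SQLite format 3\x00" + b"\x00" * 84
SAMPLE_SQL = (b"-- MySQL dump 10.13\nCREATE TABLE `users` (\n  `id` int NOT NULL\n);\n"
              b"INSERT INTO `users` VALUES (1);\n")
SAMPLE_ENV = b"# app\nAPP_ENV=production\nAPP_KEY=base64:abc\nDB_PASSWORD=s3cr3t\nDB_HOST=127.0.0.1\n"
SAMPLE_HTML = b"<!DOCTYPE html><html><head><title>Not found</title></head><body>...</body></html>"
SAMPLE_LISTING = (b'<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>'
                  b'<a href="dump_2026_xyz.sql.gz">dump_2026_xyz.sql.gz</a> '
                  b'<a href="notes.txt">notes.txt</a> <a href="/.env">.env</a></body></html>')

MAGIC = [(b"\x1f\x8b", "gzip"), (b"PK\x03\x04", "zip"), (b"SQLite format 3\x00", "sqlite")]
SQL_RE = re.compile(r"^\s*(?:CREATE TABLE|INSERT INTO|DROP TABLE|-- MySQL dump|-- PostgreSQL database dump)",
                    re.I | re.M)
ENV_LINE_RE = re.compile(r"^[A-Z][A-Z0-9_]*=.*$")
HTML_RE = re.compile(r"\s*<(?:!doctype|html)", re.I)
LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.I)
SENSITIVE_HREF_RE = re.compile(r'href="([^"]+\.(?:sql|sql\.gz|zip|tar\.gz|tgz|bak|log|env))"', re.I)

def fingerprint(body: bytes) -> Optional[str]:
    """Return the leak type a body looks like, or None for HTML and unknown content."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    text = body[:8192].decode("utf-8", "ignore")
    if HTML_RE.match(text):
        return None  # an HTML page: soft-404 or a normal page, not a dump
    if SQL_RE.search(text):
        return "sql-dump"
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]
    kv = [l for l in lines if ENV_LINE_RE.match(l)]
    if len(kv) >= 3 and len(kv) >= 0.8 * len(lines):
        return "dotenv"
    return None

def scan_listing(html: bytes) -> Dict[str, object]:
    """Detect autoindex output and collect links whose extension suggests a sensitive file."""
    text = html.decode("utf-8", "ignore")
    return {
        "open_listing": bool(LISTING_RE.search(text)),
        "sensitive_links": SENSITIVE_HREF_RE.findall(text),
    }

if __name__ == "__main__":
    for label, body in [("gz", SAMPLE_GZ), ("sql", SAMPLE_SQL), ("env", SAMPLE_ENV), ("html", SAMPLE_HTML)]:
        print(label, fingerprint(body))
    print(scan_listing(SAMPLE_LISTING))
```

The magic-byte checks run before any text heuristics so that a gzip-compressed dump is never misclassified by the SQL regex, and a body that parses as HTML is rejected outright, which is the same protection the soft-404 canary gives the directory sweep.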

JS Bundle

Secrets in bundle, public source maps, vulnerable libs (jQuery, Bootstrap, Vue 2, Moment.js), missing SRI, mixed content, CSRF in POST forms.

Source Leak

PEM keys in HTML (CRITICAL), connection strings with credentials (CRITICAL), credentials in HTML comments (HIGH), RFC 1918 IPs in inline scripts (MEDIUM). Filters placeholders.

Error page

Stack trace exposed on 404/500: Laravel/Whoops, Symfony, Django, Rails, ASP.NET, Express.

WordPress

Version, plugins (wordlist 250+, 100/scan), themes, XML-RPC, user enum, debug.log. CVE matching via Wordfence Intelligence — 100k+ vulns with CVSS, daily sync. Automatic EPSS + CISA KEV enrichment.

Multi-CMS

Drupal (exposed CHANGELOG, settings.php), Joomla! (XML manifest, /administrator/), Magento (/magento_version, default admin path). CMS-specific checks.

Malware Scan

Crawl of up to 10 pages. Detects obfuscated JS (eval/atob, Dean Edwards packer), hidden spam content, external iframes, forms with action hijacking, User-Agent cloaking. Cross-references URLs against URLhaus + OpenPhish (~300k entries, daily sync).

API Surface

Exposed OpenAPI/Swagger, enabled GraphQL introspection, field suggestions.

GraphQL / JWT

Exposed GraphQL Playground, JWTs in body/cookie with alg:none (CRITICAL), long expiry, sensitive claims.
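Inspecting a JWT found in a response needs no key: the header and payload are only base64url-encoded JSON. The following is an added example, not Sentinela's code: it locates tokens in a constructed body and cookie, then flags `alg:none` or an empty signature, a missing or long expiry, and sensitive claims. The 30-day expiry threshold and the `SENSITIVE_CLAIMS` list are assumptions for the example, and `build_token` only assembles constructed samples (no signing happens).

```python
"""JWT inspection of the kind the GraphQL / JWT probe describes. Added
illustration, not Sentinela's code; LONG_EXPIRY and SENSITIVE_CLAIMS are
assumptions, and build_token only assembles constructed samples."""
import base64
import json
import re
from typing import List, Tuple

JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")  # 'eyJ' is base64url of '{"'
SENSITIVE_CLAIMS = {"password", "secret", "cpf", "ssn", "card_number"}  # assumed list
LONG_EXPIRY = 30 * 86400  # assumed threshold: 30 days
NOW = 1_767_225_600  # constructed reference time, 2026-01-01T00:00:00Z

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_token(header: dict, payload: dict, signature: bytes = b"") -> str:
    """Assemble a token for the constructed samples; the signature bytes are arbitrary."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url_encode(signature)])

def find_jwts(text: str) -> List[str]:
    """Pull anything JWT-shaped out of a body or Set-Cookie header."""
    return JWT_RE.findall(text)

def inspect_jwt(token: str, now: int) -> List[Tuple[str, str]]:
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    payload = json.loads(b64url_decode(body))
    out: List[Tuple[str, str]] = []
    if str(header.get("alg", "")).lower() == "none" or sig == "":
        out.append(("CRITICAL", "unsigned token (alg:none or empty signature)"))
    exp = payload.get("exp")
    if exp is None:
        out.append(("HIGH", "no exp claim: token never expires"))
    else:
        lifetime = exp - payload.get("iat", now)
        if lifetime > LONG_EXPIRY:
            out.append(("MEDIUM", f"token lifetime is {lifetime // 86400} days"))
    leaked = sorted(k for k in payload if k.lower() in SENSITIVE_CLAIMS)
    if leaked:
        out.append(("HIGH", "sensitive claims in payload: " + ", ".join(leaked)))
    return out

# Constructed samples: an unsigned token in a JSON body and a long-lived one in a cookie.
SAMPLE_BODY = '{"token":"' + build_token({"alg": "none", "typ": "JWT"}, {"sub": "42", "exp": NOW + 3600}) + '"}'
SAMPLE_COOKIE = ("session=" + build_token({"alg": "HS256", "typ": "JWT"},
                 {"sub": "42", "iat": NOW, "exp": NOW + 365 * 86400, "cpf": "123.456.789-00"}, b"\x01" * 32)
                 + "; Path=/; HttpOnly")
SAMPLE_GOOD = build_token({"alg": "RS256", "typ": "JWT"}, {"sub": "42", "iat": NOW, "exp": NOW + 900}, b"\x02" * 64)

if __name__ == "__main__":
    for tok in find_jwts(SAMPLE_BODY + "\n" + SAMPLE_COOKIE):
        print(inspect_jwt(tok, NOW))
```

Note that the check reads the token, it never verifies or forges one: whether the server actually accepts an `alg:none` token is exactly the exploitation step an external scan leaves to a pentester.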

Cloud Storage

Detects S3, GCS and Azure Blob buckets referenced in the HTML. Tests public listing (CRITICAL) or records as INFO if private.

CORS

Wildcard with credentials, Origin reflection, null origin.

HTTP methods

TRACE enabled, sensitive verbs (PUT/DELETE without authentication).

Active XST confirmation

ACTIVE check behind the authorization gate: sends TRACE/TRACK with a unique token in a header and confirms Cross-Site Tracing when the server echoes the token back (MEDIUM — proof, not just "declared"). Non-destructive, narrow scope.

Open redirect

next, redirect and return parameters, confirmed by parsing the host in the Location header of the response rather than by the request alone.

Robots / Sitemap

Sensitive paths declared (admin, internal, backup) in /robots.txt and /sitemap.xml.

WAF Detection

WAF/CDN fingerprint via headers, cookies and body (Cloudflare, Sucuri, Imperva, Akamai, CloudFront, Fastly, Vercel, Azure, F5, Wordfence, ModSecurity). Shows the scanner IP for allowlisting.

Directory Discovery

Parallel sweep of ~40 common paths (admin panels, phpMyAdmin, debug panels such as Horizon, Telescope, Pulse, Debugbar and Clockwork, backups, uploads, config, logs). An OPEN debug panel (HTTP 200) escalates to CRITICAL: queue dashboards render queued job payloads, including channel tokens, webhooks and recipient PII; a panel that is present but protected (403) stays HIGH. Soft-404 detection via canary. Gated by authorization.

Tech Disclosure

Software versions exposed in HTTP headers (Server, X-Powered-By, X-AspNet-Version) and meta generator, enabling targeting by a specific CVE.

Host Header Injection

Reflection of X-Forwarded-Host and X-Original-Host in the body or Location. Detects the password-reset poisoning and cache-poisoning vector (HIGH).

Internal Network Leak

Private RFC 1918 IPs (10.x, 172.16–31.x, 192.168.x), loopback 127.x and internal hostnames (.internal, .corp, .lan) in HTTP headers, which reveal the infrastructure topology to an attacker.

Form Password

Forms with input[type=password] submitted over HTTP (CRITICAL — cleartext password) or to an external domain (HIGH — credential harvesting).

Caching Security

Responses with Set-Cookie without Cache-Control: no-store/private (MEDIUM) and evidence of a session served from a shared cache via the Age header (HIGH). RFC 7234.

Security.txt Quality

Validates security.txt per RFC 9116: mandatory Contact (HIGH), mandatory Expires (MEDIUM), expired record (MEDIUM) or valid for more than 1 year (LOW).
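A security.txt validator is short enough to show in full. The following is an added example, not Sentinela's code: it parses the `Field: value` lines of RFC 9116 and applies the four checks listed above against constructed files and a fixed reference date; the severities follow the text above and the "more than one year" boundary is taken as 365 days.

```python
"""RFC 9116 security.txt checks. Added illustration, not Sentinela's code;
the one-year boundary is taken as 365 days and NOW is a fixed reference date."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed reference date

def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect 'Field: value' lines into lowercase field name -> list of values."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # first colon only; 'mailto:' stays in the value
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text: str, now: datetime) -> List[Tuple[str, str]]:
    fields = parse_security_txt(text)
    out: List[Tuple[str, str]] = []
    if "contact" not in fields:
        out.append(("HIGH", "Contact field missing (required by RFC 9116)"))
    if "expires" not in fields:
        out.append(("MEDIUM", "Expires field missing (required by RFC 9116)"))
        return out
    if len(fields["expires"]) > 1:
        out.append(("LOW", "Expires must appear only once"))
    # RFC 9116 uses ISO 8601 timestamps; the 'Z' suffix is normalised for fromisoformat.
    expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
    if expires <= now:
        out.append(("MEDIUM", f"security.txt expired on {expires.date()}"))
    elif expires - now > timedelta(days=365):
        out.append(("LOW", "Expires is more than one year in the future"))
    return out

# Constructed files standing in for /.well-known/security.txt responses.
GOOD = "Contact: mailto:security@example.com\nExpires: 2026-09-30T00:00:00Z\nPreferred-Languages: pt-BR, en\n"
NO_CONTACT = "Expires: 2026-09-30T00:00:00Z\n"
STALE = "Contact: https://example.com/security\nExpires: 2025-06-01T00:00:00Z\n"
FAR_FUTURE = "Contact: mailto:security@example.com\nExpires: 2029-01-01T00:00:00Z\n"
NO_EXPIRES = "Contact: mailto:security@example.com\n"

if __name__ == "__main__":
    for label, body in [("good", GOOD), ("stale", STALE), ("far", FAR_FUTURE)]:
        print(label, check_security_txt(body, NOW))
```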

03 · Layer

Identity & domain

Who answers for this domain, how it receives email, and protection against hijacking.

6 probes

Email (presence)

SPF (including the 10-DNS-lookup budget of RFC 7208 §4.6.4, beyond which the record evaluates to permerror), common DKIM selectors, DMARC, absence of records.

Email (strength)

Policy quality analysis: SPF +all/?all (HIGH), SPF ~all without DMARC enforcement (MEDIUM), DMARC p=none (HIGH), DMARC pct<100 (LOW). Goes beyond presence — evaluates whether the policy actually protects.
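The presence and strength checks above reduce to parsing two TXT records. The following is an added example, not Sentinela's code: it counts the lookup-consuming SPF terms against the RFC 7208 budget, reads the `all` qualifier, parses the DMARC tags and applies the severities listed above to constructed records. It counts only the terms present in the given record; a real probe must resolve every `include:` and `redirect=` recursively, since their own lookups count too. Treating a missing `all` mechanism as MEDIUM is an assumption.

```python
"""SPF and DMARC strength checks of the kind the Email probes describe. Added
illustration, not Sentinela's code; only top-level SPF terms are counted (no
recursive resolution), and the severity for a missing 'all' is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

# Terms that cost a DNS lookup under RFC 7208 §4.6.4; 'ip4', 'ip6' and 'all' do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def parse_spf(record: str) -> Dict[str, object]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier, mech = "+", term.lower()  # '+' is the default qualifier
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        name = re.split(r"[:/=]", mech, maxsplit=1)[0]  # 'include:x', 'a/24', 'redirect=x'
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    return {"lookups": lookups, "all": all_qualifier}

def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return tags

def assess_email_auth(spf: Optional[str], dmarc: Optional[str]) -> List[Tuple[str, str]]:
    out: List[Tuple[str, str]] = []
    spf_all: Optional[str] = None
    if spf is None:
        out.append(("HIGH", "no SPF record"))
    else:
        s = parse_spf(spf)
        spf_all = s["all"]  # type: ignore[assignment]
        if s["lookups"] > MAX_LOOKUPS:  # type: ignore[operator]
            out.append(("HIGH", f"SPF needs {s['lookups']} DNS lookups (limit {MAX_LOOKUPS}): permerror"))
        if spf_all in ("+", "?"):
            out.append(("HIGH", f"SPF ends in {spf_all}all: anyone may send as the domain"))
        elif spf_all is None:
            out.append(("MEDIUM", "SPF has no all mechanism (default result is neutral)"))
    policy: Optional[str] = None
    if dmarc is None:
        out.append(("HIGH", "no DMARC record"))
    else:
        d = parse_dmarc(dmarc)
        policy = d.get("p", "none")
        if policy == "none":
            out.append(("HIGH", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        if int(d.get("pct", "100")) < 100:
            out.append(("LOW", f"DMARC pct={d['pct']}: policy applied to a sample only"))
    if spf_all == "~" and policy not in ("quarantine", "reject"):
        out.append(("MEDIUM", "SPF softfail (~all) without DMARC enforcement"))
    return out

# Constructed records standing in for the TXT lookups a probe would perform.
SPF_SOFT = "v=spf1 include:_spf.google.com include:sendgrid.net a mx ~all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SPF_OPEN = "v=spf1 +all"
DMARC_SAMPLED = "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com"
SPF_BLOATED = "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"
DMARC_ENFORCED = "v=DMARC1; p=quarantine"

if __name__ == "__main__":
    print(assess_email_auth(SPF_SOFT, DMARC_MONITOR))
    print(assess_email_auth(SPF_OPEN, DMARC_SAMPLED))
    print(assess_email_auth(SPF_BLOATED, DMARC_ENFORCED))
```

The softfail case is the one most often misread: `~all` only marks mail as suspicious, so it protects nothing until a DMARC policy of `quarantine` or `reject` tells receivers what to do with the result.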

MTA-STS / TLS-RPT

Secure SMTP transport policy (RFC 8461): publishes policy, file accessible, enforce mode. TLS reporting (RFC 8460) configured.

Whois (RDAP)

Domain expiry, clientHold status, pendingDelete.

Domain Lock

Checks via RDAP whether the domain has a registrar lock: clientTransferProhibited (MEDIUM if absent) and clientDeleteProhibited (LOW if absent). Prevents domain hijacking.

Sub-domains

Passive discovery via Certificate Transparency (crt.sh) + subdomain takeover check on 16 services (GitHub Pages, Heroku, Fastly, etc.).

04 · Layer

Compliance

The Brazilian layer — LGPD observable from outside, based on the articles that hit the typical site. Findings feed the compliance map (LGPD/ISO 27001/PCI-DSS).

1 probe · 7 detectors

Third-party trackers

GA4, GTM, Meta Pixel, Hotjar, Clarity, TikTok, LinkedIn, Mixpanel, Amplitude, Segment, FullStory and more — 24 hosts + 11 inline patterns (gtag, fbq, dataLayer). Detects a tracker loading BEFORE the banner even when there’s no HTTP cookie. HIGH if no banner. Ref art. 7º, I.

Banner & dark pattern

Detects the banner presence (CookieYes, OneTrust, Cookiebot, Iubenda, Klaro, Didomi, Usercentrics, Termly, Osano and custom) and checks whether there’s a visible "Reject"/"Necessary only" option. An "accept or nothing" banner is a consent defect (ANPD Cookie Guide, art. 8º §4º).

Policy & DPO

Detects a link/mention of the privacy policy and DPO contact via DOM parsing (XPath on <a href> + visible text). Scans a dedicated page (/politica-de-privacidade, /privacidade) collected by the crawler even when the home doesn’t cite it. Refs art. 9º + art. 41.

Form without notice

POST forms collecting email, CPF, phone, name or password without a checkbox or visible link to the privacy policy nearby — missing informed consent (art. 8º, §1º). DOM parsing with heuristic fallback on form siblings.

PII in URL

CPF, email, phone or RG passing via querystring in page links. Value masked before persisting as evidence. Leaks in server logs, browser history and Referer to third parties — a classic security risk (art. 46).

Intl. transfer

Cross-references a foreign hosting fingerprint (Cloudflare, AWS CloudFront, Vercel, Azure, Fastly, Akamai, Fly.io, Netlify, Render, Railway — 17 headers + 7 tokens in Server/Via) with a mention of "international transfer"/"standard contractual clauses" in the text. No disclosure = LOW (art. 33).

Tracking cookies

Classic tracking cookies (_ga, _gid, _fbp, hjid, _hjSessionUser, etc.) set on first visit with no banner detected — HIGH (art. 7º, I).

05 · Layer

People

Human vector — the target’s domain and emails in public data breaches.

2 probes (opt-in)

Credential leak

Opt-in per target. Cross-references the registrable domain (+ extra domains) against the Have I Been Pwned catalog synced locally (daily sync). Emits an aggregate finding with breach count, compromised accounts and the most recent date; severity by recency and sensitivity of exposed data. 100% passive — doesn’t touch the target.

Email leaks

Collects mailto: and fallbacks (contact@, admin@, security@) and cross-references via h8mail against public breach databases.

06 · Layer

Source code & deploy

Opt-in (Agency+ plan) — 5 white-box probes with a temporary repo clone (SAST, secret scanning, Dockerfile, IaC, GitHub Actions), 1 that reads dependency lockfiles via the provider API (no clone) and 1 gray-box connector that reads the Vercel API.

7 probes (opt-in)

Repo dependencies

composer.lock, package-lock.json, yarn.lock, requirements.txt, poetry.lock, go.mod, Gemfile.lock — GitHub/GitLab (subgroups)/Bitbucket. Optional PAT for private repos. Cross-referenced with OSV.dev + CVE/EPSS/KEV.

SAST (Semgrep)

Static analysis with rulesets detected by stack: PHP/Laravel, JavaScript/Express/React, Python/Django/Flask, Go, Ruby, Java + OWASP Top 10. Findings grouped into 15 buckets (SQLi, XSS, command injection, path traversal, mass assignment, weak crypto, etc.). CWE-78/89/94 automatically promoted to CRITICAL.

Secret scanning

Gitleaks scans the current tree + history --depth=N (default 50 commits). Detects AWS/GCP/Azure keys (CRITICAL), GitHub PAT, Stripe/Twilio/SendGrid, PEM private keys, and ~150 other patterns. Value masked (first 4 + last 4 chars) before persisting.

Dockerfile (Hadolint)

Dockerfile lint detecting insecure practices: persistent USER root (HIGH), ADD instead of COPY, unpinned versions in apt/apk/pip/npm, latest tag, missing HEALTHCHECK, shell without pipefail, apt cache not cleaned. 9 translated buckets.

IaC (Trivy config)

Misconfigurations in Terraform (.tf), Kubernetes manifests, CloudFormation, Helm charts, Ansible playbooks + CIS Docker benchmark. Severity straight from Trivy (CRITICAL/HIGH/MEDIUM/LOW), cap of 500 findings per run ordered by severity.

GitHub Actions

Custom parser for .github/workflows/*.yml: pull_request_target combined with a checkout of the PR head (CRITICAL: untrusted PR code runs with the base repository’s secrets and write token), permissions: write-all (MEDIUM), actions without a SHA pin (@branch HIGH, third-party @tag MEDIUM), secrets echoed in run steps (HIGH).

Vercel (API)

Connects to the official Vercel API with a per-target read-only token (encrypted). Audits the Node version (HIGH if EOL/no security support, MEDIUM if recent end of life), whether the latest production deploy broke — with the build error lines — and the failed-build rate in recent history. Doesn’t read environment variables or source code.

The 39 probes in layers 1–4 run on every audit once the domain is authorized (3 of them — Ports, Directory Discovery and active XST confirmation — require an extra authorization gate for active probing). The opt-in probes (layers 5 and 6) need extra data: breach-monitoring toggle, authorization to collect emails, the repository URL for the white-box analyses, and a read-only Vercel token for the project audit.

Score & grade

An actionable grade — not a list to ignore.

Each finding has a fixed weight by severity. The sum is the penalty — subtracted from 100. The grade is a band of the score, for a quick read.

Penalty

penalty = 10·critical + 5·high + 2·medium + 0.5·low
score   = clamp(100 − penalty, 0, 100)

New high- or critical-severity findings are highlighted in the alert. While any critical or high finding stays open, every completed audit re-notifies your channels — alerts stop once you clear the critical/high ones.

Bands

  • A   90 – 100   excellent
  • B   80 – 89   good
  • C   70 – 79   average
  • D   60 – 69   fragile
  • F   < 60     critical

Outputs

Detecting isn’t enough. You have to be able to act.

Diff between runs

Each finding has a stable signature — "TLS 1.0 enabled" in the January run is the same finding in the March run. A "What changed since the last audit" card with counts of resolved, new and recurring, a per-finding badge and a score trend chart across recent audits. No "everything is new every audit" noise.

Posture management

An audit stops being a throwaway snapshot. Accept risk: flag a finding as known risk — it leaves the score but stays in the report, logged and auditable (who accepted, when, why). Re-test on the spot: fixed it? run just that check and confirm ✓ on the same screen, without waiting for the next weekly audit.
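The penalty formula, the grade bands, the diff by stable signature and the accepted-risk rule above fit in a few functions. The following is an added example, not Sentinela's code: it scores two constructed runs, diffs them by signature and shows an accepted finding leaving the score while staying in the list. Mapping fractional scores to a band by "score at or above the band's lower bound" is an assumption, as is the zero weight for informational findings.

```python
"""Scoring, banding, accepted risk and run-to-run diff as described on the page.
Added illustration, not Sentinela's code; band assignment for fractional
scores and the zero weight for INFO findings are assumptions."""
from typing import Dict, Iterable, List, Tuple

SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5, "info": 0.0}
BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]  # anything below 60 is F

Finding = Tuple[str, str]  # (stable signature, severity)

def score(findings: Iterable[Finding], accepted: Iterable[str] = ()) -> Dict[str, object]:
    """penalty = 10*critical + 5*high + 2*medium + 0.5*low; score = clamp(100 - penalty, 0, 100).
    Signatures in `accepted` (known risk) are skipped: they stay in the report, not in the score."""
    accepted_set = set(accepted)
    penalty = sum(SEVERITY_WEIGHT[sev.lower()] for sig, sev in findings if sig not in accepted_set)
    value = max(0.0, min(100.0, 100.0 - penalty))
    grade = next((g for threshold, g in BANDS if value >= threshold), "F")
    return {"penalty": penalty, "score": value, "grade": grade}

def diff_runs(previous: Iterable[Finding], current: Iterable[Finding]) -> Dict[str, List[str]]:
    """Resolved / new / recurring by stable signature, so a re-run is not 'everything is new'."""
    prev = {sig for sig, _ in previous}
    cur = {sig for sig, _ in current}
    return {
        "resolved": sorted(prev - cur),
        "new": sorted(cur - prev),
        "recurring": sorted(prev & cur),
    }

# Constructed findings for two runs of the same target.
JANUARY = [
    ("dns.axfr-open", "critical"),
    ("tls.v1.0-enabled", "high"),
    ("dmarc.p-none", "high"),
    ("csp.unsafe-inline", "medium"),
]
MARCH = [
    ("csp.unsafe-inline", "medium"),
    ("cookie.missing-secure", "low"),
    ("hsts.missing", "medium"),
]

if __name__ == "__main__":
    print("January", score(JANUARY))
    print("January with AXFR accepted as known risk", score(JANUARY, accepted=["dns.axfr-open"]))
    print("March", score(MARCH))
    print("What changed", diff_runs(JANUARY, MARCH))
```

Accepting the AXFR finding moves January from C to B without touching the finding itself, which is why the acceptance has to be logged with who, when and why: the score no longer tells the reader the zone is still transferable.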

Executive PDF

Cover with a dated A–F grade, summary for non-technical readers, findings grouped by category, prioritized recommendations, technical appendix. White-label available on the Agency plan.

CVE enrichment

Findings with a CVE come with EPSS (exploit probability), CISA KEV (known exploitation) and OSV.dev (dependencies). It becomes "I have 3 being actively exploited — those first" instead of "I have 47 CVEs".

Compliance map

Findings are correlated to LGPD, ISO/IEC 27001:2022 and PCI-DSS v4.0 controls — a dedicated tab in the audit and a section in the PDF, with coverage per framework. Automatic external-scan correlation; it doesn’t replace formal certification, but gives the DPO/client a per-standard read.

AI executive summary

Summary and prioritized remediation plan generated by AI from the already-enriched findings (EPSS/KEV), in the target owner’s language. Appears in the audit and the PDF. Optional, on paid plans — degrades cleanly when disabled.

CTEM

From detection to exposure management.

Detection is the start. Sentinela closes the Continuous Threat Exposure Management loop: it contextualizes risk to your business, quantifies it in money, prioritizes by what is actively exploited and covers remediation end to end.

Contextualized Cyber Risk Score

You set each asset's business criticality (and environment). The technical grade stays intact and comparable, but gains a business-risk reading — the same finding weighs differently on a brochure site and on checkout.

Financial risk in money

Estimated annual exposure (ALE): downtime cost from your real Uptime data + incident probability × impact (privacy fines, recovery, reputation). Risk stops being abstract and becomes a board number — only possible with uptime and security on one platform. See the formula and a worked example.

Threat-informed prioritization

A vulnerability under known active exploitation (CISA KEV) or with high probability (EPSS) escalates the asset risk automatically — and pulls the financial exposure with it. Fix what is being exploited, not the whole list.

Remediation with MTTR & SLA

Each finding becomes an assignable task: owner, due date, status and comments, with assignment and due-date emails. Auto-closes when the finding disappears between audits. MTTR and SLA-compliance panel per asset.

Break the Build (CI/CD)

Token API: trigger an audit in the pipeline, poll the verdict and fail the build by minimum score or severity. SARIF 2.1.0 output for GitHub Code Scanning. Ready GitHub Actions snippet.

Third-party risk (TPRM)

Register vendors, link the already-audited hostnames (continuous external posture) and add the security questionnaire — comparative A–F cyber rating per vendor, no new scan engine.

Recurrence

An audit every week, without you remembering.

Set it up once and Sentinela runs on the agreed schedule, generates a diff against the last run and re-notifies your chosen channels on every completed audit while critical or high findings remain — new ones are highlighted.

  • Manual: "Audit now" button at any time
  • Weekly: every [weekday] at [time] in your timezone
  • Monthly: every day X of the month
  • Notification of new critical/high findings goes to the configured channels (email, webhook, Telegram, Slack, Jira), including auto-opening a Jira issue

By profile

Same platform, different readings.

Compliance / Legal

Dated documented evidence.

7 LGPD detectors observable from outside: third-party trackers (GA, Pixel, Hotjar) before the banner, "accept or nothing" banner (consent defect), form without notice, PII in querystring, international transfer without disclosure. The compliance map correlates everything to LGPD/ISO 27001/PCI-DSS. Monthly history shows continuous effort — for the DPO, client or ANPD.

Agency / Freelancer

Recurring billing with proof.

Audit all your clients’ sites in one account. White-label PDF with your brand and an AI executive summary. Show A-F progress every month — a concrete argument for renewal.

Technical team

Backlog prioritized by evidence.

The diff between runs becomes the backlog. Webhook delivers critical findings to the team channel, or opens a ticket straight in Jira (per-finding button or automatic, with dedup so re-runs don’t duplicate). Breach monitoring alerts when the domain shows up in a new public dataset. Repository analysis (Business+) cross-references dependencies with OSV.dev without maintaining Dependabot. The Vercel connector warns about Node EOL and a broken production deploy straight from the official API.

Transparency

Behind the authorization gate.

Before running any active probe on your domain, we require you to check "I authorize the audit of this domain". Without it, only 100% passive probes run (DNS, WHOIS, CT logs). This protects you (and us) and aligns with security research best practices and with the LGPD.

Comparison

Sentinela vs alternatives.

Feature                                      Sentinela          Detectify     Probely     Intruder
Focus                                        ASM + LGPD-BR      DAST + ASM    DAST        VM + ASM
Localized (PT-br native)                     yes
Payment in BRL                               yes
LGPD: trackers, banner & forms               yes
Includes uptime                              yes
A–F score + diff between runs                yes                partial       partial     partial
White-label PDF                              Agency plan        enterprise    enterprise  enterprise
Malware scan (JS/cloaking/threat intel)      yes                paid extra at one of the three
WordPress CVE (Wordfence 100k+)              yes                partial at one of the three
WAF detection + scanner IP                   yes                partial at one of the three
SPF/DMARC strength (beyond presence)         yes
Domain lock (anti-hijacking)                 yes
Breach monitoring (HIBP)                     yes                partial at two of the three
LGPD/ISO/PCI compliance map                  yes
AI executive summary                         yes
Local daily threat-intel sync                yes

Detectify, Probely and Intruder do things Sentinela doesn’t (deep DAST, fuzzing, authenticated scan). Sentinela attacks a different problem: broad external-posture coverage + LGPD-BR + uptime, at an affordable price.

FAQ — security audit

Common questions.

Is it a pentest?

No. It’s automated, recurring external ASM. A pentest involves active human exploitation and is out of our scope — and we say so up front so you don’t expect what we don’t deliver.

Will it take my site down?

No. Probes are lightweight and respect rate limits. The whole audit completes in a few minutes with negligible impact.

Why do I need to authorize?

Because even lightweight probes touch your server. Explicit authorization protects you legally and us ethically.

Do you exploit the vulnerabilities found?

No. We detect and document. Exploitation is the work of a contracted human pentester.

Does it work with SPA / Next.js / WordPress / Cloudflare?

Yes. External probes don’t depend on the framework. There’s specific analysis of WordPress, Drupal, Joomla! and Magento when we detect the stack. If the target uses a WAF, Sentinela detects it automatically and shows the scanner IP in the interface — you allowlist the IP in the WAF and re-audit for full results.

Opt-in probes (layers 5 and 6) — how do I enable them?

Credential leak: the "monitor breaches" toggle on the target form — we cross-reference the domain (and optional extra domains) against the locally synced Have I Been Pwned catalog, without touching the target. Email leaks: h8mail probe. Repo dependencies/code: you fill the repository URL on the target (and an optional PAT for private repos). Vercel: provide the Project ID, the Team ID (if the project belongs to a team) and a read-only Vercel token on the target — we audit Node EOL and deploy health via the official API, without reading env vars or code.

Does the compliance map certify my site?

No. It’s an automatic correlation between the external audit’s findings and LGPD, ISO/IEC 27001:2022 and PCI-DSS v4.0 controls — a per-standard read to prioritize and show the DPO/client. It doesn’t replace a formal audit/certification, which involves documentation, processes and jurisdiction beyond an external scan’s reach. It’s purely presentational: it doesn’t change the score.

How does the AI executive summary work?

After enrichment (EPSS/KEV), an AI generates an executive summary and a prioritized remediation plan from the real findings of that audit, in the target owner’s language. It appears in the audit and the PDF. It’s optional (paid plans) and degrades cleanly: if disabled, the section simply doesn’t appear — nothing is invented beyond the findings.

What exactly does the LGPD audit catch?

Seven detectors observable without credentials: (1) third-party trackers loading without a banner (GA, GTM, Meta Pixel, Hotjar, Clarity, etc. — including inline gtag/fbq with no HTTP cookie), (2) "accept or nothing" banner with no visible reject option (consent defect, ANPD), (3) privacy policy and DPO contact — we scan a dedicated page (/politica-de-privacidade) if the home doesn’t cite it, (4) forms collecting email/CPF/phone/name without nearby notice, (5) PII in querystring (CPF/email/phone in URL — leaks in logs and Referer), (6) international transfer without disclosure when the site runs on Cloudflare/AWS/Vercel without mentioning standard clauses, (7) classic tracking cookies (_ga, _fbp, _hjid, etc.) set on first visit with no detected banner. Explicit refs to Art. 6º VI, 7º I, 8º §1º/§4º, 9º, 33, 41, 46 + the ANPD Cookie Guide.

Does the LGPD audit replace legal counsel?

No. It’s the observable part — what can be seen from outside without access to contracts, ROPA, DPIA or internal processes. It helps the DPO prioritize obvious fixes and give the board a dated measure of progress, but full compliance involves documentation, training and jurisdiction outside the scope of an automated tool.

How does downtime cost feed the financial risk?

On the target form you link an Uptime monitor (we auto-suggest when the host matches). The calculation sums real incident hours from the last 12 months of that monitor × the "revenue per hour" field you fill in on the same form. Without a linked monitor, this leg shows as unavailable; we don’t guess with industry benchmarks. Full breakdown in the post "How we compute risk in R$/year" (/blog/como-calculamos-risco-financeiro-em-reais).

Ready to see?

See your security posture in a few minutes.

Free includes 1 audit per month. For automatic weekly runs, Pro or above.