DefendDomain
Layer 5 · New
Beta

Security Posture Monitoring

Your own domains can be your biggest exposure: spoofable email, expiring certificates, forgotten subdomains, files you never meant to publish. Layer 5 checks every domain you own, every day, grades each one A to F, and shows your team exactly what to fix.

5
Scorecard Categories
40+
Checks Per Domain
A–F
Posture Grade
100%
Passive — Zero Payloads
Why It Matters

Most attacks start with a soft target

Before anyone crafts a phishing email, automated scanners sweep the internet for easy wins — an exposed .env file, a weak DMARC policy, a forgotten subdomain. Layer 5 makes sure that when those scanners reach your domains, they find nothing worth their time and move on.

Direct protection + deterrence

Every check earns its place two ways. It closes a real hole, and it signals a hard target. A domain that visibly does the basics — and a little better — gets scored as too sophisticated to bother with, so opportunistic attackers drop you out of the easy-victim funnel and chase someone else.

Close the holes attackers look for first

Exposed files, spoofable email, dangling subdomains, expiring certs — the commodity checklist, covered.

See your domains the way an attacker does

An outside-in view of everything you've published, including the subdomains and look-alike domains you forgot you owned.

A board-ready grade, not a 200-line report

One A–F score per domain that a CISO and a CEO can both read in five seconds — backed by exact, fix-it detail underneath.

Layer 5 Security Posture scorecard for a domain: an overall C grade at 74/100, with per-category grades and pass/warn/fail badges for Email Security, Domain & DNS, TLS/SSL, Web Hardening and Exposure, a Brand Surface deduction card, and a Rescan button
Layers 1–4

Outward-facing

Watch the outside world for other people impersonating you — look-alike domains, rogue certificates, copied content, unauthorized embeds. The threat is someone else’s infrastructure.

Layer 5

Inward-facing

Audits your own domains and configuration — the inverse view. Same platform, same domain list, same dashboard; a brand-new question: are we the soft target?

One scorecard, five questions

Every scan rolls 40+ individual checks into five plain-English categories. Each gets its own score; together they make your domain’s overall grade.

Email Security

Can someone send email as you?

  • DMARC, SPF and DKIM policy strength
  • MTA-STS, TLS-RPT and BIMI readiness
  • Null MX & blocklist (RBL) checks
  • Role-aware: graded for how the domain is used

Domain & DNS

Is the domain itself solid?

  • Subdomain takeover (dangling CNAME)
  • DNSSEC, CAA and wildcard hygiene
  • Domain expiry & registrar-lock status
  • Dangling NS delegation

TLS / SSL

Is the connection trustworthy?

  • Certificate validity, chain & hostname match
  • Expiry early-warning
  • HSTS enforcement
  • Deprecated protocols & weak ciphers

Web Hardening

Is the browser protecting your users?

  • Security headers (CSP, X-Frame-Options, nosniff…)
  • Secure cookie flags
  • security.txt & SRI
  • COOP / COEP / CORP isolation

Exposure

Are you leaking anything attackers can use?

  • Exposed files (.env, .git/, backups, configs)
  • Information disclosure (banners, stack traces, dir listing)
  • Secrets in served JavaScript (redacted fingerprint only)
  • Never stores raw secrets — salted hash + preview only

Role-aware email grading

Why an “empty” domain still gets a verdict

A registered-but-unused domain is the easiest to spoof, not the hardest — email needs no MX records to send. So Layer 5 grades each domain for its actual job:

  • Sending domains — graded for correct, enforced sender config.
  • Parked / defensive domains — graded for being locked down so they can’t be spoofed.

100% passive: DNS lookups, a TLS handshake, and plain page requests only. Layer 5 never sends an attack payload at your infrastructure.

Under the Hood

How a scan works

Enrol a domain, and a dedicated scanner picks it up automatically. One pass, five categories, one coherent scorecard.

01

Discover the surface

On enrolment we map your domain and pull its known subdomains from Certificate Transparency, so forgotten endpoints get scanned too — not just the apex.

02

Scan passively

A dedicated scanner runs all five categories in a single pass using a native engine — DNS, TLS handshake, and plain page reads. No binaries, no payloads, fully reproducible.

03

Score & grade

Findings roll up into five category scores and a 0–100 overall, shown as an A–F grade. Owned look-alike domains and risky subdomains pull the brand grade down too.

04

Track & re-check

Every issue gets fix-it guidance and a lifecycle. Scans run daily — fix something and it closes itself; if it comes back, the finding re-opens. Rescan on demand anytime.

Layer 5 'How to improve' findings list: 13 findings with severity badges — No clickjacking protection and No HSTS header (Medium, Web Hardening), Deprecated TLS protocol enabled (Medium, TLS), No CAA records (Low, DNS), No X-Content-Type-Options and No Referrer-Policy (Low, Web Hardening) — each row expandable for fix-it guidance

Findings that explain themselves

Layer 5 doesn’t just flag problems — every finding ships with hand-written, specific remediation guidance. No jargon dumps, no “consult your provider.”

  • Plain-English fix-it steps written for the exact issue, on the scorecard next to the finding.
  • A remediation lifecycle — open, acknowledged, remediated — with a full history per domain.
  • Self-healing: fix it and the next scan closes it; if it regresses, the finding re-opens automatically.
  • Exposed-secret findings store only a salted fingerprint and a redacted preview — never the raw value.

Subdomain discovery

Seeded from Certificate Transparency on enrolment and kept fresh by our live CT stream (Layer 4), so the subdomains attackers find are the subdomains we check — for dangling-CNAME takeover, DMARC coverage, and TLS health.

Whole-brand scoring

The overall grade reflects your brand's surface, not just one hostname. A spoofable look-alike domain or a takeover-ready subdomain deducts from the score — capped, so a sound primary domain is never dragged to an F by defensive registrations alone.

Built on the platform

Same domain list, same Security Center, same per-company reporting as Layers 1–4. Layer 5 is a new lens on infrastructure you've already onboarded — nothing extra to set up.

The architecture, briefly

A dedicated worker does the scanning and pulls its own work; our app just orchestrates and stores. The same proven pattern behind our domain and certificate monitoring — built to scan many domains without ever timing out.

Layer 5 architecture: scanner, platform, Security CenterDedicated scannerDOES THE SCANNING2EMAIL · DNS · TLS · WEB · EXPOSUREPulls its own work automaticallyRuns every check nativelyScores and grades locallyFully passive: DNS lookups, a TLShandshake and plain page reads.DefendDomain platformORCHESTRATES & STORESHands out domains due a scanStores findings and scorecardsTracks each finding's lifecycleFull scan history, per domain.Security CenterWHAT YOU SEEA to F grade per domainFindings with fix-it guidanceScore trend over timeA94 / 1001341Claims due domains2Scans passively, five categories3Posts scored results4Scorecard updates live

Ready to Defend Your Domain?

Join leading organizations protecting their customers and employees from sophisticated domain-based attacks.