Security Posture Monitoring
Your own domains can be your biggest exposure: spoofable email, expiring certificates, forgotten subdomains, files you never meant to publish. Layer 5 checks every domain you own, every day, grades each one A to F, and shows your team exactly what to fix.
Most attacks start with a soft target
Before anyone crafts a phishing email, automated scanners sweep the internet for easy wins — an exposed .env file, a weak DMARC policy, a forgotten subdomain. Layer 5 makes sure that when those scanners reach your domains, they find nothing worth their time and move on.
Direct protection + deterrence
Every check earns its place two ways. It closes a real hole, and it signals a hard target. A domain that visibly does the basics — and a little better — gets scored as too sophisticated to bother with, so opportunistic attackers drop you out of the easy-victim funnel and chase someone else.
Close the holes attackers look for first
Exposed files, spoofable email, dangling subdomains, expiring certs — the commodity checklist, covered.
See your domains the way an attacker does
An outside-in view of everything you've published, including the subdomains and look-alike domains you forgot you owned.
A board-ready grade, not a 200-line report
One A–F score per domain that a CISO and a CEO can both read in five seconds — backed by exact, fix-it detail underneath.

Outward-facing
Watch the outside world for other people impersonating you — look-alike domains, rogue certificates, copied content, unauthorized embeds. The threat is someone else’s infrastructure.
Inward-facing
Audits your own domains and configuration — the inverse view. Same platform, same domain list, same dashboard; a brand-new question: are we the soft target?
One scorecard, five questions
Every scan rolls 40+ individual checks into five plain-English categories. Each gets its own score; together they make your domain’s overall grade.
Email Security
Can someone send email as you?
- DMARC, SPF and DKIM policy strength
- MTA-STS, TLS-RPT and BIMI readiness
- Null MX & blocklist (RBL) checks
- Role-aware: graded for how the domain is used
Domain & DNS
Is the domain itself solid?
- Subdomain takeover (dangling CNAME)
- DNSSEC, CAA and wildcard hygiene
- Domain expiry & registrar-lock status
- Dangling NS delegation
TLS / SSL
Is the connection trustworthy?
- Certificate validity, chain & hostname match
- Expiry early-warning
- HSTS enforcement
- Deprecated protocols & weak ciphers
Web Hardening
Is the browser protecting your users?
- Security headers (CSP, X-Frame-Options, nosniff…)
- Secure cookie flags
- security.txt & SRI
- COOP / COEP / CORP isolation
Exposure
Are you leaking anything attackers can use?
- Exposed files (.env, .git/, backups, configs)
- Information disclosure (banners, stack traces, dir listing)
- Secrets in served JavaScript (redacted fingerprint only)
- Never stores raw secrets — salted hash + preview only
Role-aware email grading
Why an “empty” domain still gets a verdict
A registered-but-unused domain is the easiest to spoof, not the hardest — email needs no MX records to send. So Layer 5 grades each domain for its actual job:
- Sending domains — graded for correct, enforced sender config.
- Parked / defensive domains — graded for being locked down so they can’t be spoofed.
100% passive: DNS lookups, a TLS handshake, and plain page requests only. Layer 5 never sends an attack payload at your infrastructure.
How a scan works
Enrol a domain, and a dedicated scanner picks it up automatically. One pass, five categories, one coherent scorecard.
Discover the surface
On enrolment we map your domain and pull its known subdomains from Certificate Transparency, so forgotten endpoints get scanned too — not just the apex.
Scan passively
A dedicated scanner runs all five categories in a single pass using a native engine — DNS, TLS handshake, and plain page reads. No binaries, no payloads, fully reproducible.
Score & grade
Findings roll up into five category scores and a 0–100 overall, shown as an A–F grade. Owned look-alike domains and risky subdomains pull the brand grade down too.
Track & re-check
Every issue gets fix-it guidance and a lifecycle. Scans run daily — fix something and it closes itself; if it comes back, the finding re-opens. Rescan on demand anytime.

Findings that explain themselves
Layer 5 doesn’t just flag problems — every finding ships with hand-written, specific remediation guidance. No jargon dumps, no “consult your provider.”
- Plain-English fix-it steps written for the exact issue, on the scorecard next to the finding.
- A remediation lifecycle — open, acknowledged, remediated — with a full history per domain.
- Self-healing: fix it and the next scan closes it; if it regresses, the finding re-opens automatically.
- Exposed-secret findings store only a salted fingerprint and a redacted preview — never the raw value.
Subdomain discovery
Seeded from Certificate Transparency on enrolment and kept fresh by our live CT stream (Layer 4), so the subdomains attackers find are the subdomains we check — for dangling-CNAME takeover, DMARC coverage, and TLS health.
Whole-brand scoring
The overall grade reflects your brand's surface, not just one hostname. A spoofable look-alike domain or a takeover-ready subdomain deducts from the score — capped, so a sound primary domain is never dragged to an F by defensive registrations alone.
Built on the platform
Same domain list, same Security Center, same per-company reporting as Layers 1–4. Layer 5 is a new lens on infrastructure you've already onboarded — nothing extra to set up.
The architecture, briefly
A dedicated worker does the scanning and pulls its own work; our app just orchestrates and stores. The same proven pattern behind our domain and certificate monitoring — built to scan many domains without ever timing out.
Ready to Defend Your Domain?
Join leading organizations protecting their customers and employees from sophisticated domain-based attacks.