What we do
We use GET/HEAD-style public checks, metadata review, header analysis, indexing review, route surface mapping, public evidence capture, and business-contextual reporting.
Security scope
ProofCairn is not an automated pentesting product. Our trust and exposure checks are designed to help businesses understand visible risk without unsafe or invasive behavior.
We do not use brute forcing, exploitation, token forging, destructive requests, privileged API calls, credential stuffing, malware, or unauthorized account access.
Assisted and deep reviews require customer authorization, clear scope, and professional validation before risk claims are delivered.
Monitoring uses public pages, ProofCairn identity, domain throttling, robots awareness, and opt-out handling.
If a review surfaces a serious exposure, ProofCairn redacts sensitive values and frames evidence around business impact, confidence, and remediation priority. We do not publish customer findings without permission.
Domain owners can request exclusion from active monitoring. Verified opt-outs are enforced before scheduled monitoring runs.