Methodology

How Sycrion scans work.

Every data source, scan type, and documented limitation. We show exactly what we check — and what we can't.

Data sources

passive — no contact with your servers
active-http — low-impact GET request
active-tls — TLS handshake only

Shodan
passive

Open ports, CVE tags and version banners from Shodan's passive scan database.

SSL Labs (Qualys)
active-tls

TLS protocol versions, cipher suites, certificate chain, HSTS, known TLS vulnerabilities.

crt.sh — CT Logs
passive

Subdomain enumeration from public Certificate Transparency logs. No target contact.

URLScan.io
passive

Technology fingerprinting, HTTP metadata from historical browser scans.

NVD + EPSS
passive

CVE metadata matched against detected version banners with exploitation probability scores.

Wayback Machine
passive

Historical URLs for detecting deprecated endpoints and past configuration exposure.

VirusTotal
passive

Domain reputation from 90+ security vendor databases.

DNS lookup
passive

SPF, DMARC, DKIM, DNSSEC, CAA — direct queries, no target server contact.

HTTP path probes
active-http

Low-impact GET requests to 70 common sensitive paths (.env, admin, config). Status codes only.

JS bundle analysis
passive

Pattern matching against public JavaScript files for 27 categories of exposed secrets.
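
The DNS lookup source above lists SPF, DMARC, DKIM, DNSSEC and CAA as the records it queries. The following is an added example, not Sycrion's own code, of how the SPF and DMARC part of such a check can be graded offline: the resolver's TXT answers are replaced by constructed records in CONSTRUCTED_TXT, and the severity and confidence labels attached to each finding are this example's illustration, not the product's rules.

```python
"""Offline SPF / DMARC evaluation in the spirit of the "DNS lookup" data source.

Added example, not Sycrion's code. A resolver's TXT answers are replaced by
constructed records so the check runs with no network; the grading rules
(severity, confidence) are this example's illustration, not the product's.
"""

# Constructed TXT answers, keyed by the name a resolver would be asked for.
CONSTRUCTED_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],
    # _dmarc.weak.test deliberately absent: no DMARC published
}


def spf_findings(records):
    """Grade a domain's SPF TXT records; returns (severity, confidence, message) tuples."""
    spf = [r.lower() for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("MEDIUM", "Confirmed", "no SPF record published")]
    if len(spf) > 1:
        return [("MEDIUM", "Confirmed", "multiple SPF records (RFC 7208 allows exactly one)")]
    terms = spf[0].split()
    # An 'all' mechanism with no qualifier means '+all' (pass) per RFC 7208.
    if "+all" in terms or "all" in terms:
        return [("HIGH", "Confirmed", "SPF ends in +all: any sender passes")]
    if "?all" in terms:
        return [("LOW", "Confirmed", "SPF ends in ?all (neutral)")]
    if "-all" not in terms and "~all" not in terms:
        return [("LOW", "Confirmed", "SPF has no terminal 'all' mechanism")]
    return []  # -all or ~all: nothing to report


def dmarc_findings(records):
    """Grade the _dmarc TXT records; same tuple shape as spf_findings."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("MEDIUM", "Confirmed", "no DMARC record published")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy == "none":
        return [("LOW", "Confirmed", "DMARC p=none: reporting only, no enforcement")]
    if policy not in ("quarantine", "reject"):
        return [("MEDIUM", "Confirmed", "DMARC record has no valid p= tag")]
    if tags.get("pct", "100") != "100":
        return [("LOW", "Confirmed", "DMARC enforced on only pct=%s of mail" % tags["pct"])]
    return []


def assess_domain(domain, txt=CONSTRUCTED_TXT):
    """Combine SPF and DMARC findings for one domain using the supplied TXT table."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get("_dmarc." + domain, []))


if __name__ == "__main__":
    for d in ("example.test", "weak.test"):
        for sev, conf, msg in assess_domain(d):
            print(f"{d}: {sev} [{conf}] {msg}")
```

Every finding here is "Confirmed" in the page's sense: the record either is or is not present, and its policy is read directly rather than inferred. Swapping CONSTRUCTED_TXT for real TXT answers is the only change needed to run it against a live resolver.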

Posture score

0–100 indicator of externally observable risk signal density. Not a compliance percentage.

Starting score                        100
CRITICAL / HIGH CVE (EPSS ≥ 0.5)      −20
HIGH CVE (EPSS < 0.5)                 −15
HIGH non-CVE                          −12
MEDIUM — Confirmed                     −8
MEDIUM — Inferred                      −5
LOW                                    −2
INFO                                    0

Diminishing returns apply from the 3rd instance of any finding class. “Possible” confidence findings apply at 50% weight. Score clamped to [0, 100].
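
The score rules above, carried through in code as an added example (not Sycrion's implementation). The per-class deductions, the 50% weight for "Possible" confidence and the [0, 100] clamp are taken from the table and the note; the page gives no factor for the diminishing returns that start at the 3rd instance of a class, so the 0.5 factor and the class names used as dictionary keys are assumptions made for illustration.

```python
"""Posture score arithmetic as the table above describes it.

Added example, not Sycrion's code. Deductions per class, the 50% weight for
"Possible" confidence and the [0, 100] clamp come from the page. The page
says diminishing returns start with the 3rd instance of a finding class but
gives no factor, so the 0.5 factor below is an assumption for illustration.
"""
from collections import Counter

START_SCORE = 100

# Deduction per finding class, one entry per row of the table above.
DEDUCTION = {
    "CRITICAL_OR_HIGH_CVE_EPSS_HIGH": 20,  # CRITICAL / HIGH CVE, EPSS >= 0.5
    "HIGH_CVE_EPSS_LOW": 15,               # HIGH CVE, EPSS < 0.5
    "HIGH_NON_CVE": 12,
    "MEDIUM_CONFIRMED": 8,
    "MEDIUM_INFERRED": 5,
    "LOW": 2,
    "INFO": 0,
}
DIMINISH_FROM = 3          # page: "from the 3rd instance of any finding class"
DIMINISH_FACTOR = 0.5      # assumption: the page states no factor
POSSIBLE_WEIGHT = 0.5      # page: "Possible" confidence applies at 50% weight


def posture_score(findings):
    """Findings are dicts with a 'class' key from DEDUCTION and an optional
    'confidence' key (Confirmed / Inferred / Possible). Returns a float in [0, 100]."""
    score = float(START_SCORE)
    seen = Counter()
    for f in findings:
        cls = f["class"]
        seen[cls] += 1
        deduction = DEDUCTION[cls]
        if seen[cls] >= DIMINISH_FROM:     # 3rd and later instances count less
            deduction *= DIMINISH_FACTOR
        if f.get("confidence") == "Possible":
            deduction *= POSSIBLE_WEIGHT
        score -= deduction
    return max(0.0, min(100.0, score))     # clamp to [0, 100]


# Constructed sample: one high-EPSS CVE, three LOW findings, one weak MEDIUM signal.
SAMPLE_FINDINGS = [
    {"class": "CRITICAL_OR_HIGH_CVE_EPSS_HIGH", "confidence": "Inferred"},
    {"class": "LOW", "confidence": "Confirmed"},
    {"class": "LOW", "confidence": "Confirmed"},
    {"class": "LOW", "confidence": "Confirmed"},   # 3rd LOW: deduction halved
    {"class": "MEDIUM_INFERRED", "confidence": "Possible"},
]

if __name__ == "__main__":
    print(posture_score(SAMPLE_FINDINGS))  # 100 - 20 - 2 - 2 - 1 - 2.5 = 72.5
```

The sample makes the note's two qualifiers visible: the third LOW finding costs 1 instead of 2, and the "Possible" MEDIUM costs 2.5 instead of 5. Because the clamp is applied once at the end, a long list of findings saturates at 0 rather than going negative.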

Finding confidence

Separate from severity. A critical finding can have low confidence.

Confirmed

Directly observable. No inference.

Inferred

Based on observed data with an assumption. Most CVE matches.

Possible

Weak signal. Historical or indirect indicator.

What we cannot detect

External passive scanning has hard limits. These categories require internal access.

  • Internal services not exposed to the internet
  • Post-authentication vulnerabilities
  • Business logic flaws
  • Services behind CDN / WAF masking origin
  • Software where no version banner is exposed
  • Cloud storage misconfigurations (S3, GCS, Azure Blob)
  • Container / infrastructure misconfigurations
  • Vulnerabilities in internal APIs or microservices
  • Source code vulnerabilities (SAST)
  • Dependency vulnerabilities in application code (SCA)
  • Social engineering exposure

Sycrion is not a substitute for penetration testing, DAST, SAST, SCA, cloud configuration review, or internal security audit. It documents external posture as observable from public sources.

Data handling

Results stored 90 days (free) or 12 months (paid), then deleted.

EU-hosted, Frankfurt region. Processing does not leave the EU.

External queries send the target domain to: Shodan, SSL Labs (US), VirusTotal (US), URLScan.io (EU), crt.sh (EU), NVD (US), FIRST.org (US).

We do not sell scan data or use results for cross-customer benchmarking without explicit opt-in.