External attack-surface assessment · Bennd Technologies

What attackers see when they look at your bank.

We scan your public surface from the outside, the same way a real attacker does — passive only, no probing, no authentication, no exploitation. Then we tell you, in plain English, what's exposed and how to fix it.

1,588 actively-exploited CVEs tracked daily, via CISA KEV + OSV.dev, refreshed every 6 hours.
~3 min average assessment time: 13 public-data sources, queried in parallel.
0 authenticated requests, ever: we see only what a normal browser sees.
What we check

Thirteen public-data sources, connected by an AI analyst.

Most scanners run a checklist. Surface, by contrast, reasons across the evidence — when it sees a versioned banner, it cross-references CISA KEV. When it finds a dev subdomain, it pulls on the thread. When two pieces of evidence form an attack chain, it writes the chain out for you.

dns_lookup: Full record set + SPF / DKIM / DMARC enforcement strength.
tls_inspect: Cert chain, key strength, TLS version, expiry runway.
http_headers: HSTS, CSP, X-Frame, Permissions-Policy — strength + gaps.
subdomain_enum: Certificate-Transparency log enumeration via crt.sh.
whois_lookup: RDAP-first registration data: registrar, expiry, status.
wayback_snapshots: Historical URLs, exposed admin paths, dotfiles.
security_files: security.txt, robots, sitemap — plus .git/.env exposure probes.
tech_stack: Server, framework, CDN, JS-library versions.
email_security: MTA-STS, TLS-RPT, BIMI — modern email-auth posture.
threat_intel_lookup: CISA KEV (daily) + OSV.dev (live) — current CVE intel.
shodan_host: Open ports, banners, vendor-flagged CVEs per IP.
github_leaks: Public-repo search for credentials tied to your domain.
hibp_breaches: Have-I-Been-Pwned breach correlation by email domain.
How it works

From first email to delivered report — typically 48 hours.

No procurement marathon. No 30-page MSA. We start with one conversation and end with a confidential briefing.

Reach out

Email, WhatsApp, or call. Tell us your domain and which inbox should receive the report. First assessments are complimentary — we'd rather show you what we'd find than convince you.

We assess

Surface runs against your public surface — DNS, certificates, headers, threat intel, leaks, the full thirteen sources. A human reviews every finding before the report is finalised.

You receive

An executive one-pager (250 words, in plain English), a 15–30 page detailed technical report with evidence and remediation, and a 30-minute video walk-through.

How we work

Public data only. No exploitation. No theatre.

Surface is a passive scanner. It queries public DNS, certificate-transparency logs, public HTTP responses, and free public APIs. It does not authenticate, brute-force, fuzz, or send any traffic that a normal browser or public-API consumer wouldn't. Every scan is logged in audit.log. Every finding is evidence-cited. Every report is reviewed by a human before it leaves us.

Local

Namibian-registered. We understand the budgets, the regulators, and the constraints you operate under. Calling us doesn't go to a sales-development rep in another time zone.

Specific

Not a checklist. We connect findings into real attack chains and explain each one in business language for the CEO and technical depth for the CTO.

Honest

We frame findings as "publicly known issues affecting versions ≤ X" — not "you are vulnerable to Y." We don't oversell what we can't confirm passively.

Common questions

The five things people ask before saying yes.

Is this legal? Don't I need to authorise you first?
Yes, it is legal. Surface uses only public data — DNS records, certificate transparency logs, public web pages, and free public APIs. We do not authenticate, brute-force, fuzz, or send any traffic that a normal browser or public-API consumer wouldn't. Authorisation is required for active testing, which we don't do here. If you'd nonetheless prefer we don't run an assessment on your organisation, tell us and we won't.
What does an assessment cost?
First assessments are complimentary — we'd rather show you what we'd find than persuade you it's worth paying for. If you'd like remediation help or ongoing monitoring after that, engagements are scoped per organisation with pricing shared upfront. No retainers, no surprise invoicing.
Who else sees the report? Will you go public?
Only the contacts you nominate see your report. We never share findings with journalists, regulators, your competitors, or anyone else. If we ever found something so severe that it created national-scale risk (we have not yet), we'd coordinate with you and CSIRT.NA before any external disclosure — and only with your knowledge. Our standard practice is responsible disclosure, not public shaming.
What's in scope, and what isn't?
In scope: your public-facing surface — what an internet-based attacker can see without authentication. DNS, TLS, HTTP, subdomains, public APIs, public threat-intel feeds, public code repositories. Out of scope: authenticated testing, internal network red-team, source-code review, social engineering of staff, physical penetration. We partner with specialist firms when you need those.
How long does it take? What do I get?
From first contact to delivered report: typically 48 hours. You receive (a) a one-page executive summary in plain English for your CEO, (b) a 15–30 page technical report with evidence, attack chains, and remediation steps for your CTO/CISO, and (c) a 30-minute video walk-through. Critical findings get a same-day phone call from us, before the report goes out.
Who's behind this

Project Surface is built and operated by Bennd Technologies.


Bennd Technologies

Bennd Technologies is a Namibian-registered cybersecurity, software, and AI-automation studio. We work remotely with clients across Namibia and the broader region. Every assessment is reviewed by a human before it leaves us. Every report is evidence-cited. If something we send you needs explanation, the person who sends it is the same person who picks up when you call back.

Why this matters

The Namibian organisations we've already scanned all had real, fixable gaps.

Every assessment we've run on public Namibian infrastructure has surfaced at least one finding that ought to be remediated within the week. Outdated JavaScript libraries with U.S.-government-listed exploits. Missing email encryption that lets phishing operators impersonate banks. Forgotten subdomains. None of these are abstract. They are present, visible from outside, and being indexed right now by the same automated tools attackers use.

If you'd like to see what your own organisation looks like through this lens — without commitment, and with a human reviewing the findings before they're sent — we'd like to show you.

Want to see what we'd find on yours?

Confidential assessment. Report within 48 hours. No commitment.

For findings on critical national infrastructure, escalation to CSIRT.NA is part of our standard process if you would prefer a coordinated disclosure path. Procurement / vendor-onboarding details available on request.