Methodology

What this is

A tiered cyber-security posture platform for small and mid-sized businesses. It starts with a free, public scan of what a domain already reveals to the world and escalates — under progressively stronger authorisation — to an in-depth, owner-only vulnerability assessment. Every tier is built for two audiences at once: a non-technical owner sees what each result means and how to fix it, while a technical reviewer can expand any finding for a professional-grade explanation. That two-tier writing is deliberate — most scanners speak only to engineers, which leaves the people who actually make risk and purchasing decisions unable to act.

Guiding principle: the gate is proportional to the harm

The platform's organising rule is that the strength of the authorisation required scales with how much a check could affect its target. Reading public information needs no permission; actively probing someone's infrastructure needs proof you're entitled to. This keeps the tool defensible, lawful, and safe to expose to anonymous users at the free end while still offering real depth to verified owners at the top.

  • Passive scan & self-assessment — no gate (zero harm).
  • Exposure check — light gate: login + per-account usage limits.
  • In-depth vulnerability scan — strong gate: proven domain ownership, paid, run on a separate engine.

The tiers

1. Passive security-posture scan — free, no login

Enter a domain and the tool inspects publicly observable signals — HTTP security headers, TLS/certificate configuration, email-authentication DNS records (SPF, DMARC) and DNS hygiene (CAA, DNSSEC) — and returns a graded report card with plain-language explanations and an optional technical deep-dive per finding.

Every check here is passive: it reads information the domain already publishes — DNS records, the certificate presented on a TLS handshake, the headers returned with a normal web request. It never probes ports or enumerates services; nothing it does is distinguishable from routine, authorised internet traffic. That is a governance decision, not a technical limit: active scanning of infrastructure you don't own sits in a legal grey area under computer-misuse statutes (e.g. the US CFAA or the UK Computer Misuse Act), so the free, anonymous tier is kept strictly passive.

Because this tier only sees what is published, the report is framed honestly: a low grade means recommended public signals are missing, not necessarily that a site is insecure. Large platforms and CDN-fronted sites often omit these headers on their root domain on purpose (scanning a big provider's apex frequently hits a redirector rather than the real application), and headers can differ per endpoint. The report says so, so a red-heavy result is never mistaken for a verdict.

2. Cyber-hygiene self-assessment — free, login optional

A guided questionnaire mapped to NIST CSF 2.0. It scores maturity across the framework's functions, draws a radar chart, and produces a plain-language gap report with prioritised recommendations. This captures the internal practices the outside world can't observe — the other half of a posture picture.

3. Exposure check — login + usage limits (the "shallow active" tier)

A TCP-connect check across a curated set of ~16 high-signal ports (web, mail, databases, remote administration). It reports what is exposed, not exploitation — which services answer the public internet and which usually shouldn't. Findings are explained in plain language with concrete remediation.

This tier is gated by login plus per-account usage limits (a cap on distinct domains and a daily rate limit), not by ownership verification — because simply observing what a host already exposes is low-harm, while the limits and the sign-in deter abuse and provide an audit trail. If the site sits behind a CDN, the results reflect the CDN's edge rather than the origin, which the tool states plainly.

4. In-depth vulnerability scan — paid, owner-verified, separate engine

The intrusive top tier, and the one the platform is really built around. Before it runs, the requester must (a) prove they control the domain and (b) acknowledge the scope of what's being scanned.

  • Ownership verification offers three self-serve routes — a token file at the web root, a DNS TXT record, or a manual signed-letter review — mirroring how reputable commercial scanners and bug-bounty programmes establish authorisation. Proven ownership is the legal basis for testing.
  • Scope acknowledgement reminds the owner that they may test their own site and application, but the servers and network beneath it usually belong to their hosting/cloud provider — so they should check that provider's penetration-testing / acceptable-use policy first.
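As an added illustration of the two self-serve verification routes just listed (not grc-scan's own code), the following Python binds a token to one account and one domain, checks it against a fetched token file or a resolved TXT record in constant time, and allow-lists the URL that the token-file fetch may request, which is the shape of the "SSRF hardening on the verification fetch" named in the roadmap. The DNS label, the well-known path, the record format and the sample secret are assumptions made for the example:

```python
import hashlib
import hmac
import ipaddress
import re

# Added example (not the platform's own code): the two self-serve ownership
# routes described above, plus allow-listing of the verification fetch URL.
# The DNS label, the well-known path and the record format are assumptions,
# not grc-scan's real values.
TXT_LABEL = "_grc-scan-verify"                    # assumed: <label>.<domain> TXT
TOKEN_PATH = "/.well-known/grc-scan-verify.txt"   # assumed: token file location
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot and reject anything that is not a
    plain hostname, so the value can only ever become a host component."""
    host = domain.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"not a valid hostname: {domain!r}")
    return host


def issue_token(account_id: str, domain: str, server_secret: bytes) -> str:
    """Bind the token to both account and domain with an HMAC, so a token
    placed for one domain is useless as proof for another."""
    msg = f"{account_id}\x00{normalise_domain(domain)}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def expected_txt_record(token: str) -> str:
    return f"grc-scan-verify={token}"


def verify_dns_txt(account_id, domain, server_secret, txt_records) -> bool:
    """txt_records: the TXT strings the caller resolved at TXT_LABEL.<domain>.
    Constant-time comparison so a mismatch does not leak the token by timing."""
    expected = expected_txt_record(issue_token(account_id, domain, server_secret)).encode()
    return any(hmac.compare_digest(r.strip().encode(), expected) for r in txt_records)


def verify_token_file(account_id, domain, server_secret, body: str) -> bool:
    """body: the text fetched from verification_url(). Same constant-time rule."""
    expected = issue_token(account_id, domain, server_secret).encode()
    return hmac.compare_digest(body.strip().encode(), expected)


def verification_url(domain: str, resolved_ips) -> str:
    """The only URL the token-file fetch may request. Scheme and path are fixed
    and the host must resolve to public addresses only, so the fetch cannot be
    pointed at loopback, RFC 1918 ranges or a cloud metadata endpoint.
    resolved_ips is the caller's own lookup of the host."""
    host = normalise_domain(domain)
    if not resolved_ips:
        raise ValueError(f"{host} did not resolve")
    for ip in resolved_ips:
        if not ipaddress.ip_address(ip).is_global:
            raise ValueError(f"refusing fetch: {host} resolves to non-public {ip}")
    return f"https://{host}{TOKEN_PATH}"


if __name__ == "__main__":
    secret = b"constructed-server-secret"          # constructed sample value
    token = issue_token("acct-1", "Example.com.", secret)
    print("TXT record to publish:", expected_txt_record(token))
    print("fetch URL:", verification_url("example.com", ["93.184.216.34"]))
    print("dns ok:", verify_dns_txt("acct-1", "example.com", secret,
                                    ["v=spf1 -all", expected_txt_record(token)]))
```

Resolving the hostname yourself and passing the addresses in, rather than letting an HTTP client follow whatever the name resolves to at request time, is what makes the public-address check meaningful; the same check should be repeated on any redirect target before it is followed.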

The scan itself runs on a dedicated engine, decoupled from the web app via a job queue, so the heavy, long-running tools live outside the serverless platform. It combines nmap (port sweep with service/version detection) and nuclei (template-based checks for known CVEs and misconfigurations).

The differentiator is not the scanning engine — those tools are industry standard — but the interpretation layer on top of it. Each finding is translated into plain language and mapped to NIST CSF 2.0, ISO/IEC 27001:2022 and CIS Controls v8, and a "what this means for your setup" summary explains, per exposed service, what an owner can realistically change on shared/managed hosting versus their own server (always caveated, since the plan can't be known from outside). A verified owner can re-scan within a window to confirm fixes, and every report states its own coverage so a partial scan is never presented as complete.

Scoring (passive scan)

The passive report begins at 100 and deducts points per failed check, weighted by severity (critical 30, high 15, medium 8, low 3, info 0). The total maps to a letter grade (A ≥ 90, B ≥ 75, C ≥ 60, D ≥ 40, otherwise F).

Two honesty principles govern it:

  • Unverifiable is not the same as failed. When a check can't be completed — a site refusing an automated connection, say — it's recorded as informational with zero penalty, not scored as if the protection were absent.
  • Severity reflects real-world impact, not checklist completeness. Email-spoofing exposure and expired certificates outweigh a missing low-risk header, because they map to materially larger business consequences.
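The following Python is an added worked example (not grc-scan's code) that covers both the passive checks described under tier 1 and the scoring rules above: it evaluates a constructed set of response headers and SPF/DMARC records, records a check that could not be completed as informational with zero penalty, and scores the result with the weights and grade thresholds stated on this page. Which severity each individual check carries is an assumption for the example; the sample domain, headers and records are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not grc-scan's code. The severity weights and grade thresholds
# are the ones stated on this page; which severity each individual check
# carries is an assumption made for the example.
SEVERITY_WEIGHTS = {"critical": 30, "high": 15, "medium": 8, "low": 3, "info": 0}
GRADE_THRESHOLDS = ((90, "A"), (75, "B"), (60, "C"), (40, "D"))


@dataclass
class Finding:
    check: str
    status: str      # "pass", "fail" or "unverifiable"
    severity: str    # key of SEVERITY_WEIGHTS
    detail: str = ""


def unverifiable(check: str, reason: str) -> Finding:
    """A check that could not be completed is informational, never a failure."""
    return Finding(check, "unverifiable", "info", reason)


def check_headers(headers: dict) -> list:
    """Presence checks on the headers of one response. A missing header is a
    missing recommended signal, not proof of a vulnerability (CDN-fronted
    apexes often omit them deliberately), which is why none is 'critical'."""
    wanted = (("strict-transport-security", "medium"), ("content-security-policy", "medium"),
              ("x-content-type-options", "low"), ("x-frame-options", "low"),
              ("referrer-policy", "low"))
    present = {k.lower() for k in headers}
    return [Finding(f"header:{name}", "pass" if name in present else "fail", sev,
                    "" if name in present else f"{name} not set")
            for name, sev in wanted]


def check_email_auth(apex_txt: list, dmarc_txt: list) -> list:
    """apex_txt: TXT records at the domain; dmarc_txt: TXT at _dmarc.<domain>.
    Spoofing exposure is weighted 'high' because it maps to real business harm."""
    findings = []
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(Finding("spf", "fail", "high", "no SPF record"))
    elif len(spf) > 1:
        findings.append(Finding("spf", "fail", "high", "multiple SPF records evaluate as permerror"))
    elif spf[0].split()[-1].lower() in ("+all", "all"):
        findings.append(Finding("spf", "fail", "high", "'+all' authorises any sender"))
    else:
        findings.append(Finding("spf", "pass", "high"))
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(Finding("dmarc", "fail", "high", "no DMARC record"))
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        policy = tags.get("p", "").strip().lower()
        if policy in ("quarantine", "reject"):
            findings.append(Finding("dmarc", "pass", "high"))
        elif policy == "none":
            findings.append(Finding("dmarc", "fail", "medium", "p=none only monitors, it blocks nothing"))
        else:
            findings.append(Finding("dmarc", "fail", "high", "DMARC record has no valid p= tag"))
    return findings


def score_report(findings: list):
    """Start at 100, deduct per failed check by severity, floor at 0, map to a grade.
    Only status 'fail' deducts, so an unverifiable check costs nothing."""
    total = 100 - sum(SEVERITY_WEIGHTS[f.severity] for f in findings if f.status == "fail")
    total = max(total, 0)
    letter = next((g for threshold, g in GRADE_THRESHOLDS if total >= threshold), "F")
    return total, letter


def sample_report():
    """Constructed inputs standing in for one passive scan of a fictional domain."""
    headers = {"Strict-Transport-Security": "max-age=31536000",
               "X-Content-Type-Options": "nosniff", "Content-Type": "text/html"}
    apex_txt = ["v=spf1 include:_spf.example.net -all", "some-verification=abc"]
    dmarc_txt = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
    findings = check_headers(headers) + check_email_auth(apex_txt, dmarc_txt)
    findings.append(unverifiable("tls", "server refused the automated connection"))
    return findings, score_report(findings)


if __name__ == "__main__":
    found, (total, letter) = sample_report()
    for f in found:
        print(f"{f.status:<12} {f.severity:<8} {f.check:<36} {f.detail}")
    print(f"score {total} grade {letter}")
```

In the constructed sample, three missing headers (one medium, two low) and a monitor-only DMARC policy cost 22 points, the refused TLS check costs nothing, and the domain lands at 78 (B); the per-finding detail is what the plain-language and technical explanations would be built on.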

Framework alignment

Findings across the tiers map to internationally recognised, jurisdiction-neutral controls. These mappings are indicative — to help an organisation connect a finding to its existing control framework — not a claim of certification or audit.

Check area                                          | NIST CSF 2.0           | ISO/IEC 27001:2022 (Annex A)                              | CIS Controls v8                                      | Supporting guidance
----------------------------------------------------|------------------------|-----------------------------------------------------------|------------------------------------------------------|------------------------------------------------------------
HTTP security headers                               | PR.PS, PR.DS           | A.8.26 (application security), A.8.9 (config mgmt)        | 4 (secure configuration), 16 (application security)  | OWASP Secure Headers Project
TLS / certificates                                  | PR.DS-02 (data in transit) | A.8.24 (use of cryptography)                          | 3.10 (encrypt data in transit)                       | NIST SP 800-52 Rev 2
Email authentication (SPF/DMARC)                    | PR.DS, DE.CM           | A.8.23 (web filtering)                                    | 9.5 (DMARC implementation)                           | NIST SP 800-177 Rev 1 (Trustworthy Email)
DNS hygiene (CAA/DNSSEC)                            | PR.IR, PR.DS           | A.8.20 (network security), A.8.21 (network services)      | 4 (secure configuration)                             | NIST SP 800-81 Rev 2; CA/Browser Forum Baseline Requirements
Exposed network services (exposure & in-depth scan) | PR.IR-01, ID.RA-01     | A.8.20, A.8.21                                            | 4, 12 (network infrastructure)                       |
Known vulnerabilities / misconfig (in-depth scan)   | ID.RA-01, PR.PS-02     | A.8.8 (technical vulnerabilities)                         | 7 (continuous vulnerability mgmt)                    |

The platform deliberately avoids region-specific regimes as its primary frame so it remains applicable across global markets; sector- or region-specific frameworks can be layered on as an optional mapping later.

Known limitations

Stated plainly, because acknowledging them is part of doing this credibly:

  • The passive legacy-TLS check is best-effort. It flags a weakness only on a successful handshake with an old protocol version, and the runtime may itself decline to offer TLS 1.0/1.1, which can mask a server that still accepts them.
  • A single request, one vantage point, one moment. Passive results reflect what the domain returned to one automated request; geo-distributed and repeat sampling are out of scope.
  • CDN edge vs origin. Both the passive and exposure checks may reflect a CDN rather than the origin server; this is surfaced in the results.
  • The in-depth scan is only as complete as the run. A scan can be limited by time budgets or template coverage; every deep report states what each tool did (including partial or skipped steps) so coverage is never overstated.

Roadmap

  • Continuous monitoring — scheduled re-scans with change alerts and exportable, saved history so on-screen and PDF reports always match a point in time.
  • Broader interpretation — tuning the framework and deployment mappings as real scan output is observed, and optional sector/region framework overlays.
  • Operational hardening for multi-customer use (managed review workflows, SSRF hardening on the verification fetch).

About

grc-scan was founded by Andrew Siropiatov, a financial-services risk professional with 20+ years assessing counterparty, credit and operational risk at institutions including the EBRD and Crédit Agricole. The platform began from a single conviction: the discipline that governs risk inside regulated finance — repeatable frameworks that turn scattered signals into clear, comparable, evidenced verdicts — is exactly what smaller businesses lack when they try to understand their cyber exposure.

That work most recently included leading venture due diligence on technology start-ups: designing one consistent assessment framework and applying it across teams, markets and technologies to produce comparable, defensible conclusions. The same approach shapes every design decision documented above — the gate-proportional-to-harm model, the honest scoring that refuses to mistake "unverifiable" for "failed", and the mappings to NIST CSF 2.0, ISO/IEC 27001:2022 and CIS Controls v8.

That risk-and-governance foundation is paired with formal security credentials, and the platform is being built to a professional standard from day one. We are now building out the team and an advisory board across cyber security and operational-risk governance to guide the platform's next stage of growth.

grc-scan is deliberately scoped today and expanding with intent. We welcome conversations with prospective customers, partners and advisors.

Andrew Siropiatov, Founder — LinkedIn