Security audit

Enumerate a domain's external attack surface in one workflow: certs, DNS posture, email auth, HTTP security headers, and tech stack.

When to use this pack

Before a pentest, an acquisition diligence call, or a quarterly review — you want a fast read on what an attacker sees from the outside.

Tools in this pack

• Certificate transparency search $0.005 POST /api/cert-transparency Search public Certificate Transparency logs (via crt.sh) for every cert issued to a domain. Returns the cert list plus a deduped subdomain set extracted from the SANs — the fastest way to enumerate subdomains for a security audit. Free upstream, no key required.
• DNS lookup $0.002 POST /api/dns-lookup Resolve any DNS record type for a host: A, AAAA, MX, TXT, CNAME, NS, SOA, CAA, SRV, PTR. Returns the records plus a count. Built on Node's native resolver — no external API.
• SPF check $0.003 POST /api/spf-check Fetch and validate a domain's SPF record (RFC 7208). Parses mechanisms (ip4/ip6/include/a/mx/all), counts DNS lookups against the famous 10-lookup limit, and flags the qualifier on `all` (-/fail, ~/softfail, ?/neutral). The first stop when an email is hitting the spam folder.
• DMARC check $0.003 POST /api/dmarc-check Fetch and validate a domain's DMARC policy at _dmarc.<domain> (RFC 7489). Surfaces the enforcement policy (none/quarantine/reject), reporting addresses, alignment modes, and common misconfigs (no rua, p=none stuck for months, percent <100). Pair with SPF and DKIM for full Feb-2024 sender-rule compliance.
• HTTP headers + security analysis $0.003 POST /api/http-headers Fetch a URL and return every response header plus a security analysis: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/CORP/COEP. Scores 0–100 by presence, flags weak HSTS, and warns on Server/X-Powered-By identity leaks. SSRF-protected.
• TLS certificate $0.003 POST /api/tls-cert Inspect the TLS certificate of any public host: subject, issuer, validity window, days remaining, SANs, and SHA-256 fingerprint.
• Tech stack detection $0.005 POST /api/tech-stack Detect the technology stack of a public website: CDN, web server, language/runtime, frontend framework (Next.js, Nuxt, SvelteKit, Remix, Astro, React, Vue, Angular), CMS (WordPress, Drupal, Ghost, Shopify, Wix, Squarespace, Webflow), analytics (GA, GTM, PostHog, Mixpanel, Segment, Hotjar, Plausible, Fathom), and payments (Stripe, PayPal). Signature-based; no third-party API.

Workflow

1. Pull the certificate transparency log to enumerate every subdomain a CA has ever issued a cert for — this is the fastest external recon step.
2. For each interesting subdomain, resolve A/AAAA/MX/NS/CAA records to map the live infrastructure and certificate authority constraints.
3. Check SPF and DMARC on the apex to see whether the domain can be spoofed in email — a missing or weak DMARC is one of the highest-impact findings on most audits.
4. Pull HTTP response headers on the apex and a few key subdomains; the security analyzer scores HSTS, CSP, XFO, XCTO, Referrer-Policy, Permissions-Policy, and the COOP/CORP/COEP triad.
5. Inspect the live TLS cert (chain, expiry, SANs) — useful for spotting near-expiry, mismatched SANs, or weak chain configurations.
6. Fingerprint the tech stack so you know what CMS/framework/CDN to research for known CVEs.

Run it in Claude

claude mcp add agent402 -s user -- npx -y agent402-mcp@latest

Then paste this prompt into Claude:

Run a security audit on example.com. Use Agent402 to: (1) pull the certificate transparency log, (2) check SPF and DMARC on the apex, (3) fetch HTTP security headers and the TLS cert, (4) fingerprint the tech stack. Report findings ranked by severity, and call out anything that would block a SOC 2 review.

← All skill packs