Pyalm Guard
Jul 7, 2026

Introducing Pyalm Guard: An Authorized Security Posture Assessment Tool

Point Pyalm Guard at a domain you own and it runs a full, non-destructive checkup — DNS, subdomains, email authentication, TLS, headers, ports, threat intelligence, and breach exposure — scored into one clear risk grade.

Most teams don't find out their security posture drifted until something breaks: a certificate silently expires, a marketing subdomain quietly points at a deprovisioned host, or a supplier learns your domain has no DMARC policy the hard way. The information needed to catch all of that is public — it just lives across a dozen tools, protocols, and lookups nobody has time to run by hand. Pyalm Guard pulls it into a single, authorized checkup.

What is Pyalm Guard?

Pyalm Guard is an authorized security posture assessment tool. You point it at a domain you own or are contracted to test, and it runs a full, non-destructive external checkup — then aggregates every finding into a severity-ranked report with an overall risk grade. It's built for the moment you need to answer "how exposed are we, right now?" without standing up a heavyweight scanner.

Two things make it deliberately narrow:

  • It only assesses targets you're allowed to assess. Every scan requires you to confirm authorization, and Guard refuses government and military domains outright.
  • It has no exploitation engine. Guard does passive reconnaissance and safe active probes — it looks, it never attacks.

What it checks

A single scan runs more than a dozen modules concurrently:

  • DNS — A/AAAA, MX, NS, TXT, CNAME, SOA, and CAA records.
  • Subdomain enumeration — passive discovery from certificate-transparency logs and threat-intel feeds, plus wordlist brute-force with wildcard detection. Crucially, it flags dangling CNAMEs — the classic setup for a subdomain takeover.
  • WHOIS — registrar, key dates, nameservers, and expiry warnings.
  • Email authentication — SPF, DKIM (across multiple selectors), DMARC, and DNSSEC, so spoofing risk surfaces immediately.
  • Email OSINT & breach exposure — discovers published addresses and cross-references them against known breaches.
  • TLS/SSL — protocol versions, cipher strength, certificate chain, expiry, and weak-config flags.
  • HTTP security headers — HSTS, CSP, X-Frame-Options and the rest, each with a letter grade.
  • Ports & services — an async TCP connect scan of common ports with banner grabbing.
  • Technology fingerprint — server, framework, CMS, and languages.
  • Threat intelligence — DNS blocklists (Spamhaus, SpamCop, Barracuda), URLhaus, plus reputation and exposed-CVE lookups.
  • Vulnerability checks — exposed sensitive paths, version disclosure, weak TLS, email-spoofing risk, and directory listing.

Local-first, and it stores nothing

Guard is built so that running a scan doesn't create a new place for your data to leak from. The backend is stateless — scan jobs live in memory only and are discarded when they finish. Your scan history, saved targets and emails, and any provider API keys persist only in your own browser (via IndexedDB), and you can export or import them as JSON. There are no accounts and no server-side database.

Bring your own keys — or don't

Guard's free data sources — certificate-transparency logs, DNS blocklists, URLhaus, and public breach lists — work with zero configuration. Premium sources light up when a key is present, and keys resolve request-first: your own key, stored client-side and sent only with your scan, takes priority over any operator-configured fallback.

| Provider | Unlocks | |---|---| | VirusTotal | Domain/IP reputation and extra passive subdomains | | HaveIBeenPwned | Per-email breach and paste checks | | AbuseIPDB | IP abuse-confidence score | | Shodan | Exposed services and known CVEs | | Hunter.io | Email address discovery | | SecurityTrails | Extra passive subdomains |

A missing key never breaks a scan — that source is simply skipped with an informational note.

Authorization isn't optional

This is worth repeating because it's the whole design philosophy: only scan systems you own or have explicit written permission to test. Every scan makes you confirm authorization first, and Guard validates the hostname and blocks sensitive domains before anything runs. Unauthorized scanning may be illegal where you live. Guard is a tool for defenders assessing their own attack surface — nothing more.

Try it

Pyalm Guard joins Pyalm's family of focused products built in Dubai. If you want a fast, honest read on your external security posture, run a scan on a domain you own:

Open Pyalm Guard | Learn more about Pyalm Guard | Explore all Pyalm products

Keep reading

More from Pyalm

Jul 7, 2026

Subdomain Takeover: How Dangling DNS Records Get Hijacked — and How to Find Them

A subdomain takeover happens when a DNS record still points at a service you no longer own. Here's how dangling CNAMEs get hijacked, what an attacker can do with one, and how to detect and close them.

Jul 7, 2026

SPF, DKIM, and DMARC Explained: How to Stop Email Spoofing on Your Domain

SPF says who can send, DKIM proves nothing was tampered with, and DMARC ties them together and tells receivers what to do. Here's how the three work — and how to check yours are set up right.

Jul 7, 2026

HTTP Security Headers: A Practical Guide to HSTS, CSP, and the Rest

A handful of response headers quietly decide whether your site can be framed, downgraded, or injected into. Here's what HSTS, CSP, X-Frame-Options and friends do, and how to tell if yours are set right.

Jul 10, 2026

Pyalm Books Is a Full Accounting, POS & Inventory Platform — Not Just E-Invoicing

UAE e-invoicing is why many businesses find Pyalm Books, but it's a fraction of what's inside. Here's the full picture: double-entry accounting, a built-in POS, inventory, purchases, banking, and projects.

Jul 10, 2026

Beyond Broadcasts: Tenreply's Shared Inbox, AI Support and WhatsApp CRM

Broadcasts get attention, but the day-to-day value of Tenreply is everything around them — a shared team inbox, an AI support agent, no-code flows, and a built-in CRM that turns chats into tracked leads.

Jul 10, 2026

More Than Courses: Assignments, Learner Q&A and a Job Board in Pyalm Learn

A course library is table stakes. Pyalm Learn adds the things that make learning stick and pay off — assignments and quizzes, in-context learner Q&A, analytics, and a built-in job board — all under your brand.

Check Your Security Posture in Minutes

Pyalm Guard runs an authorized, non-destructive checkup on a domain you own — DNS, subdomains, email auth, TLS, headers, ports, and threat intel — scored into one clear risk grade. No account, nothing stored on our servers.

Open Pyalm Guard About Pyalm Guard