Introducing Pyalm Guard: An Authorized Security Posture Assessment Tool
Point Pyalm Guard at a domain you own and it runs a full, non-destructive checkup — DNS, subdomains, email authentication, TLS, headers, ports, threat intelligence, and breach exposure — scored into one clear risk grade.
Most teams don't find out their security posture drifted until something breaks: a certificate silently expires, a marketing subdomain quietly points at a deprovisioned host, or a supplier learns your domain has no DMARC policy the hard way. The information needed to catch all of that is public — it just lives across a dozen tools, protocols, and lookups nobody has time to run by hand. Pyalm Guard pulls it into a single, authorized checkup.
What is Pyalm Guard?
Pyalm Guard is an authorized security posture assessment tool. You point it at a domain you own or are contracted to test, and it runs a full, non-destructive external checkup — then aggregates every finding into a severity-ranked report with an overall risk grade. It's built for the moment you need to answer "how exposed are we, right now?" without standing up a heavyweight scanner.
Two things make it deliberately narrow:
- It only assesses targets you're allowed to assess. Every scan requires you to confirm authorization, and Guard refuses government and military domains outright.
- It has no exploitation engine. Guard does passive reconnaissance and safe active probes — it looks, it never attacks.
What it checks
A single scan runs more than a dozen modules concurrently:
- DNS — A/AAAA, MX, NS, TXT, CNAME, SOA, and CAA records.
- Subdomain enumeration — passive discovery from certificate-transparency logs and threat-intel feeds, plus wordlist brute-force with wildcard detection. Crucially, it flags dangling CNAMEs — the classic setup for a subdomain takeover.
- WHOIS — registrar, key dates, nameservers, and expiry warnings.
- Email authentication — SPF, DKIM (across multiple selectors), DMARC, and DNSSEC, so spoofing risk surfaces immediately.
- Email OSINT & breach exposure — discovers published addresses and cross-references them against known breaches.
- TLS/SSL — protocol versions, cipher strength, certificate chain, expiry, and weak-config flags.
- HTTP security headers — HSTS, CSP, X-Frame-Options and the rest, each with a letter grade.
- Ports & services — an async TCP connect scan of common ports with banner grabbing.
- Technology fingerprint — server, framework, CMS, and languages.
- Threat intelligence — DNS blocklists (Spamhaus, SpamCop, Barracuda), URLhaus, plus reputation and exposed-CVE lookups.
- Vulnerability checks — exposed sensitive paths, version disclosure, weak TLS, email-spoofing risk, and directory listing.
Local-first, and it stores nothing
Guard is built so that running a scan doesn't create a new place for your data to leak from. The backend is stateless — scan jobs live in memory only and are discarded when they finish. Your scan history, saved targets and emails, and any provider API keys persist only in your own browser (via IndexedDB), and you can export or import them as JSON. There are no accounts and no server-side database.
Bring your own keys — or don't
Guard's free data sources — certificate-transparency logs, DNS blocklists, URLhaus, and public breach lists — work with zero configuration. Premium sources light up when a key is present, and keys resolve request-first: your own key, stored client-side and sent only with your scan, takes priority over any operator-configured fallback.
| Provider | Unlocks | |---|---| | VirusTotal | Domain/IP reputation and extra passive subdomains | | HaveIBeenPwned | Per-email breach and paste checks | | AbuseIPDB | IP abuse-confidence score | | Shodan | Exposed services and known CVEs | | Hunter.io | Email address discovery | | SecurityTrails | Extra passive subdomains |
A missing key never breaks a scan — that source is simply skipped with an informational note.
Authorization isn't optional
This is worth repeating because it's the whole design philosophy: only scan systems you own or have explicit written permission to test. Every scan makes you confirm authorization first, and Guard validates the hostname and blocks sensitive domains before anything runs. Unauthorized scanning may be illegal where you live. Guard is a tool for defenders assessing their own attack surface — nothing more.
Try it
Pyalm Guard joins Pyalm's family of focused products built in Dubai. If you want a fast, honest read on your external security posture, run a scan on a domain you own:
Open Pyalm Guard | Learn more about Pyalm Guard | Explore all Pyalm products