ShieldScope / Guide

Security Analysis Guide

How to use ShieldScope's passive security analysis tools — HTTP headers, email authentication, URL safety, password breach exposure, and internet-facing attack surface.

ON THIS PAGE
  1. What is passive security analysis?
  2. Analyzing HTTP security headers
  3. Analyzing email authentication (SPF, DKIM, DMARC)
  4. Checking URL safety and redirect chains
  5. Analyzing password strength and breach exposure
  6. Mapping internet-facing attack surface
  7. Inspecting suspicious scripts, URLs, and email artifacts
  8. Frequently asked questions

What is passive security analysis?

Passive security analysis means examining information that is already publicly available — DNS records, HTTP response headers, TLS certificates, WHOIS data — without sending probes, running exploits, or accessing systems you don't own. It is distinct from active scanning, which makes requests designed to discover vulnerabilities.

ShieldScope never fingerprints, never brute-forces, and never interacts with a target beyond what a normal browser request would do. This means you can analyze any domain or URL — including ones you don't control — legally and without risk. It also means results are based entirely on observable, public data.

All five tools follow the same principle: no account required, no data stored, no invasive contact with targets.

Analyzing HTTP security headers

/headers Open tool →

What are HTTP security headers?

HTTP security headers are response headers that instruct browsers how to handle content from your site. When a server responds to a request, it can include headers that tell the browser: don't execute inline scripts, always use HTTPS, refuse to render this page inside an iframe, and limit what browser features this page can access.

Missing or misconfigured security headers are among the most common findings in web application security assessments. They don't require an attacker to exploit a vulnerability — the browser itself becomes the attack surface if headers are absent.

How to run a headers analysis

  1. Go to /headers
  2. Enter any domain or URL (e.g., example.com or https://example.com)
  3. Click Analyze
  4. Review the grade and individual header findings

Understanding the grade (A+ to F)

The grade reflects overall HTTP security header coverage. Each header is assessed independently and contributes to a score out of 100.

A+All critical headers present and correctly configured. No meaningful gaps.
BMost headers present. One or two gaps that should be addressed.
CSignificant headers missing. Meaningful exposure risk.
FCritical protections absent. Standard for sites with no intentional security hardening.

Key headers and what they protect against

Content-Security-Policy Restricts which scripts, styles, and resources the browser will execute. The primary defense against cross-site scripting (XSS).
Strict-Transport-Security Forces browsers to use HTTPS for all future visits, preventing protocol downgrade attacks and cookie hijacking over HTTP.
X-Frame-Options Prevents the page from being embedded in an iframe on another site, blocking clickjacking attacks.
Referrer-Policy Controls how much referrer information the browser sends when navigating away, preventing URL leakage.
Permissions-Policy Restricts which browser features (camera, microphone, geolocation) the page can request access to.

Analyzing email authentication — SPF, DKIM, DMARC

/mail Open tool →

What are SPF, DKIM, and DMARC?

SPF (Sender Policy Framework) is a DNS TXT record that lists the servers and IP addresses authorized to send email for your domain. Receiving mail servers check SPF to verify the sending server is on the authorized list.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email. The signature is verified against a public key published in DNS. It proves the email content was not modified in transit and that it genuinely originated from the claimed domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together with a policy. It tells receiving servers what to do when authentication fails — nothing (p=none), quarantine to spam (p=quarantine), or reject outright (p=reject).

Why email authentication matters

Without properly configured SPF, DKIM, and DMARC, attackers can send email that appears to come from your domain — a technique used in phishing attacks and Business Email Compromise (BEC). BEC costs organizations billions annually and almost always begins with impersonation of a trusted domain.

DMARC at p=reject is the only configuration that actively blocks unauthorized senders. p=none is a monitoring mode only and provides no protection.

How to run an email authentication analysis

  1. Go to /mail
  2. Enter a domain name (e.g., gmail.com or yourcompany.com)
  3. Click Analyze
  4. Review SPF, DKIM, and DMARC findings individually

Common findings and what they mean

DMARC p=none Monitoring mode only — reporting is active but no enforcement. Email spoofing from this domain is not blocked.
No DKIM record Email from this domain is not cryptographically signed. Spoofed email cannot be distinguished from legitimate email by signature.
SPF ~all (SoftFail) Unauthorized senders are flagged but not rejected. Effectively unenforced.
DMARC p=reject Full enforcement. Unauthorized senders are rejected by receiving mail servers.

Checking URL safety — redirects, domain age, and phishing patterns

/url Open tool →

What the URL analyzer checks

Before you click an unfamiliar link — in an email, a message, or a document — you can paste it into the URL tool to understand exactly where it goes and what signals it carries. The analysis is entirely passive: no visit to the destination, no execution of content.

Redirect chain Every hop the URL takes before reaching its destination, including intermediate domains and HTTP status codes.
Domain registration age Newly registered domains (under 30 days) are a strong phishing indicator. Attackers register domains specifically for short campaigns.
SSL certificate posture Whether HTTPS is valid, recently issued, or absent. A free certificate alone is not a safety indicator.
Deception patterns Misleading subdomain structures (e.g., paypal.com.attacker.net), brand impersonation, and URL obfuscation techniques.
Tracking exposure Third-party tracking parameters and analytics frameworks present in the destination page HTML.

How to check a URL

  1. Go to /url
  2. Paste the full URL (including https://)
  3. Click Analyze
  4. Review the risk badge, redirect chain, and individual findings

Understanding the risk score

CLEANNo risk signals detected. Risk score of zero.
LOWMinor signals present — informational. No action typically required.
MEDIUMOne or more notable patterns detected. Verify before clicking.
HIGHStrong risk indicators present. Treat as suspicious unless you can verify the source.
CRITICALMultiple high-severity signals. Do not visit unless you have specific knowledge that this link is safe.

Red flags to watch for

  • Domain registered fewer than 30 days ago
  • More than two redirect hops, especially through unrelated domains
  • The registered domain in the URL is not what you expect (check the URL decomposition row)
  • A well-known brand name appears in the subdomain, not the registered domain
  • No SSL, or SSL certificate issued within the past few days

Analyzing password strength and breach exposure

/password Open tool →

How password strength is measured

Strength is measured by how long a password would survive an offline attack — where an attacker has a stolen password hash and can run billions of guesses per second. ShieldScope estimates crack time at 10 billion hashes per second, which approximates a fast hash (SHA-1/MD5) on modern GPU hardware.

Raw length and character class diversity matter, but pattern-free randomness matters more. Password123! is 12 characters with uppercase, lowercase, numbers, and a symbol — yet it cracks in under a second because it follows the most common pattern in corporate environments. ShieldScope's analysis uses pattern detection to catch these cases.

Patterns that weaken passwords

  • Dictionary words — any word in a natural language dictionary, regardless of capitalisation
  • Common password sequences — strings that appear in breach databases (1234, qwerty, letmein)
  • Keyboard patterns — spatial sequences on the keyboard (qwerty, asdfgh, zxcvb)
  • Dates and years — years appended to words (Company2024, Summer1990)
  • Repeated characters — aaaa, 1111, !!!!
  • Enterprise reuse patterns — Word + 4-digit year + symbol (Welcome2024!)

What is the breach exposure check?

The breach check queries the Have I Been Pwned database — which contains over 10 billion passwords collected from real data breaches — without ever sending your password. This is possible through k-anonymity:

  1. Your password is hashed with SHA-1 entirely in your browser
  2. Only the first 5 characters of that hash are sent to the API
  3. The API returns all hashes starting with those 5 characters
  4. Your browser checks locally whether your full hash is in the list

Your actual password never leaves your device. This is the same technique used by Chrome and Firefox's built-in password breach warnings.

Understanding the rating

CRITICALCracks in under 1 hour. Provides no effective security.
HIGHCracks within 30 days. Not suitable for sensitive accounts.
MEDIUMCracks within a year. Below modern security recommendations.
LOWCracks within 100 years. Acceptable for low-sensitivity accounts.
SECUREResistant to 100+ years of offline attack at 10B hashes/sec.

Using the password generator

The generator creates cryptographically random passwords and passphrases using crypto.getRandomValues() — never Math.random(). No generated password is ever transmitted or stored.

For most use cases, a 20-character random password with all four character classes, or a 5-word passphrase, will achieve a SECURE rating. Passphrases are often easier to remember when you need to type them manually.

Mapping internet-facing attack surface

/exposure Open tool →

What the exposure analyzer does

Every organization accumulates internet-facing infrastructure over time — subdomains for old projects, staging environments that were never taken down, admin panels that were meant to be internal, file transfer services that ended up on a public IP. The /exposure tool maps this surface passively, using public data only.

It does not scan for vulnerabilities, attempt exploits, or interact with services beyond what a browser would do. The value is in the classification of what's found — turning a list of hostnames into an organized picture of your external footprint.

How it discovers subdomains

The tool queries HackerTarget's hostsearch API, which aggregates data from certificate transparency logs, DNS records, and passive DNS sources. Certificate transparency logs are public records published by certificate authorities — every TLS certificate ever issued for a domain is logged there. This makes them one of the most comprehensive sources of subdomain data available without active scanning.

An intelligence filter then removes machine-generated CDN routing labels (such as a01.ms.a.example.com or long hex-string hostnames) that are infrastructure noise rather than useful intelligence. The suppressed count is shown in the scope notice so you can see how much was filtered.

How to run an exposure analysis

  1. Go to /exposure
  2. Enter a registered domain (e.g., example.com)
  3. Click Analyze
  4. Watch hosts appear progressively as the scan runs
  5. Review the summary cards and individual findings

Understanding the summary cards

Assets Found Total number of publicly reachable subdomains analyzed after filtering.
High Risk Hosts where a specific high-risk service was confirmed via HTTP fingerprinting — Citrix, RD Web, Jenkins, Grafana, etc.
Remote Access VPN gateways, Citrix, RD Web, and other remote access systems visible from the internet.
Dev Systems Hostnames matching development, staging, or CI/CD patterns — commonly overlooked exposure.
Cert Warnings TLS certificates that are expired, expiring within 30 days, or self-signed on live hosts.

Understanding the risk levels

HIGHA specific service was identified via HTTP fingerprinting — Citrix, Jenkins, phpMyAdmin, RDP, etc. The service itself is the risk signal, not just the hostname.
MEDIUMHostname pattern suggests a sensitive function (dev., vpn., admin., sftpadmin.) but no service was confirmed. Classification is probabilistic — false positives are possible.
LOWMinor signal present but no significant risk indicator.
INFOPublicly reachable web asset with no notable classification signals. Standard web infrastructure.

What "Confidence: Medium — false positives possible" means

When a finding is classified by hostname pattern alone — without confirming a service via HTTP response — the classification is an inference, not a certainty. A hostname containing dev is more likely to be a development system than a random web asset, but it could also be a product named "dev" or a subdomain that was repurposed. ShieldScope declares this uncertainty explicitly rather than overstating confidence.

Findings where a specific service was detected via HTTP fingerprinting carry Confidence: High — the service name, HTTP title, or server header directly confirmed the classification.

Common findings and what to do about them

Development System (MEDIUM) A dev, staging, or test subdomain is publicly reachable. These environments commonly skip hardening. If it shouldn't be public, restrict it to VPN or internal network access only.
Admin Panel (HIGH) A confirmed admin interface — Grafana, Kibana, phpMyAdmin, Splunk — is internet-accessible. These should be behind a VPN or restricted by IP. The credential attack surface is large.
Remote Access (MEDIUM/HIGH) A VPN gateway or remote desktop service is publicly reachable. This is often intentional, but confirm MFA is enforced — these are the most common initial access vectors in enterprise compromise.
Cert Expiring Soon A TLS certificate expires within 30 days. If this host serves real traffic, renew the certificate before expiry causes browser warnings or service disruption.
Direct Service Exposure A dangerous port (RDP, Redis, MongoDB, Elasticsearch) is directly reachable. These should never be internet-accessible. Restrict with firewall rules immediately.

What this tool is not

The exposure analyzer is not a vulnerability scanner. It does not test credentials, attempt to access restricted content, exploit software weaknesses, or confirm that a service is actually compromisable. It tells you what is visible from the internet and classifies it — the assessment of risk is yours to make.

Inspecting suspicious scripts, URLs, and email artifacts

/sandbox Open tool →

What the script analyzer checks

The script analyzer performs static inspection — it reads the code without executing it, applies pattern matching to identify dangerous functions and techniques, decodes base64-encoded strings, and extracts embedded indicators of compromise (IOCs) including URLs, domains, and IP addresses.

This is useful when you encounter a suspicious script attached to a phishing email, found in a user's event logs, or flagged by your EDR. Static analysis gives you a defensible picture of what the script appears to do, without the risk of running it.

ShieldScope does not execute scripts or files. Results are based on static inspection only. Dynamic behavior — actions that only emerge at runtime — cannot be detected without execution.

Supported languages

ShieldScope auto-detects the language from the script content, or you can select it manually: PowerShell, JavaScript, Batch/CMD, and VBScript. Each language uses a tailored indicator set for its most common malicious patterns.

Key indicators detected

IEX / Invoke-Expression Executes a string as PowerShell code at runtime — the most common technique for running downloaded or decoded payloads without writing them to disk.
-EncodedCommand Passes a base64-encoded script to the PowerShell runtime, bypassing command-line logging and concealing intent.
DownloadString / DownloadFile Downloads content or files from a remote server. Core component of dropper and stager payloads.
AV / Defender Tampering Set-MpPreference or Add-MpPreference calls that disable real-time protection or add exclusion paths — standard pre-execution steps in ransomware deployments.
LOLBIN Abuse References to certutil, bitsadmin, mshta, or regsvr32 — trusted Windows binaries commonly abused to download payloads or bypass application control.
eval / atob (JavaScript) Dynamic code execution and base64 decoding in JavaScript — primary techniques in malicious ad scripts, drive-by downloads, and phishing page scripts.

Base64 decoding

ShieldScope automatically finds base64-encoded strings in the script, decodes them, and displays the decoded content. It also scans the decoded text for additional IOCs — so if a URL or domain is hidden inside a base64 payload, it will still appear in the extraction results.

How to run a script inspection

  1. Go to /sandbox
  2. Select the Script tab
  3. Paste the script content into the text area
  4. Select the language or leave it on Auto-detect
  5. Click Inspect
  6. Review the risk level, behavioral summary, findings (with context snippets), extracted IOCs, and decoded base64 strings

Sandbox URL analysis

The URL tab in /sandbox runs the same analysis as the standalone /url tool with two additional signals:

  • Domain entropy — measures the randomness of the domain name. High Shannon entropy (above 4.0 bits) is a signal of algorithmically generated domains (DGAs) used by malware to evade blocklists.
  • Suspicious file extension — flags URLs ending in executable or archive extensions (.ps1, .exe, .bat, .hta, .dll, .zip) which are frequently observed in malware delivery links.

Email artifact analysis

The Email tab performs static inspection of raw email source — pasted headers, full .eml files, or MIME content. No email account is accessed, no messages are fetched, and no network connections are made to any mail server. Only the text you paste is analyzed.

How to get raw email headers: In Gmail, open the email → three-dot menu (⋮) → Show original → copy all. In Outlook (desktop), open the email → File → Properties → Internet headers. In Outlook Web, open the email → three-dot menu → View → View message source. Copy everything from the first header line through the blank line separating headers from the body, or copy the full .eml content.

What the email analyzer checks

Display name spoofing The visible sender name (e.g., "PayPal Security") is compared against the actual sending address. If the display name references a known brand but the email domain doesn't match, this is the primary impersonation technique used in phishing — most mail clients show only the display name.
Reply-To mismatch When the Reply-To header points to a different domain than the From address, replies go to an attacker-controlled mailbox instead of the visible sender's domain. Legitimate bulk mailers sometimes do this — it requires context from other signals.
SPF / DKIM / DMARC results Parsed from Authentication-Results and Received-SPF headers added by the receiving mail server. SPF verifies the sending IP is authorized for the domain. DKIM verifies the message wasn't tampered with in transit. DMARC verifies alignment between these checks and the From domain. All three failing simultaneously is a strong spoofing indicator.
Anchor text mismatch In HTML email, the visible link text can differ from the actual href destination. ShieldScope detects two variants: a visible URL that points to a different domain, and link text containing a brand name while the href points to a non-brand domain. This is one of the most reliable phishing indicators in HTML email.
Brand name in URL domain A URL in the body uses a hostname containing a known brand name (e.g., paypal-login-verify.xyz) but does not originate from that brand's actual domain. Registering brand-adjacent domains is a primary phishing infrastructure technique.
URL shorteners Shortened URLs (bit.ly, t.co, tinyurl.com, etc.) conceal the final destination and are used to bypass link reputation filters. Detection uses exact hostname matching against a known shortener list.
Risky attachment extensions Attachment filenames are extracted from MIME parts and classified by extension. High-risk extensions include executables (.exe, .scr, .dll), scripts (.ps1, .bat, .vbs, .hta, .js), macro-enabled Office files (.docm, .xlsm), and disk images (.iso, .img) commonly used to bypass mark-of-the-web controls.
Double extension (e.g., invoice.pdf.exe) Files named with a benign extension before the real executable extension are designed to exploit Windows' default behavior of hiding known extensions. The file icon shows a PDF but executes as a binary.

Understanding risk states

The email analyzer uses four distinct states that deliberately avoid collapsing unverified-safe with verified-safe:

CLEAN No suspicious indicators observed, and at least one positive authentication signal (SPF, DKIM, or DMARC pass) was found in the submitted headers. The sending infrastructure is verified.
NEUTRAL No suspicious indicators observed, but no authentication headers were present in the submitted content. The absence of bad signals is not the same as confirmation of safety — the sender's identity could not be verified.
MEDIUM / HIGH / CRITICAL One or more suspicious indicators were found. The overall risk level is determined by the combined weight of all findings. Individual finding cards show their severity and confidence label.
PARSE LIMITED The submitted content could not be parsed as a valid email source. This occurs when input is malformed, contains no recognizable headers, or is raw HTML/text without email structure. Paste complete email source for full analysis.

Confidence labels on findings

Each finding card displays a confidence label alongside the severity badge:

  • OBSERVED — the indicator is directly present in the submitted content with high specificity. Example: SPF fail in a parsed Authentication-Results header.
  • HEURISTIC — the indicator is inferred from a pattern that is associated with malicious activity but not exclusively so. Example: a brand name appearing in a URL domain that isn't the brand's canonical domain. Requires context from other signals.
  • INFERRED — the finding results from the combination of two or more individually observed indicators (correlation). Example: download + execute chain in a script.

Heuristic findings should always be considered in the context of other signals. A single heuristic finding on an otherwise clean email from a known sender may be a false positive — several heuristic findings together with authentication failures are a different picture entirely.

How to run an email analysis

  1. Go to /sandbox and select the Email tab
  2. Open the suspicious email in your mail client and access its raw source (see note above for each client)
  3. Copy the raw email content — headers through body — and paste it into the text area
  4. Click Analyze
  5. Review the risk level and delivery summary, then the authentication section (SPF/DKIM/DMARC), then individual findings in severity order
  6. Check the URLs in Body section for shorteners and suspicious domains, and the Attachments section for file risk classification
For the most complete analysis, always paste the full email source including all server-added headers. Headers-only input (without the body) will still analyze sender infrastructure and authentication, but cannot check body URLs, attachment names, or anchor text mismatches.

Frequently asked questions

What is passive security analysis?

Passive security analysis examines publicly available information — DNS records, HTTP headers, certificate data, WHOIS — without sending probes, running exploits, or accessing systems you don't own. ShieldScope never scans or fingerprints targets beyond a normal browser request.

Does ShieldScope store or log what I enter?

No. Nothing you submit is stored or retained. The password tool runs entirely in your browser. The breach check uses k-anonymity — only 5 characters of a hash are transmitted. Server-side tools (headers, mail, url) process your request and return results without logging the input.

Do I need an account to use ShieldScope?

No account required. All tools are free and accessible instantly.

What is SPF, DKIM, and DMARC in plain English?

SPF says which servers are allowed to send email for your domain. DKIM signs your email so recipients can verify it wasn't tampered with. DMARC tells receiving servers what to do when SPF or DKIM checks fail — and is the only record that actively blocks email spoofing. All three together are the baseline for email authentication.

How can I tell if a URL is a phishing link?

Paste it into /url. The tool shows you the redirect chain, the actual registered domain (which is often different from what the link text implies), the domain's registration age, and deception pattern detection. A newly registered domain, multiple redirects through unrelated sites, or a brand name in the subdomain instead of the registered domain are all major red flags.

How does the breach check not send my password?

Your password is hashed with SHA-1 inside your browser using the Web Crypto API. Only the first 5 hex characters of that hash (out of 40) are sent to Have I Been Pwned's k-anonymity endpoint. The API returns all breach hashes starting with those 5 characters — hundreds of candidates — and your browser finds your hash locally. The actual password and full hash never leave your device.

Why does my password get flagged even though it looks complex?

Complexity doesn't equal strength. A password like P@ssw0rd! has uppercase, lowercase, numbers, and symbols — but it cracks in under a second because it's one of the most commonly used passwords in breach databases. ShieldScope uses pattern detection to catch dictionary words, common substitutions, keyboard sequences, and enterprise reuse patterns regardless of how the password appears visually.

Who is ShieldScope designed for?

IT professionals, security engineers, MSPs, and technically minded users who want fast, defensible answers about security posture without running a full penetration test. The results are accurate enough to cite in assessments and clear enough to explain to clients.

How is ShieldScope different from other security header or email checkers?

Most checkers return a list of headers and a score. ShieldScope focuses on the finding — what the gap means, what attack it enables, and what a correct configuration looks like. The grading is calibrated to be defensible to security professionals, not just reassuring to non-technical users. All tools are passive and require no account or API key.

How does the internet exposure analyzer find subdomains?

The /exposure tool queries HackerTarget's hostsearch API, which aggregates data from certificate transparency logs, passive DNS, and DNS enumeration. Certificate transparency logs are public records published by certificate authorities — every TLS certificate issued for a domain is logged there and accessible to anyone. This provides comprehensive subdomain coverage without any active scanning or probing of the target.

What does NEUTRAL mean on an email scan?

NEUTRAL means no suspicious indicators were found, but the sender's identity could not be verified because no authentication results (SPF, DKIM, or DMARC) were present in the submitted content. This is different from CLEAN, which requires at least one positive authentication signal. An email can be NEUTRAL for two reasons: the full email source wasn't pasted (only partial headers), or the email genuinely has no authentication — which is itself a risk signal in contexts where authentication is expected.

What is display name spoofing and why is it dangerous?

Display name spoofing means setting the visible sender name to impersonate a trusted party (e.g., "PayPal Security" or "IT Helpdesk") while using an unrelated sending address. Most email clients — including mobile apps — prominently display the name and de-emphasize or hide the actual email address. An attacker sends from attacker@random-domain.com but it displays as "Microsoft Account Team." The recipient sees the name, clicks a link in the body, and is directed to a phishing page. SPF and DKIM may even pass if random-domain.com has valid records — the authentication checks the sending domain, not whether the display name matches.

What is an anchor text mismatch in a phishing email?

In HTML email, the visible text of a link and the actual destination (href) are independent. An attacker can write <a href="https://evil.com/steal">https://paypal.com/login</a> — the user sees a PayPal URL, but clicking it goes to evil.com. A subtler variant uses brand language in the link text: "Click here to verify your Microsoft account" pointing to attacker-infrastructure.xyz. ShieldScope parses the HTML body of email to extract all anchor tags, compares the visible text against the href destination, and flags mismatches where the text implies a trusted destination that the href doesn't match.

Does ShieldScope connect to mail servers or access my email?

No. The email analyzer only inspects text you paste into the tool. It does not connect to any mail server, access any inbox, or perform any IMAP/SMTP operations. The analysis is entirely static — applied to the raw text content you submit. Nothing about your email account, credentials, or mail server is used or required.

How should I interpret findings labeled HEURISTIC vs OBSERVED?

OBSERVED findings are based on directly present, high-specificity signals — SPF hard fail in a parsed authentication header, or a link whose visible URL text points to a different domain than its href. These are reliable signals with low false-positive rates. HEURISTIC findings are inferred from patterns associated with malicious activity but not exclusively so — for example, a brand name appearing in a URL's hostname that isn't the brand's registered domain. A heuristic finding on an otherwise clean email from a known sender might be a false positive. Multiple heuristic findings alongside observed failures — like SPF fail + brand domain spoof + URL shortener — tell a very different story. Consider the full picture rather than any single finding in isolation.

What does "false positives possible" mean on exposure findings?

When a host is classified by hostname pattern alone — a label containing dev, vpn, or admin — the classification is an inference. A hostname with "dev" in it is more likely to be a development system than not, but it isn't certain. ShieldScope shows this explicitly rather than presenting probabilistic classifications as facts. Findings where a specific service was confirmed via HTTP fingerprinting (Citrix detected, Jenkins confirmed) carry Confidence: High and are more reliable.

How does ShieldScope analyze a script without running it?

ShieldScope performs static inspection — it reads the script text and applies pattern matching to identify dangerous functions, decode base64-encoded content, and extract embedded URLs, domains, and IP addresses. The script is never executed at any point. This means results are based on what the script contains statically, not what it would do at runtime. Dynamic behavior that only emerges at execution cannot be detected.

Can I analyze scripts I received from a user's machine or a phishing email?

Yes. Static inspection of suspicious scripts is standard defensive security practice. Paste the script content into the Script tab on /sandbox. ShieldScope will analyze it without executing it. Avoid pasting scripts that contain credentials, internal hostnames, or sensitive organizational data — the content is transmitted over HTTPS to the analysis server and discarded after results are returned.

What does base64 encoding mean in a PowerShell context?

Base64 encoding represents arbitrary data as a string of ASCII characters. PowerShell supports running commands passed as base64 strings via the -EncodedCommand flag, which lets attackers conceal the actual command from casual inspection and bypass security tools that scan command-line text. ShieldScope decodes base64 strings found in scripts and displays the decoded content, so you can see what was hidden.

Is the /exposure tool a vulnerability scanner?

No. It is a passive posture analysis tool. It does not test credentials, attempt exploits, check for specific CVEs, or probe services for weaknesses. It identifies which systems are publicly reachable and classifies them by function. Assessing whether an exposure is actually exploitable is a separate step — one that requires authorization to perform.

Why are some hostnames suppressed in the exposure results?

Large organizations have hundreds or thousands of machine-generated subdomains used for CDN routing, edge infrastructure, and internal service routing — labels like a01.ms.a.example.com or long hex-string hostnames. These are not useful exposure intelligence; displaying them makes real findings harder to see. ShieldScope applies an intelligence filter to suppress them and shows the suppressed count in a scope notice so you know how much was filtered.

TOOLS
/headersHTTP security headers /mailSPF / DKIM / DMARC /urlURL safety & redirects /passwordCredential strength & breach /exposureInternet-facing attack surface /sandboxScript & artifact inspection