/methodology
How ShieldScope analyzes, scores, and explains security posture.
What ShieldScope is
ShieldScope is a passive security posture analysis platform. Every tool operates on publicly available data — DNS records, HTTP responses, certificate chains, URL structure, and submitted artifacts — without probing, exploiting, or authenticating against any system. Nothing executes. Nothing is stored. Results reflect what was observable at the time of analysis.
The goal is a defensible read on observable posture, not a prediction of risk or a breach probability estimate.
What ShieldScope can observe
- DNS records: SPF, DKIM, DMARC, subdomain records, certificate transparency logs
- HTTP response headers from publicly accessible endpoints
- TLS certificate chain, expiration, and subject names
- Redirect chains: each hop, destination URL, and response codes
- URL structure and composition: hostname, path, query parameters, encoding
- Static file structure: extension, MIME type from magic bytes, internal object structure
- Script content: keywords, patterns, encoding, and entropy — read-only, no execution
- Email header fields and body structure from submitted artifacts
- Publicly accessible HTTP service responses for discovered subdomains
What ShieldScope cannot know
Passive analysis has hard visibility limits. These are not limitations being worked around — they define what the evidence can honestly support.
- Whether a misconfigured system has been actively exploited
- Internal network configuration, firewalling, or segmentation
- Patch state of any software or operating system
- User behavior, credential reuse, or phishing exposure
- Actual exploitability — passive analysis observes posture; it does not test attack paths
- Business context — a finding that matters in one environment may be acceptable in another
- Full email delivery behavior — receiving systems apply their own filtering policies that ShieldScope cannot observe
- Runtime behavior of any file or script — static analysis reads structure, not execution
- Content behind authentication, VPN, or internal DNS
- Subdomains without publicly issued TLS certificates
- DKIM selectors outside the checked set — absence of detection is not confirmed absence
- Whether a heuristic finding reflects actual malicious intent
Confidence model
Confidence measures evidentiary certainty — how certain ShieldScope is that a finding accurately reflects observable reality. It does not measure severity, exploitability, or danger.
A finding can be OBSERVED (highly certain) and LOW severity. A finding can be INFERRED (less certain) and HIGH severity. Confidence and severity are independent. Both matter. Neither overrides the other.
| Level | Meaning | Examples |
|---|---|---|
| OBSERVED | Directly visible in the retrieved data. You can verify it from the displayed evidence without additional computation. | An HTTP header is absent from the response · DMARC policy is p=none · a PDF file contains a JavaScript stream |
| DERIVED | Calculated from observed data using deterministic processing. The raw evidence is observed; the conclusion requires computation to reach. | SPF lookup count (requires tracing the include chain) · file entropy score · MIME type from magic bytes |
| HEURISTIC | Pattern-based. The pattern correlates with the behavior — it does not confirm it. False positives are expected and declared per finding. | Suspicious URL structure · email display name inconsistent with sending domain · high entropy consistent with obfuscation |
| INFERRED | Contextual conclusion from incomplete visibility. The evidence is real; the conclusion extends beyond what was directly verified. | SPF delivery failure risk (lookup count is DERIVED; what receivers will do is INFERRED) · probable infrastructure role from response patterns |
| INDETERMINATE | Data was retrieved, but the evidence does not support a stable conclusion. Analysis ran and produced contradictory or unresolvable results. | Conflicting DNS answers · multiple SPF records where receiver behavior is undefined by the RFC |
When a finding involves multiple reasoning steps, the headline confidence reflects the weakest step in the chain. The full reasoning chain is shown in the finding detail so you can see where uncertainty was introduced.
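The SPF lookup-count example from the confidence table, carried through as a reasoning chain whose headline confidence is its weakest step. This is an added illustration, not ShieldScope's own code: the confidence ranking (OBSERVED strongest, INDETERMINATE weakest) follows the order the table lists them in but is an assumption, the DNS records are constructed for fictional `.test` domains, and the severities attached to the findings are constructed. The lookup-consuming terms follow RFC 7208 (include, a, mx, ptr, exists and the redirect modifier count; ip4, ip6 and all do not). The multiple-record case shows how an INDETERMINATE step ends a chain.

```python
"""Added example (not ShieldScope's code): an SPF lookup-count finding with a
confidence chain, computed over a constructed DNS table."""
import re
from dataclasses import dataclass

# Confidence levels from most to least certain. Assumption: the methodology lists
# them in this order but does not state the ranking explicitly.
CONFIDENCE_ORDER = ["OBSERVED", "DERIVED", "HEURISTIC", "INFERRED", "INDETERMINATE"]

# RFC 7208 section 4.6.4: each of these terms consumes one of the 10 permitted
# DNS lookups. ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed TXT records for fictional domains; not real DNS data.
DNS_TXT = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test mx -all"],
    "_spf.mailer.test": ["v=spf1 include:_netblocks.mailer.test include:_netblocks2.mailer.test a -all"],
    "_netblocks.mailer.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_netblocks2.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # the self-include exercises the loop guard; redirect= counts as a lookup too
    "_spf.crm.test": ["v=spf1 a mx include:_spf.crm.test exists:%{i}.crm.test redirect=_spf2.crm.test"],
    "_spf2.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "clean.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "two.test": ["v=spf1 mx -all", "v=spf1 a -all"],  # two records: receiver behavior undefined
    "nospf.test": ["some-verification-token=abc"],
}


@dataclass
class Step:
    confidence: str
    statement: str


@dataclass
class Finding:
    title: str
    severity: str
    chain: list

    @property
    def headline_confidence(self) -> str:
        # The weakest step in the chain sets the headline.
        return max((s.confidence for s in self.chain), key=CONFIDENCE_ORDER.index)


def spf_records(domain: str) -> list:
    return [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1")]


def count_lookups(domain: str, seen=None) -> int:
    """Count lookup-consuming terms across the include/redirect chain (DERIVED)."""
    seen = set() if seen is None else seen
    if domain in seen:          # loop guard: each domain is counted once
        return 0
    seen.add(domain)
    records = spf_records(domain)
    if len(records) != 1:       # zero or multiple records: nothing stable to count
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")              # drop the qualifier
        name = re.match(r"[a-z0-9]+", term.lower()).group(0)
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], seen)
        elif name == "redirect":
            total += count_lookups(term.split("=", 1)[1], seen)
    return total


def analyze_spf(domain: str):
    """Build a finding whose chain records how each conclusion was reached."""
    records = spf_records(domain)
    if not records:
        return None                             # nothing observed, so no finding
    observed = Step("OBSERVED", f"TXT records for {domain}: {records}")
    if len(records) > 1:
        return Finding("Multiple SPF records", "MEDIUM", [   # severity is constructed
            observed,
            Step("INDETERMINATE", "RFC 7208 allows exactly one SPF record; "
                                  "receiver handling of several is undefined"),
        ])
    n = count_lookups(domain)
    chain = [observed, Step("DERIVED", f"include/redirect chain resolves to {n} lookup-consuming terms")]
    if n > LOOKUP_LIMIT:
        chain.append(Step("INFERRED", "receivers enforcing the 10-lookup limit are likely to return permerror"))
        return Finding("SPF lookup limit exceeded", "HIGH", chain)   # severity is constructed
    return Finding("SPF lookup count within limit", "INFO", chain)


if __name__ == "__main__":
    for d in ("example.test", "clean.test", "two.test"):
        f = analyze_spf(d)
        print(f"{d}: {f.title} [{f.severity} / {f.headline_confidence}]")
        for s in f.chain:
            print(f"   {s.confidence:<13} {s.statement}")
```

For `example.test` the chain reads OBSERVED, DERIVED, INFERRED, so the card is headlined INFERRED even though the 11-lookup count itself is a deterministic result; the detail view is where a reader sees that the uncertainty enters only at the "what receivers will do" step.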
Scoring
Scores measure posture degradation, not breach probability. They answer: how much does the observed posture reduce resilience, authentication strength, trust clarity, or safe handling? They do not answer: will this domain get breached?
That distinction is not a hedge — it is an accuracy constraint. ShieldScope performs passive analysis with bounded visibility. Claiming breach probability from that evidence base would be false precision.
- Scores are directional, not absolute. A score of 72 is not mathematically twice as safe as 36. It means fewer or less significant posture weaknesses were observed.
- Confidence does not automatically adjust severity. A HEURISTIC finding contributes its full severity weight. The finding card declares the uncertainty; the score does not silently reduce it.
- Scores are explainable from findings. Every point deducted maps to a specific finding with stated rationale. If a score is surprising, the findings explain why.
- Absence of findings is not confirmation of safety. It means nothing significant was observed within the tool’s scope at the time of analysis.
- INDETERMINATE findings do not contribute to score. When analysis produced no stable conclusion, there is no finding to score.
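The scoring rules above, applied to a constructed finding list so that every deducted point is traceable to one finding. This is an added example, not ShieldScope's scoring code: the per-severity weights are assumptions (the page states the rules but publishes no numbers), the sample findings and their severities are constructed, and the scorer refuses CRITICAL because the page says it is reserved and not published in V1. It demonstrates three rules directly: a HEURISTIC finding deducts its full weight, an INDETERMINATE finding deducts nothing, and INFO contributes zero.

```python
"""Added example (not ShieldScope's code): an explainable posture score."""
from dataclasses import dataclass

# Assumed deductions per severity; the methodology does not publish its weights.
SEVERITY_WEIGHT = {"HIGH": 25, "MEDIUM": 10, "LOW": 3, "INFO": 0}
# CRITICAL is deliberately absent: reserved and not published in V1.


@dataclass(frozen=True)
class ScoredFinding:
    title: str
    severity: str
    confidence: str   # headline confidence of the finding's reasoning chain


def deduction(f: ScoredFinding) -> int:
    """Points this finding removes from the score."""
    if f.confidence == "INDETERMINATE":
        return 0                     # no stable conclusion, so nothing to score
    if f.severity not in SEVERITY_WEIGHT:
        raise ValueError(f"severity {f.severity!r} is not published in V1")
    # Confidence does not scale the weight: a HEURISTIC finding counts in full;
    # the finding card, not the score, carries the uncertainty.
    return SEVERITY_WEIGHT[f.severity]


def score(findings) -> tuple:
    """Return (score, breakdown); the breakdown accounts for every point removed."""
    breakdown = [(f.title, f.severity, f.confidence, deduction(f)) for f in findings]
    total = sum(d for *_, d in breakdown)
    return max(0, 100 - total), breakdown


def explain(findings) -> list:
    """Human-readable lines: one per finding plus the resulting score."""
    s, breakdown = score(findings)
    lines = [f"-{d:>3}  {sev:<7} {conf:<13} {title}" for title, sev, conf, d in breakdown]
    lines.append(f"score {s} (100 minus {100 - s} points of posture degradation)")
    return lines


# Constructed findings modelled on the categories the methodology describes.
SAMPLE = [
    ScoredFinding("Content-Security-Policy header absent", "MEDIUM", "OBSERVED"),
    ScoredFinding("DMARC policy is p=none", "HIGH", "OBSERVED"),
    ScoredFinding("Display name inconsistent with sending domain", "MEDIUM", "HEURISTIC"),
    ScoredFinding("Conflicting DNS answers", "HIGH", "INDETERMINATE"),
    ScoredFinding("Certificate expires in 60 days", "INFO", "DERIVED"),
]

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE)))
```

The HIGH finding with INDETERMINATE confidence is the instructive row: it stays on the report with its full evidence, but because analysis produced no stable conclusion it removes nothing, whereas the MEDIUM HEURISTIC row removes the same ten points an OBSERVED MEDIUM finding would.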
Severity
Severity describes the magnitude of posture degradation a finding represents. It is independent of confidence.
| Level | Meaning |
|---|---|
| CRITICAL | Operational trust cannot reasonably be maintained without remediation. Immediate abuse potential or severe trust failure. Reserved — not published in V1 pending calibration. |
| HIGH | Substantial posture degradation. The finding alone materially reduces resilience or eliminates a layer of protection. |
| MEDIUM | Meaningful reduction in security posture. Creates a real gap in realistic scenarios. Mitigating factors may exist. |
| LOW | Informational weakness. Best practice deviation with limited practical posture impact. Worth noting, not structurally significant. |
| INFO | Observation or context. No posture degradation. Zero score contribution. |
Severity reflects operational impact — not urgency designed to alarm. CRITICAL is not a label for “concerning.” It is reserved for findings where the posture failure is severe enough that the surface cannot be considered operationally trustworthy without remediation. Keeping that bar high makes CRITICAL meaningful when it appears.
False positives and ambiguity
Heuristic findings are pattern-based. The pattern is real; the conclusion is not certain. ShieldScope declares this per finding rather than suppressing uncertain findings or presenting them without qualification.
- Heuristic findings require corroboration. A single HEURISTIC finding in isolation warrants investigation, not immediate action. Look for supporting evidence before concluding.
- Shared infrastructure distorts attribution. CDN edge nodes, shared hosting, and multi-tenant certificate environments can make findings appear to apply to a target when they reflect the shared layer.
- Passive visibility limits what can be concluded. Dynamic behavior, authenticated content, and internal-only responses are outside the scope of any passive analysis tool.
- Findings support operational judgment — they do not replace it. Security context, business requirements, and risk tolerance are known to the analyst, not to ShieldScope.
Evidence-first analysis
Wherever possible, ShieldScope exposes the observable evidence behind a finding rather than presenting an unsupported conclusion. The intent is that you can read what was found, understand the reasoning, and evaluate whether the conclusion applies in your context.
This means:
- Findings show the evidence that triggered them, not just the verdict
- Confidence labels describe how the evidence was obtained, not how alarming the finding is
- Scope limitations are declared inline — you know what was and was not checked
- Uncertain conclusions are labeled uncertain rather than presented with false confidence
- Scores are derivable from the finding list — there are no opaque deductions
A conclusion you cannot audit is an opinion. ShieldScope is designed so that a security-literate analyst can agree or disagree with any finding based on the presented evidence, not just accept or reject the verdict.
Design principles
- Passive analysis only. Every check uses publicly available data. No probing, no execution, no unauthorized interaction with any system.
- Explainability over output. A finding without reasoning is an opinion. Results include confidence, evidence, and the basis for each conclusion.
- Posture over prediction. ShieldScope does not estimate breach probability. It describes observable posture degradation.
- Declared limitations. Scope boundaries are stated inline. Uncertainty is labeled, not hidden behind a score.
- Transparency over inflated certainty. A clean scan means nothing was found within scope. The platform does not overstate what passive visibility can support.
- Operational realism over marketing language. Findings reflect what was observed, not what drives alarm or urgency. Severity is calibrated against posture impact, not emotional response.
- No data retained. Submitted targets are processed transiently. No scan history, no accounts, no behavioral tracking.
Canonical documentation
The full technical specifications behind this methodology are published at github.com/ShieldScope/meta.