Continuous survey — sweep in progress

Route findings
into fixes.

nosaw security surveys your public surface — code, DNS, cloud, vendors — continuously, then routes every finding to a named owner with hash-stamped evidence of the fix.

Read-only reconnaissance · public surface only · no agents, no credentials required to start.

nosaw security — public surface survey plan, revision 047 nosaw SECURITY PUBLIC SURFACE — SURVEY PLAN DWG NS-0712-047 SURVEYED 2026-07-12 12:04:37 UTC REV 047 · CONTINUOUS 1,842 PUBLIC-FACING ASSETS 96 SCANS / 24 H 01 · PUBLIC-CODE 214 REPOS · 6 ORGS acme-api · CTL-098 infra-terraform · CTL-101 acme-web LOSS-01 · GITHUB PAT 02 · DNS 1,381 RECORDS · 14 ZONES dev.acme.io HOLD-02 · CNAME api.acme.io · CTL-076 mx.acme.io · CTL-051 N 03 · CLOUD 3 ACCOUNTS · 96 BUCKETS s3://acme-assets · CTL-114 rds/acme-prod · CTL-089 billing-staging LOSS-02 · OPEN PG :5432 04 · VENDOR SURFACE 27 VENDORS · 61 GRANTS stripe · CTL-133 segment · HOLD-03 · DPA okta · CTL-140 google-ads · CTL-151 · KEY ROTATED sendgrid · CTL-129 ROUTED 11:53 UTC KEYNOTES · FINDING → FIX LOSS-01 · SEV-A2 GITHUB PAT — EXPOSED repo acme-web / main FOUND 11:52:07 UTC ROUTE → ROTATE + REVOKE OWNER platform-team CTL-114 · CLOSED s3://acme-assets ACL FIXED 09:31 UTC — IaC PR EVIDENCE E-4471 ON FILE HOLD-03 · PENDING segment — DPA REVIEW DUE 2026-07-15 FINDINGS 12 · ROUTED 12 MEAN TIME TO FIX 41 MIN NEXT SWEEP 12:19 UTC KEY CONTROLLED · 1,791 ASSETS PENDING REVIEW · 49 EXPOSED · 2 — BOTH ROUTED 0 1,000 2,000 SCALE · ASSETS UNDER CONTINUOUS WATCH PROJECT acme.io — PUBLIC SURFACE SURVEYOR nosaw security METHOD CONTINUOUS SCAN · CTEM SCALE LIVE 1:1 SHEET 01 / 01 REVISION 047 — 2026-07-12 12:04 UTC AUDIT-GRADE EVIDENCE ON FILE · E-4471 E-4468 E-4465
Public-facing assets under continuous survey 1,842 Design-partner deployment
Findings routed to a named owner — last 90 days 312 Every finding, every owner mapped
Median time — detection to verified fix 3h 12m Not detection alone — closure
Hash-stamped evidence packs on file 286 Auditor-ready export by finding

Figures from operating deployments. Every number on this page carries its evidence.

The leak shows up as an invoice.

A leaked ads token doesn't trip an alarm — it spends quietly until someone reads the bill. Detection is not the product. The closed, evidenced fix is.

01

A key on the public internet runs someone else's campaigns on your card.

A Google Ads developer token pasted into a public repo, a Stripe key in a JS bundle — typical detection method: the monthly invoice.

28.6M new secrets leaked on public GitHub in 2025.

02

Open staging hosts and public buckets are also checklist failures.

A forgotten subdomain or an S3 bucket left readable is a finding for you — and a control failure for your SOC 2 auditor. Both cost real money.

Median time to detect a leaked secret in production: 327 days.

03

Most scanners stop at detection. The queue grows. Nobody owns the fix.

Ten dashboards, ten severity scales, zero routing. The finding exists — but nothing carries it to a named owner with a verified closure.

88% of web-app breaches involved valid credentials, not zero-days.

Survey. Classify. Route. Evidence.

Every finding travels one path — from public surface to a named owner to a hash-stamped record of the fix. Same path every time, no exceptions.

01 Survey

Continuous scan of public code, DNS, cloud, and vendor surface. Every asset mapped to its source, every scan diffed against the last.

02 Classify

Each finding gets a severity and a verdict — controlled, hold, or loss. Priced against your actual surface, not a generic CVSS score. No unread queue.

03 Route

The finding lands with a named owner in the tool they already work in — a PR, a ticket, a revocation. A handoff, not a notification.

04 Evidence

The fix is verified and filed — timestamp, owner, sha256. Audit-grade, exportable, mapped to SOC 2 / ISO 27001 / GDPR controls.

Four plots. One perimeter.

The same four surfaces surveyed in the plan above — scanned continuously, not quarterly. Every asset mapped to its source.

01 · PUBLIC-CODE

Repos, commits, gists, paste sites.

Keys and tokens found where attackers look first — public GitHub / GitLab / npm, orphaned forks, JS bundles served to the browser.

Google Ads · AWS · Stripe · Twilio · Meta · +4,200 patterns

02 · DNS

Zones, records, dangling CNAMEs.

The surface you forgot you own — expired certs, subdomains pointing to abandoned services, records that outlived the team that made them.

Passive + active discovery · Change detection · Weekly diff

03 · CLOUD

Buckets, groups, exposed ports.

Public S3 / GCS, over-permissive IAM, exposed metadata endpoints, IMDSv1 relics — across every account under your org.

AWS · GCP · Azure · Cloudflare

04 · VENDOR SURFACE

OAuth grants, shared buckets, third-party keys.

Your exposure includes theirs. Every vendor grant tracked, every shared credential mapped, every breach at a supplier flagged the day it lands.

SaaS integrations · Contractor access · Supply-chain drift

Proof you can hand an auditor.

Every closed finding produces an evidence pack — what was exposed, who fixed it, when, and the hash that seals it.

SpecimenFINDING F-1091 · AWS_SECRET_KEY · github.com/acme/billing FOUND 06:04:12 UTC → ROUTED 06:05:03 UTC → PR #482 MERGED 08:47:19 UTC OWNER m.keller · FIX VERIFIED SHA256 b31d4a…04af9c · EVIDENCE E-4471 ON FILE EXPORT SOC 2 CC7.1 · ISO 27001 A.12 · GDPR ART. 32

What a leaked token costs.

From a live deployment: one Google Ads token in a public paste, replayed until the card was stopped.

Before — LOSS-01

Ads token replayed from an unknown IP for 22 days before detection. $18,240 drained across four campaigns. Found by the invoice, not by a tool.

GOOGLE-ADS-TOKEN · FIRST ABUSE 2026-06-14 · DETECTED 2026-07-06

After — Continuous survey

Same surface under continuous survey. Next token exposure found in 41 minutes, revoked in 63, evidence filed. Wasted spend since: $0.

CTL-151 · KEY ROTATED · EVIDENCE E-4468 ON FILE

The difference isn't the scanner. It's that the finding had somewhere to go.

Design-partner deployment · figures on file

Findings land where work happens.

Routing means arrival — a fix task in the system the owner already works in, source mapped end to end.

GitHub GitLab Jira Linear Slack PagerDuty MS Teams Webhook / API

No destination configured? Findings still route — into a signed queue with a named owner and an SLA clock. Nothing sits unread.

See your surface surveyed.

Bring a domain. We'll walk the first survey with you — what's exposed, where it routes, and what the evidence pack looks like.

READ-ONLY RECONNAISSANCE · PUBLIC SURFACE ONLY · NO AGENTS, NO CREDENTIALS REQUIRED TO START