Methodology
How Rikon collects intelligence, scores risk, and maps findings to MITRE ATT&CK.
Tool Inventory
Every email scan runs through seven open-source or hosted tools in sequence. Their outputs are normalised into a unified findings schema.
- email-validator-local — MX verification and disposable-domain detection, evaluated in-worker with no external call.
- HIBP (Have I Been Pwned) — Lookup against the public breach corpus to determine whether the address is exposed.
- leakcheck — Secondary breach lookup covering corpora complementary to HIBP, including paste sites.
- epieos — Account-footprint discovery across Google and other platforms keyed by the email.
- emailrep — Reputation score and contextual signals (prevalence, account ages, impersonation claims).
- theHarvester — Harvests organisational email addresses and hosts tied to the target domain from open sources.
- maigret — Enumerates social-platform presence across 500+ sites using a username derived from the email.
Tools are scheduled in a single pipeline with explicit timeouts; a failing tool is isolated and never blocks the rest of the scan.
Scoring Rubric
Risk is computed on a 0–100 scale where 100 = no risk and 0 = critical risk, as a per-category weighted average across findings, then bucketed into one of five letter grades (A–F) that match the gauge you see in the report. Breach exposure and password safety carry the heaviest weight; reputation and social footprint weigh less — a confirmed credential breach is materially more dangerous than a public social account.
- A — score 80–100. No publicly available evidence that materially enables targeting.
- B — score 60–79. Observable footprint, no critical exposure.
- C — score 40–59. Real exposure that warrants concrete action.
- D — score 20–39. Significant exposure; multiple vectors.
- F — score 0–19. Active breach material or unusually broad attack surface.
Grades and weights are calibrated against reference scenarios and covered by regression tests; no single scan path can drift them.
MITRE ATT&CK Mapping
Every finding passes through a static rule table that emits the matching ATT&CK technique. No LLM is involved at this layer — mappings are 100% deterministic and reproducible.
- T1589.001 — Credentials — Triggered by breach exposure or password-safety failures.
- T1589.002 — Email Addresses — theHarvester results surfacing organisational addresses tied to the target domain.
- T1593.001 — Social Media — Social-platform account discovery, plus cross-platform reverse-image correlation.
- T1585.001 — Establish Accounts — Weak email authentication (DMARC / SPF / DKIM) enabling domain impersonation.
Duplicate techniques collapse to a single entry per scan, so the ATT&CK map never inflates with repeated findings.
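The scoring rubric and the mapping layer above, as an added Python illustration (not Rikon's own code): the grade bands and the four technique rows are the ones stated on this page, while the category weights, the per-finding penalties, the finding type names and the sample findings are assumptions.

```python
# Added illustration of this page's rubric and mapping layer, not Rikon's code.
# Integer weights (sum 100) are assumed; the page says only that breach exposure
# and password safety weigh most, reputation and social footprint less.
CATEGORY_WEIGHTS = {"breach_exposure": 35, "password_safety": 30,
                    "reputation": 20, "social_footprint": 15}

# Grade bands exactly as the rubric states: 100 = no risk, 0 = critical risk.
GRADE_BANDS = [(80, "A"), (60, "B"), (40, "C"), (20, "D"), (0, "F")]

# Static rule table: normalised finding type -> ATT&CK technique (the four rows
# on the page). No LLM is involved; a dictionary lookup is all that happens.
ATTACK_RULES = {
    "breach_exposure": "T1589.001", "password_unsafe": "T1589.001",
    "org_email_harvested": "T1589.002", "social_account": "T1593.001",
    "weak_email_auth": "T1585.001",
}

# Constructed sample findings in a unified schema; penalties are assumed values.
SAMPLE_FINDINGS = [
    {"tool": "hibp", "category": "breach_exposure", "penalty": 50, "type": "breach_exposure"},
    {"tool": "leakcheck", "category": "breach_exposure", "penalty": 30, "type": "breach_exposure"},
    {"tool": "emailrep", "category": "reputation", "penalty": 20, "type": "reputation_signal"},
    {"tool": "maigret", "category": "social_footprint", "penalty": 12, "type": "social_account"},
]

def category_scores(findings):
    """Each category starts at 100; every finding subtracts its penalty, floored at 0."""
    scores = {cat: 100 for cat in CATEGORY_WEIGHTS}
    for f in findings:
        if f["category"] in scores:
            scores[f["category"]] = max(0, scores[f["category"]] - f["penalty"])
    return scores

def risk_score(findings):
    """Per-category weighted average on the 0-100 scale (integer division)."""
    scores = category_scores(findings)
    weighted = sum(scores[c] * w for c, w in CATEGORY_WEIGHTS.items())
    return weighted // sum(CATEGORY_WEIGHTS.values())

def grade(score):
    """Bucket a 0-100 score into the A-F bands above."""
    return next(letter for floor, letter in GRADE_BANDS if score >= floor)

def attack_techniques(findings):
    """Deterministic mapping; duplicates collapse to one entry per scan, first-seen order.
    A finding type with no rule emits nothing rather than guessing a technique."""
    techniques = []
    for f in findings:
        technique = ATTACK_RULES.get(f["type"])
        if technique and technique not in techniques:
            techniques.append(technique)
    return techniques
```

With the sample findings the two breach hits drive breach exposure down to 20 while the other categories stay high, giving an overall 66 (grade B) and a two-entry ATT&CK map even though four findings were recorded.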
Data Retention
Scan results and PDF reports are retained for 30 days, then automatically deleted. The raw scan target (email/domain) is wiped immediately on scan completion — it is never stored alongside the report.
Storage Region
All encrypted reports are stored in us-east-1 (AWS S3, Northern Virginia). There is no cross-region replication.
AI Usage
We use Gemini 2.5 Pro for the executive narrative, and only that. Everything else — scoring, MITRE mapping, citations, validation, remediation templating — is deterministic and produced from fixed rules and templates.
No customer data is used to train any model, and the model provider does not retain inputs for improvement purposes.
What We Do NOT Do
- No user sessions — no session cookies, no accounts to log into.
- No third-party email forwarding for marketing or enrichment.
- No model training on customer data.
- No retargeting cookies, no ad-network tracking pixels.
- No LinkedIn-style account takeover — we never log in, request passwords, or touch inboxes.
- No sale, rental, or sharing of customer reports with any third party.
- No scanning of targets the requester has not proven ownership of.
Questions?
To discuss the methodology or request technical verification, reach [email protected]