Platform Update·12 min read

AIDE Is Now a Complete Domain Intelligence Platform: Five Pillars, One Risk Score

AIDE now monitors 5 infrastructure pillars — DNS health, SSL/TLS security, email security, hosting security, and uptime availability — all feeding into a single Domain Risk Score. This post covers the complete platform, what each pillar checks, and how the scoring model works.

AW

Aideworks Team

hello@aideworks.com

Key takeaways

  • Five pillars: DNS Health (30%), SSL/TLS (30%), Email Security (20%), Uptime (10%), Hosting Security (10%)
  • 80+ discrete checks run continuously across the full infrastructure surface
  • Hosting security is the newest pillar — 27 checks covering open ports, CVE scanning, security headers, and infrastructure intelligence
  • The Domain Risk Score (0–100) uses a critical cap rule: any pillar scoring ≤ 25 caps the domain total at 50
  • Score change alerts fire for delta ≥ 5 points, with severity escalating at delta ≥ 10 (high) and ≥ 25 (critical)

In this article

Why five pillars?

Most domain monitoring tools answer two questions: is the certificate valid, and is the server responding? But the majority of real-world compromises start with something neither check would catch — a dangling DNS record that lets an attacker claim a subdomain, a DMARC policy left at p=none that lets phishing emails impersonate the domain, or a MySQL database port left open to the internet.

Five pillars means monitoring the full infrastructure surface: the DNS layer that routes everything, the TLS certificates that secure connections, the email authentication stack, the server’s exposed web surface, and endpoint availability. Together they cover the attack vectors that matter to real organisations, not just the ones that are easy to check.

PillarChecksWeight
DNS Health1730%
SSL/TLS Security1730%
Email Security1220%
Hosting SecurityNew2710%
Uptime & Availability710%

DNS Health — 17 checks, 30% weight

DNS is the lowest layer of domain infrastructure and the one attackers target first. AIDE runs 17 checks covering the full DNS attack surface. Key ones include:

  • Subdomain takeover detection: dangling CNAMEs pointing to unclaimed GitHub Pages, Heroku, S3, and Vercel slots — an attacker claims the endpoint and serves phishing content under your brand domain.
  • DNSSEC chain validation: 8 distinct states are tracked, including DS-without-DNSKEY which is treated as critical because it breaks resolution entirely for validating resolvers.
  • Zone transfer exposure: AXFR attempted against every nameserver. A successful zone transfer leaks the complete DNS zone — every hostname, IP, and record type — to anyone who asks.
  • DNSBL reputation: lookups across 20 blocklists with 4-scan confirmation to eliminate transient false positives before an alert fires.
  • Open recursive nameserver detection: an open resolver on a domain’s nameserver enables DNS amplification DDoS attacks that can direct traffic at any target.
  • DANE/TLSA: certificate pinning in DNS, verified against the live certificate chain.
  • DNS propagation consistency: responses compared across 10 global resolvers. Split-horizon configurations and stale cache issues surface here.

DNS changes are confirmed across 4 consecutive resolver polls before alerting — no false positives from transient cache misses during propagation windows.

SSL/TLS Security — 17 checks, 30% weight

17 checks cover every part of the certificate lifecycle and TLS configuration. Highlights:

  • Certificate expiry with Let’s Encrypt-specific thresholds: alert at 10 days (high) and 3 days (critical). Let’s Encrypt auto-renews at 60 days, so expiry this close means the renewal mechanism is broken — not that someone forgot to act.
  • Live OCSP revocation query: the same real-time check a browser performs. Detects revoked certificates within minutes of revocation, not at the next scheduled scan.
  • CRL fallback: Certificate Revocation List lookup with Redis caching per CRL distribution point URL, ensuring revocation status is checked even when OCSP is unavailable.
  • CAA↔issuer reconciliation: if a certificate was issued by a CA not listed in the domain’s DNS CAA records, that is a supply chain red flag — it indicates either a misconfigured CAA policy or an unauthorised issuance.
  • CT log monitoring: crt.sh queried every 30 minutes. Unknown certificates — including misissued ones — are detected within 30 minutes of issuance.
  • SMTP STARTTLS negotiation: a full EHLO→STARTTLS→TLS upgrade sequence is tested, confirming that mail submission port TLS works end-to-end, not just at the HTTPS layer.

Expiry severity escalates in tiers (warning → high → critical) and only re-fires when the tier increases, preventing alert fatigue in the days immediately before expiry.

Email Security — 12 checks, 20% weight

Email authentication is the infrastructure layer with the highest real-world compromise rate. 12 checks run continuously across the full stack:

  • DMARC policy enforcement: p=none scores 8/100 (visibility only, zero protection),p=quarantine scores 22/100, p=reject scores 30/100. A domain on p=noneis an open spoofing target.
  • SPF include chain depth: the full include graph is traced. A warning fires at 8 DNS lookups; critical at 10. RFC 7208 specifies that exceeding 10 lookups causes a permerror that breaks SPF authentication for every receiving mail server.
  • DKIM key strength: 1024-bit RSA keys are flagged critical. They are mathematically breakable with modern CPU clusters in a matter of weeks, allowing an attacker to forge valid DKIM signatures.
  • SMTP open relay detection: a live SMTP session test sends RCPT TO for an external address, confirming whether the server accepts unauthenticated third-party delivery.
  • MX DNSBL reputation: 16 parallel blocklist lookups per MX IP.
  • MTA-STS enforce mode: confirms the policy is reachable, its mode, and whether the certificate chain at the MTA-STS endpoint is valid.

Worked example: critical cap in action

A domain has DMARC p=none and an open SMTP relay confirmed. Email security score = 18.

DNS score is 95 and SSL score is 90 — both healthy. But because the email security pillar scores 18 ≤ 25, the Domain Risk Score critical cap fires. The domain total is capped at 50 (High Risk), regardless of scores in other pillars. You cannot average away an open SMTP relay.

Hosting Security — 27 checks, 10% weight New in this release

Hosting security is the newest pillar and the one that covers the widest surface area. 27 checks span six groups:

Security headers

HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each evaluated for presence, validity, and recommended directive configuration.

TLS version audit

Conducted via a real TLS handshake, not header inspection. Detects TLS 1.0 and 1.1 still being negotiated, weak cipher suites, and missing forward secrecy.

Server version disclosure

Response headers inspected for software name and version strings (Apache, nginx, PHP, ASP.NET). Disclosed versions are cross-referenced against known CVEs.

Dangerous port exposure — 21 ports probed

High-severity penalties: MySQL 3306 (−20 pts), Redis 6379 (−20 pts), MongoDB 27017 (−20 pts), RDP 3389 (−20 pts). Medium-severity: FTP 21 and 16 additional ports. Database and admin interfaces open to the internet are treated as serious findings requiring immediate remediation.

CVE database cross-reference & technology fingerprinting

50+ technologies detected from response headers and page HTML. CMS plugins and software versions are cross-referenced against the CVE database. A WordPress plugin with a critical RCE vulnerability generates a concrete score penalty and a remediation link.

Infrastructure intelligence

Hosting provider, CDN, WAF, ASN, and shared hosting neighbour mapping. Third-party script detection for privacy and supply chain risk. Data enriched from IP geolocation and ASN databases.

Uptime & Availability — 7 checks, 10% weight

Uptime monitoring in AIDE is built to avoid false positives while still detecting real outages within seconds. Seven check types are supported:

  • HTTP/HTTPS availability with 3-probe confirmation: the first probe detects a non-up state, then re-probes after 5 seconds and again after 10 seconds. All three must agree before an alert fires — eliminating false positives from transient network blips.
  • Keyword / content verification: reads up to 512 KB of response body. Catches maintenance pages and CDN fallbacks that return HTTP 200 but serve no real content — a failure mode that HTTP status checks miss entirely.
  • JSON API validation: field path and expected value assertion against parsed JSON. Used for health-check endpoints that return a payload.
  • TCP port monitoring: with optional banner verification for non-HTTP services.
  • ICMP ping: raw network reachability check, separate from HTTP layer availability.
  • Latency threshold monitoring: a “slow” state is tracked separately from “down”. Degraded performance is surfaced before it becomes an outage.
  • TLS error detection at probe time: catches certificate failures, expired certificates, and hostname mismatches at every probe, before the SSL worker’s next scheduled scan.

The Domain Risk Score — how it all adds up

Each pillar produces a score from 0 to 100. The Domain Risk Score is a weighted average of all active pillar scores. If a pillar is not monitored, it is excluded and the remaining weights are renormalized proportionally.

Weighted formula

Domain Risk Score = (0.30 × DNS) + (0.30 × SSL) + (0.20 × Email) + (0.10 × Uptime) + (0.10 × Hosting)

Unmonitored pillars excluded; weights renormalized across active pillars.

The critical cap rule: if any single pillar scores ≤ 25, the Domain Risk Score is capped at 50, regardless of what other pillars score. The design intention is explicit: a single catastrophic finding in one pillar — an open SMTP relay, an exposed Redis port, a zone transfer vulnerability — overrides an otherwise healthy domain. You cannot average away a critical security failure.

Worked example

PillarScoreContribution
DNS Health9528.5
SSL/TLS9027.0
Email SecurityCritical183.6
Uptime10010.0
Hosting Security808.0
Weighted average (before cap)74.1
Email pillar = 18 ≤ 25 → critical cap applies
Domain Risk Score50 — High Risk
Score rangeRisk bandMeaning
76–100HealthyNo critical findings
51–75Medium RiskIssues warrant attention
26–50High RiskActive security risks present
0–25CriticalImmediate remediation required

Score change alerts: fire when the Domain Risk Score changes by ≥ 5 points between consecutive evaluations. Severity is medium for a delta of 5–9 points, high for 10–24 points, and critical for ≥ 25 points. De-duplication prevents repeated alerts for the same steady state — an alert only re-fires when the score moves again or when a new check finding is added.

Who the platform is for

Agencies & MSPs

Sort your entire client portfolio by Domain Risk Score. The lowest scores are the clients that need calls this week. No manual audits, no spreadsheets, no missed renewals — just a prioritised queue of action items your team can work from immediately.

Enterprise SecOps

Domain Risk Score as a board-level KPI. The full event stream integrates with SIEM and ticketing systems. 80+ discrete checks provide the audit trail evidence required for ISO 27001 and SOC 2 compliance reviews — timestamped findings with severity, remediation status, and score impact.

Hosting Providers & Registrars

CVE scanning alerts your team before clients are compromised. Email security scoring — SPF, DKIM, DMARC — reduces spam complaints from hosted IP ranges. Infrastructure intelligence maps which CMS versions and plugins run across the fleet, making coordinated patching responses practical at scale.

AIDE Platform

Five pillars. One Risk Score. Every domain in your portfolio.

Start with the pillar that matters most for your team. They all feed into the same Domain Risk Score.

Start free trial →View platform features