your company: Security Research Report
Scanned 6 Jul, 20:28
Zero-traffic · Black-box · Public internet only

your company Security
Research Report

your company
D
OVERALL RISK
Findings
7
3 critical · 2 medium · 2 low
Attack Surface
209
subdomains mapped
Records Extracted
6298
PHI · PII · customer roster
Still Open
7
verified 2026-07-06

How We Found This

zero-traffic · black-box methodology
Phase #1
Certificate Transparency
209
subdomains from crt.sh
crt.sh209 subdomains
Phase #2
DNS + HTTP Enumeration
17
live hosts identified
live hosts12 interesting
Phase #3
JS Bundle Analysis
5
exposed paths + secrets
portal SPAverified live
Phase #4
Findings
7
confirmed
3 critical2 medium2 low
Phase #1
CT Log Mining
Phase #2
DNS Resolution
Phase #3
Infra Fingerprinting
Phase #4
Intelligence
passive intelligence · 0 packets sent · ct.sh query onlymapping from CT logs…
portal.CF
jfrog.ioJF
www.CF
auth0.comA0
trust.HC
hoppscotchN0
subdomains: 6 providers: AWS · CF · Vercel · Fly.io alerts: 0 packets sent to yourcompany.com DNS resolution →

#2 Attack Surface Map

209 subdomains · 7 categories
All (209) Portal (Core App) Clinical AI Services Sandbox / Hoppscotch Registry / DevOps Auth Docs / Trust Staging / Dev
Portal (Core App)
portal.yourcompany.com portal.staging.yourcompany.com portal.dev.yourcompany.com portal.demo.yourcompany.com www.yourcompany.com app.yourcompany.com
Clinical AI Services
ai-search-api-docs.yourcompany.com ai-search-portal.yourcompany.com ai-search-admin-portal.yourcompany.com chatwd.yourcompany.com cdl.yourcompany.com cdl.sandbox.yourcompany.com
Sandbox / Hoppscotch
hoppscotch.sandbox.yourcompany.com hoppscotch.yourcompany.com hoppscotch-backend.sandbox.yourcompany.com admin.sandbox.yourcompany.com backend.sandbox.yourcompany.com clinicaldefinitionslibrary.sandbox.yourcompany.com
Registry / DevOps
yourcompany.jfrog.io devops.dev.yourcompany.com devops.prod.yourcompany.com devops.yourcompany.com backstage.dev.yourcompany.com
Auth
yourcompany.us.auth0.com
Docs / Trust
docs.yourcompany.com trust.yourcompany.com ace-docs.yourcompany.com ace-docs.dev.yourcompany.com
Staging / Dev
atropos.dev.yourcompany.com atropos.staging.yourcompany.com atropos.uat.yourcompany.com catalog.staging.yourcompany.com catalog.dev.yourcompany.com dataset-selector.dev.yourcompany.com
Active Findings
portal.yourcompany.com
JFrog token in SPA bundle chains to GitHub org-admin + live OpenAI key + 316 private repos
F-01 · Critical · Still Open
api.github.com/yourcompany
Chained GH PAT unlocks customer roster + PHI + prod DB credentials
F-02 · Critical · Still Open
yourcompany.jfrog.io
Artifactory tenant readable via published reference token (24 staff emails + 7 named customers)
F-03 · Critical · Still Open
portal.yourcompany.com — 3 replicas
Unauthenticated GET returns 3,982 customer institutions (AbbVie, Pfizer, Moderna …)
F-04 · Medium · Still Open
hoppscotch-backend.sandbox.yourcompany.com
GraphQL introspection + verbose error stacktraces expose admin API surface and secret namespace
F-05 · Medium · Still Open
Legend
Has active finding
DNS-live, no finding
CT logs only

#3 Attack Surface Graph

Reachable host
Vulnerability / misconfiguration
Data reached / consequence
Primary attack path
Secondary / fleet parity
EXPOSED SURFACE ROOT CAUSE DATA REACHED portal.yourcompany.com yourcompany.jfrog.io api.github.com/yourcompany hoppscotch-backend.sandbox ai-search-api-docs portal.dev.yourcompany.com yourcompany.com Secrets baked into public JS bundle Over-scoped long-lived tokens Auth0 tenant · open self- signup Unauth /api/institutions/… GraphQL introspection open Clinical AI OpenAPI public Empty SPF + DMARC p=none GitHub org owned · 316 private repos Live OpenAI production API key 4,267 named enterprise customers PHI + employee identity + DB creds Admin API + AI attack surface

#4 Security Findings

3 critical · 0 high · 2 medium · 7 still open
All (7) Critical (3) High (0) Medium (2) Low (2)
Still Open 7 findings
Action Required
F-01
CRITICAL
Company GitHub organization compromised end-to-end via a single unauthenticated request against the customer portal
STILL OPEN
F-02
CRITICAL
Enterprise customer roster, employee identity graph, real-shape patient case data, and multi-customer database credentials extracted through the chained GitHub admin token
STILL OPEN
F-03
CRITICAL
Internal source code, engineering staff directory, and enterprise customer inventory extracted from published JavaScript bundle
STILL OPEN
F-04
MEDIUM
Full 3,982-institution enterprise customer/partner directory leaked unauthenticated across production, staging, dev, and demo environments
STILL OPEN
F-05
MEDIUM
Internal admin API blueprint and server-side secret naming namespace disclosed to unauthenticated attackers via sandbox tenant
STILL OPEN
F-06
LOW
Non-production portal environments reachable directly on the public internet
STILL OPEN
F-07
LOW
Email security posture allows confident inbound spoofing of yourcompany.com
STILL OPEN

#5 Infrastructure Footprint

6 providers · 2 regions
ProviderServicesShareDetails
Cloudflare 7
CDN edge · WAF · portal.* fronting · www + trust proxy
Amazon Web Services 4
EC2 (34.211.139.226 range) · S3 (Redoc hosting) · us-west-2 primary
Auth0 (Okta) 1
yourcompany.us.auth0.com tenant · Universal Login + db-connection
JFrog Artifactory 1
Artifactory 7.158.4 · 12 repos (Docker/npm/PyPI/YUM)
GitHub 1
yourcompany org (316 private repos) · Actions CI/CD
HyperComply 1
trust.yourcompany.com (Trust Center)
Technology Stack · discovered via headers · CSP · DNS
Backend
Django REST FrameworkNestJSApollo GraphQLFastAPINode.js
Frontend
ReactViteRedoc
Auth
Auth0JWT (RS256)SAML → Auth0 migration
Data
MySQL / MariaDBPostgreSQLFHIR Bundle
Cloud + CI/CD
AWS us-west-2CloudflareGitHub ActionsJFrog Artifactory 7.158.4
Analytics / Feature Flags
MixpanelFlagsmith (self-hosted)

#6 Email Security Posture

grade D · DMARC p=none
CodeAnt AI Security Research · www.codeant.ai
your company Recon Intelligence Report
Black-box · Public internet only · 2026-07-06