Zero-traffic · Black-box · Public internet only
your company Security
Research Report
your company
D
OVERALL RISK
Findings
7
3 critical · 2 medium · 2 low
Attack Surface
209
subdomains mapped
Records Extracted
6298
PHI · PII · customer roster
Still Open
7
verified 2026-07-06
How We Found This
Phase #1
Certificate Transparency
209
subdomains from crt.sh
Phase #2
DNS + HTTP Enumeration
17
live hosts identified
Phase #3
JS Bundle Analysis
5
exposed paths + secrets
Phase #4
Findings
7
confirmed
Phase #1
CT Log Mining
Phase #2
DNS Resolution
Phase #3
Infra Fingerprinting
Phase #4
Intelligence
passive intelligence · 0 packets sent · ct.sh query onlymapping from CT logs…
portal.CF
jfrog.ioJF
www.CF
auth0.comA0
trust.HC
hoppscotchN0
subdomains: 6
providers: AWS · CF · Vercel · Fly.io
alerts: —
0 packets sent to yourcompany.com
DNS resolution →
#2 Attack Surface Map
All (209)
Portal (Core App)
Clinical AI Services
Sandbox / Hoppscotch
Registry / DevOps
Auth
Docs / Trust
Staging / Dev
Portal (Core App)
Clinical AI Services
Sandbox / Hoppscotch
Registry / DevOps
Auth
Docs / Trust
Staging / Dev
Active Findings
portal.yourcompany.com
JFrog token in SPA bundle chains to GitHub org-admin + live OpenAI key + 316 private repos
api.github.com/yourcompany
Chained GH PAT unlocks customer roster + PHI + prod DB credentials
yourcompany.jfrog.io
Artifactory tenant readable via published reference token (24 staff emails + 7 named customers)
portal.yourcompany.com — 3 replicas
Unauthenticated GET returns 3,982 customer institutions (AbbVie, Pfizer, Moderna …)
hoppscotch-backend.sandbox.yourcompany.com
GraphQL introspection + verbose error stacktraces expose admin API surface and secret namespace
Legend
Has active finding
DNS-live, no finding
CT logs only
#3 Attack Surface Graph
Reachable host
Vulnerability / misconfiguration
Data reached / consequence
Primary attack path
Secondary / fleet parity
#4 Security Findings
All (7)
Critical (3)
High (0)
Medium (2)
Low (2)
Still Open 7 findings
Action Required
F-01
CRITICAL
Company GitHub organization compromised end-to-end via a single unauthenticated request against the customer portal
STILL OPEN
F-02
CRITICAL
Enterprise customer roster, employee identity graph, real-shape patient case data, and multi-customer database credentials extracted through the chained GitHub admin token
STILL OPEN
F-03
CRITICAL
Internal source code, engineering staff directory, and enterprise customer inventory extracted from published JavaScript bundle
STILL OPEN
F-04
MEDIUM
Full 3,982-institution enterprise customer/partner directory leaked unauthenticated across production, staging, dev, and demo environments
STILL OPEN
F-05
MEDIUM
Internal admin API blueprint and server-side secret naming namespace disclosed to unauthenticated attackers via sandbox tenant
STILL OPEN
F-06
LOW
Non-production portal environments reachable directly on the public internet
STILL OPEN
F-07
LOW
Email security posture allows confident inbound spoofing of yourcompany.com
STILL OPEN
#5 Infrastructure Footprint
| Provider | Services | Share | Details |
|---|---|---|---|
| Cloudflare | 7 | CDN edge · WAF · portal.* fronting · www + trust proxy | |
| Amazon Web Services | 4 | EC2 (34.211.139.226 range) · S3 (Redoc hosting) · us-west-2 primary | |
| Auth0 (Okta) | 1 | yourcompany.us.auth0.com tenant · Universal Login + db-connection | |
| JFrog Artifactory | 1 | Artifactory 7.158.4 · 12 repos (Docker/npm/PyPI/YUM) | |
| GitHub | 1 | yourcompany org (316 private repos) · Actions CI/CD | |
| HyperComply | 1 | trust.yourcompany.com (Trust Center) |
Technology Stack · discovered via headers · CSP · DNS
Backend
Django REST FrameworkNestJSApollo GraphQLFastAPINode.js
Frontend
ReactViteRedoc
Auth
Auth0JWT (RS256)SAML → Auth0 migration
Data
MySQL / MariaDBPostgreSQLFHIR Bundle
Cloud + CI/CD
AWS us-west-2CloudflareGitHub ActionsJFrog Artifactory 7.158.4
Analytics / Feature Flags
MixpanelFlagsmith (self-hosted)
#6 Email Security Posture
D
GRADE
!DMARC
p=none — receivers observe only; no quarantine or reject action taken on failing mail
!SPF
empty SPF record for yourcompany.com — no authorized senders declared
!DKIM
DKIM selector configured on yourcompany.com
!MTA-STS
not configured / not discoverable
CodeAnt AI Security Research · www.codeant.ai
your company Recon Intelligence Report
Black-box · Public internet only · 2026-07-06
Black-box · Public internet only · 2026-07-06