Domain.Posture

The Domain Audit Report

A signed PDF + JSON sidecar for any domain. Ship it to auditors as-is.

Every Domain Audit Report carries 15 dossier checks across the apex plus up to 100 CT-discovered subdomains, signed with Ed25519, ISO-timestamped, with each finding mapped to SOC 2 / ISO 27001 / NIST. Delivered to your email in 10–30 minutes.

Get the report — $29See a sample report

One price · no subscription required

Questionnaire due this week? Signed answers land in your inbox before your next stand-up.

What's inside

  • Signed PDF (~14 pages) — apex plus subdomain coverage
  • JSON sidecar — machine-readable, same content
  • Manifest (pack.json) — SHA-256 plus Ed25519 signature
  • Public key plus verify snippet — verify offline
  • Methodology link versioned per pack (v1, v2, …)

15 checks · same engine as the free dossier

  • DNS: records, MX, DNSSEC
  • Email: SPF, DMARC, DKIM, MTA-STS, TLS-RPT
  • Transport: TLS cert, redirects, CT log
  • Web: security headers, CORS, web surface
  • Identity: WHOIS / RDAP

Pricing

Domain Audit Report · one-shot

$29/ report · ₹1,999 IN

One signed report for one apex plus up to 100 CT-discovered subdomains — the same evidence a consultant would bill hours to assemble by hand. Delivered in 10–30 min by email. The artifact is valid forever — re-run only when you want fresh evidence.

Get the report →

No subscription. No account required to receive the artifact.

If your report doesn't verify against our public key, or it isn't accepted where you needed it, reply to the delivery email within 30 days for a full refund. You keep the report.

Keep it current · Starter

$49 / month

The one-shot report is a snapshot; the Starter subscription keeps it true — daily re-scans, drift alerts on regression (TLS expiry, SPF change, DMARC weakening), and a fresh signed report every month.

See subscriptions →

Methodology

Every finding cites the standard it references. Read the full methodology document at /methodology/v1.

Verify this sample

Every pack is signed with our Ed25519 key. Verify offline against the public key.

curl -O https://domainposture.com/sample/pack.pdf
curl -O https://domainposture.com/sample/manifest.json
curl -O https://domainposture.com/sample/manifest.sig
curl -O https://domainposture.com/.well-known/evidence-pack-pubkey.pem

openssl pkeyutl -verify -pubin -inkey evidence-pack-pubkey.pem \
  -rawin -in manifest.json -sigfile <(base64 -d manifest.sig)

jq -r '.artifacts.pdf.sha256' manifest.json
shasum -a 256 pack.pdf

what this is not

the Domain Audit Report is supporting technical evidence for public-facing domain controls. it is not a SOC 2 audit report and does not replace an auditor; it gives them less to chase. it is not a penetration test, not a risk register, and not a substitute for compliance tooling like Vanta, Drata, or SecureFrame — those tools manage the audit programme; the pack documents the public domain surface they reference.

Frequently asked