Methodology

We show our work.

Every Overt finding can answer the question a security-literate buyer will ask: how do you know? This page is that answer, in full.

From public signal to scored finding

CDN detection: three layers, first hit wins

  1. Response headers

    The host is fetched and CDN-identifying headers are read — x-served-by, x-akamai-*, x-amz-cf-id, x-azure-ref. First-party evidence, highest confidence.

  2. CNAME chain

    DNS is resolved over DNS-over-HTTPS and delegation domains are matched — *.akamaiedge.net, *.fastly.net, *.cloudfront.net. The chain itself is the receipt.

  3. IP → ASN

    The origin IP is mapped to its autonomous system. General cloud ASNs are deliberately not labeled as CDNs — they surface as hosting, because that is what they are.

Because Overt itself runs on a CDN's network, that provider's own headers are excluded from its detection — it is identified by network and CNAME evidence instead. Accuracy rules like this are the product.
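
The three layers and the self-exclusion rule above, as an added example that is not Overt's code: it classifies already-collected observations offline, first hit wins. The vendor names attached to each pattern, the ASN tables, the `self_provider` parameter and the exact confidence values (picked inside the ranges this page states) are assumptions of the example.

```python
from fnmatch import fnmatchcase

# Patterns are the page's; vendor names, ASN tables and the exact confidence
# values (picked inside the page's stated ranges) are assumptions of this example.
HEADER_RULES = [("x-served-by", "Fastly"), ("x-akamai-*", "Akamai"),
                ("x-amz-cf-id", "CloudFront"), ("x-azure-ref", "Azure Front Door")]
CNAME_RULES = [("*.akamaiedge.net", "Akamai"), ("*.fastly.net", "Fastly"),
               ("*.cloudfront.net", "CloudFront")]
CDN_ASNS = {20940: "Akamai", 54113: "Fastly", 13335: "Cloudflare"}
CLOUD_ASNS = {16509: "Amazon", 8075: "Microsoft", 15169: "Google"}
CONFIDENCE = {"header": 0.98, "cname": 0.95, "asn": 0.70}


def finding(kind, vendor, layer, evidence):
    return {"kind": kind, "vendor": vendor, "layer": layer,
            "confidence": CONFIDENCE[layer], "evidence": evidence}


def classify(headers, cname_chain, asn, self_provider=None):
    """Run the three layers in order and return the first hit."""
    # Layer 1: response headers. The scanner's own CDN provider is excluded
    # from header matching, as the page describes.
    for name in headers:
        for pattern, vendor in HEADER_RULES:
            if vendor != self_provider and fnmatchcase(name.lower(), pattern):
                return finding("cdn", vendor, "header", name)
    # Layer 2: CNAME chain; the chain itself is kept as the evidence.
    for target in cname_chain:
        host = target.lower().rstrip(".")
        for pattern, vendor in CNAME_RULES:
            if fnmatchcase(host, pattern):
                return finding("cdn", vendor, "cname", " -> ".join(cname_chain))
    # Layer 3: IP -> ASN. General cloud ASNs are reported as hosting, not CDN.
    if asn in CDN_ASNS:
        return finding("cdn", CDN_ASNS[asn], "asn", f"AS{asn}")
    if asn in CLOUD_ASNS:
        return finding("hosting", CLOUD_ASNS[asn], "asn", f"AS{asn}")
    return {"kind": "none detected", "vendor": None, "layer": None,
            "confidence": 0.0, "evidence": None}


# Constructed observations (headers, CNAME chain, origin ASN); not real scan data.
SAMPLES = [
    ({"X-Amz-Cf-Id": "constructed"}, ["www.example.com", "d0.cloudfront.net"], 16509),
    ({"Server": "nginx"}, ["shop.example.com", "example.map.fastly.net."], 54113),
    ({"Server": "nginx"}, [], 16509),
]
RESULTS = [classify(h, c, a) for h, c, a in SAMPLES]
```

With `self_provider="Fastly"`, an `x-served-by` header no longer produces a layer 1 hit, and the same host is attributed by CNAME or ASN evidence at that layer's confidence.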

Independent passes beyond the CDN

WAF & bot defence

response headers + Set-Cookie names

Email security

MX records, SPF includes, DMARC policy

Identity & SaaS

verification TXT records, classified CNAMEs

Technology fingerprints

HTML, CSP, cookies — 5,700+ patterns

Security posture

SPF/DMARC/DKIM, HSTS, security headers, DNSSEC, CAA

Attack surface

CT-log subdomains, takeover candidates, exposed services

L3/L4 DDoS posture

BGP route neighbours from public routing data

Buying-team geography

licensed people-data providers, inside the product

The confidence model

A CNAME delegation is not the same kind of evidence as an HTML substring, and Overt never pretends it is. Every finding carries a numeric confidence keyed to how it was detected — header and CNAME matches score highest, network attribution lower, page fingerprints lower still. Scores compound into account priority, so a territory ranked by Overt is ranked by the strength of its evidence.

  • header / CNAME: ~95–98%
  • MX / NS / TXT: ~90%
  • IP → ASN: ~70–95%
  • HTML fingerprint: ~55–70%

Sample security posture grade: C, 68/100

Posture grading reads email authentication, transport security, HTTP security headers and information disclosure into a single 0–100 score — the same grade your prospect's CISO would compute.

What we can't see — said plainly

On-premise appliances

A DDoS appliance or WAF with no DNS, routing or response footprint is externally invisible — to us and to every vendor in this category. We say "none detected", never "none exists".

Ports, banners, TLS internals

Overt reads what a normal HTTPS client and the public DNS see. It does not port-scan and does not buy scan-index data — a deliberate line that keeps the method clean and the legal posture simple.

Anything behind a login

Internal tooling, private admin panels and authenticated apps are out of scope by definition. Detection is passive; the one active check that exists is opt-in and reserved for authorized targets.

When a finding is uncertain, the uncertainty ships with it. That is the whole methodology in one sentence.
