How the platform actually works.
This page explains the mechanics of Deepinfo's CTEM platform: the data underneath, how discovery and scanning operate, how findings flow through a nine-state issue lifecycle, how vulnerability scoring uses EPSS and CISA KEV, and how the platform integrates with the security stack you already run. Long but useful.
Built on a dataset we own.
Most exposure platforms run on data licensed from third-party providers. Deepinfo built its own internet-scale dataset and runs on it directly. That's the architectural choice that makes everything else work the way it does.
The dataset doesn't just power the customer-facing platform. It powers our own internal scanning. It's also sold separately as Data Feeds and API Services for organizations that want to build with the data directly. Coverage, freshness, and history aren't subject to anyone else's roadmap.
From one seed to your full surface.
Deepinfo's discovery engine starts from a seed (typically your primary corporate domain) and expands outward through every relationship the internet's data layer reveals.
Forward enumeration.
Subdomain discovery via passive DNS records, certificate transparency logs, web crawling, and search-engine indexing. Most discoverable subdomains surface within hours of being seeded.
Reverse enumeration.
Reverse-IP, reverse-MX, reverse-NS, reverse-WHOIS lookups against the Deepinfo dataset. If your organization owns one IP and that IP hosts other domains, those other domains are surfaced. If subsidiaries register domains under shared infrastructure, the relationship gets discovered.
Smart discovery rules.
Built-in rules that capture common patterns: variations of your brand, country-specific TLD variants, common subsidiary naming patterns, M&A-acquired domain inheritance. Rules are continuously refined.
Asset approval workflow.
Discovered candidates aren't automatically monitored. They appear in a discovery queue where your team can approve, ignore, or set them aside. Approved assets enter the monitored inventory. Ignored assets stay out, with a record of the decision.
Seven data layers per asset, on a continuous schedule.
Every monitored asset is scanned across seven independent data layers. Scanning runs continuously on Deepinfo's schedule (we don't depend on your team to trigger it), with full historical state preserved per layer.
- 01 Whois: Domain registration data: registrar, registration date, expiration, registrant if public.
- 02 IP-Whois: IP-level Whois: ASN, country, organization, network range.
- 03 DNS: Live DNS records (A, AAAA, MX, NS, SOA, TXT, and the long tail).
- 04 SSL: TLS certificate state: issuer, validity, cipher suites, certificate chain, hostnames.
- 05 Port scan: TCP and UDP port scans surfacing exposed services.
- 06 HTTP: HTTP response headers, status codes, redirect chains, security headers.
- 07 Web data: Page content, technology fingerprinting, login page detection, screenshots.
Each layer's data is timestamped and versioned. When something changes (DNS modified, certificate rotated, port opened), the platform surfaces the delta as an event, not just an updated state. This is how drift detection works.
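The delta-as-event model described above, as an added example that is not Deepinfo's code: each (asset, layer) pair keeps every versioned snapshot, and ingesting a new scan diffs it against the previous version and emits one event per changed field. The layer names follow the page; the snapshot shape, event shape and the sample scans are assumptions constructed for the example.

```python
"""Drift detection over versioned per-layer snapshots.

Added illustration, not Deepinfo's code. Layer names follow the page
(dns, port_scan); the snapshot shape, event shape and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass
class LayerSnapshot:
    asset: str
    layer: str            # one of the page's seven layers, e.g. "dns"
    observed_at: datetime
    data: dict[str, Any]  # layer fields, e.g. {"A": [...], "MX": [...]}


@dataclass
class DriftEvent:
    asset: str
    layer: str
    key: str
    previous: Any
    current: Any
    previous_seen: datetime
    current_seen: datetime


def _normalize(value: Any) -> Any:
    # Record sets are unordered: a reordered A-record list is not drift.
    if isinstance(value, list):
        return tuple(sorted(str(v) for v in value))
    return value


def diff_layer(old: LayerSnapshot, new: LayerSnapshot) -> list[DriftEvent]:
    """One event per changed field, rather than a silently overwritten state."""
    if (old.asset, old.layer) != (new.asset, new.layer):
        raise ValueError("snapshots must describe the same asset and layer")
    events = []
    for key in sorted(set(old.data) | set(new.data)):
        before, after = old.data.get(key), new.data.get(key)
        if _normalize(before) != _normalize(after):
            events.append(DriftEvent(new.asset, new.layer, key, before, after,
                                     old.observed_at, new.observed_at))
    return events


class AssetHistory:
    """Keeps every version of every (asset, layer) and diffs on ingest."""

    def __init__(self) -> None:
        self._versions: dict[tuple[str, str], list[LayerSnapshot]] = {}

    def ingest(self, snap: LayerSnapshot) -> list[DriftEvent]:
        versions = self._versions.setdefault((snap.asset, snap.layer), [])
        events = diff_layer(versions[-1], snap) if versions else []
        versions.append(snap)   # history is preserved, not replaced
        return events

    def versions(self, asset: str, layer: str) -> list[LayerSnapshot]:
        return list(self._versions.get((asset, layer), []))


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 1, 2, tzinfo=timezone.utc)

# Constructed sample scans: a second A record appears and port 22 opens.
SAMPLE_SNAPSHOTS = [
    LayerSnapshot("www.example.com", "dns", T0,
                  {"A": ["203.0.113.10"], "MX": ["mail.example.com"]}),
    LayerSnapshot("www.example.com", "port_scan", T0, {"tcp_open": [443]}),
    LayerSnapshot("www.example.com", "dns", T1,
                  {"A": ["203.0.113.11", "203.0.113.10"], "MX": ["mail.example.com"]}),
    LayerSnapshot("www.example.com", "port_scan", T1, {"tcp_open": [443, 22]}),
]


def run_sample() -> tuple[AssetHistory, list[DriftEvent]]:
    """Replay the constructed scans in time order and collect drift events."""
    history = AssetHistory()
    events: list[DriftEvent] = []
    for snap in sorted(SAMPLE_SNAPSHOTS, key=lambda s: s.observed_at):
        events.extend(history.ingest(snap))
    return history, events


if __name__ == "__main__":
    _, found = run_sample()
    for e in found:
        print(f"{e.asset} {e.layer}.{e.key}: {e.previous} -> {e.current}")
```

The normalisation step matters in practice: DNS resolvers and scanners return record sets in varying order, and without it every scan would produce a false "changed" event for the same data.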
Nine states, because open and closed isn't enough.
A binary "open / closed" model loses critical information. Was an issue resolved by remediation, or by removing the asset entirely? Was it ignored, or marked as a false positive after analysis? Did a "resolved" issue stay resolved on the next scan? Deepinfo tracks issues through nine states.
- 01 Newly Detected: Issue surfaced for the first time.
- 02 Reappeared: Issue previously resolved that's been detected again on a new scan.
- 03 Unresolved: Issue acknowledged by your team and pending action.
- 04 Marked as Resolved: Your team marked it fixed.
- 05 Verified Resolved: Subsequent scan confirmed the fix.
- 06 Risk Accepted: Your team chose not to remediate; documented business decision.
- 07 Ignored: Not relevant; documented decision.
- 08 Marked as False Positive: Detection error; documented.
- 09 Not Applicable: Out of scope for this asset / environment.
Every state transition is logged with a user, timestamp, and optional comment. The audit trail is exportable. Compliance audits, reviews, and incident retrospectives all rely on it.
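The nine-state lifecycle and its audit trail, as an added example that is not Deepinfo's code. The state names are the page's; the allowed transitions (which moves an analyst may make versus which only a rescan may make), the actor labels, the record format and the sample walk-through are assumptions made for the example.

```python
"""Nine-state issue lifecycle with an exportable audit trail.

Added illustration, not Deepinfo's code. The state names are the page's;
the allowed transitions, actor roles and record format are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional
import json


class State(Enum):
    NEWLY_DETECTED = "Newly Detected"
    REAPPEARED = "Reappeared"
    UNRESOLVED = "Unresolved"
    MARKED_RESOLVED = "Marked as Resolved"
    VERIFIED_RESOLVED = "Verified Resolved"
    RISK_ACCEPTED = "Risk Accepted"
    IGNORED = "Ignored"
    FALSE_POSITIVE = "Marked as False Positive"
    NOT_APPLICABLE = "Not Applicable"


DISPOSITIONS = {State.RISK_ACCEPTED, State.IGNORED,
                State.FALSE_POSITIVE, State.NOT_APPLICABLE}

# Assumed edges. Analysts decide; only a rescan may verify a fix or reopen.
ANALYST_TRANSITIONS = {
    State.NEWLY_DETECTED: {State.UNRESOLVED} | DISPOSITIONS,
    State.REAPPEARED: {State.UNRESOLVED} | DISPOSITIONS,
    State.UNRESOLVED: {State.MARKED_RESOLVED} | DISPOSITIONS,
}
SCANNER_TRANSITIONS = {
    State.MARKED_RESOLVED: {State.VERIFIED_RESOLVED, State.UNRESOLVED},
    State.VERIFIED_RESOLVED: {State.REAPPEARED},
}


def analyst_may(from_state: State, to: State) -> bool:
    return to in ANALYST_TRANSITIONS.get(from_state, set())


@dataclass
class Transition:
    at: datetime
    actor: str
    from_state: State
    to_state: State
    comment: Optional[str] = None


@dataclass
class Issue:
    issue_id: str
    asset: str
    state: State = State.NEWLY_DETECTED
    audit: list = field(default_factory=list)

    def _move(self, to: State, actor: str, table: dict, comment: Optional[str] = None) -> None:
        if to not in table.get(self.state, set()):
            raise ValueError(f"{self.state.value} -> {to.value} not allowed for {actor}")
        # Every transition is recorded with user, timestamp and optional comment.
        self.audit.append(Transition(datetime.now(timezone.utc), actor, self.state, to, comment))
        self.state = to

    def analyst_sets(self, to: State, user: str, comment: Optional[str] = None) -> None:
        self._move(to, user, ANALYST_TRANSITIONS, comment)

    def apply_scan(self, still_detected: bool) -> Optional[State]:
        """Scanner-driven transitions; returns the new state, or None if unchanged."""
        if self.state is State.MARKED_RESOLVED:
            target = State.UNRESOLVED if still_detected else State.VERIFIED_RESOLVED
        elif self.state is State.VERIFIED_RESOLVED and still_detected:
            target = State.REAPPEARED
        else:
            return None
        self._move(target, "scanner", SCANNER_TRANSITIONS,
                   "detected on rescan" if still_detected else "not detected on rescan")
        return target

    def export_audit(self) -> str:
        """Audit trail as JSON lines, one transition per line."""
        return "\n".join(json.dumps({
            "issue": self.issue_id, "asset": self.asset,
            "at": t.at.isoformat(), "actor": t.actor,
            "from": t.from_state.value, "to": t.to_state.value,
            "comment": t.comment}) for t in self.audit)


def walk_sample() -> Issue:
    """Constructed walk-through: fix claimed, verified by rescan, then reopened."""
    issue = Issue("ISSUE-0001", "www.example.com")   # constructed identifiers
    issue.analyst_sets(State.UNRESOLVED, "alice", "ticket opened")
    issue.analyst_sets(State.MARKED_RESOLVED, "alice", "header added")
    issue.apply_scan(still_detected=False)   # -> Verified Resolved
    issue.apply_scan(still_detected=True)    # -> Reappeared
    return issue


if __name__ == "__main__":
    print(walk_sample().export_audit())
```

Keeping "Marked as Resolved" and "Verified Resolved" as separate states, with only the scanner allowed to make that move, is what lets the audit trail answer "did the fix actually hold" rather than "did someone click resolved".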
Severity is the start. Exploitation is the question.
CVSS scores describe how severe a vulnerability could be in theory. They don't describe whether attackers are actually exploiting it. Deepinfo enriches every detected CVE with two additional layers of real-world signal.
CVSS: the baseline.
Common Vulnerability Scoring System. Tells you how severe a vulnerability could be: confidentiality impact, integrity impact, availability impact, attack vector. Necessary, not sufficient.
EPSS: exploit prediction.
Exploit Prediction Scoring System. Models the probability that a vulnerability will be exploited in the next 30 days using real-world attack data. A "critical" CVSS with 0.01% EPSS is genuinely lower priority than a "high" CVSS with 95% EPSS.
CISA KEV: confirmed exploitation.
CISA Known Exploited Vulnerabilities catalog. CVEs confirmed to be exploited in the wild. Every CVE in our system carries a KEV flag. KEV-listed CVEs jump to the top of the queue automatically.
The platform combines all three signals into a unified prioritization view. Your team sees what's actually being exploited, on assets that are actually exposed, with the evidence right there.
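One way to turn the three signals into a single queue, as an added example that is not Deepinfo's code: KEV-listed findings go to the top, then findings on exposed assets, then EPSS, with CVSS as the tie-breaker. That ordering, the finding fields and the sample values are assumptions for the example; the CVE identifiers are constructed placeholders, not real CVEs.

```python
"""Prioritisation from CVSS, EPSS and CISA KEV on exposed assets.

Added illustration, not Deepinfo's code. The ordering (KEV first, then
exposure, then EPSS, then CVSS), the finding fields and the sample values
are assumed; the CVE ids are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float      # CVSS base score, 0.0 to 10.0
    epss: float      # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    kev: bool        # listed in the CISA Known Exploited Vulnerabilities catalog
    exposed: bool    # the vulnerable service is reachable per the port/HTTP layers


def priority_key(f: Finding) -> tuple:
    """Sort key: KEV outranks everything, then exposure, then EPSS, then CVSS."""
    if not 0.0 <= f.cvss <= 10.0 or not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: score out of range")
    # False sorts before True, so negate the booleans we want first.
    return (not f.kev, not f.exposed, -f.epss, -f.cvss)


def prioritize(findings: list) -> list:
    return sorted(findings, key=priority_key)


def explain(f: Finding) -> str:
    """Evidence line a reviewer would want next to the ranking."""
    signals = ["CISA KEV"] if f.kev else []
    signals += [f"EPSS {f.epss:.2%}", f"CVSS {f.cvss}",
                "exposed" if f.exposed else "not exposed"]
    return f"{f.cve} on {f.asset}: " + ", ".join(signals)


# Constructed sample findings (placeholder CVE ids, example.com hosts).
SAMPLE = [
    Finding("CVE-0000-0001", "www.example.com", 9.8, 0.0001, False, True),  # critical on paper only
    Finding("CVE-0000-0002", "www.example.com", 8.1, 0.95, False, True),    # high, likely exploited
    Finding("CVE-0000-0003", "api.example.com", 7.5, 0.20, True, True),     # confirmed exploited (KEV)
    Finding("CVE-0000-0004", "vpn.example.com", 8.1, 0.95, False, False),   # same as 0002, not reachable
]


def ranked_ids(findings=SAMPLE) -> list:
    return [f.cve for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(explain(f))
```

The sample reproduces the page's point: the 9.8 with an EPSS of 0.01% lands below the 8.1 with an EPSS of 95%, and the KEV-listed 7.5 lands above both.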
Findings route to where your team already works.
A finding that stays in our dashboard is a finding that doesn't get acted on. Deepinfo integrates with the systems your team operates daily.
SIEM and SOAR.
Native integrations with major SIEM and SOAR platforms. Findings ship as structured events. STIX/TAXII supported for threat intel use cases.
Ticketing.
Native integrations with major ticketing systems. Issues open as tickets with severity, evidence, and remediation guidance pre-populated.
Chat and email.
Slack and Microsoft Teams routing per channel. Email with frequency configurable: instant, hourly, daily, weekly, monthly.
Where a native integration doesn't exist, the API exposes everything. Build custom integrations with your security automation platform of choice. The platform doesn't trap your data.
Outputs designed for the different audiences who consume them.
Different stakeholders need different views. Boards want trend lines and risk-score deltas. Operators want detailed findings with evidence. Auditors want compliance-mapped exports. The platform produces all of them.
Reports (8 types).
- Executive summary
- Weekly progress
- Asset detail
- Vulnerability detail
- Vulnerability overview
- Issue detail
- Issue overview
- CTI email breach summary
Generated on schedule or on demand. Exportable as PDF, Excel, or via API.
Alerts (15 event types).
- New issue detected
- Reappeared issue detected
- Asset security score decreased
- Asset SSL changed
- Asset Whois changed
- Asset DNS changed
- Domain security score decreased
- New asset discovered
- New vulnerability detected
- Reappeared vulnerability detected
- New email breach detected
- New compromised device detected
- New fraudulent domain detected
- New impersonation account detected
- Vendor risk score dropped below threshold
Frequency configurable per channel.
Customer data handled with the care it deserves.
Deepinfo aligns to enterprise security standards. SOC 2 Type II audited. ISO 27001 (see /trust for current status). GDPR-aligned data handling for EU customers. KVKK-aligned for Türkiye customers.
Customer-discovered data (your assets, your findings, your monitoring scope) is yours. We don't sell it. We don't use it to train shared models. We don't surface it to other customers. Full audit logs available.
See the Trust Center.
Run the platform against your own domain.
The fastest way to understand the platform is to see it work. Free threat exposure report in 60 seconds, or book a working demo with our team.