Updated 2026-06-28 By Dimitry Iacoviuc

Introducing Ferrum Sentinel: A Safe Cyber Posture Scanner for the Businesses Nobody Scans

Most security tooling is built for the Fortune 500. We built one for everyone else.

We spend a lot of time on this blog taking Windows apart — parent PID spoofing, DLL hijacking, the unglamorous internals that decide whether an engagement succeeds. That work has a common thread: the organizations that hire us for it already know they need security. They have a budget, a CISO, and a calendar full of audits.

But most businesses are not that organization. The dental practice with a booking site. The 12-person agency running their whole operation on a domain and a mailbox. The MSP juggling forty small clients who each think "we're too small to be a target." These businesses have a real attack surface and almost no way to see it — a penetration test is priced for someone else, and the free online "scanners" are either alarmist lead-magnets or noisy vulnerability dumps nobody acts on.

So we built Ferrum Sentinel: a posture scanner and reporting platform that gives a non-specialist an honest, prioritized view of their public security posture — without touching anything it shouldn't.

What it does

You give it a domain. It runs a set of safe, public checks, scores what it finds, and turns the result into something a business owner can actually read: a cyber health score, a prioritized list of findings, plain-language remediation steps, and a professional report you can hand to a client or an insurer.

The flow is deliberately simple:

  1. Enter a domain — no agent to install, nothing to deploy.
  2. Run the checks — DNS hygiene, email authentication, TLS/HTTPS, HTTP security headers, domain lifecycle.
  3. Get a score and a grade — a weighted 0–100 score and an A–F grade per category, so "we improved" is a number, not a feeling.
  4. Fix things — every finding ships with business impact, technical detail, and concrete remediation steps.
  5. Report it — executive and technical reports in HTML and PDF, shareable and (for our MSP users) white-labelled.

There is a free public preview that runs the safe DNS and email-security checks with no account at all — type a domain, see where you stand. The deeper checks unlock once you prove you own the domain with a DNS-TXT record.

Safe by design — and we mean it

Here is the part that matters most, and the part that makes this different from the offensive work we usually write about.

Ferrum Sentinel is not a pentest tool. It does not exploit anything. It does not guess credentials, brute-force logins, run a DoS, fuzz endpoints, or crawl aggressively. It does not scan private or reserved IP ranges. Every module is rate-limited, timeout-bound, and passive by default — the deeper checks run only against a domain whose ownership has been verified.

That constraint is a feature, not a limitation. A scanner you can point at your own production domain — or, as an MSP, at a client's — without a change-control meeting is a scanner that actually gets used. The whole pipeline is built so that the worst thing it can do to a target is make a few well-behaved DNS queries and a handful of ordinary HTTPS requests, the same ones a browser makes.

The language is careful too. You will never see "you are hacked" or "you are safe." You will see detected, not detected, not confirmed, appears to — and findings are tagged with a confidence level so an inference is never dressed up as a fact. Security is probabilistic; the product talks like it.

What it actually checks

The default scan covers the hygiene that quietly breaks email and erodes trust:

  • DNS hygiene — record health and common misconfigurations.
  • Email security — SPF (walked against the RFC 10-lookup limit), DMARC policy and alignment, MTA-STS, TLS-RPT, and BIMI.
  • TLS / HTTPS — certificate validity and HTTPS posture.
  • HTTP headers — the security headers that are present (or conspicuously absent).
  • Domain lifecycle — registration and expiry signals.
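As an added illustration of the SPF walk mentioned above (example code written for this post, not Ferrum Sentinel's own implementation), this counts the DNS-querying terms reachable from a domain's SPF record, following include: and redirect= as RFC 7208 requires, and reports whether the 10-lookup limit is exceeded. The SAMPLE_TXT zone and the function names are constructed assumptions standing in for a live resolver.

```python
import re

RFC_LOOKUP_LIMIT = 10                  # RFC 7208 section 4.6.4: max DNS-querying terms
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}   # "redirect=" also counts

# Constructed sample zone (name -> TXT strings), a stand-in for a live resolver.
SAMPLE_TXT = {
    "example.test":     ["v=spf1 include:_spf.mailer.test include:_spf.crm.test mx -all"],
    "_spf.mailer.test": ["v=spf1 include:a.mailer.test include:b.mailer.test ~all"],
    "a.mailer.test":    ["v=spf1 ip4:192.0.2.0/24 a mx -all"],
    "b.mailer.test":    ["v=spf1 ip4:198.51.100.0/24 exists:%{i}.chk.test -all"],
    "_spf.crm.test":    ["v=spf1 a:mail.crm.test mx:crm.test redirect=_spf2.crm.test"],
    "_spf2.crm.test":   ["v=spf1 a a a -all"],
    "loop.test":        ["v=spf1 include:loop.test -all"],
}
TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def spf_record(name, txt):
    """Return the single v=spf1 TXT record for name, or None (absent or duplicated)."""
    recs = [r for r in txt.get(name, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def count_lookups(name, txt, path=()):
    """Count DNS-querying terms reachable from name, following include/redirect."""
    if name in path:                                # include chains can cycle
        return 0, [f"{name}: include/redirect loop"]
    rec = spf_record(name, txt)
    if rec is None:
        return 0, [f"{name}: no single v=spf1 record (permerror)"]
    total, findings = 0, []
    for term in rec.split()[1:]:                    # skip the v=spf1 version tag
        m = TERM.match(term)
        if not m:
            findings.append(f"{name}: unparseable term {term!r}")
            continue
        mech, arg = m.group(2).lower(), m.group(3)
        if mech in LOOKUP_MECHS or mech == "redirect":
            total += 1
        if mech in ("include", "redirect") and arg:
            sub, subfind = count_lookups(arg, txt, path + (name,))
            total, findings = total + sub, findings + subfind
    return total, findings

def assess_spf(domain, txt=SAMPLE_TXT):
    """Summarise a domain's SPF: lookup count vs. limit, 'all' qualifier, findings."""
    lookups, findings = count_lookups(domain, txt)
    rec = spf_record(domain, txt) or ""
    quals = [TERM.match(t).group(1) or "+" for t in rec.split()[1:]
             if TERM.match(t) and TERM.match(t).group(2).lower() == "all"]
    return {"lookups": lookups, "over_limit": lookups > RFC_LOOKUP_LIMIT,
            "all_qualifier": quals[-1] if quals else None, "findings": findings}
```

For the constructed example.test zone the walk reaches 14 lookups, which a receiver evaluates as a permerror, so mail from that domain can fail authentication even though every individual record looks sane.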

Once you verify ownership, the deeper, owner-context checks open up:

Check | What it tells you
TLS configuration grade | Which protocol versions your server still accepts, including deprecated TLS 1.0/1.1/SSL 3.0
Deep email authentication | DKIM selector discovery and key strength, plus the MTA-STS policy file itself
Security-header grading | Not just presence: your CSP is graded for the weaknesses that defeat it
Subdomain discovery & takeover | Forgotten subdomains, and dangling DNS records an attacker could claim
Typosquat monitoring | Look-alike domains registered against your brand
IP / mail-blocklist reputation | Whether your sending IPs sit on a deliverability blocklist
Cloud storage exposure | Brand-named S3/GCS/Azure buckets that are publicly listable

Each of these is the same safe, passive philosophy applied one layer deeper — a DNS lookup, an anonymous request to a public endpoint, a name compared against a list. Never an intrusion.

Built for the people who manage many of these

If you're an MSP or an IT consultant, the value isn't one scan — it's the portfolio. Ferrum Sentinel is multi-tenant from the ground up: a parent organization sees every client's grade, open critical and high findings, and trend over time in one view, with strict tenant isolation underneath so one client's data never bleeds into another's. Reports carry your branding. Monitoring runs on a schedule and emails you when something critical or high appears, so "we'll check next quarter" becomes "we knew the same day."

That's the real product: not a one-time scan (that's a transaction), but continuous, low-impact visibility with alerting (that's the subscription).

What it isn't

We'd rather tell you the limits than have you discover them.

  • It is not a guarantee. A clean score means the safe public checks didn't find a problem — not that you are invulnerable. It does not see your internal network, your endpoints, or your application logic.
  • It is not a replacement for a penetration test when you genuinely need one. It's the layer that tells most businesses whether they need that conversation yet — and gives the ones who do a clean starting map.
  • Some checks are best-effort by design. Bucket names are global, blocklists rate-limit, certificate transparency is eventually-consistent. Where we infer rather than confirm, we say so.

That honesty is the point. A tool that cries wolf gets ignored, and an ignored security tool is worse than none.

Getting started

Point the free preview at your own domain and see your email and DNS posture in under a minute — no signup. If you like what you see, verify ownership and run the full scan; if you manage clients, ask us about the MSP portfolio and white-labelled reporting.

About the author
Dimitry Iacoviuc
Founder & Principal Engineer

Dimitry Iacoviuc is the founder of Funway Interactive SRL — a professional software engineer and security expert with 25 years of battle-tested experience across software engineering, 3D web, and video streaming. He leads penetration testing and security engagements for clients worldwide. Based in Chisinau, Moldova.
