Ground Control / Sentinel
Attack surface scan — checks running every 6 hours

How much of your attack surface
can attackers see?

Sentinel scans your DNS, web headers, TLS configuration, and Microsoft 365 setup — continuously, from the attacker's perspective.

No credit card
No installation
Results in 60 seconds
01 / Attack Surface

Attackers don't need your password.
They need your misconfiguration.

Sentinel maps three attack surface layers. Each check runs from the public internet — exactly how an attacker would look at your infrastructure.

01

DNS & Email

Email spoofing starts with one missing record.

DMARC, SPF, and DKIM are public. Attackers check them before you do. A policy set to p=none means anyone can send from your domain.

DMARC policy enforcement (p=reject / p=quarantine)
SPF hard fail and include chain integrity
DKIM selector presence and M365 alignment
DNS & Email deep scan →
02

Web & TLS

Your website answers questions you didn't mean to answer.

Missing security headers tell attackers what protections are absent. An expired or misconfigured certificate tells customers to leave.

HTTP security headers (CSP, HSTS, X-Frame-Options)
TLS version enforcement (1.2+ required)
Certificate expiry — alerts at 30 days and 7 days
Web & TLS deep scan →
03
Partial

Cloud & SaaS

Microsoft 365 ships with defaults that benefit attackers.

DKIM signing is off for custom domains. Legacy authentication stays enabled. MFA isn't enforced. These aren't edge cases — they're defaults.

DKIM signing enabled for custom domain
Conditional Access policy gaps
MFA enforcement and legacy auth detection
M365 configuration check →
02 / How It Works
01

Add your domain

Enter yourcompany.com. No DNS changes required. No installation. No agents to deploy on your servers. Sentinel reads your public DNS records — that's it.

60 seconds to add
02

We scan continuously

SPF, DKIM, DMARC, SSL certificates, MX records, MTA-STS, and Microsoft 365 configuration — checked every 6 hours from multiple locations. Results stored with full history.

Every 6 hours, automatically
03

Get alerted before problems become incidents

Email, Slack, webhook, or Microsoft Teams when anything changes or degrades. SSL expiry warnings at 30 days and 7 days. DMARC failures within the hour they happen.

Alert within minutes of detection
Use Cases

Go deeper on
what matters most.

Each attack surface has its own checks.
Start with the one most relevant to you.

DNS & Email Security
Live

For IT teams who manage their own domain and want to know if email spoofing is possible — and whether Microsoft 365 is correctly configured.

Check your email setup →
Web & TLS Security
Live

For teams who run a public website and want to know what security headers are missing and when their certificate expires.

Check your website →
Microsoft 365 Configuration
Soon

For M365 tenants who want a baseline check of their security configuration — Conditional Access, MFA gaps, DKIM, and Secure Score.

Join the waitlist →
04 / NIS2 Compliance

NIS2 compliance
isn't optional.
We make it less painful.

If your company falls under NIS2 — or supplies to companies that do — Article 21 requires demonstrable technical controls around email security, encryption, and asset management.

Sentinel maps every finding to the relevant NIS2 article and generates a report you can share with customers, auditors, or the ACN. No consultant required. No six-month implementation.

Note: Sentinel assesses technical controls only. Formal NIS2 compliance requires organisational measures and may require an accredited auditor. This report documents your technical posture — it does not constitute legal certification.

Download sample report →

Available on the Team plan — €79/month

NIS2 Article 21 — Coverage map
Art. 21(2)(h) Cryptography & encryption
Covered
DKIM signingSSL/TLS enforcementMTA-STS policy
Art. 21(2)(c) Business continuity
Covered
Domain expiryMX record healthSSL expiry monitoring
Art. 21(2)(i) Asset management
Covered
Domain inventoryCertificate trackingSubdomain monitoring
Art. 21(2)(j) Multi-factor authentication
Covered
M365 Conditional AccessMFA gap detectionSign-in policy check
Coming Next

More of your
attack surface.
Coming in 2026 Q2.

We're adding three new scan categories this year. All findings surface in the same dashboard. No new tool to learn.

Upcoming scan categories

Subdomain enumeration

Find exposed services you forgot were public.

2026 Q2

Leaked credentials

Detect company email addresses in breach databases.

2026 Q2

GitHub exposure

Flag secrets and internal references in public repositories.

2026 Q2
05 / Pricing

Simple pricing.
No hidden fees.

All plans include EU data residency. Prices in EUR, billed monthly. Annual billing saves 20%.

Free

€0 forever
Domains 3
Check frequency Daily
History 7 days
Alerts Email only
Users 1
NIS2 report
Slack / webhook
API access
Start free

No credit card required

Most popular

Pro

€29 per month
Domains Unlimited
Check frequency Every 6 hours
History 90 days
Alerts Email + Slack + webhook
Users 1
NIS2 report
Slack / webhook
API access
Start Pro — 14 days free

Cancel any time

Team

€79 per month
Domains Unlimited
Check frequency Every hour
History 1 year
Alerts Email + Slack + webhook + Teams
Users 5
NIS2 report ✓ Full PDF export
Slack / webhook
API access
Start Team — 14 days free

Cancel any time

Need more? Custom plans for larger teams, MSSP resellers, and enterprise procurement with SLA and Italian-language support.

Contact us →
06 / FAQ

Common questions.

Still have questions? hello@groundcontrol.land

Scanning available now

Find out if your domain
is vulnerable.
It takes 60 seconds.

No credit card. No installation. No DNS changes. Enter your domain and see your results immediately.

Free for 3 domains
No credit card
EU data residency