Operational Asset Monitor avatar

Operational Asset Monitor

Pricing

Pay per usage

Go to Apify Store
Operational Asset Monitor

Operational Asset Monitor

Monitor public HTTPS endpoints, domains, DNS/email posture, SPF, DMARC, MTA-STS, TLS-RPT, CAA, security.txt, and security headers for operational alerts.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

X L

X L

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

3 days ago

Last modified

Share

Monitor public HTTPS/HTTP endpoints, domains, email/DNS records, CAA records, Certificate Transparency JSON feeds, HTTP security headers, security.txt disclosure metadata, and security well-known endpoints for SSL/TLS certificate expiry, TLS certificate posture, CT certificate drift, HTTP status, domain registration expiry, domain lifecycle posture, generic DNS record drift, MX provider posture, SPF/DMARC/MTA-STS/TLS-RPT/CAA drift, security header posture, disclosure posture, and operational alert signals.

The first release is designed for free or usage-cost-only publication. A future paid event can be operational-asset-alert, charged only when a run produces a new warning, critical, or error alert.

Inputs

  • endpoints: public URLs to check.
  • domains: public domain names to check through RDAP for registration expiry.
  • dnsDomains: public domain names to check for generic A/AAAA/NS/CNAME/TXT snapshots plus MX, SPF, DMARC, MTA-STS, TLS-RPT, and CAA records.
  • securityTextDomains: public domain names to check for /.well-known/security.txt, /security.txt, and common security /.well-known/* posture endpoints.
  • certificateTransparencyUrls: public JSON URLs containing Certificate Transparency rows to parse; defaults to empty to avoid extra network calls unless explicitly enabled.
  • sslWarnDays: warning threshold for certificate expiry.
  • sslCriticalDays: critical threshold for certificate expiry.
  • domainWarnDays: warning threshold for domain registration expiry.
  • domainCriticalDays: critical threshold for domain registration expiry.
  • previousAssetIds: optional IDs from earlier runs to suppress repeated non-critical alerts.

Quick-Start Presets

Copy one of these low-cost JSON inputs into the Apify input editor and replace example.com with the customer domain:

  • examples/presets/asset-health-starter.json: one endpoint plus domain, DNS/email, security.txt, and well-known posture checks for a first scheduled monitor.
  • examples/presets/email-security-posture-watch.json: one endpoint context check plus MX, SPF, DMARC, MTA-STS, TLS-RPT, CAA, and DNS drift posture for email/security teams.
  • examples/presets/security-disclosure-metadata-watch.json: one endpoint context check plus security.txt and common security /.well-known/* metadata coverage.

Each preset caps every monitored surface at 1 item so a first run stays cheap before users expand the watchlist.

Outputs

Dataset rows include SSL, HTTP, domain-expiry, DNS/email, security-header, security.txt, and security well-known checks with status, priority, reason, expiry/status/DNS/header/disclosure/well-known fields, and a future PPE event candidate.

Every dataset row also includes a buyer-friendly operational risk layer:

  • assetRiskScore: normalized 0-100 score across expiry, outage, DNS, disclosure, TLS, CT, and header posture signals.
  • assetRiskSeverity: LOW, MEDIUM, HIGH, or CRITICAL.
  • assetRiskReasons: compact reasons assembled from the row reason and structured risk flags.
  • assetActionHints: deduplicated remediation hints where the underlying check can provide them.
  • actionPriority: P0-P3 queue label for teams that want to triage the report directly.
  • chargeableCandidate: true only when the row is an alert-worthy signal that could justify a future operational-asset-alert paid event.

Certificate Transparency rows include:

  • issuer, subject names, wildcard names, expected-domain comparison, outside-expected-domain names, serial/fingerprint, not-before/not-after, and expiry days
  • warnings for wildcard certificates, missing issuer metadata, or certificates outside the expected monitored domain suffix
  • ctRiskFlags, ctActionHints, and ctRiskScore

Domain rows include RDAP lifecycle posture:

  • registrar, nameservers, nameserver count, status codes, and RDAP event fingerprint
  • warnings for no nameservers, single nameserver, no transfer lock, registry hold, redemption, or pending delete states
  • domainLifecycleRiskFlags, domainLifecycleActionHints, and domainLifecycleRiskScore

TLS certificate rows include expiry plus posture metadata:

  • subject common name, issuer common name, SAN list/count, serial number, SHA-256 fingerprint, valid-from/valid-to, and validity length
  • hostname match result, self-signed detection, missing SAN detection, not-yet-valid detection, and long-validity detection
  • tlsRiskFlags, tlsActionHints, and tlsRiskScore

The report includes a Top Asset Risks section plus Certificate Transparency Watchlist, Domain Lifecycle Posture, and TLS Certificate Posture sections so CT drift, registrar/status/nameserver drift, and certificate issuer, SAN coverage, fingerprint, validity length, and posture warnings are visible without opening raw dataset rows.

The DNS checks are deliberately low-support and public-only:

  • MX: warns when no mail exchanger is present, identifies common mail providers, detects null MX, and adds single-exchange/single-provider/failover risk flags without alerting on every redundancy smell.
  • DNS_SNAPSHOT: records A, AAAA, NS, CNAME, and TXT values with a compact fingerprint. First run creates a baseline; later scheduled runs alert when the fingerprint changes. Rows include record types, record count, values by type, risk flags, risk score, and action hints.
  • SPF: warns when no v=spf1 TXT record is present, when +all is used, or when the record has no softfail or hardfail all mechanism.
  • DMARC: warns when no _dmarc TXT record with v=DMARC1 is present, when the policy is missing or unrecognized, when the policy is monitoring-only with p=none, when enforcement is partial with pct<100, when aggregate reporting is missing, or when subdomain policy/alignment posture is weak. Rows include p, sp, pct, rua, ruf, adkim/aspf alignment, forensic options, risk flags, risk score, and action hints.
  • MTA_STS: checks _mta-sts TXT records for v=STSv1 and id, warning when inbound mail transport security policy discovery is absent or incomplete.
  • TLS_RPT: checks _smtp._tls TXT records for v=TLSRPTv1 and rua, warning when SMTP TLS failure reporting is absent or incomplete.
  • CAA: warns when no certificate authority authorization record is present and lists allowed issuers when available. Rows include issue, issuewild, iodef, critical-tag count, wildcard coverage, risk flags, risk score, and action hints.

Security Header Monitoring

Endpoint checks also produce a security-headers row from the same HTTP response:

  • Tracks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy presence.
  • Warns on missing HSTS or CSP.
  • Warns on weak HSTS, weak CSP, weak referrer policy, missing clickjacking control, and weak content-type options.
  • Outputs securityHeaderPresentCount, securityHeaderMissing, securityHeaderWeak, securityHeaderRiskFlags, and securityHeaderScore.
  • Parses CSP directives and reports cspDirectiveCount, cspDirectives, cspHasDefaultSrc, cspHasFrameAncestors, cspHasReporting, cspHasUpgradeInsecureRequests, cspRiskFlags, cspActionHints, and cspRiskScore.
  • Flags missing default-src, missing frame-ancestors, missing report-uri/report-to, missing upgrade-insecure-requests, wildcard sources, unsafe-inline, and unsafe-eval.

The report includes an Email/DNS Posture section so generic DNS snapshot drift, MX provider/risk, SPF, detailed DMARC policy posture, MTA-STS/TLS-RPT mail transport security posture, and CAA findings are visible without opening raw dataset rows.

The security.txt checks are public-only and low-support:

  • Tries /.well-known/security.txt first, then /security.txt.
  • Warns when security.txt is missing.
  • Warns when a present security.txt has no Contact field.
  • Extracts Contact types, Expires, Policy, Encryption, Canonical, Acknowledgments, Hiring, CSAF, Preferred-Languages, completeness score, and risk flags.
  • Flags missing Canonical, Encryption, Policy, Preferred-Languages, expired/expiring disclosure files, and canonical mismatch as structured posture risks.
  • Warns when Expires is within 30 days and marks expired files as critical.

The security well-known posture row probes a compact fixed set under the same securityTextDomains domain:

  • /.well-known/security.txt
  • /.well-known/csaf/provider-metadata.json
  • /.well-known/change-password
  • /.well-known/openid-configuration
  • /.well-known/assetlinks.json
  • /.well-known/apple-app-site-association

It outputs present/missing/redirect paths, coverage score, risk flags, action hints, and booleans for each well-known endpoint so scheduled runs can detect public security metadata drift.