Operational Asset Monitor
Pricing
Pay per usage
Operational Asset Monitor
Monitor public HTTPS endpoints, domains, DNS/email posture, SPF, DMARC, MTA-STS, TLS-RPT, CAA, security.txt, and security headers for operational alerts.
Pricing
Pay per usage
Rating
0.0
(0)
Developer
X L
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
3 days ago
Last modified
Categories
Share
Monitor public HTTPS/HTTP endpoints, domains, email/DNS records, CAA records, Certificate Transparency JSON feeds, HTTP security headers, security.txt disclosure metadata, and security well-known endpoints for SSL/TLS certificate expiry, TLS certificate posture, CT certificate drift, HTTP status, domain registration expiry, domain lifecycle posture, generic DNS record drift, MX provider posture, SPF/DMARC/MTA-STS/TLS-RPT/CAA drift, security header posture, disclosure posture, and operational alert signals.
The first release is designed for free or usage-cost-only publication. A future paid event can be operational-asset-alert, charged only when a run produces a new warning, critical, or error alert.
Inputs
endpoints: public URLs to check.domains: public domain names to check through RDAP for registration expiry.dnsDomains: public domain names to check for generic A/AAAA/NS/CNAME/TXT snapshots plus MX, SPF, DMARC, MTA-STS, TLS-RPT, and CAA records.securityTextDomains: public domain names to check for/.well-known/security.txt,/security.txt, and common security/.well-known/*posture endpoints.certificateTransparencyUrls: public JSON URLs containing Certificate Transparency rows to parse; defaults to empty to avoid extra network calls unless explicitly enabled.sslWarnDays: warning threshold for certificate expiry.sslCriticalDays: critical threshold for certificate expiry.domainWarnDays: warning threshold for domain registration expiry.domainCriticalDays: critical threshold for domain registration expiry.previousAssetIds: optional IDs from earlier runs to suppress repeated non-critical alerts.
Quick-Start Presets
Copy one of these low-cost JSON inputs into the Apify input editor and replace example.com with the customer domain:
examples/presets/asset-health-starter.json: one endpoint plus domain, DNS/email, security.txt, and well-known posture checks for a first scheduled monitor.examples/presets/email-security-posture-watch.json: one endpoint context check plus MX, SPF, DMARC, MTA-STS, TLS-RPT, CAA, and DNS drift posture for email/security teams.examples/presets/security-disclosure-metadata-watch.json: one endpoint context check plus security.txt and common security/.well-known/*metadata coverage.
Each preset caps every monitored surface at 1 item so a first run stays cheap before users expand the watchlist.
Outputs
Dataset rows include SSL, HTTP, domain-expiry, DNS/email, security-header, security.txt, and security well-known checks with status, priority, reason, expiry/status/DNS/header/disclosure/well-known fields, and a future PPE event candidate.
Every dataset row also includes a buyer-friendly operational risk layer:
assetRiskScore: normalized 0-100 score across expiry, outage, DNS, disclosure, TLS, CT, and header posture signals.assetRiskSeverity: LOW, MEDIUM, HIGH, or CRITICAL.assetRiskReasons: compact reasons assembled from the row reason and structured risk flags.assetActionHints: deduplicated remediation hints where the underlying check can provide them.actionPriority: P0-P3 queue label for teams that want to triage the report directly.chargeableCandidate: true only when the row is an alert-worthy signal that could justify a futureoperational-asset-alertpaid event.
Certificate Transparency rows include:
- issuer, subject names, wildcard names, expected-domain comparison, outside-expected-domain names, serial/fingerprint, not-before/not-after, and expiry days
- warnings for wildcard certificates, missing issuer metadata, or certificates outside the expected monitored domain suffix
ctRiskFlags,ctActionHints, andctRiskScore
Domain rows include RDAP lifecycle posture:
- registrar, nameservers, nameserver count, status codes, and RDAP event fingerprint
- warnings for no nameservers, single nameserver, no transfer lock, registry hold, redemption, or pending delete states
domainLifecycleRiskFlags,domainLifecycleActionHints, anddomainLifecycleRiskScore
TLS certificate rows include expiry plus posture metadata:
- subject common name, issuer common name, SAN list/count, serial number, SHA-256 fingerprint, valid-from/valid-to, and validity length
- hostname match result, self-signed detection, missing SAN detection, not-yet-valid detection, and long-validity detection
tlsRiskFlags,tlsActionHints, andtlsRiskScore
The report includes a Top Asset Risks section plus Certificate Transparency Watchlist, Domain Lifecycle Posture, and TLS Certificate Posture sections so CT drift, registrar/status/nameserver drift, and certificate issuer, SAN coverage, fingerprint, validity length, and posture warnings are visible without opening raw dataset rows.
The DNS checks are deliberately low-support and public-only:
MX: warns when no mail exchanger is present, identifies common mail providers, detects null MX, and adds single-exchange/single-provider/failover risk flags without alerting on every redundancy smell.DNS_SNAPSHOT: records A, AAAA, NS, CNAME, and TXT values with a compact fingerprint. First run creates a baseline; later scheduled runs alert when the fingerprint changes. Rows include record types, record count, values by type, risk flags, risk score, and action hints.SPF: warns when nov=spf1TXT record is present, when+allis used, or when the record has no softfail or hardfail all mechanism.DMARC: warns when no_dmarcTXT record withv=DMARC1is present, when the policy is missing or unrecognized, when the policy is monitoring-only withp=none, when enforcement is partial withpct<100, when aggregate reporting is missing, or when subdomain policy/alignment posture is weak. Rows includep,sp,pct,rua,ruf,adkim/aspfalignment, forensic options, risk flags, risk score, and action hints.MTA_STS: checks_mta-stsTXT records forv=STSv1andid, warning when inbound mail transport security policy discovery is absent or incomplete.TLS_RPT: checks_smtp._tlsTXT records forv=TLSRPTv1andrua, warning when SMTP TLS failure reporting is absent or incomplete.CAA: warns when no certificate authority authorization record is present and lists allowed issuers when available. Rows includeissue,issuewild,iodef, critical-tag count, wildcard coverage, risk flags, risk score, and action hints.
Security Header Monitoring
Endpoint checks also produce a security-headers row from the same HTTP response:
- Tracks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy presence.
- Warns on missing HSTS or CSP.
- Warns on weak HSTS, weak CSP, weak referrer policy, missing clickjacking control, and weak content-type options.
- Outputs
securityHeaderPresentCount,securityHeaderMissing,securityHeaderWeak,securityHeaderRiskFlags, andsecurityHeaderScore. - Parses CSP directives and reports
cspDirectiveCount,cspDirectives,cspHasDefaultSrc,cspHasFrameAncestors,cspHasReporting,cspHasUpgradeInsecureRequests,cspRiskFlags,cspActionHints, andcspRiskScore. - Flags missing
default-src, missingframe-ancestors, missingreport-uri/report-to, missingupgrade-insecure-requests, wildcard sources,unsafe-inline, andunsafe-eval.
The report includes an Email/DNS Posture section so generic DNS snapshot drift, MX provider/risk, SPF, detailed DMARC policy posture, MTA-STS/TLS-RPT mail transport security posture, and CAA findings are visible without opening raw dataset rows.
The security.txt checks are public-only and low-support:
- Tries
/.well-known/security.txtfirst, then/security.txt. - Warns when security.txt is missing.
- Warns when a present security.txt has no
Contactfield. - Extracts Contact types, Expires, Policy, Encryption, Canonical, Acknowledgments, Hiring, CSAF, Preferred-Languages, completeness score, and risk flags.
- Flags missing Canonical, Encryption, Policy, Preferred-Languages, expired/expiring disclosure files, and canonical mismatch as structured posture risks.
- Warns when
Expiresis within 30 days and marks expired files as critical.
The security well-known posture row probes a compact fixed set under the same securityTextDomains domain:
/.well-known/security.txt/.well-known/csaf/provider-metadata.json/.well-known/change-password/.well-known/openid-configuration/.well-known/assetlinks.json/.well-known/apple-app-site-association
It outputs present/missing/redirect paths, coverage score, risk flags, action hints, and booleans for each well-known endpoint so scheduled runs can detect public security metadata drift.