Skip to content
Browse docs

Testing surfaces

The layers of your attack surface ShieldView covers, and how to scope each.

ShieldView tests your whole attack surface, not just the perimeter. Each surface can be scoped independently, and findings are correlated across all of them into the attack paths an adversary would actually take.

What ShieldView covers

  • External & perimeter: internet-facing assets, exposed services and shadow IT, discovered continuously.
  • Internal & infrastructure: Active Directory attack paths, lateral movement and privilege escalation, via a sealed in-network appliance that connects outbound-only.
  • Web applications: OWASP Top 10, injection, authentication, SSRF and business-logic flaws.
  • APIs: broken object-level authorization (BOLA/IDOR), JWT, rate-limiting and CORS, with schema-aware REST and GraphQL testing.
  • Cloud: IAM and configuration review across AWS, Azure and GCP, exposed assets, secrets in infrastructure-as-code, and cloud attack paths.

Scoping each surface

External and web/API surfaces are scoped by the domains, hosts and endpoints you authorize. Internal testing requires deploying the appliance into the network you want assessed. Cloud review connects read-only to the accounts you nominate. You only ever test what you explicitly authorize.