External Attack Surface & M365 Identity Review

See your outside view before attackers do.

Recon is a fixed-price external assessment that shows exactly what's publicly visible about your business — domains, email posture, exposed services, and Microsoft 365 identity signals — then turns it into a clean, executive-ready report with a clear list of what to fix first.

No logins · No agents · 72-hour delivery · M365-focused

72 hours from scope to report
0 credentials required
15–20-page executive report
Fixed-price snapshot
The gap

Most teams have never seen their own outside view.

Your firewall protects the inside. But attackers, vendors, competitors, and cyber-insurers start from the outside — and that's the part almost no one checks. Here's what tends to sit exposed, quietly, for years.

Email anyone can spoof

Missing or weak SPF, DKIM, and DMARC (including a DMARC policy of p=none, which only monitors and never blocks) let attackers send convincing email as your domain, one of the most common enablers of business email compromise and invoice fraud.
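As an added example (not Recon's own tooling), the Python below grades a domain's SPF and DMARC records the way an outside-in review would: it parses the raw TXT strings, counts SPF's DNS-lookup budget, and flags the weak settings (no `-all`, `p=none`, partial `pct`, no `rua`) as severity-ranked findings. The records are constructed samples on the reserved `example.invalid` domain; a live check would fetch the TXT records for the domain and `_dmarc.<domain>` and pass them to the same functions.

```python
"""Grade SPF and DMARC posture from DNS TXT records (added example, not Recon's code).

Inputs are the raw TXT strings for <domain> (SPF) and _dmarc.<domain> (DMARC).
The sample records at the bottom are constructed for this example, not real DNS data.
"""
import re
from typing import List, Optional, Tuple

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: Optional[str]) -> Optional[dict]:
    """Return {'all': qualifier of the all term or None, 'lookups': n, 'terms': [...]}.

    Returns None when the record is absent or is not an SPF record.
    """
    if not record or not record.strip().lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_qual = None
    lookups = 0
    for term in terms:
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:=/]", body, maxsplit=1)[0]  # drop ":domain", "/cidr", "=value"
        if name == "all":
            all_qual = qual
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qual, "lookups": lookups, "terms": terms}


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Return the DMARC tag=value map (RFC 7489), or None if absent or not DMARC."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf_record: Optional[str],
                      dmarc_record: Optional[str]) -> List[Tuple[str, str]]:
    """Turn the two records into (severity, finding) pairs, highest severity first."""
    findings = []
    spf = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record)

    if spf is None:
        findings.append(("High", "No SPF record: any host can send as the domain"))
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append(("High", "SPF never fails unauthorized senders (no all, +all or ?all)"))
        elif spf["all"] == "~":
            findings.append(("Low", "SPF softfails (~all); enforcement depends on DMARC"))
        if spf["lookups"] > 10:
            findings.append(("Medium", f"SPF needs {spf['lookups']} DNS lookups; over 10 is a permerror"))

    if dmarc is None:
        findings.append(("High", "No DMARC policy: spoofed mail is neither rejected nor reported"))
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append(("High", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("Low", "DMARC p=quarantine: consider moving to p=reject"))
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(("Medium", f"DMARC enforced on only {pct}% of mail (pct={pct})"))
        if "rua" not in dmarc:
            findings.append(("Low", "No rua= address: no aggregate reports on who sends as you"))

    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed sample records for this example (example.invalid is a reserved test domain).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example.invalid ~all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    # A tenant with M365 SPF but no DMARC record at all, as in the sample report above.
    for severity, text in assess_email_auth(SAMPLE_SPF, None):
        print(f"[{severity}] {text}")
```

The lookup count matters in practice: SPF records that accumulate `include:` entries for every SaaS sender eventually exceed ten lookups, and receivers then return permerror, which DMARC treats as an SPF failure.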

Admin panels on the open internet

Remote management consoles, NAS dashboards, and login portals exposed publicly are first-pick targets for credential stuffing and ransomware crews.

Forgotten subdomains

Old marketing sites, staging environments, and abandoned services still resolve, still run outdated software, and still belong to your name.

Cloud left wide open

Public storage buckets, misconfigured services, and stray endpoints leak documents and structure long before anyone notices.

Microsoft 365 identity signals

Whether your domain belongs to a Microsoft 365 tenant, whether sign-in is managed in the cloud or federated to an on-premises identity provider, and other identity posture details are readable from outside without logging in, and they tell an attacker a lot about how to get in.
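Added example (not Recon's own code) of how those outside-in identity signals are read. It relies on two unauthenticated Microsoft endpoints that are commonly used for this: GetUserRealm (`https://login.microsoftonline.com/getuserrealm.srf?login=<user>@<domain>`), which reports whether a domain is a Managed or Federated namespace (or Unknown when it belongs to no tenant) and, for federated domains, the federation sign-in URL; and the per-domain OpenID Connect metadata (`https://login.microsoftonline.com/<domain>/.well-known/openid-configuration`), whose `issuer` value embeds the tenant ID. The JSON samples in the block are constructed to match the shape of those responses and are not captures from any real tenant; only the live-fetch helper touches the network.

```python
"""Read the Microsoft 365 identity signals visible from outside (added example, not Recon's code).

The sample responses below are constructed to mirror the shape of the two public
Microsoft endpoints described in the lead-in; example.invalid is a reserved test domain.
"""
import json
import re
from typing import List, Optional
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample responses (field names follow the real endpoints; values are made up).
SAMPLE_REALM_FEDERATED = json.dumps({
    "Login": "user@example.invalid",
    "NameSpaceType": "Federated",
    "DomainName": "example.invalid",
    "FederationBrandName": "Example Corp",
    "AuthURL": "https://adfs.example.invalid/adfs/ls/?username=user%40example.invalid"
               "&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline",
})
SAMPLE_REALM_MANAGED = json.dumps({
    "Login": "user@example.invalid", "NameSpaceType": "Managed", "DomainName": "example.invalid",
})
SAMPLE_REALM_UNKNOWN = json.dumps({"Login": "user@nobody.invalid", "NameSpaceType": "Unknown"})
SAMPLE_OPENID = json.dumps({
    "issuer": "https://sts.windows.net/0f3a2b1c-4d5e-4f60-8a7b-9c0d1e2f3a4b/",
    "tenant_region_scope": "NA",
})

# The tenant ID is the GUID in the issuer URL (https://sts.windows.net/<tenant-id>/).
TENANT_RE = re.compile(
    r"^https://(?:sts\.windows\.net|login\.microsoftonline\.com)/([0-9a-f-]{36})/", re.I)


def classify_realm(realm_json: str) -> dict:
    """Summarise a GetUserRealm response: namespace type and federation host, if any."""
    data = json.loads(realm_json)
    ns = data.get("NameSpaceType", "Unknown")
    summary = {"domain": data.get("DomainName"), "namespace": ns, "federation_host": None}
    if ns == "Federated" and data.get("AuthURL"):
        summary["federation_host"] = urlsplit(data["AuthURL"]).hostname
    return summary


def tenant_id_from_openid(openid_json: str) -> Optional[str]:
    """Pull the tenant GUID out of the OpenID configuration's issuer URL."""
    match = TENANT_RE.match(json.loads(openid_json).get("issuer", ""))
    return match.group(1) if match else None


def identity_signals(realm_json: str, openid_json: Optional[str]) -> List[str]:
    """Turn the raw responses into the kind of notes an external report would carry."""
    realm = classify_realm(realm_json)
    if realm["namespace"] == "Unknown":
        return ["Domain is not attached to any Microsoft 365 tenant"]
    notes = []
    tenant = tenant_id_from_openid(openid_json) if openid_json else None
    if tenant:
        notes.append(f"M365 tenant identified (tenant ID {tenant})")
    if realm["namespace"] == "Federated":
        notes.append(f"Federated sign-in via {realm['federation_host']}: an on-premises identity "
                     "provider sits in the login path and is reachable from the internet")
    else:
        notes.append("Managed (cloud-only) sign-in: password attacks land directly on Entra ID, "
                     "so MFA and conditional access coverage decide the outcome")
    return notes


def fetch_live(domain: str) -> List[str]:
    """Network version: query the two public endpoints for a real domain (not used offline)."""
    realm = urlopen(f"https://login.microsoftonline.com/getuserrealm.srf?login=user@{domain}").read()
    try:
        openid = urlopen(f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration").read()
        openid_text = openid.decode()
    except HTTPError:          # unknown domains get an HTTP error rather than metadata
        openid_text = None
    return identity_signals(realm.decode(), openid_text)


if __name__ == "__main__":
    for note in identity_signals(SAMPLE_REALM_FEDERATED, SAMPLE_OPENID):
        print("-", note)
```

The federation host is the detail worth acting on: a federated domain means an internet-facing identity provider (for example an AD FS farm) that has to be patched and monitored like any other public portal, while a managed domain puts the whole burden on Entra ID's MFA and conditional access settings.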

A history that never disappears

Archived pages and indexed URLs preserve old logins, file paths, and systems you took down years ago — still discoverable today.

How Recon works

Noisy raw data in. A clear decision out.

Recon runs the same external reconnaissance an attacker would — then does the part they never will: translate it into something your leadership can act on.

recon.toolboxchromos.com

Discover · external footprint
  Subdomains      mail · vpn · portal · legacy (+6)
  Open services   HTTPS · RDP gateway · FTP (14)
  M365 tenant     identified · federated
  Email auth      SPF ok · DMARC missing (!)
  Archived URLs   indexed login + file paths (38)

Prioritize · by real-world risk
  Critical 2 · High 5 · Medium 8 · Low 6

Report · executive-ready PDF
  External Exposure Report
  Prepared for leadership · 15–20 pages
  Sections: Executive summary · M365 posture · Findings

Fix first · prioritized roadmap
  1. Publish a DMARC policy
     stops domain spoofing · low effort
  2. Pull the RDP gateway behind VPN
     removes a ransomware entry point
  3. Retire the legacy subdomain
     eliminates outdated software
  4. Tighten M365 identity gaps
     close conditional-access holes
01 / SCOPE

Scope your domain

You hand us one thing: your domain. No accounts, no installs, no internal access. We confirm scope in a one-page agreement and get to work.

02 / DISCOVER

Run external recon

We map your public footprint from the outside — subdomains, services, email and DNS posture, Microsoft 365 identity signals, and your historical web footprint — using only publicly available evidence.

03 / PRIORITIZE

Rank what actually matters

Every finding gets a severity, the evidence behind it, and its real-world impact — so a 40-page scanner dump becomes a short list of things that genuinely move your risk.

04 / DELIVER

Get the report and fix first

You receive a 15–20 page PDF written for decision-makers, plus a 30-minute readout. It ends with a prioritized roadmap your team — or your MSP — can execute immediately.

Packages

Fixed price. Fixed timeline. One page to sign.

No hourly billing, no open-ended scope, no long procurement cycle. Pick the depth that fits and you'll know exactly what you're getting.

External + Identity Review
$5,000
⏱ 5 business days
  • Everything in Snapshot, plus a deeper identity layer
  • Microsoft 365 & Entra-focused identity exposure review
  • Tenant, federation & identity posture analysis
  • Working session to walk through findings
  • Remediation priorities for IT or your MSP
Request a Deep Dive
Continuous Monitoring
$1,500 / month
⟳ Monthly re-scan
  • Monthly external re-scan of your footprint
  • Change tracking — see what's new or newly exposed
  • Quarterly review call
  • Notes written for internal IT or an outside MSP
Request Monitoring
The deliverable

A briefing, not a scanner dump.

The output is a clean PDF and a readout call — written so a managing partner, owner, or administrator can understand the risk and the plan without a security background.

External Exposure Report
Sample preview · figures illustrative
PDF + READOUT
Critical 2 · High 5 · Medium 8 · Low 6

Host               Service          Exposure
portal.example     RDP gateway      Public
mail.example       SMTP / OWA       Review
www.example        HTTPS            Hardened
Tenant identified  Federated        Found
DMARC policy       Email spoofing   Missing
MTA-STS            Transport TLS    Partial

Findings
SVC-001   Source-control file exposed on web host
EML-002   No DMARC — domain can be spoofed
HST-004   Admin panel reachable from the internet
Illustrative sample. Every report is generated from your own live external footprint.
  • Executive summary

    The whole picture in one page — risk posture and priorities, plain English.

  • Microsoft Entra & 365 identity posture

    What your tenant, federation, and identity signals reveal from the outside.

  • Email & DNS hygiene

    SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI, DNS records, and certificate transparency.

  • Host inventory & service matrix

    Every public host and service, organized — not a wall of raw output.

  • Findings, evidence & remediation

    Each issue with severity, the proof behind it, business impact, and how to fix it.

  • Domain intelligence, OSINT artifacts & history

    Registration details, public footprint, and the historical record still indexed today — plus methodology and scope.

Methodology & scope

Strictly outside-in. Nothing intrusive.

Recon is a passive external review built on publicly visible infrastructure and open-source evidence. We keep it clean on purpose — so there's nothing to install, nothing to risk, and nothing to explain to your compliance team.

Passive external review
No credentials required
No internal access
No software installed
No exploitation
Public & open-source evidence only
Who it's for

Built for lean teams without an enterprise security budget.

Recon is sized for 50–500 person organizations on Microsoft 365 with no internal security team — the firms enterprise ASM platforms price out and ignore.

CPA & accounting firms

Sensitive client financials and tax data under your name.

RIAs & wealth management

Client portfolios, wire instructions, and regulatory scrutiny.

Law firms

Privileged matter data and a reputation that can't take a breach.

Medical practices

Patient records, HIPAA exposure, and connected systems.

Title companies

Closing funds and wire fraud make you a direct target.

Defense subcontractors

Supply-chain expectations and external scrutiny on exposure.

Credit unions

Member data and the trust your members place in you.

MSP clients & insurance referrals

A clean external baseline for renewals, binding, and onboarding.

Know your outside view before someone else maps it.

Send your domain and we'll scope a Recon review. Most snapshots are delivered within 72 hours — no logins, no agents, no long contract.