Proof-carrying domain-led EASM.

Ariema turns DNS, registration, mail, TLS, Certificate Transparency, web, infrastructure, and network-service telemetry into explainable, evidence-backed external attack surface intelligence. For CT-derived events, findings can carry cryptographic proof material that can be independently verified.

7 observation pillars
80+ intelligence endpoints
238 validation tests
CT proof layer

Why Ariema

External findings are easy to collect. They are hard to trust.

Security teams are flooded with certificate alerts, DNS changes, unknown hosts, exposed services, mail posture gaps, and infrastructure drift. Ariema is built to answer the analyst questions behind every signal: where did this come from, how confident is it, what contradicts it, what changed, and what evidence can be checked?

Domain-led observation

Ariema starts from domains and follows the internet-facing evidence outward across DNS, registration, TLS, CT, web, mail, infrastructure, and network-service signals.

Explainable findings

Findings carry confidence, proof tier, evidence quality, contradictions, why it applies, and why it might not. Uncertainty is exposed instead of hidden.

Verifiable CT evidence

For Certificate Transparency events, Ariema can attach cryptographic proof material so certificate-derived findings are independently checkable.

Seven observation pillars

Domain-first telemetry, correlated across independent evidence paths.

Every domain is observed through seven specialized pillars. Each pillar collects its own telemetry, runs its own checks, and produces its own scored observations before Ariema correlates the evidence into current state, deltas, findings, graph relationships, and analyst-ready explanations.

The tree stays simple: domain at the root, independent observations underneath, and one shared evidence model at the output.

independent telemetry · scored findings · cross-pillar correlation · evidence quality

Observation topology: Domain → Signals → Evidence

01 DNS

Resolver state, authoritative records, delegation, CNAME chains, wildcarding, CAA, DNSSEC hints, TTLs, and record drift.

A / AAAA · NS / SOA · CNAME · CAA · DNSSEC
Signals: Record posture, delegation paths, resolver disagreement, TTL movement, dangling CNAMEs, and authoritative nameserver changes.
Findings: DNS drift, takeover candidates, weak delegation, wildcard ambiguity, missing CAA, and record anomalies.
Correlates with: CT certificate names, infrastructure movement, web exposure, mail routing, and network-service ownership.

02 Registration

RDAP/WHOIS-derived registrar state, lifecycle posture, expiry windows, status codes, cohorts, and authority changes.

RDAP · expiry · registrar · status
Signals: Registrar, expiry, renewal state, transfer locks, domain status codes, lifecycle phase, and cohort behavior.
Findings: Expiry risk, suspicious transfer movement, registration drift, inconsistent authority, and abandoned-domain indicators.
Correlates with: Nameserver changes, CT issuance timing, provider moves, portfolio cohorts, and ownership concentration.

03 Infrastructure

IP, ASN, hosting, CDN, provider attribution, lineage, clustering, concentration risk, and movement across infrastructure families.

ASN · provider · CDN · lineage
Signals: IP ownership, ASN, hosting provider, CDN edge, reverse DNS, infrastructure family, and lineage over time.
Findings: Unexpected provider movement, concentration risk, unmanaged hosting, suspicious clustering, and infrastructure drift.
Correlates with: DNS resolution, TLS certificates, exposed services, web fingerprints, and graph centrality.

05 Mail

MX posture, SPF/DMARC/DKIM signals, MTA-STS, TLS-RPT, BIMI, provider identity, and domain-level mail exposure drift.

MX · SPF · DMARC · DKIM · MTA-STS
Signals: MX providers, SPF includes, DMARC policy, DKIM selector hints, MTA-STS, TLS-RPT, BIMI, and mail provider changes.
Findings: Weak DMARC, SPF over-permissiveness, missing policy records, stale mail providers, and posture regression.
Correlates with: Registration authority, DNS changes, domain criticality, vendor concentration, and portfolio policy baselines.

06 Web

Redirects, headers, web identity, login/admin/API indicators, placeholder states, dependency hints, family dossiers, and exposure cues.

headers · redirects · surface · dossiers
Signals: HTTP status, redirects, headers, page identity, exposed login/admin/API surfaces, placeholder pages, and technology hints.
Findings: Shadow web apps, abandoned surfaces, weak security headers, suspicious redirects, exposed admin entry points, and family-level drift.
Correlates with: DNS targets, TLS identity, provider attribution, service exposure, and graph relationships.

07 Network Services

Exposed services, banners, protocol hints, service roles, boundary posture, contradiction checks, and network-service deltas.

ports · banners · roles · exposure
Signals: Open service observations, protocol hints, banners, service role inference, exposure boundaries, and service-change deltas.
Findings: Unexpected exposed services, risky protocols, role contradictions, boundary changes, and externally reachable infrastructure paths.
Correlates with: Infrastructure ownership, web behavior, DNS resolution, attack paths, and compound risk scoring.

What Ariema produces

From raw telemetry to evidence-backed intelligence.

Ariema turns observations into structured objects security teams can inspect, diff, correlate, export, verify, and automate against.

Current state: The latest observed posture for a domain, asset, or portfolio.
History and deltas: What changed since prior scans, including drift and new exposure.
Evidence objects: Source observations, confidence, proof tiers, caveats, and contradictions.
Entity graph: Relationships across domains, certificates, IPs, ASNs, providers, services, and infrastructure.
Attack paths: Chains of related exposure that create compound risk.
Portfolio intelligence: Centrality, anomalies, co-movement, concentration, and posture trends.
Incidents: Actionable changes that can be acknowledged, suppressed, resolved, or sent by webhook.
CT proof bundles: Portable proof material for certificate transparency observations and CT-backed findings.

Every finding carries → confidence · proof_tier · evidence_quality · contradictions · why_applies · why_might_not · source_observations · verification

Certificate Transparency proof layer

CT becomes an audit trail, not another alert stream.

Ariema is designed to bind CT-derived certificate observations to domain context and proof material. The point is not simply “a certificate appeared.” The point is being able to show the certificate, the matched hostname, the log context, the verification state, and the analyst reasoning in one evidence object.

For supported CT events, the output can be inspected, shared, audited, and independently checked instead of treated as a trust-us scanner result.

01 Certificate event: precertificate or certificate observed in CT
02 Domain match: SAN / hostname linked to tenant scope
03 Log evidence: log identity, leaf data, inclusion material
04 Finding context: confidence, caveats, graph links, action

Sample evidence packet: ct.proof.v1 (verification-ready)
matched_name: staging-login.example.com
certificate_sha256: 7b8f…c2e9
ct_log: log_id · leaf_index · tree_size
proof_material: leaf_hash · inclusion_path · checkpoint
ariema_context: unmanaged hostname · high confidence

observe: certificate event appears in a public CT log
bind: SANs, issuer, timing, and hostname are matched to domain scope
package: proof material and context are attached to the finding
verify: the evidence can be checked without simply trusting the scanner
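
One way to check the inclusion part of such a packet, using the Merkle audit-path algorithm from RFC 6962 / RFC 9162. This is an added example, not Ariema's code: the page does not specify the ct.proof.v1 schema, so the packet field names (including `checkpoint_root`) and the 7-entry log are constructed assumptions.

```python
import hashlib

def leaf_hash(entry):        # RFC 6962 leaf: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left, right):  # RFC 6962 node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()

def root_from_inclusion(leaf_index, tree_size, leaf, path):
    """Recompute the root from an audit path (RFC 9162, section 2.1.3.2)."""
    if not 0 <= leaf_index < tree_size:
        raise ValueError("leaf_index outside tree")
    fn, sn, r = leaf_index, tree_size - 1, leaf
    for p in path:
        if sn == 0:
            raise ValueError("inclusion path too long")
        if fn & 1 or fn == sn:
            r = node_hash(p, r)            # sibling sits on the left
            while not fn & 1 and fn != 0:  # climb past levels with no sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)            # sibling sits on the right
        fn, sn = fn >> 1, sn >> 1
    if sn != 0:
        raise ValueError("inclusion path too short")
    return r

def verify_packet(pkt):  # field names are assumptions, modelled on the sample
    try:
        path = [bytes.fromhex(h) for h in pkt["inclusion_path"]]
        root = root_from_inclusion(pkt["leaf_index"], pkt["tree_size"],
                                   bytes.fromhex(pkt["leaf_hash"]), path)
        return root == bytes.fromhex(pkt["checkpoint_root"])
    except (ValueError, KeyError, TypeError):
        return False

def root_and_path(leaves, m):  # RFC 6962 MTH and PATH(m) for a constructed log
    if len(leaves) == 1:
        return leaf_hash(leaves[0]), []
    k = 1 << (len(leaves) - 1).bit_length() - 1  # largest power of two < n
    lroot, lpath = root_and_path(leaves[:k], min(m, k - 1))
    rroot, rpath = root_and_path(leaves[k:], max(m - k, 0))
    path = lpath + [rroot] if m < k else rpath + [lroot]
    return node_hash(lroot, rroot), path

def build_packet(i, leaves):   # constructed sample packet, not real CT data
    root, path = root_and_path(leaves, i)
    return {"leaf_index": i, "tree_size": len(leaves), "checkpoint_root": root.hex(),
            "leaf_hash": leaf_hash(leaves[i]).hex(), "inclusion_path": [h.hex() for h in path]}

LEAVES = [b"constructed-entry-%d" % i for i in range(7)]
```

A complete check would also recompute `leaf_hash` from the log entry itself and verify the log's signature over the checkpoint; neither step is shown here.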

Example finding

Evidence-first output, not opaque scoring.

Ariema findings are intended to show the signal, the reasoning, the caveats, and the evidence trail in one analyst-readable object.

New certificate observed for unmanaged hostname

TLS / PKI / CT · Medium severity · High confidence
CT proof available

Why it applies

A new certificate containing staging-login.example.com was observed in Certificate Transparency. The hostname is not present in the approved inventory and resolves to infrastructure outside the expected provider set.

Confidence: High
Proof tier: Cryptographic CT proof
Evidence quality: Strong
Contradictions: Vendor ownership possible

Evidence included

  • Certificate SHA-256 fingerprint, issuer, validity window, and SAN list.
  • CT log identity, leaf hash, inclusion proof, and tree/checkpoint material.
  • DNS resolution state, related infrastructure, provider attribution, and historical delta.
  • Recommended analyst action and benign explanations to check first.

Use cases

Built for teams that need external evidence, not just asset lists.

Use Ariema to monitor domain portfolios, explain internet-facing drift, and investigate certificate, DNS, mail, web, infrastructure, and service exposure.

Unauthorized certificate issuance
Shadow domains and subdomains
Registration and registrar drift
Domain expiry and lifecycle risk
Mail posture weakness
Unexpected infrastructure movement
Subdomain takeover candidates
External service exposure
Certificate and SAN sprawl
Provider concentration risk
Portfolio-wide anomalies
Compound attack paths

API-first intelligence surface

Current state, deltas, graph, workbench, incidents, and CT evidence over API.

Talk to Ariema.

See the platform, review CT evidence, and map your domain-led external attack surface with the Ariema team.

Contact: hello@ariemaintelligence.com