CyberCrawler
We scan the internet so attackers find nothing first.
Cyber Crawler is our continuously running web crawler. It maps publicly reachable digital assets across the United States and Canada, looking for exposures and vulnerabilities the way an attacker would. When it finds a real risk, we reach out to the organization that owns it, privately.
Find it first. Disclose it privately. No public dumping, ever.
What Cyber Crawler finds
The exposures attackers look for, found first.
Cyber Crawler observes only what is reachable from the public internet, the same surface an attacker sees. It never logs in, never touches data behind authentication, and keeps evidence to the minimum needed to prove a finding is real.
Exposed databases & storage
Open databases, public S3/GCS/Azure buckets, and backups reachable without credentials.
Leaked secrets & API keys
Credentials, tokens, and keys exposed in public code, configs, and responses.
Weak & expiring TLS
Expired certificates, weak ciphers, and misconfigured HTTPS across your domains.
Subdomain takeovers
Dangling DNS records pointing at unclaimed cloud resources an attacker can seize.
Exposed admin panels
Login pages, dashboards, and management consoles that should never face the internet.
Vulnerable & end-of-life services
Internet-facing software with known CVEs or versions past end of life.
Risky open ports
Databases, remote access, and internal services exposed on public IPs.
Email & DNS gaps
Missing or misconfigured SPF, DKIM, and DMARC that enable spoofing.
Shadow IT & forgotten assets
Subdomains and hosts your team stood up and forgot, outside your inventory.
How it works
From crawl to private disclosure.
Crawl
We continuously crawl publicly reachable IP space and domains across the US and Canada, building a live map of exposed assets.
Triage
AI agents separate real, exploitable exposure from internet background noise. If it is not a genuine risk, it never becomes an alert.
Disclose privately
We identify the organization that owns the asset and reach out directly and confidentially. No public posts, no data for sale.
Help them close it
We share what we found and how to fix it. If they want to go deeper, Cyber Swarm verifies and AutoFix remediates.
Responsible disclosure
We are security researchers, not opportunists.
Finding an exposure is only useful if it gets fixed without putting anyone at greater risk. Cyber Crawler follows strict disclosure principles on every finding.
- Private first. We contact the affected organization directly and confidentially. We never publish, post, or sell findings.
- Minimal evidence. We collect only what is needed to prove a finding is real, and never exfiltrate data or access systems behind authentication.
- Time to fix. We give organizations reasonable time to remediate before any finding is closed, and we are happy to verify the fix.
- No strings attached. A disclosure is not a sales pitch. We tell you what we found because someone should. What you do next is up to you.
Where Cyber Crawler fits
One platform. Two layers. One closed loop.
Cyber Crawler is the front door. It is the first step of a platform that takes a risk all the way from discovered to fixed and verified in production.
Discovery Layer
Cyber Crawler · you are here
Continuously finds exposures across the public internet and discloses them privately.
Authorized AI penetration testing that proves what is actually exploitable, with evidence.
Remediation Layer
Closes the loop: generates, validates, deploys, and verifies the fix in production. Never Break Prod™.
Discover → Verify → Remediate → Verified in production
Land with Cyber Crawler, read-only and no risk. Expand with Cyber Swarm to prove exploitability. Own the loop with AutoFix. Every step earns the next.
Did we reach out to you?
If Cyber Crawler contacted you, here is what it means.
Our crawler found something on an asset that appears to belong to your organization, and we wanted you to know before someone with worse intentions did. The message you received describes what we observed and how to confirm it.
There is nothing to buy and nothing you owe us. If you want help confirming the finding or closing it, we are glad to assist, and we can verify the fix once it is in place.
To confirm the disclosure is genuinely from us, contact us through the button below or email cyberarmy@codeproof.com and reference the asset in question.
Want to know what we can see?
Get a free report on your own external attack surface. Same discovery engine, pointed at the domains you verify and authorize.