Live monitoring

See your entire attack surface.
Fix risk before it hits.

CertControl gives security teams full visibility across certificates, TLS exposure, internal networks, and attack paths — in one unified platform.

14-day free trial  ·  No charges during trial  ·  Cancel anytime

47-day TLS cert lifetime (2029)
8× increase in renewal frequency
8000+ annual renewals per 1k certs
Industry change

The CA/Browser Forum has voted to reduce TLS certificate lifetimes to 47 days by March 2029. The transition starts March 2026. Manual tracking will not survive this.

Most teams don't know what's actually exposed

Certificate expiry is only part of the story. Hidden services, weak TLS, exposed admin ports, and disconnected findings are where incidents begin.

🕳️

Unknown internet-facing services

Assets appear faster than teams can inventory them. Shadow infrastructure operates in silence — until an attacker finds it first.

🔓

Certificates expire unexpectedly

Manual tracking via spreadsheets breaks down. One missed renewal takes down login flows, APIs, and customer-facing services.

📡

Weak TLS and HTTP headers

Deprecated protocols, weak cipher suites, and missing security headers quietly expand your risk surface without triggering any alarms.

🧩

Disconnected, siloed findings

Most tools show isolated issues. Very few show how exposed services, CVEs, and business systems connect into real attack paths.

47-day certificates are coming

Mar 2026: 200-day maximum. Transition begins — automation becomes critical.
Mar 2027: 100-day maximum. Manual renewals already strained at this cadence.
Mar 2029: 47-day maximum — final deadline. Full enforcement. Every 6 weeks per certificate.

The CA/Browser Forum has unanimously voted. The timeline is set. For most organisations, this represents an 8× increase in renewal frequency — and spreadsheets simply won't scale.

Certificates in organisation: 1,000
Renewals per year (today): ~1,000
Renewals per year (2029): ~8,000
Manual tracking viable? No.

CertControl tracks every certificate, alerts before expiry, and supports ACME/Let's Encrypt automation to remove the manual burden entirely.

From certificates to full attack surface — in one platform

Built for teams that need real operational control, not five separate tools that don't talk to each other.

🔐

Certificate lifecycle management

Track every certificate — expiry, chain health, revocation, SAN validation, and risk scoring across all environments.

TLS & HTTP security analysis

Detect weak protocols, deprecated ciphers, and missing security headers. Full A+ to F grading per endpoint.

🎯

Attack path visualization

See how CVEs, shadow assets, and open ports connect into exploitable paths from internet to critical systems.

📊

Executive reporting

Four professional report types: Executive Summary, Operational Risk, Expiry Forecast, and Change/Drift detection.

Every view you need — built-in

From real-time scanner operations to board-ready executive reports.

Control Center
Unified command view — security score, exposure risk, attack surface, and operational health in one screen.

Attack Graph Exploration
Interactive attack graph — visualize how CVEs, shadow assets, and services connect into real attack paths with risk scoring.

External Scanner
External scanner — discover subdomains, resolved hosts, open ports, and TLS certificates across your internet-facing surface.

Scanner Fleet
Scanner fleet management — monitor internal, external, and discovery scanners across your entire network in real time.

Executive Summary
Executive Summary — grade distribution, 30-day trend, and finding impact score. Print to PDF for board and audit reporting.

Operations Dashboard
Operations Dashboard — 12-month certificate expiry forecast with urgency colour coding and per-month drill-down.

Scan internal networks without opening firewalls

Cloud-only tools miss internal assets. CertControl deploys a lightweight Docker agent behind your firewall — it scans locally and pushes only metadata outbound.

Zero Trust

Outbound HTTPS only. No inbound ports, no VPN, no remote execution.

Privacy by Design

Internal hostnames replaced with [masked] before data leaves your network.

~200 MB Docker image

Alpine-based, non-root. Runs anywhere Docker runs. No database.

Offline resilient

Local disk spool queues results when cloud is unreachable. Never lose scan data.

How the agent works

🏢

Your internal network

TLS scan · OCSP check · HTTP headers · Service fingerprint · Hostname redaction

↓  Outbound HTTPS · HMAC-SHA256 signed · mTLS optional
☁️

CertControl Cloud

Unified dashboard · Security scoring · Expiry alerts · Push config to agents

Built differently — by design

Enterprise-grade capabilities at a price that makes sense. No shared tenants, no legacy architecture, no compromise.

🏗️

Your own dedicated instance

Every customer gets a fully isolated Docker environment with a separate database and network. Your data is never co-mingled.

Dedicated Docker instance · Separate database · Full data sovereignty · EU-hosted — included on all plans
🇪🇺

Built in Denmark, hosted in Europe

A Danish company with all infrastructure in EU data centres. Full GDPR alignment, standard DPA available for all paid plans.

Data never leaves Europe · GDPR-aligned processing · Standard DPA included · Built by Danish security engineers
⚙️

Custom features, delivered fast

No six-month roadmap. No enterprise sales cycle. Tell us what you need — we build and ship quickly to match your operational reality.

Direct access to engineering · Configured to your environment · Modern stack — not legacy software · New features every sprint

We practice what we preach

Security is not a feature added later. It's built into every line of code from day one.

AES-256-GCM
Secrets encrypted at rest
Passwords BCrypt-hashed. API keys and ACME private keys AES-256-GCM encrypted. Reset tokens SHA-256 hashed.

Zero inbound
Zero-trust agent architecture
Agents make outbound-only HTTPS calls. No inbound ports, no VPN, no remote execution capability.

CSRF + XSS
Full application security hardening
CSRF tokens on all state-changing requests. Output escaping everywhere. Content-Security-Policy enforced.

TOTP 2FA
Multi-factor auth & brute-force protection
TOTP 2FA with backup codes. 5 failed attempts trigger a 15-minute lockout. Constant-time comparisons prevent timing attacks.

Immutable
Full audit trail
Every admin action, login, and configuration change logged with timestamp, user, and IP. Immutable audit log.

Built by people who've been on call

CertControl is designed by engineers who have experienced certificate-related outages firsthand — when login flows break and the board asks how it happened.

Identity & Access Management

Deep expertise in OIDC, SAML, and OAuth2. We understand how certificates underpin authentication flows and what breaks when they expire unexpectedly.

Kubernetes & Cloud Platforms

Hands-on experience with container orchestration and cloud-native architectures — and the certificate complexity they introduce at scale.

Reverse Proxies & Edge Security

Experience with F5, ISVA, and other reverse proxies — where certificate misconfigurations cause the most visible and painful outages.

Enterprise Operations & Compliance

We know audit and governance requirements firsthand. CertControl is built to satisfy them — not as an afterthought, but from the ground up.

Ready to see your full attack surface?

Start your 14-day free trial with full platform access. No charges during the trial. Takes 5 minutes to set up.

Credit card required to provision your dedicated environment. No charge before trial ends.