DFIRLab
Security research, threat intelligence, and free DFIR tools.
© 2026 DFIR Lab. All rights reserved.

PERSONA
Compliance Officer / CISO
CATEGORY
Compliance / Risk
ENDPOINTS
4 used
UPDATED
April 2026
USE CASE · COMPLIANCE OFFICER / CISO

Attack surface visibility for NIS2 and DORA

NIS2 and DORA require regulated entities to maintain documented oversight of their external attack surface and to review it on a periodic basis. Enterprise VM suites are priced per-asset and gated behind sales calls. DFIR Platform gives you a scriptable exposure scanner, multi-source IOC context, and an AI-written board summary — priced per credit, no seat minimums.
Create a free account (100 credits/mo)
Try /exposure-scanner — no signup
KEY TAKEAWAYS
  1. One POST returns the publicly reachable domains, subdomains, certificates, and exposed services discovered for an organization, with the source of each finding.
  2. Every finding is enriched against up to 11 threat-intel sources so a risky cert or parked subdomain does not slip through.
  3. The output is a repeatable, versioned artifact your auditor can read: same input, same structured JSON, every quarter.
01 · CONTEXT

Attack-surface oversight is required, tooling is priced for F500

NIS2 is in force across EU member states and DORA applies to financial-sector entities. Both require regulated organizations to identify and periodically assess their external-facing assets. The standard answer is a seat-based vulnerability-management platform with a mandatory sales call, per-asset pricing, and a six-week procurement cycle. Mid-market banks, hospitals, utilities, and in-scope suppliers need something they can actually afford and operate without hiring a dedicated VM analyst.
PAIN POINTS
  1. Enterprise ASM suites commonly quote $40k–$120k/year with per-asset pricing and annual commitments.
  2. Spreadsheet-driven inventories drift within weeks — subdomains are added, certs rotate, forgotten SaaS tenants appear.
  3. Auditors want evidence of periodic reviews, not a one-off screenshot from six months ago.
  4. Small compliance teams need JSON they can archive, diff, and attach to an ISMS ticket — not a PDF locked inside a vendor portal.
02 · CAPABILITIES

The endpoints that solve it

DFIR Platform exposes the primitives a compliance-driven ASM program needs: a single exposure scan endpoint that enumerates external assets for a given organization, an enrichment endpoint that attaches reputation context to every asset, and an AI endpoint that turns the scan JSON into a board-ready paragraph. Run it on a cron, commit the output to a private repo, and your quarterly evidence is already there.

External exposure scan

10 credits
POST /v1/exposure/scan

Enumerates domains, subdomains, TLS certificates, and exposed services for a given organization or domain. Returns structured JSON with source attribution — suitable to diff quarter-over-quarter and attach as evidence.

Multi-source asset enrichment

3 credits / IOC
POST /v1/enrichment/lookup

Accepts the domains and IPs returned by the exposure scan and aggregates reputation from up to 11 sources (VirusTotal, AbuseIPDB, Shodan, Censys, urlscan, GreyNoise, OTX, Pulsedive, ThreatFox, IPVoid, Hybrid Analysis). Flags assets that are already known-bad before an auditor or attacker finds them.

AI threat profile

20 credits
POST /v1/ai/threat-profile

Converts the combined scan + enrichment JSON into a short narrative suitable for a risk-committee slide — adversary context, notable exposures, and suggested remediation priorities in plain English.

Public exposure scanner

Same scanner exposed at /exposure-scanner in the browser. Useful for tabletop exercises, tender due-diligence on a third party, or showing the board what an attacker sees without giving them an API key.

03 · WORKFLOW

A quarter-ending compliance scan in three calls

The workflow below is the shape of a scheduled job you run once per quarter (or monthly, if your ISMS demands it). Each step produces a persistent JSON artifact you commit to a private repo, attach to a Jira ticket, or hand to your auditor.
$ dfir-lab run compliance-attack-surface
# 1. Enumerate the external attack surface (10 credits).
#    --fail makes curl exit non-zero on a 4xx/5xx instead of silently saving
#    the error body as "evidence"; -sS stays quiet but still reports errors.
curl -sS --fail https://api.dfir-lab.ch/v1/exposure/scan \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"target": "example-bank.eu"}' \
  -o scan-2026Q2.json

# 2. Enrich the discovered assets (3 credits per IOC).
#    Pull {type, value} for each asset out of the scan and post the list.
jq '[.assets[] | {type, value}]' scan-2026Q2.json > indicators.json
curl -sS --fail https://api.dfir-lab.ch/v1/enrichment/lookup \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d @indicators.json \
  -o enrichment-2026Q2.json

# 3. Ask the AI for a board-ready narrative (20 credits).
#    The enrichment file is spliced into the request body unquoted, so it
#    must be valid JSON; the context string tells the model what to compare.
curl -sS --fail https://api.dfir-lab.ch/v1/ai/threat-profile \
  -H "Authorization: Bearer $DFIR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "indicators": '"$(cat enrichment-2026Q2.json)"',
    "context": "Quarterly NIS2 / DORA review — summarize exposure posture and change vs. previous quarter."
  }' \
  -o narrative-2026Q2.md

# Commit all three files to your ISMS evidence repo.
Three endpoints, three artifacts, one auditable trail. Same script next quarter, diff the JSON.
  Step 01 · Scope
  Agree the in-scope domain list with the CISO and ISMS owner. For DORA, include every customer-facing and ICT-third-party endpoint; for NIS2, the full corporate perimeter and essential-service assets.

  Step 02 · Scan
  Call /v1/exposure/scan for each in-scope domain. Capture the raw JSON response verbatim — timestamps included.

  Step 03 · Enrich
  Feed the discovered assets into /v1/enrichment/lookup. Anything with a negative verdict from two or more sources becomes a remediation ticket.

  Step 04 · Narrate
  Pipe the merged JSON into /v1/ai/threat-profile. The output is a short paragraph the CISO can paste into the quarterly risk report.

  Step 05 · Archive
  Commit scan, enrichment, and narrative to a private, access-controlled repository. This is the audit evidence — the diff between quarters is the story.
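The steps above say "diff the JSON" and "two or more negative sources becomes a ticket", but the page shows neither operation. The script below is an added example, not DFIR Platform's own code: it takes last quarter's and this quarter's scan output plus this quarter's enrichment output, lists assets added and removed, flags any indicator with a negative verdict from at least two distinct sources, reports discovered assets that never received an enrichment record (a coverage gap an auditor will ask about), and emits canonicalized JSON so a git diff between quarters shows only real change. The field names (assets[].type, assets[].value, results[].indicator, results[].sources[].name and .verdict) and the verdict vocabulary are assumptions about the response schema, and the payloads are constructed samples; check the API reference and adjust the accessors before running it against real output.

```python
"""Quarter-over-quarter review of DFIR Platform scan + enrichment JSON.

Added example, not DFIR Platform's own code. The response field names used
here (assets[].type/.value, results[].indicator, results[].sources[].name/
.verdict) and the verdict strings are ASSUMPTIONS about the API schema; check
the API reference and adjust the accessors before using this on real output.
"""
import json

# Constructed sample payloads in the assumed shape (not real scan data).
PREV_SCAN = {
    "target": "example-bank.eu",
    "assets": [
        {"type": "domain", "value": "www.example-bank.eu", "source": "dns"},
        {"type": "domain", "value": "vpn.example-bank.eu", "source": "crt"},
        {"type": "ip", "value": "198.51.100.10", "source": "passive"},
    ],
}
CURR_SCAN = {
    "target": "example-bank.eu",
    "assets": [
        {"type": "domain", "value": "www.example-bank.eu", "source": "dns"},
        {"type": "domain", "value": "staging.example-bank.eu", "source": "crt"},
        {"type": "ip", "value": "198.51.100.10", "source": "passive"},
        {"type": "ip", "value": "203.0.113.7", "source": "passive"},
    ],
}
CURR_ENRICH = {
    "results": [
        {"indicator": "www.example-bank.eu",
         "sources": [{"name": "VirusTotal", "verdict": "clean"}]},
        {"indicator": "staging.example-bank.eu",
         "sources": [{"name": "VirusTotal", "verdict": "malicious"},
                     {"name": "urlscan", "verdict": "malicious"},
                     {"name": "GreyNoise", "verdict": "unknown"}]},
        {"indicator": "203.0.113.7",
         "sources": [{"name": "AbuseIPDB", "verdict": "malicious"},
                     {"name": "Shodan", "verdict": "clean"}]},
    ]
}

# Verdict strings treated as "negative" (assumed vocabulary, not documented).
NEGATIVE_VERDICTS = {"malicious", "suspicious"}


def asset_keys(scan):
    """Identity of each asset as a (type, value) pair."""
    return {(a["type"], a["value"]) for a in scan["assets"]}


def diff_scans(prev, curr):
    """Assets that appeared or disappeared between two scans, sorted for stable diffs."""
    p, c = asset_keys(prev), asset_keys(curr)
    return {"added": sorted(c - p), "removed": sorted(p - c)}


def flag_for_ticket(enrich, threshold=2):
    """Indicators with a negative verdict from at least `threshold` distinct sources.

    Returns {indicator: [source names]} so the remediation ticket cites its evidence.
    """
    flagged = {}
    for r in enrich["results"]:
        neg = sorted({s["name"] for s in r["sources"]
                      if s.get("verdict") in NEGATIVE_VERDICTS})
        if len(neg) >= threshold:
            flagged[r["indicator"]] = neg
    return flagged


def unenriched_assets(scan, enrich):
    """Discovered assets with no enrichment record: a coverage gap, not a clean bill."""
    seen = {r["indicator"] for r in enrich["results"]}
    return sorted(a["value"] for a in scan["assets"] if a["value"] not in seen)


def quarterly_report(prev, curr, enrich, threshold=2):
    """Combine the three checks into one archivable review record."""
    d = diff_scans(prev, curr)
    return {
        "target": curr["target"],
        "asset_count": len(curr["assets"]),
        "added": d["added"],
        "removed": d["removed"],
        "tickets": flag_for_ticket(enrich, threshold),
        "unenriched": unenriched_assets(curr, enrich),
    }


def canonical_json(obj):
    """Sorted keys and fixed indentation so `git diff` shows only real changes."""
    return json.dumps(obj, sort_keys=True, indent=2)


if __name__ == "__main__":
    print(canonical_json(quarterly_report(PREV_SCAN, CURR_SCAN, CURR_ENRICH)))
```

Two design points worth keeping when you adapt this. The ticket rule counts distinct source names rather than raw verdict rows, so a provider that returns two engines under one name cannot satisfy the two-source threshold by itself. And the "unenriched" list exists because an asset that was discovered but never enriched is the one most likely to be missed; a review record that says "no findings" without it is not evidence of coverage.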

04 · PRICING

Pricing that tracks your workload

A typical mid-sized regulated entity scans a handful of domains per quarter and a few dozen on an ad-hoc basis. Professional ($99/mo, 2,500 credits) covers quarterly cycles for most in-scope organizations. Banks and critical-infrastructure operators with dozens of subsidiaries or third parties should move to Enterprise for unlimited credits and an on-premise option.
Recommended tier
Professional
2,500 credits / month
Entry price
$99/mo
Per domain, one cycle costs 10 credits (scan) + 3 credits per discovered asset (enrichment) + 20 credits (narrative).

  1. Small in-scope entity: 3 domains, quarterly scan, ~20 assets each
     (3 × 10) + (3 × 20 × 3) + (3 × 20) = 30 + 180 + 60 = 270 credits per quarter ≈ 90 credits/month
     Fits Starter ($29/mo, 500 credits) with significant headroom for ad-hoc third-party due-diligence.
  2. Mid-market regulated org: 10 domains, monthly scan, ~40 assets each
     (10 × 10) + (10 × 40 × 3) + (10 × 20) = 100 + 1,200 + 200 = 1,500 credits/month
     Fits Professional ($99/mo, 2,500 credits) comfortably, with room for incident-driven ad-hoc scans.
  3. Bank or critical-infra operator: 40 domains, monthly scan, ~60 assets each
     (40 × 10) + (40 × 60 × 3) + (40 × 20) = 400 + 7,200 + 800 = 8,400 credits/month
     Exceeds Professional; move to Enterprise (unlimited credits, on-premise option, custom SLA).
05 · GET STARTED

Three ways to evaluate

Pick the path that matches your stage. No sales call, no credit card required.

Create a free account (100 credits/mo)

Full API access, the dashboard, and 100 credits a month of your own: enough to run the three-call workflow above against one small domain before committing to a paid tier.

Sign up

Try /exposure-scanner — no signup

Run the same scanner against a single domain in the browser. Useful before procurement — see what your external attack surface actually looks like, then decide whether to wire the API into your ISMS.

Open tool

API reference

Full schema, error codes, rate limits, and copy-ready code snippets for every endpoint referenced above.

Read docs
06 · FAQ

Frequently asked

Q / 01
Is this a certified NIS2 / DORA compliance product?
No — neither directive certifies individual tools. NIS2 and DORA place obligations on regulated entities; this platform is one piece of evidence an entity can use to demonstrate attack-surface oversight. Your auditor looks at your process and artifacts, not a vendor logo.
Q / 02
What data does /v1/exposure/scan actually return?
Domains and subdomains resolved for the target, TLS certificates and their SANs, exposed services observed via passive sources, and the source each finding came from. Structured JSON — you parse it, you own it, you archive it.
Q / 03
Do you store our scan results?
Scan history is persisted under your organization so you can diff quarter-over-quarter and regenerate reports. On Enterprise, an on-premise deployment is available if data residency rules out the SaaS.
Q / 04
How is this different from a CVE scanner?
Exposure scanning maps what is externally visible — the asset inventory side. CVE / vulnerability scanning decides whether what is visible is patched. The two are complementary; this platform focuses on the former and leaves authenticated patch scanning to tools that do it well.
Q / 05
Can I automate this against 50 third-party suppliers?
Yes. Each call is independent, so you can loop over a supplier list; the practical ceiling is your credit balance, and the API reference documents the rate limits. Third-party risk teams typically wire it into a GRC platform or a simple cron job that posts a weekly digest into a Slack channel.
Q / 06
Does the AI narrative make factual claims?
The narrative summarizes the scan and enrichment JSON you feed it. Treat it as a first draft — a human analyst signs off before anything reaches a risk committee. That is also what the regulators expect.
RELATED · INDEX

Other teams solving adjacent problems

  01 · Email Security Automation via API (Email Security Engineer)
  02 · Automated Phishing Triage for SOC Teams (SOC Analyst)
  03 · IOC Enrichment for Incident Response (IR Consultant)
Ready when you are

Stop triaging by hand.

Create a free account — 100 credits per month, no credit card. Or keep browsing to find the use case that matches your workflow.

Browse all use cases
Create free account