Method

How ThreatScope Check produces a result

ThreatScope Check reads public domain-layer signals and presents a point-in-time view of a domain’s visible trust surface. It separates observed evidence from interpretation, and explains the limits of what can be concluded from public signals alone.

Why this matters

Digital trust is partly visible from the outside. Domains publish signals through DNS, mail, web delivery and registration infrastructure. Those signals do not tell the whole story, but they can help people ask better questions, confirm basic posture, and understand where follow-up may be needed.

ThreatScope Check makes those public signals easier to read without turning them into a score, audit or claim of safety.

How a check is produced

  1. A domain is submitted.
  2. ThreatScope Check performs live checks against public domain-layer signals.
  3. Observed signals are grouped into DNS posture, email authenticity, web delivery, certificate surface and registration visibility.
  4. The result separates evidence from interpretation.
  5. The result is presented as a point-in-time snapshot with limits.

Signal areas

DNS posture

Looks at public DNS signals such as name resolution, DNSSEC-related visibility and basic domain-layer configuration.

Email authenticity

Looks at public mail authentication signals such as MX, SPF, DMARC and bounded DKIM selector observability where visible.

Web delivery

Looks at externally visible web delivery signals such as HTTPS availability, redirects and security headers.

Certificate surface

Looks at the domain’s public certificate footprint, such as certificate visibility in public Certificate Transparency logs, observed issuers and issuance timing. When a certificate cannot be observed, that is reported as a source condition rather than a domain weakness.

Registration visibility

Looks at publicly available registration or RDAP-style information where supported and visible. When registration data is not returned, that is reported as a source condition, not a negative signal about the domain.

Checked / not checked

CheckedNot checked
  • Public DNS records and resolution signals
  • Public email authentication records where visible
  • Public web delivery signals
  • Public certificate-surface signals from Certificate Transparency logs where available
  • Public registration / RDAP-style visibility where supported
  • Internal systems or private controls
  • Authenticated application areas
  • Private technical control testing
  • Malware or sender reputation classification
  • Full content or application control review
  • Legal, regulatory or contractual compliance
  • Whether internal controls are effective

Evidence model

ThreatScope Check separates what was observed from what may be inferred. Evidence describes public signals that were visible at the time of the check. Interpretation helps explain why those signals may matter, but it should not be treated as a complete assessment of the domain or organisation.

The absence of a visible signal does not always mean misconfiguration, negligence or risk. Some signals may be unavailable, intentionally unpublished, temporarily unreachable, unsupported by the domain, or outside the scope of the check. Confidence and source diagnostics explain evidence completeness separately from posture status.

To keep this distinction clear, each surface records an evidence state:

Observed
The signal was returned and read successfully at scan time.
Not observed
The source answered authoritatively that no such record exists, for example a registry reporting no published registration.
Unavailable
The source could not be read at scan time - a timeout, transport condition, or non-standard response. This is a condition of the source, not a finding about the domain.
Not applicable
The signal does not apply to this domain or cannot be gathered in the current runtime, so it is noted rather than scored.

An unavailable source is never treated as a negative signal about the domain. Surfaces that could not be observed are excluded from posture scoring rather than counted against the domain, unless there is a clear domain-side finding in its own right.

Result anatomy

Summary
A plain-English point-in-time overview of what ThreatScope Check observed.
Findings & signals
Grouped observations that may warrant review, confirmation or follow-up.
Evidence & sources
The visible public signals and source material used to support the result.
Method & limits
Context explaining how the result was produced and what should not be inferred from it.
Export
A lightweight way to preserve or share a point-in-time snapshot, subject to the same interpretation limits.

Limits

ThreatScope Check cannot tell you whether internal controls are effective, whether email is fully protected, whether a website has complete application coverage, whether a domain has harmful content, or whether a domain operator is compliant with any legal, regulatory or contractual requirement.

It can only describe selected public signals that were visible from the outside at the time of the check.

The certificate surface is read from public Certificate Transparency logs rather than from a live TLS handshake, so it reflects what has been publicly logged rather than the exact certificate served at scan time. Where a certificate or registration record could not be observed, the result says so plainly and treats it as a limit of visibility, not as evidence of a problem.

.au and .auDO context

ThreatScope Check is built with .au context in mind, but it is not limited to .au domains. It provides a point-in-time reading of one domain’s visible public signals.

A single lookup shows a moment. Repeated observation shows behaviour.

Related work through .auDO observes public signals across a curated .au panel over time. ThreatScope Check does not use .auDO data to produce results, and a ThreatScope Check result should not be treated as longitudinal monitoring.

ThreatScope Check surfaces public domain-layer signals. It does not determine whether an organisation is well governed. For a practical governance conversation, the Domain Governance Baseline provides a separate self-assessment around ownership, accountability and visible public signals.

Visible trust surface

ThreatScope Check is aligned with a TrustSurface view of digital trust: it looks at the public signals a domain presents from the outside, separates evidence from interpretation, and explains the limits of what those signals can prove.

Related: Changelog, Privacy notice, and Terms / acceptable use.