
> evidence pack

audit-grade evidence for the domains you operate

a signed, hash-chained PDF + JSON sidecar covering DNS, email authentication, TLS, redirects, security headers, CORS, and your public-web surface — for one root and up to 100 subdomains, delivered in 10–30 minutes. for compliance consultants, SOC 2 / ISO 27001 prep teams, audit responders, and the MSPs who receive the questionnaires.

what's in a pack

10 free checks (included)

  • DNS records (A, AAAA, NS, SOA, CAA, TXT): are authoritative DNS records published correctly for this domain? (SOC 2 CC6.6 · ISO 27001 A.8.20 · NIST SC-20)
  • MX (mail exchangers): which mail servers are authoritative for receiving email at this domain? (SOC 2 CC6.7 · ISO 27001 A.8.21 · NIST SC-8)
  • SPF (sender authentication): does this domain publish an SPF record limiting authorised senders? (SOC 2 CC6.7 · ISO 27001 A.8.20 · NIST SC-8)
  • DMARC (email policy): does this domain enforce a DMARC policy (quarantine or reject)? (SOC 2 CC6.7 · ISO 27001 A.5.14 · NIST SC-8)
  • DKIM (signing selectors): are outgoing emails DKIM-signed under a published selector? (SOC 2 CC6.7 · ISO 27001 A.8.24 · NIST SC-8)
  • TLS certificate: is data in transit protected by a valid, current TLS certificate? (SOC 2 CC6.1 · ISO 27001 A.8.24 · NIST SC-8(1))
  • HTTP→HTTPS redirect chain: does the public site redirect HTTP to HTTPS without dropping the user? (SOC 2 CC6.6 · ISO 27001 A.8.23 · NIST SC-7)
  • security headers (HSTS, CSP, etc.): are HSTS, CSP, X-Frame-Options, and related headers configured? (SOC 2 CC6.6 · ISO 27001 A.8.23 · NIST SC-7(8))
  • CORS preflight: are cross-origin policies appropriately restrictive at this origin? (SOC 2 CC6.6 · ISO 27001 A.8.23 · NIST AC-4)
  • public web surface (robots, sitemap, meta): what robots.txt, sitemap, and meta tags the domain advertises publicly. (SOC 2 CC6.6 · ISO 27001 A.8.9 · NIST CM-7)
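The SPF and DMARC checks above reduce to reading a TXT record and grading what it says. The following is an added example, not code from the page or from the @drwhome/dossier-checks package: it grades constructed SPF and DMARC records into the severity scale the pack uses (info / low / medium / high). The records are passed in directly so it runs offline; a live check would fetch TXT records for `<domain>` and `_dmarc.<domain>`. The severity mapping is this example's own assumption, not the pack's published grading.

```javascript
// Added example, not code from the @drwhome/dossier-checks package: grade SPF and
// DMARC TXT records into the pack's severity scale (info / low / medium / high).
// The records are constructed and passed in directly so the check runs offline;
// a live check would fetch TXT records for <domain> and _dmarc.<domain>.
// The severity mapping below is an assumption of this example.

const BUMP = { info: 'low', low: 'medium', medium: 'high', high: 'critical' };

// Split "v=DMARC1; p=reject; pct=100" into { v: 'DMARC1', p: 'reject', pct: '100' }.
function parseTags(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) tags[part.slice(0, idx).trim().toLowerCase()] = part.slice(idx + 1).trim();
  }
  return tags;
}

// SPF: exactly one v=spf1 record is required; the qualifier on the "all" mechanism
// decides how unlisted senders are treated, which is what the severity reflects.
function checkSpf(txtRecords) {
  const spf = txtRecords.map(r => r.trim()).filter(r => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) {
    return { check: 'SPF', severity: 'high', detail: 'no SPF record published',
             remediation: 'publish a single v=spf1 record listing authorised senders, ending in -all' };
  }
  if (spf.length > 1) {
    return { check: 'SPF', severity: 'high',
             detail: `${spf.length} SPF records found; RFC 7208 permits exactly one`,
             remediation: 'merge the records into one v=spf1 record' };
  }
  const allTerm = spf[0].split(/\s+/).find(t => /^[+\-~?]?all$/i.test(t));
  if (!allTerm) {
    return { check: 'SPF', severity: 'medium',
             detail: 'no "all" mechanism; unlisted senders evaluate as neutral',
             remediation: 'append -all to the record' };
  }
  const qualifier = allTerm.length === 3 ? '+' : allTerm[0]; // bare "all" means "+all"
  const grade = {
    '-': ['info',   'hard fail for unlisted senders (-all)'],
    '~': ['low',    'soft fail for unlisted senders (~all)'],
    '?': ['medium', 'neutral for unlisted senders (?all)'],
    '+': ['high',   '+all authorises any sender on the internet'],
  };
  const [severity, detail] = grade[qualifier];
  return { check: 'SPF', severity, detail,
           remediation: severity === 'info' ? 'none' : 'end the record with -all once all legitimate senders are listed' };
}

// DMARC: the p= tag is what "enforced" means in the pack's DMARC check; pct below
// 100 or sp=none weaken an otherwise enforcing policy by one severity step.
function checkDmarc(dmarcTxtRecords) {
  const recs = dmarcTxtRecords.map(r => r.trim()).filter(r => /^v=DMARC1\s*(;|$)/i.test(r));
  if (recs.length !== 1) {
    return { check: 'DMARC', severity: 'high',
             detail: recs.length === 0 ? 'no DMARC record at _dmarc.<domain>'
                                       : `${recs.length} DMARC records found; receivers discard ambiguous policies`,
             remediation: 'publish exactly one v=DMARC1 record with p=quarantine or p=reject' };
  }
  const tags = parseTags(recs[0]);
  const p = (tags.p || '').toLowerCase();
  const base = { none: 'medium', quarantine: 'low', reject: 'info' };
  if (!(p in base)) {
    return { check: 'DMARC', severity: 'high', detail: 'missing or invalid p= tag; no policy is applied',
             remediation: 'add p=quarantine or p=reject' };
  }
  let severity = base[p];
  const notes = [`p=${p}`];
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (p !== 'none' && !(pct >= 100)) {
    severity = BUMP[severity];
    notes.push(`pct=${tags.pct} applies the policy to only part of the mail stream`);
  }
  if (p !== 'none' && (tags.sp || '').toLowerCase() === 'none') {
    severity = BUMP[severity];
    notes.push('sp=none leaves subdomains unenforced');
  }
  return { check: 'DMARC', severity, detail: notes.join('; '),
           remediation: severity === 'info' ? 'none'
             : 'move to p=reject at pct=100 (and a matching sp=) once aggregate reports show legitimate mail aligns' };
}

// One finding per check, in the order the pack lists them.
function gradeEmailAuth(txtRecords, dmarcTxtRecords) {
  return [checkSpf(txtRecords), checkDmarc(dmarcTxtRecords)];
}

// Constructed sample inputs (not real DNS data).
const SAMPLE_GOOD = gradeEmailAuth(
  ['v=spf1 include:_spf.example.net -all', 'google-site-verification=constructed'],
  ['v=DMARC1; p=reject; rua=mailto:dmarc@example.com']);
const SAMPLE_WEAK = gradeEmailAuth(
  ['v=spf1 +all'],
  ['v=DMARC1; p=quarantine; pct=25']);

console.log(JSON.stringify({ SAMPLE_GOOD, SAMPLE_WEAK }, null, 2));
```

Each finding carries the check name, a severity, a detail line and a remediation sentence, mirroring the per-finding fields the artifact format section lists; a real check library would add the DNS lookup and the retry/inconclusive handling the FAQ describes.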

5 paid checks (Evidence Pack only)

  • MTA-STS (SMTP downgrade prevention): does this domain enforce MTA-STS to prevent SMTP downgrade attacks? (SOC 2 CC6.7 · ISO 27001 A.8.24 · NIST SC-8)
  • TLS-RPT (SMTP-TLS reporting): does this domain receive TLS-RPT reports for SMTP failures? (SOC 2 CC7.2 · ISO 27001 A.8.16 · NIST AU-6)
  • DNSSEC (zone signing): is DNSSEC signing enabled for this zone? (SOC 2 CC6.6 · ISO 27001 A.8.20 · NIST SC-20)
  • WHOIS (registration + expiry): who owns this domain and when does the registration expire? (SOC 2 CC2.3 · ISO 27001 A.5.20 · NIST PE-2)
  • Certificate Transparency log discovery: which subdomains have certificates issued in CT logs for this root? (SOC 2 CC7.2 · ISO 27001 A.8.16 · NIST SI-4)

artifact format

  • up to 100 CT-discovered subdomains (DNS, TLS, headers per subdomain)
  • severity-graded findings (info / low / medium / high / critical)
  • plain-English remediation per finding
  • ISO-8601 UTC timestamps on every line
  • SHA-256 hash + Ed25519 detached signature over the artifact
  • JSON sidecar for machine consumption + signed manifest
  • public, versioned methodology document linked from each pack

sample pack

a signed sample pack ships when the first paid pack is generated end-to-end. until then, this page is the canonical specification of what a pack contains.

what this is not

the Evidence Pack is supporting technical evidence for public-facing domain controls. it is not a SOC 2 audit report and does not replace an auditor; it gives them less to chase. it is not a penetration test, not a risk register, and not a substitute for compliance tooling like Vanta, Drata, or SecureFrame — those tools manage the audit programme; the pack documents the public domain surface they reference.

pricing — usd

Pack (recommended) · $29 · one-time, per pack

  • 1 root domain + up to 100 CT-discovered subdomains
  • 10 dossier checks + per-subdomain DNS, TLS, headers
  • Signed PDF report + JSON sidecar (SHA-256 + Ed25519)
  • ISO-8601 timestamps; valid forever
  • Public methodology + open-source check library

Solo · $19 / month · 5 root domains, monthly packs

  • 5 root domains under continuous watch
  • Monthly fresh evidence pack per domain
  • Email alerts on regression (TLS expiry, SPF change, DMARC weakening)
  • Customer dashboard at /dashboard

Team · $79 / month · 25 roots, weekly packs

  • 25 root domains, weekly fresh packs
  • Slack + webhook alerts in addition to email
  • Per-domain change history
  • API access for the dashboard

Agency · $249 / month · 100 roots, daily TLS, white-label

  • 100 root domains, daily TLS checks, weekly full packs
  • White-label: agency logo + custom subdomain on packs
  • Scheduled client reports
  • MCP API quota for AI-driven workflows

100+ root domains, SSO, audit log, or contract terms? contact us for a custom plan.

faq

What's the difference between the free dossier and the Evidence Pack?

The free /d/<domain> dossier is an ephemeral 10-check snapshot designed to be shared. The Evidence Pack adds: a signed PDF report + JSON sidecar with SHA-256 + Ed25519 signature, ISO-8601 timestamps on every finding, severity grading and remediation prose, subdomain coverage (up to 100 per pack via Certificate-Transparency logs), and a public, versioned methodology document linked from each pack. Auditors and procurement teams want the artifact, not the dashboard.

How is the pack signed?

Each pack carries a SHA-256 hash of the PDF + JSON sidecar, an ISO-8601 UTC timestamp, and a detached Ed25519 signature over the hash. The drwho.me public key is published at /.well-known/evidence-pack-pubkey.pem. This is rung-(a) attestation: third-party signed, but without an RFC 3161 trusted-timestamp authority and without an append-only public log. Those are tracked for v2.

What's the subdomain cap and why?

100 subdomains per pack, sourced exclusively from Certificate-Transparency logs (crt.sh). No DNS brute-forcing, no port scanning, no active probing — strictly public surface. The cap is a fairness lever: roots with thousands of CT-discoverable subdomains would otherwise need a multi-pack run.

How fast is delivery?

10–30 minutes per pack. You'll get an email with the signed PDF + JSON sidecar plus a portal at /dashboard where you can re-download for the lifetime of the artifact.

Can I monitor a domain instead of buying one-shot packs?

Yes. The Solo / Team / Agency subscriptions add daily re-scans, regression alerts (TLS expiry, SPF change, DMARC weakening), and monthly fresh packs. One-shot packs are zero-commitment; subscriptions are the recurring layer above them.

Is the underlying check library auditable?

Yes. The 10 dossier checks ship as the open-source @drwhome/dossier-checks npm package (MIT). Anyone can audit exactly what we scan, run it locally, or include it in their own pipeline.

What if a check errors out?

Each check has retries built in. If a check still fails after retries, the pack flags it as 'inconclusive' rather than a finding, and the order is partially refunded. No silent omissions.
