Using Ferrum Sentinel
Ferrum Sentinel checks your organisation's public security posture with safe, non-invasive checks, turns the result into a clear score and prioritised findings, and produces reports you can share. This guide walks through the main features.
- Getting started
- Free preview
- Verifying a domain
- Running a scan
- Score & findings
- The checks
- Reports
- Monitoring
- For MSPs
- FAQ
Getting started
Create an account, then create an organisation (your workspace) and add a domain to it. Everything in Ferrum Sentinel is organised under an organisation, so you can keep separate clients or business units apart.
The free preview
You can run a free public preview from the landing page without an account: enter a domain and see basic, publicly visible DNS and email-security signals in under a minute. It's a taste of the full scan and is not a complete assessment.
Verifying a domain
Basic checks run on any domain you add. To unlock the deeper, verified-domain checks, prove you control the domain: open the domain page, choose Start verification, publish the DNS TXT record we show you, then choose Check now. Once verified, the deeper checks become available.
Running a scan
On the domain page, choose Run safe checks. The default scan always runs the core safe checks. On a verified domain you can additionally tick the deeper checks you want. A progress bar shows the scan as it works; results appear automatically when it completes.
Your score & findings
Each scan produces a weighted 0–100 score and an A–F grade per category, so progress is measurable. Findings are prioritised and each one carries:
- a severity (critical / high / medium / low / info);
- a confidence (confirmed vs inferred) — we distinguish evidence from inference and never overstate;
- the evidence behind it, plain-language business impact, and concrete remediation steps.
Language is deliberately careful: you'll see "detected", "not detected", or "appears to", never "you are hacked" or "you are safe".
The checks
The default scan covers core hygiene; verified domains unlock deeper, opt-in checks (some are premium add-ons).
| Check | What it looks at |
|---|---|
| DNS hygiene | DNS record health and common misconfigurations |
| Email security | SPF, DMARC, MTA-STS, TLS-RPT, BIMI |
| TLS / HTTPS | Certificate validity and HTTPS posture |
| HTTP headers | Security headers present or missing |
| Domain lifecycle | Registration and expiry signals |
| TLS configuration | Which protocol versions the server accepts (incl. deprecated TLS 1.0/1.1) |
| Deep email authentication | DKIM selector keys and the MTA-STS policy file |
| Security headers (graded) | CSP and policy headers graded, plus security.txt |
| Subdomain discovery & takeover | Discovered subdomains and dangling-DNS takeover risk |
| Typosquat monitoring | Look-alike domains registered against your brand |
| IP reputation | Whether your web/mail IPs are on a blocklist |
| Cloud storage exposure | Brand-named buckets that are publicly listable |
| Outdated libraries | Known-vulnerable front-end JavaScript library versions |
Reports
From a completed scan you can generate executive and technical reports in HTML and PDF. Client-audience reports can be shared via a one-time link, and MSP users can apply their own branding.
Monitoring & alerts
Set your alert preference (immediate, daily/weekly digest, or off) to be notified of new critical or high findings. Monitoring is what turns a one-time scan into ongoing visibility.
For MSPs & consultants
A parent organisation can manage many client organisations from one portfolio view — each client's grade, open findings, and trend at a glance — with strict isolation so one client's data never appears in another's.
FAQ
Is scanning safe to run against my production domain?
Yes. Checks are passive, rate-limited, and non-invasive — no exploitation, no credential guessing, no denial-of-service.
Does a good score mean I'm secure?
No. It means the safe public checks didn't find a problem. It does not assess your internal network, endpoints, or application logic.
Can I scan a domain I don't own?
You can run the free public preview on any domain, but the deeper verified-domain checks require you to prove ownership, and you must only assess domains you're authorised to assess.
Do I need a penetration test as well?
Ferrum Sentinel tells most businesses whether they need that conversation yet. When you do, our team offers manual testing — get in touch.
More questions? Contact us at funwayinteractive.com/contact. See also our Privacy Policy and User Agreement.