Does the Promptbook replace a pentest?

No. It helps identify signals and organize review. Impact validation, exploitation chain, and fix confirmation stay in the Manual Pentest.

Why is the Manual Pentest not sold through public checkout?

Because scope, authorization, environment, and operational risk need to be evaluated before a proposal.

Cybersecurity

Public exposure: what your SaaS shows before login

Domains, subdomains, files, headers, and old pages tell a story. The founder needs to know whether that story builds trust or creates risk.

Gabriel Ferreira

RET TECNOLOGIA EM INFORMÁTICA LTDA

Mar 23, 20269 min

What appears before invasive testing

Plenty of exposure does not require intrusion. It appears in DNS, forgotten routes, old pages, published files, metadata, and error messages. For a small SaaS, this is often more useful than hunting rare issues.

What to review first

Domains, redirects, and old subdomains.
Public files, maps, backups, and forgotten routes.
Error messages with service names or internal paths.
Headers exposing unnecessary technology or incorrect cache.
Documents with names, directories, or versions.

RET starts with visible points because fast-built SaaS often leaves clues there. The goal is to reduce exposure before opening a larger scope.

Tags:#Public exposure#SaaS#Headers#DNS#LGPD

Gabriel Ferreira

Founder & Lead Pentester

Gabriel Ferreira reviews production SaaS with focus on login, billing, data, and evidence founders can act on.

Need this?

Talk to RET

Request scope

Keep reading

View all

Pentesting AI-built SaaS: when automated review stops being enough

7 min

Edge security: get the basics right before the big language

8 min

Secure deploys for AI-built SaaS: what belongs in CI

6 min

Secure deploys for AI-built SaaS: what belongs in CI

Least privilege for small SaaS: start with the right access

RETSegurança para SaaS

Preparando a próxima tela com calma e sem perder o contexto.