Frequently Asked Questions

Everything you need to know about DDactic

General Questions

What is DDactic?
DDactic is an automated resilience testing and attack-surface analysis platform. We help organizations discover hidden vulnerabilities in their infrastructure protection, test defenses with safe synthetic simulations, and provide actionable hardening recommendations.
How do you spell DDactic?
It's DDactic - with a double "D" at the start. Common misspellings include "didactic" (a different English word meaning instructional), "dactic", or "ddatic". Our name combines "DD" (Digital Defense) with "tactic" to represent our tactical approach to resilience testing. Remember: DD-actic = Defense Tactics.
What does "Find What Defenses Miss" mean?
Most organizations believe they're protected because they have a CDN or WAF in place. But attackers often find ways to bypass these protections - through exposed origin IPs, unprotected subdomains, or misconfigured firewalls. DDactic finds these gaps before attackers do.
Is DDactic a penetration testing service?
DDactic focuses specifically on resilience testing and attack-surface discovery. We identify how an attacker could bypass your protection layers and overwhelm your infrastructure. For general penetration testing, we recommend working with a full-scope security firm.

Technical Questions

How does DDactic discover my attack surface?
We use comprehensive reconnaissance techniques including:
  • Certificate transparency log analysis
  • Historical DNS record lookup
  • Subdomain enumeration
  • CDN/WAF fingerprinting
  • Origin IP exposure detection
  • ASN and IP range mapping
All discovery uses public data sources and does not send traffic to your production systems.
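As an added illustration of the "origin IP exposure detection" step above (example code, not DDactic's own tooling): the check below takes a DNS export and a CDN provider's published edge ranges and reports every hostname that resolves to an address outside those ranges, which is exactly the gap a CDN cannot see. The hostnames, addresses and CDN ranges are constructed (RFC 5737 and RFC 3849 documentation space), and the allowlist parameter is an assumption for hosts that are meant to be reached directly, such as a mail server. A historical-DNS export can be fed through the same functions unchanged.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for a CDN provider's published edge ranges
# (RFC 5737 / RFC 3849 documentation space, not any real provider's list).
CDN_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed DNS export: hostname -> addresses it currently resolves to.
DNS_RECORDS: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10", "2001:db8:100::10"],
    "api.example.com": ["203.0.113.11"],
    "staging.example.com": ["198.51.100.7"],                    # never fronted
    "mail.example.com": ["198.51.100.25"],                      # direct by design
    "old-origin.example.com": ["192.0.2.44", "203.0.113.12"],   # one record leaks
}


def is_fronted(ip: str, networks: Iterable) -> bool:
    """True if the address falls inside one of the CDN edge ranges.
    ipaddress treats a v4 address as outside every v6 network and vice versa."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_hosts(records: Dict[str, List[str]], networks: Iterable) -> Dict[str, str]:
    """Label each host 'fronted' (every address behind the CDN), 'direct'
    (none are), 'partial' (mixed: a single direct record defeats the CDN)
    or 'unresolved' (no addresses in the export)."""
    labels = {}
    for host, ips in records.items():
        if not ips:
            labels[host] = "unresolved"
            continue
        fronted = [is_fronted(ip, networks) for ip in ips]
        if all(fronted):
            labels[host] = "fronted"
        elif not any(fronted):
            labels[host] = "direct"
        else:
            labels[host] = "partial"
    return labels


def find_exposed_records(records: Dict[str, List[str]], networks: Iterable,
                         allowlist: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """(host, ip) pairs that bypass the CDN, skipping hosts meant to be direct."""
    skip = set(allowlist)
    return [
        (host, ip)
        for host, ips in records.items()
        if host not in skip
        for ip in ips
        if not is_fronted(ip, networks)
    ]


if __name__ == "__main__":
    for host, label in classify_hosts(DNS_RECORDS, CDN_NETWORKS).items():
        print(f"{host:26} {label}")
    for host, ip in find_exposed_records(DNS_RECORDS, CDN_NETWORKS,
                                         allowlist=("mail.example.com",)):
        print(f"EXPOSED  {host} -> {ip}")
```

The "partial" label matters most in practice: a host with one record behind the CDN and one pointing at the origin is still reachable directly, so a report that only lists hosts with no CDN record at all would miss it.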
What CDN/WAF providers do you detect?
We detect 20+ providers including Cloudflare, AWS CloudFront, Akamai, Fastly, Azure CDN, Google Cloud CDN, Imperva/Incapsula, F5 BIG-IP, Radware, Fortinet FortiWeb, Sucuri, and many more.
Do you perform actual attacks during testing?
Our synthetic simulations are conducted from isolated lab infrastructure with strict controls: signed Authorization to Test documentation, throttled traffic, real-time monitoring, and immediate kill-switch capability. We never attack without explicit written authorization.

Security & Privacy

Is my data safe with DDactic?
Yes. We follow security best practices: all data encrypted at rest (AES-256) and in transit (TLS 1.3), no persistent storage of application responses, and clear data retention policies. SOC 2 Type II compliance is planned.
Can DDactic access my internal systems?
No. DDactic only analyzes externally accessible assets. We cannot and do not access internal networks, databases, or private resources.

Pricing & Plans

Is there a free tier?
Yes! Our Self-Check CLI tool is free and open-source. It provides subdomain discovery, CDN/WAF detection, basic risk scoring, and unlimited asset discovery scans. For full simulations and enterprise features, see our paid plans.
Is there a free trial?
Yes! Sign up for our waitlist to get 30 days of free access when we launch (vs. 14 days at public launch).
Why should I pay for DDactic when I already have Cloudflare/Akamai?
Great question! We don't replace your CDN - we test if it's configured correctly. CDNs protect what's behind them, but our research shows 67% of CDN-protected sites have discoverable origin IPs. If attackers can find your origin and hit it directly, your CDN never sees the attack. DDactic finds these gaps before attackers do.
Isn't this expensive for what it does?
Compare our pricing to the alternatives: Traditional resilience pentests cost $50,000-$150,000. Enterprise testing services typically start at $100,000/year. A single hour of downtime costs the average company $22,000-$100,000+ depending on size. DDactic quick assessments start at $99. Full discovery assessments start at $2,500 per domain, with Founder's pricing at 30% off. If we find one critical vulnerability that could cause downtime, the ROI is immediate.
We can do this internally with our security team.
You absolutely can! The question is: how long would it take? We use comprehensive reconnaissance techniques mapped to 86 attack patterns. Our automated discovery finds shadow IT, forgotten subdomains, and historical exposures that internal teams often miss because they're too familiar with "known" infrastructure. Most teams tell us DDactic finds assets they didn't know existed. Also, internal testing often lacks the attacker's perspective - we scan like attackers do.

Comparisons & Alternatives

How is DDactic different from a regular pentest?
Traditional pentests are general-purpose security assessments that might spend a few hours on resilience. DDactic is purpose-built for resilience testing and vulnerability assessment. We focus exclusively on: (1) Attack surface discovery - finding all your externally-exposed assets, (2) CDN/WAF bypass routes - testing if protection can be circumvented, (3) Origin exposure - identifying if your actual servers can be targeted directly, and (4) Actionable remediation - CLI commands to fix issues, not just PDF reports. Pentests tell you "you have a problem." We tell you exactly how to fix it.
What about tools like Shodan, SecurityTrails, or Censys?
Those are excellent tools for manual reconnaissance - we actually use data from similar sources. The difference is: (1) They provide raw data; we provide risk-analyzed findings, (2) They require expertise to interpret; we provide actionable recommendations, (3) They don't test CDN bypass or protection effectiveness, (4) We provide CLI remediation commands for each finding. Think of DDactic as the analysis layer on top of reconnaissance data, specifically tuned for resilience testing.
Can't I just use my CDN's built-in analytics?
CDN analytics show you traffic that reaches the CDN. They can't show you: (1) Origin IPs that attackers could target directly, (2) Subdomains not routed through the CDN, (3) Historical DNS records that expose origins, (4) Certificate transparency logs revealing infrastructure. The CDN's view is "what goes through us." DDactic's view is "what attackers can see about you."
What's the difference between OPI and DRS?
DDactic uses two complementary scoring standards:

OPI (Open Protection Index) is DDactic's open standard. It scores resilience on a 0-100 scale (grades A-F) across six weighted dimensions: Defense Coverage (20%), L7 Attack Resilience (25%), L3/L4 Resilience (15%), Protocol Resilience (15%), Operational Resilience (10%), and Evasion Resistance (10%). OPI is granular and actionable - each dimension maps to specific hardening recommendations.

DRS (DDoS Resilience Score) is an industry standard (ddosresiliencyscore.org) that rates mitigation capability on a 1-7 scale. It's simpler and widely recognized, making it ideal for executive summaries and vendor comparisons.

How they relate: OPI measures your full attack surface and protection depth. DRS measures mitigation capability. DDactic computes both and shows them side by side - OPI for engineering teams planning remediation, DRS for board reporting and benchmarking. A company might score OPI 72 (Grade C) and DRS 5 (Good), meaning decent mitigation but discoverable gaps in protocol or evasion resistance.
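A worked computation of the OPI arithmetic described above, added here as an illustration and not DDactic's published implementation. The weights are the six listed on this page (they total 95, so the code divides by the weight sum rather than by 100; that normalisation is an assumption), the A-F cut-offs are assumed because the page gives none, the dimension scores are constructed so that they land on the OPI 72 / Grade C example, and the ranking of dimensions by weighted points lost is an addition that shows which dimension moves the score most when remediated.

```python
from typing import Dict, List

# Dimension weights in percent, as listed on the page. They total 95, so
# opi_score() normalises by the weight sum (assumption, not a published rule).
OPI_WEIGHTS: Dict[str, int] = {
    "defense_coverage": 20,
    "l7_attack_resilience": 25,
    "l3_l4_resilience": 15,
    "protocol_resilience": 15,
    "operational_resilience": 10,
    "evasion_resistance": 10,
}

# Assumed letter-grade cut-offs; the page only states that grades run A-F.
GRADE_CUTOFFS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]

# Constructed per-dimension scores (0-100) chosen to reproduce OPI 72 / Grade C.
SAMPLE_SCORES: Dict[str, int] = {
    "defense_coverage": 86,
    "l7_attack_resilience": 80,
    "l3_l4_resilience": 70,
    "protocol_resilience": 56,
    "operational_resilience": 75,
    "evasion_resistance": 48,
}


def opi_score(dimension_scores: Dict[str, float]) -> float:
    """Weighted mean of the six dimension scores on a 0-100 scale."""
    missing = set(OPI_WEIGHTS) - set(dimension_scores)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    for name, value in dimension_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be within 0-100, got {value}")
    total_weight = sum(OPI_WEIGHTS.values())
    weighted = sum(OPI_WEIGHTS[name] * dimension_scores[name] for name in OPI_WEIGHTS)
    return round(weighted / total_weight, 1)


def opi_grade(score: float) -> str:
    """Map a 0-100 score to a letter grade using the assumed cut-offs."""
    for cutoff, grade in GRADE_CUTOFFS:
        if score >= cutoff:
            return grade
    return "F"


def weakest_dimensions(dimension_scores: Dict[str, float], n: int = 2) -> List[str]:
    """Dimensions ranked by weighted points lost, i.e. where fixing the
    underlying findings raises the overall score the most."""
    lost = {
        name: OPI_WEIGHTS[name] * (100 - dimension_scores[name]) / 100
        for name in OPI_WEIGHTS
    }
    return sorted(lost, key=lost.get, reverse=True)[:n]


if __name__ == "__main__":
    score = opi_score(SAMPLE_SCORES)
    print(f"OPI {score} (Grade {opi_grade(score)})")
    print("Fix first:", ", ".join(weakest_dimensions(SAMPLE_SCORES)))
```

The ranking is the reason OPI is described as actionable: a score of 72 on its own says little, but seeing that protocol resilience and evasion resistance account for most of the lost points tells an engineering team which hardening work to schedule first.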

Trust & Compliance

How do I know DDactic won't misuse scan data?
We understand this concern - you're essentially showing us your vulnerabilities. Here's how we protect you: (1) All data encrypted at rest (AES-256) and in transit (TLS 1.3), (2) Strict data retention - findings deleted after 90 days unless you opt to retain, (3) No sharing with third parties ever, (4) We sign NDAs for all enterprise engagements, (5) SOC 2 Type II compliance planned. Our business model depends on trust - we'd never risk it by misusing customer data.
Do you sell our scan data to CDN/security vendors?
Absolutely not. Your scan data is never shared, sold, or used for anything other than generating your reports. We don't aggregate customer data. We don't share vulnerability trends with vendors. Your security posture is your business alone.
Will DDactic help with compliance requirements?
Yes! Our reports are designed to satisfy resilience-related compliance requirements in: (1) PCI-DSS - demonstrates protection testing, (2) SOC 2 - evidence of availability controls, (3) HIPAA - availability safeguards documentation, (4) DORA (EU) - ICT risk assessment for financial services, (5) NIS2 (EU) - network and information security assessment. We provide executive reports formatted for auditor review.

Getting Started

How do I verify domain ownership?
We offer multiple verification methods: DNS TXT record, HTML file upload, meta tag, CNAME record, or email confirmation via WHOIS admin contact.
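How the DNS TXT method might be checked on the verifier's side, as an added example rather than DDactic's actual scheme: the token is an HMAC over the domain and the requesting account, so a token published on one domain cannot be reused to claim another domain or by another account, and the comparison is constant-time. The `ddactic-verify=` record prefix, the server secret and the TXT records are all constructed assumptions for the example.

```python
import hashlib
import hmac
from typing import Iterable

# Assumption: one per-deployment secret held by the verifier; constructed value.
SERVER_SECRET = b"constructed-example-secret-not-for-production"
# Assumption: the record layout the customer is asked to publish.
RECORD_PREFIX = "ddactic-verify="


def normalise(domain: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.com.' and 'example.com' agree."""
    return domain.strip().lower().rstrip(".")


def issue_token(domain: str, account_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to (domain, account). Being an HMAC, it needs no per-domain
    state and cannot be forged or transplanted to a different domain."""
    message = f"{normalise(domain)}|{account_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:32]


def verify_txt_records(domain: str, account_id: str, txt_records: Iterable[str],
                       secret: bytes = SERVER_SECRET) -> bool:
    """True if any TXT record carries the token expected for this domain and account."""
    expected = issue_token(domain, account_id, secret).encode()
    for record in txt_records:
        if not record.startswith(RECORD_PREFIX):
            continue  # SPF, DKIM and other TXT data are ignored, not errors
        presented = record[len(RECORD_PREFIX):].strip().encode()
        if hmac.compare_digest(presented, expected):  # constant-time comparison
            return True
    return False


# Constructed TXT answer for example.com, as a resolver might return it.
EXAMPLE_TXT = [
    "v=spf1 include:_spf.example.net -all",
    RECORD_PREFIX + issue_token("example.com", "acct-42"),
]

if __name__ == "__main__":
    print("example.com / acct-42:", verify_txt_records("example.com", "acct-42", EXAMPLE_TXT))
    print("example.com / acct-99:", verify_txt_records("example.com", "acct-99", EXAMPLE_TXT))
```

Binding the token to the account is what prevents a customer from verifying a domain by pointing at a record that someone else published; binding it to the domain is what stops a record copied from one zone from proving ownership of another.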
Can I scan domains I don't own?
No. You can only scan domains you own or have explicit authorization to test. Our domain verification system ensures you can only scan verified assets.
How long does a scan take?
Passive scans take 3-5 minutes. Active scans take 10-15 minutes. Full simulations are scheduled and take 15-60 minutes.
Will testing crash or affect our production systems?
Discovery and analysis use only public data sources (certificate transparency logs, DNS records, WHOIS) and never send traffic to your infrastructure. Active simulations only happen with your explicit written authorization, use strictly controlled traffic from our lab, include real-time monitoring with an immediate kill-switch, and are scheduled during your preferred maintenance windows. You stay in full control throughout.
Can we test on staging or pre-production environments first?
Yes, and we recommend it. You can point DDactic at any domain you own - staging, QA, or pre-production environments. Many customers start with a staging scan to see the methodology before authorizing production assessments. The passive discovery phase works identically on any environment since it uses public data sources.
If a vulnerability is found during testing, who is liable?
DDactic operates under a signed Authorization to Test (AoT) agreement that clearly defines scope, limitations, and responsibilities. We find and report vulnerabilities - we don't exploit them. Our engagement follows responsible disclosure principles: findings are reported only to you, with clear remediation guidance. We carry professional liability insurance and operate within the bounds of responsible testing guidelines published on our site.
What compliance frameworks does DDactic help with?
DDactic's assessments can support evidence collection for SOC 2 (specifically CC6.1 and CC7.1 around logical access and system operations), PCI DSS requirement 11 (network security testing), ISO 27001 Annex A.12 (operations security), and NIST CSF ID.RA (risk assessment). Our reports include compliance-mapped findings that map each vulnerability to the relevant framework control, making it easier for your GRC team to document remediation.
How is this different from the DDoS protection my CDN already provides?
CDN providers (Cloudflare, Akamai, Fastly, etc.) protect traffic that flows through them. But protection only works when traffic is routed through the CDN. DDactic finds what your CDN can't protect: exposed origin IP addresses that attackers can target directly, subdomains not routed through the CDN, DNS misconfigurations that leak origin IPs, and historical records that reveal past infrastructure. Think of it this way: your CDN is the armor. DDactic finds the gaps where the armor doesn't cover.

Still have questions?

Contact us at [email protected] or join our early access waitlist.

Join Waitlist