Events and Findings
Understand the difference between recorded change and evaluated issues.
Events and findings are closely related, but they are not the same thing.
Events
An event records that something changed.
Examples:
- a port appeared
- a DNS record changed
- a certificate was updated
- a similar domain was newly observed
An event is useful because it preserves sequence and history. It explains how the current state came to be.
Findings
A finding records that a condition is significant enough to be treated as an issue.
Examples:
- an observed condition suggests elevated risk
- a configuration state violates an evaluation rule
- a page, certificate, DNS, or runtime condition deserves review as an issue rather than only as history
A finding is useful because it supports review, tracking, and disposition over time rather than forcing teams to re-interpret the same condition from scratch each time they revisit it.
The difference in practice
In short:
- events describe what happened
- findings describe what deserves attention
Some events are also easier to understand when separated by intent:
- operational events emphasize meaningful surface and posture change
- intelligence events preserve lower-noise discovery history, such as curated similar-domain observations
Not every event becomes a finding, and not every change should be treated as a problem. That distinction is one of the most important ideas in Asset Intelligence.
Rules and interpretation
Asset Intelligence is not intended to overwhelm you with every raw signal. It applies interpretation so the product can distinguish between background noise and material conditions.
That interpretation depends on rules and policy decisions such as:
- whether a change should be treated as noteworthy
- whether an observed condition should create a finding rather than only an event
- whether a signal should be treated as baseline, drift, or a newly introduced condition
This is important because useful asset intelligence is not just collection. It is collection shaped by judgment, with enough structure that teams can return to a finding later and still understand its status and context.
Finding rules
The table below summarizes the main finding types Asset Intelligence can raise today.
These descriptions are intentionally written for product users. They explain what the rule is meant to highlight, not every internal exception, suppression rule, or implementation detail.
| Type | Source | Condition |
|---|---|---|
| Domain expiration | Domain registration data | The monitored domain is expired or close enough to expiry that it should be reviewed. |
| Missing registrar lock | Domain registration data | Expected registrar lock protections are not visible in the observed domain status. |
| DNSSEC not enabled | DNS configuration | The domain does not appear to have DNSSEC enabled. |
| WHOIS status anomaly | Domain registration data | The observed registration status looks unusual enough to merit review. |
| SPF missing or too permissive | DNS email posture | SPF is missing or allows mail-sending behavior that is too open. |
| DKIM missing | DNS email posture | Mail-related DNS signals suggest DKIM should be present, but it was not observed. |
| DMARC missing or monitor-only | DNS email posture | DMARC is missing or left in a monitor-only state where stronger enforcement may be expected. |
| Missing CAA record | DNS certificate posture | No CAA record is present to limit which certificate authorities can issue certificates for the domain. |
| Deprecated DNS record type | DNS records | A deprecated or outdated DNS record type was observed. |
| Sensitive data in TXT record | DNS records | A TXT record appears to expose content that may be sensitive or risky to publish. |
| Weak TLS protocols enabled | TLS configuration | The service still supports TLS versions that are considered weak or outdated. |
| TLS certificate expired or expiring | TLS certificate | The certificate is expired or approaching expiry. |
| TLS certificate name mismatch | TLS certificate | The certificate does not properly match the observed hostname. |
| TLS certificate missing SAN | TLS certificate | The certificate does not include the expected Subject Alternative Name coverage. |
| Self-signed certificate | TLS certificate | The observed certificate is self-signed. |
| Untrusted certificate issuer | TLS certificate | The certificate chain or issuer does not appear to be trusted. |
| Weak key or signature | TLS certificate | The certificate uses a weak key size or weak signature algorithm. |
| TLS 1.2 only | TLS configuration | TLS 1.3 is not available even though TLS 1.2 is supported. |
| Legacy TLS fallback cipher | TLS configuration | The service still offers legacy fallback cipher options even though modern cipher support is available. |
| Weak or outdated cipher posture | TLS configuration | The service presents cryptographically weak cipher options or lacks a modern AEAD-based posture. |
| Incomplete certificate chain | TLS certificate | The certificate chain appears incomplete. |
| CSP in report-only mode | Page headers | A Content Security Policy is present, but it is only reporting and not enforcing. |
| Unsafe CSP directives | Page headers | The Content Security Policy includes directives that materially weaken browser protections. |
| Missing CSP directive without fallback | Page headers | The Content Security Policy omits directives that are expected to be defined directly rather than inherited. |
| Missing HSTS | Page headers | An HTTPS page does not present Strict-Transport-Security. |
| HSTS max-age too short | Page headers | HSTS is present, but the retention period is shorter than the expected minimum. |
HSTS missing includeSubDomains |
Page headers | HSTS is present, but does not extend to subdomains. |
Invalid X-Content-Type-Options |
Page headers | X-Content-Type-Options is present with an unsupported value. |
| Missing Content Security Policy | Page headers | A document-like page does not present a Content Security Policy. |
| Missing Permissions-Policy | Page headers | A document-like page does not present a Permissions-Policy header. |
| Missing Referrer-Policy | Page headers | A document-like page does not present a Referrer-Policy header. |
| Referrer-Policy too permissive | Page headers | The Referrer-Policy allows more URL detail to be shared than expected. |
| Missing MIME sniffing protection | Page headers | A page does not present X-Content-Type-Options protection. |
| Missing clickjacking protection | Page headers | A document-like page does not present an anti-framing header such as X-Frame-Options. |
| Third-party cookie observed | Page cookies | Third-party cookies were observed in browser runtime evidence. |
Cookie missing Secure |
Page cookies | A cookie that should be protected in transit does not use the Secure attribute. |
Cookie missing HttpOnly |
Page cookies | A cookie that should be restricted from client-side JavaScript does not use the HttpOnly attribute. |
SameSite=None without Secure |
Page cookies | A cookie uses SameSite=None without the Secure attribute that modern browsers expect. |
| Excessive cookie lifetime | Page cookies | A cookie persists longer than expected for its apparent purpose. |
| Invalid secure cookie prefix | Page cookies | A cookie uses a __Secure- or __Host- prefix without meeting the expected requirements. |
| Broad cookie path scope | Page cookies | A cookie is scoped more broadly across paths than expected. |
| Persistent non-essential cookie | Page cookies | A non-essential cookie appears to persist longer than expected. |
| Browser console error | Browser-observed page behavior | Runtime errors or other important console signatures were observed in the page experience. |
| Failed browser network request | Browser-observed page behavior | The browser console showed failed network requests that remained significant after normalization. |
| Browser security warning | Browser-observed page behavior | The browser console showed security warnings that remained significant after normalization. |
| Unhandled promise rejection | Browser-observed page behavior | The browser console showed unhandled promise rejections after normalization. |
| Deprecated browser API warning | Browser-observed page behavior | The browser console showed deprecated browser API warnings after normalization. |
| Missing source map | Browser-observed page behavior | JavaScript assets exposed missing source maps in browser runtime evidence. |
| CSP-blocked tracker request | Browser-observed page behavior | The browser console showed tracker or analytics requests being blocked by Content Security Policy. |
| Third-party identity runtime failure | Browser-observed page behavior | The browser console showed failures from third-party identity widgets. |
| Third-party challenge runtime failure | Browser-observed page behavior | The browser console showed failures from anti-bot or challenge runtimes. |
| Default page exposed | Page content | The page appears to be a server, framework, or placeholder default page rather than intended content. |
| Repeated collector failure | Monitoring health | A collector is failing often enough that visibility for that target may be incomplete. |
| Collector never succeeded | Monitoring health | A collector has not completed successfully for the target, creating a likely monitoring blind spot. |
Snapshot event rules
Snapshot events describe material change over time. They explain what changed between observations, even when that change does not rise to the level of a finding.
| Type | Source | Condition |
|---|---|---|
| DNS change | DNS collector | DNS records were added, removed, or changed in a meaningful way. |
| WHOIS change | Domain registration collector | Registrar, status, dates, contact details, or other important registration fields changed. |
| Similar-domain change | Similar-domain discovery | A new lookalike or related domain candidate was observed after Asset Intelligence normalization and screening. |
| Open port change | Port and HTTP discovery | Open ports or observed service fingerprints changed on the monitored target. |
| TLS certificate change | TLS collector | The active certificate changed in a meaningful way, such as identity, issuer, SAN, serial, or validity changes. |
| TLS configuration change | TLS collector | The observed TLS posture changed, such as supported features or related configuration details. |
| Page content hash change | HTTP discovery | The tracked page content hash changed, indicating the page body changed. |
| Page technology change | Technology detection | The set of detected technologies or their versions changed in a stable, meaningful way. |
| Page browser/runtime change | Browser-observed page behavior | Browser-visible page behavior changed, such as headers, metadata, cookies, resources, console signals, or consent-related runtime state. |
| Page service change | Browser-observed third-party footprint | Durable third-party service usage changed based on stable runtime evidence. |
| Page surface instability | Correlated page history | Repeated instability was observed across page behavior, page technologies, or related service exposure, and was summarized as a higher-level instability signal. |
| Organization profile change | Organization enrichment | Important organization details such as name, aliases, contacts, ownership, industry, or location changed. |
| Organization security incident change | Organization enrichment | Security incidents associated with the organization were added, removed, or materially updated. |
| Organization trust page change | Organization enrichment | Trust or compliance pages associated with the organization were added, removed, or materially changed. |
A practical way to use them
A useful working pattern is:
- review recent events to understand what changed
- review findings to understand what may require attention
- inspect supporting evidence in ports, pages, DNS, certificates, and similar domains
- decide whether the current state reflects baseline, drift, or an issue that needs follow-up
- record or update the finding disposition once the issue has been reviewed