Methodology

How CertPilot works

CertPilot is built from three primitives: automated checks on public technical signals, customer-maintained registers of the things your team tracks, and management-ready evidence reports built from both. It helps lean IT teams, MSPs, and agencies prove governance work without requiring login credentials, registrar access, or any privileged access to the systems it monitors.

The model: checks + registers → evidence

CertPilot has two inputs and one output. The checks read public technical signals automatically, on a daily schedule, with no access to your accounts. The registers are records your team maintains — CertPilot does not discover or sync them from your internal systems. The evidence reports combine the latest check results and your register records into a management-ready PDF you can hand to a manager, client, or auditor as proof of work. Reports are generated on demand; there is no scheduled report delivery or automated report email today.

What CertPilot checks automatically

SSL/TLS certificate validity and expiry

CertPilot connects to each domain over HTTPS and reads the public TLS certificate chain. It records the certificate expiry date, issuer, and whether the certificate is valid. No site content is accessed — only the certificate handshake data that any browser would see.
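The handshake-only check described above, written as an added example (not CertPilot's own code): it completes a TLS connection, reads the leaf certificate that any browser would see, and records expiry, issuer and validity. The host name and sample certificate fields are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def summarize_certificate(cert: dict, now: datetime) -> dict:
    """Reduce a getpeercert()-style dict to the fields the check records."""
    # notAfter uses OpenSSL's text form, e.g. 'Jun  1 12:00:00 2026 GMT' (UTC)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {attr: value for rdn in cert.get("issuer", ()) for attr, value in rdn}
    days_left = (not_after - now).days
    return {
        "expires_at": not_after.date().isoformat(),
        "issuer": issuer.get("organizationName", "unknown"),
        "days_left": days_left,
        "valid": days_left >= 0,
    }

def check_domain_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake to `host` and read the leaf certificate; no HTTP request is sent."""
    ctx = ssl.create_default_context()  # verifies chain and hostname the way a browser would
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, hostname mismatch or expired cert: record the failure, not a crash
        return {"host": host, "valid": False, "error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        # Check could not complete at all: this is the "limited data" case, not a failed cert
        return {"host": host, "valid": None, "error": str(exc)}
    return {"host": host, **summarize_certificate(cert, datetime.now(timezone.utc))}

if __name__ == "__main__":
    print(check_domain_tls("example.com"))  # constructed host name for illustration
```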

RDAP / domain registration expiry

CertPilot queries public RDAP (Registration Data Access Protocol) endpoints for each domain. RDAP is the modern, structured replacement for WHOIS and provides domain expiry dates and registrar information. CertPilot does not access registrar accounts or modify any registration data.
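An added example (not CertPilot's code) of what an RDAP domain lookup yields and how the expiry date and registrar are pulled out of the JSON response; the sample response is constructed, and the RDAP base URL is a placeholder you would take from the IANA bootstrap file for the TLD.

```python
import json
import urllib.request
from typing import Optional

def parse_rdap_domain(body: str) -> dict:
    """Extract expiry, registrar and status flags from an RDAP domain response (RFC 9083 shape)."""
    data = json.loads(body)
    expires_at: Optional[str] = None
    for event in data.get("events", []):
        if event.get("eventAction") == "expiration":
            expires_at = event.get("eventDate")  # ISO 8601, e.g. 2026-09-30T04:00:00Z
    registrar: Optional[str] = None
    for entity in data.get("entities", []):
        if "registrar" not in entity.get("roles", []):
            continue
        # vcardArray is ["vcard", [[name, params, type, value], ...]]; "fn" is the display name
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "fn":
                registrar = prop[3]
    return {
        "domain": data.get("ldhName"),
        "expires_at": expires_at,          # None: registry did not publish it ("limited data")
        "registrar": registrar,
        "status": data.get("status", []),  # e.g. ["client transfer prohibited"]
    }

def fetch_rdap_domain(domain: str, base_url: str) -> dict:
    """GET <base_url>/domain/<name> unauthenticated; no registrar login is involved.
    base_url is a placeholder: use the RDAP server listed for the TLD in IANA's bootstrap file."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/domain/{domain}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_rdap_domain(resp.read().decode("utf-8"))

# Constructed sample response, trimmed to the fields the check records
SAMPLE_RDAP = json.dumps({
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2016-09-30T04:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2026-09-30T04:00:00Z"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Example Registrar, Inc."]]]}],
})
```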

DNS records

CertPilot queries public DNS for A, AAAA, MX, NS, TXT, and CAA records on each domain. These are public records that any DNS lookup tool can return. CAA records are recorded for certificate-authority context. When a previous DNS snapshot exists, CertPilot compares the current records to it and flags changes — record removals, new entries, or value changes — so unexpected DNS modifications surface before they cause problems. For older snapshots taken before CAA was captured, CertPilot waits until the next snapshot before alerting on CAA changes, so historical gaps do not trigger false-positive drift alerts.
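The snapshot comparison and the CAA historical-gap rule, as an added example that is not CertPilot's code. A record type absent from the previous snapshot is treated as "never captured" and skipped, while a type captured with no values is an empty set and does get compared; the snapshots are constructed.

```python
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[str]]  # record type -> values; a type missing from the dict was never captured
Change = Tuple[str, str, str]   # (record type, "added" | "removed" | "changed", value)
TRACKED = ("A", "AAAA", "MX", "NS", "TXT", "CAA")

def diff_snapshots(previous: Snapshot, current: Snapshot) -> List[Change]:
    """Flag removals, additions and in-place value changes between two DNS snapshots."""
    changes: List[Change] = []
    for rtype in TRACKED:
        if rtype not in previous:
            # Historical gap: this type was not captured when the previous snapshot was taken
            # (e.g. CAA on older snapshots). Skip it; the next snapshot becomes the baseline.
            continue
        old, new = previous[rtype], current.get(rtype, set())
        if old == new:
            continue
        if len(old) == 1 and len(new) == 1:
            # Single-valued record replaced in place: report one value change, not remove+add
            changes.append((rtype, "changed", f"{next(iter(old))} -> {next(iter(new))}"))
            continue
        changes.extend((rtype, "removed", v) for v in sorted(old - new))
        changes.extend((rtype, "added", v) for v in sorted(new - old))
    return changes

# Constructed snapshots: the older one predates CAA capture, so it has no "CAA" key at all
PREVIOUS: Snapshot = {
    "A": {"192.0.2.10"}, "AAAA": set(),
    "MX": {"10 mail.example.com."},
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "TXT": {"v=spf1 include:_spf.example.net -all"},
}
CURRENT: Snapshot = {
    "A": {"192.0.2.20"}, "AAAA": set(),
    "MX": {"10 mail.example.com."},
    "NS": {"ns1.example.net."},
    "TXT": {"v=spf1 include:_spf.example.net -all"},
    "CAA": {'0 issue "letsencrypt.org"'},
}

if __name__ == "__main__":
    for rtype, kind, value in diff_snapshots(PREVIOUS, CURRENT):
        print(f"{rtype:5} {kind:8} {value}")
```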

Email authentication DNS records

CertPilot reads the domain-level DNS records that govern email authentication — MX, SPF, DMARC, MTA-STS, TLS-RPT, and BIMI. This is public DNS metadata only. CertPilot does not scan mailboxes, read message headers or bodies, or send email on your behalf.
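Where each of these records lives in DNS and what a domain-level read yields, as an added example (not CertPilot's code). It takes TXT answers keyed by name, so it runs offline against the constructed records below; the label names (`_dmarc`, `_mta-sts`, `_smtp._tls`, `default._bimi`) are the standard locations.

```python
import re
from typing import Dict, List, Optional

TxtRecords = Dict[str, List[str]]  # DNS name -> TXT strings returned for it

def email_auth_posture(domain: str, txt: TxtRecords) -> dict:
    """Summarise the public email-authentication records for `domain` from TXT answers."""
    def find(name: str, prefix: str) -> List[str]:
        return [r for r in txt.get(name, []) if r.lower().startswith(prefix)]

    spf = find(domain, "v=spf1")
    dmarc = find(f"_dmarc.{domain}", "v=dmarc1")
    mta_sts = find(f"_mta-sts.{domain}", "v=stsv1")
    tlsrpt = find(f"_smtp._tls.{domain}", "v=tlsrptv1")
    bimi = find(f"default._bimi.{domain}", "v=bimi1")

    policy: Optional[str] = None
    if dmarc:
        # p= is the domain policy tag; sp= (subdomain policy) must not be mistaken for it
        m = re.search(r"(?:^|;)\s*p=(\w+)", dmarc[0], re.I)
        policy = m.group(1).lower() if m else None

    return {
        "spf": bool(spf),
        # More than one SPF record is a configuration error (RFC 7208): worth surfacing as such
        "spf_record_count": len(spf),
        "spf_all": spf[0].split()[-1] if spf else None,  # e.g. "-all" (fail) or "~all" (softfail)
        "dmarc_policy": policy,                           # none / quarantine / reject
        "mta_sts": bool(mta_sts),
        "tlsrpt": bool(tlsrpt),
        "bimi": bool(bimi),
    }

# Constructed TXT answers for a sample domain
SAMPLE_TXT: TxtRecords = {
    "example.com": ["v=spf1 include:_spf.example.net -all", "google-site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@example.com"],
    "_mta-sts.example.com": ["v=STSv1; id=20240101T000000"],
    "_smtp._tls.example.com": ["v=TLSRPTv1; rua=mailto:tlsrpt@example.com"],
}
```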

Public vendor status feeds

CertPilot caches official, public status feeds published by a fixed list of vendors and surfaces their current state. These are the vendors’ own public pages — CertPilot performs no synthetic uptime probing, makes no tenant-specific impact claims, and uses no customer credentials.

The registers you maintain

Registers are records your team keeps current by hand, with CSV import/export available on most of them. CertPilot does not discover, sync, or auto-populate this data from your internal systems.

Renewals & vendors

Contracts, renewal dates, costs, and decision and ownership context for the software, hosting, and licenses your team is responsible for.

People & accounts

The people in your organisation and the system accounts they hold, including an accounts matrix view.

Assets

Hardware and software your team tracks. Manual-first — no MDM, endpoint monitoring, or automatic SaaS discovery.

Access reviews

Who has access to which systems, reviewed on a cadence, with an immutable completion log of finished reviews.

Systems catalog

The manual list of systems that defines the columns in your access-review matrix. No connectors, discovery, or CMDB.

Domain governance metadata

Customer-entered owner, purpose, lifecycle status, and renewal-decision notes per domain. This metadata is evidence only and does not change technical health scoring.

SSL readiness metadata

How each domain’s certificate renewal path is handled, for planning around shorter certificate lifetimes. Planning evidence only — CertPilot does not issue, install, renew, or automate certificates.

Email sending sources

The systems that send email from each monitored domain, with their type, sending method, and customer-judged authentication alignment. Customer-entered metadata only — no mailbox scanning and no email sending on your behalf.

The evidence reports you can generate

Each report is a management-ready PDF built from your latest checks and registers. All are generated on demand.

Domain Health

SSL, DNS, domain expiry, and DNS changes, plus a domain-governance review summary.

Renewal Risk

Upcoming and overdue renewals with cost and decision/ownership risk context.

Monthly Proof

A monthly management summary of governance activity, including a DNS-changes section.

Weekly Governance (on-demand only)

A weekly-format governance summary you generate when you need it. There is no weekly cron and no automated email digest.

Access Review Register

The current access-review state plus the latest completed-review block.

Governance Evidence Pack

A cross-module executive summary; people/accounts, assets, and vendor status appear as summary counts only.

These reports document operational work. They are not a compliance certification and not an audit guarantee.

What CertPilot does not do

  • Does not provide compliance certification (NIS2, ISO, SOC 2, or any other)
  • Does not provide legal advice or any legal guarantee
  • Does not perform vulnerability scanning or security audits
  • Does not monitor uptime, availability, or response time
  • Does not test page speed or performance
  • Does not monitor employees or score productivity
  • Does not scan email content, documents, or chat messages
  • Does not inspect AI prompts or AI responses
  • Does not connect to Google Workspace or Microsoft 365 — no such connector is live yet
  • Does not restore, roll back, or make DNS changes
  • Does not issue, install, renew, or automate SSL/TLS certificates
  • Does not access login credentials or admin panels
  • Does not scrape private pages or site content
  • Does not require registrar, DNS provider, or website admin access

Status meanings

Green — Healthy

All checks passed. SSL is valid with sufficient runway, domain registration is active, and DNS records match the previous snapshot.

Yellow — Attention needed

Something requires review before it becomes a problem. Common causes: SSL or domain expiry within the warning window, or a DNS record change detected.

Red — Action required

A check has failed or an issue is critical. Common causes: SSL expired or expiring very soon, domain registration lapsed or expiring imminently.

Limited data

A public data source returned incomplete information or a check could not complete. This may be a transient issue with the public data source, or the domain may not have a public record available.

Data and privacy

CertPilot stores the domain names you add, the results of each public check (certificate expiry dates, DNS records, RDAP data), the alerts generated from those results, and the register records your team enters (which can include names and account identifiers). Register data is scoped to your account and is not shared across customers. CertPilot does not store site content, login credentials, or any private account data, and it does not read your mailboxes, documents, or chats.

  • No registrar credentials required or stored
  • No DNS provider API keys required or stored
  • No website admin credentials required or stored
  • All data used is from public technical records

For more detail on data handling, see the Privacy Policy.

Questions about methodology? hello@certpilot.app