What CertPilot Is — and What It Is Not
CertPilot turns public-signal checks and customer-maintained registers into IT governance evidence reports — what it does and deliberately does not do.
Updated 12 June 2026
CertPilot turns public-signal checks and customer-maintained registers into management-ready IT governance evidence reports for lean IT teams, MSPs, and agencies. That sentence — the same one that anchors the CertPilot homepage — is the whole product; everything below is detail and boundary.
This page exists because category labels mislead. CertPilot is adjacent to several tool categories — GRC, monitoring, asset management — without being any of them, and an honest map of what it does and deliberately does not do is more useful than a feature list. Live-feature claims on this page last verified: 2026-06-12.
The condensed version: CertPilot runs automated checks on public signals (SSL, DNS, domain registration, email-authentication records), provides manual-first, CSV-friendly registers (renewals and vendors, people and accounts, assets, access reviews), and generates evidence reports on demand. It is not GRC software, not a SIEM, CASB, MDM, or RMM, not a vulnerability scanner, not compliance certification, and not legal advice. It performs no employee surveillance, no content scanning of email, documents, or chat, and no productivity scoring.
What CertPilot Is
CertPilot implements the Checks + Registers → Evidence Reports model: machines verify public signals, you maintain registers of what machines cannot see, and both render into dated reports. The platform overview covers the modules in depth; here is the live set.
The checks
External Footprint Monitoring runs daily automated checks against publicly observable signals: SSL/TLS certificate status and expiry, DNS records, and domain registration status via RDAP. Email Authentication Monitoring checks the public DNS records that govern email trust — MX, SPF, DMARC, MTA-STS, TLS-RPT, and BIMI — at the domain level only. No mailbox is ever accessed; these records are published in public DNS precisely so they can be read. The methodology page documents exactly what every check reads and how results are interpreted.
The registers
Four customer-maintained, manual-first registers, all CSV-friendly (import and export):
- Renewals & Vendor Register — subscriptions, contracts, and renewal dates with named owners.
- People & Accounts Register — who works at the organization and which systems each person has accounts on, including an accounts matrix view.
- Assets Register — hardware and software the organization possesses.
- Access Reviews — periodic recorded reviews of who has access to what, with a systems catalog, matrix editing, an immutable completion log, and configurable email reminders.
"Customer-maintained" is a design decision, not a missing feature: register knowledge enters on a human's authority, dated and attributed, rather than being inferred by sync or discovery.
The evidence reports
Five report types, generated on demand from live check data and your registers: Domain Health, Renewal Risk, Monthly Proof, Weekly Governance (on-demand — there is no automated weekly email delivery today), and the Access Review Register report. The evidence reports module page describes each, and the sample reports gallery holds fully rendered examples with placeholder data, so you can judge the artifact before creating an account.
Alongside the platform, CertPilot offers seven free public tools — single-purpose checks (domain health, SSL readiness, email authentication, trust signals, and others) that run against public signals with no signup.
What CertPilot Is Not
These are permanent product boundaries, not roadmap gaps. Each exists for a reason.
Not a GRC suite. CertPilot has no risk registers, policy workflows, control frameworks, or audit-management features, and does not intend to grow them. It covers one narrow slice — operational evidence — simply, for companies where a GRC implementation would cost more than the problem.
Not a SIEM, CASB, MDM, or RMM. CertPilot does not collect logs, broker cloud-app traffic, manage devices, or remotely administer endpoints. Nothing is installed anywhere; no agent exists.
Not a vulnerability scanner or security audit. Checks read public signals; they do not probe for weaknesses, test configurations from the inside, or assess security posture. A CertPilot report should never be read as "this organization is secure" — and CertPilot's own reports never make that claim.
Not compliance certification. CertPilot does not certify against NIS2, ISO 27001, SOC 2, GDPR, or anything else, and no output of the product constitutes certification or audit evidence by itself. It helps organize the operational evidence that makes such conversations easier. That is the full extent of the claim.
Not legal advice and not an audit substitute. Evidence reports support internal governance routines and help prepare management-ready evidence; what any regulator, auditor, or court requires is a question for your advisors.
Not employee surveillance — in any form. CertPilot never scans email content, documents, files, or chat messages; never inspects prompts or responses of any AI tool; never tracks activity, keystrokes, or screens; and computes no productivity metrics. The registers contain only what your team deliberately enters. This boundary is architectural: the checks have no access to anything internal to scan.
Roadmap Versus Live
Some capabilities are planned, not live — and this page only ever describes what is live. Connectors to admin-level metadata in systems such as Google Workspace and Microsoft 365 are planned, not live: CertPilot does not connect to Google Workspace, Microsoft 365, or Copilot today. Likewise not live: automatic SaaS discovery, directory sync, an MSP multi-client governance view, and automated weekly report delivery. When any of these ships, this page and its verification date will be updated; until then, assume any capability not listed in the "What CertPilot Is" section above does not exist.
Who CertPilot Is For
- Lean internal IT teams at roughly 50–500-employee companies — the IT manager asked to "show that IT is under control" who has spreadsheets, screenshots, and no appetite for enterprise GRC.
- MSPs that need recurring, client-ready proof of governance work across the domains they manage.
- Web agencies producing monthly proof-of-work reports for client websites and domains — CertPilot's original use case, still fully supported.
A typical first hour: add a domain, watch the checks populate (certificate, DNS, registration, email authentication), import an existing renewals spreadsheet via CSV, and generate a first Domain Health report — a dated PDF you could forward unedited.
| CertPilot is | CertPilot is not |
|---|---|
| Automated checks of public signals | A vulnerability scanner or security audit |
| Manual-first, CSV-friendly registers | Directory sync or SaaS discovery |
| On-demand evidence reports (PDF) | Automated weekly report delivery |
| Operational evidence support | Compliance certification or legal advice |
| Zero internal access by design | Surveillance, content scanning, or productivity scoring |
In Short
- CertPilot turns public-signal checks and customer-maintained registers into management-ready evidence reports, on demand.
- Live today: external footprint and email-authentication checks, four registers, five report types, a sample gallery, and seven free tools.
- Permanently out of scope: GRC, SIEM/CASB/MDM/RMM, vulnerability scanning, certification, legal advice, and every form of employee surveillance or content scanning.
- Planned but not live: Workspace/M365 connectors, SaaS discovery, directory sync, multi-client MSP views, automated weekly delivery.
- When in doubt, trust the boundary: if it would require internal access or watching people, CertPilot does not do it.
Frequently Asked Questions
Does CertPilot connect to Google Workspace or Microsoft 365?
No. Connectors are planned, not live — CertPilot has no integration with Google Workspace, Microsoft 365, or Copilot today. All current checks read public signals only, and all register data is entered or CSV-imported by your team.
Does CertPilot scan email or files?
No, and it never will. Email Authentication Monitoring reads public DNS records (SPF, DMARC, MX, MTA-STS, TLS-RPT, BIMI) about your domain — it has no access to any mailbox or message. No CertPilot feature reads email content, documents, files, or chat.
Is CertPilot a compliance certification tool?
No. CertPilot helps organize operational evidence that supports compliance-adjacent conversations — security questionnaires, insurance applications, management reviews. It does not certify against any framework, and its reports are not audit guarantees or legal advice.
Does CertPilot monitor employees?
No. There is no activity tracking, no device agent, no content inspection, and no productivity measurement anywhere in the product. People appear in CertPilot only as register entries your team deliberately creates — a name, the systems they have accounts on, and access-review records.
How do I get started?
The free public tools run individual checks with no signup, and the sample reports gallery shows finished report examples. The platform overview describes plans and trial access — pricing and signup details live there rather than in this article, so they stay current.