About Moat Watcher
Moat Watcher, operated by Cutaway Security, is a passive external attack-surface (EASM) and OSINT monitoring service built for cooperatives and smaller critical-infrastructure businesses - electric, water, gas/oil, and manufacturing.
What it monitors
- Exposure - discovers your internet-facing services and reconciles them against the assets you declare, flagging unexpected exposure and configuration drift.
- Vulnerabilities & advisories - matches your declared edge devices to CISA KEV (actively exploited), ICS advisories, and NVD CVSS - even for devices that are not externally visible.
- Certificates - tracks your TLS certificates for expiry, weak or self-signed certs, and unexpected changes.
- Look-alike / typosquat domains - domains registered to resemble yours, highlighting the mail-capable ones used for payment-diversion and phishing.
- Credential exposure - breach exposure for the people you choose to monitor.
- Email authentication - SPF / DKIM / DMARC / MTA-STS gaps.
How it works
A deterministic engine runs weekly, normalizes and diffs the results against history, and risk-tiers the changes; a narrow AI layer then turns each change into a plain-language recommendation grounded in a Cutaway-authored playbook. You receive an emailed report (a human-readable PDF plus machine-readable formats, delivered encrypted) and a login portal. The service is passive (no active scanning of third-party infrastructure), human-gated at setup, and autonomous in operation.
Principles
- Authorization first - collection runs only after you attest that you own or are authorized to monitor the assets in scope.
- Your data is yours - strict per-tenant isolation; Cutaway account administration cannot read your findings through the application.
- Bring your own keys - you provide your OSINT source API keys, encrypted at rest.
Powered by
Moat Watcher integrates the OSINT sources and tools below. Sources marked with a key tier are bring-your-own-key: you supply the API key (encrypted at rest) on the Scope & keys page, and Moat Watcher only queries your own assets. The others require no key.
| Service / tool | What it adds | API key |
|---|---|---|
| Shodan | internet-exposed service discovery | API key (paid/free tier) |
| Netlas | exposure and TLS-certificate discovery | API key (free tier available) |
| Have I Been Pwned | credential-breach exposure for monitored accounts | API key (paid) |
| NVD - NIST National Vulnerability Database | CVE and CVSS vulnerability data | free API key |
| CISA Known Exploited Vulnerabilities (KEV) | actively-exploited CVE catalog | none needed |
| dnstwist | look-alike / typosquat domain detection | none needed |
| Email authentication (SPF / DKIM / DMARC / MTA-STS) | mail-security posture via public DNS | none needed |
Source names and marks are the property of their respective owners; each is credited on the findings it produces.