One platform, four data planes, six modules
ScruteX is a unified CTEM and CTI platform. Four continuous data planes feed an AI-augmented Exploit Context Layer, which drives the modules your team uses every day. This page explains how the architecture fits together and what the platform actually does behind the dashboards.
Four continuous signals feed the platform
Each data plane runs independently and feeds the Exploit Context Layer. No plane is optional, because each one supplies information the others cannot. Together they answer the question every CISO actually wants answered: what can an attacker do to us, today, given everything we have.
External attack surface
Continuous discovery of internet-facing assets, ports, certificates, web technologies, and DNS configurations. The starting point for every other module, because you cannot defend what you cannot see.
Threat intelligence
Live feeds of threat actors, TTPs, campaigns, and IOCs. Mapped to your sector and geography, enriched with VirusTotal, OTX, Shodan, AbuseIPDB, Passive DNS, and WHOIS context.
Dark web and data exposure
Continuous scanning of forums, marketplaces, Telegram, paste sites, and breach corpora. Stealer logs, leaked credentials, and exposed source code surface against your domains and employees.
Vendor and brand signals
Third-party posture data, lookalike domains, fake mobile apps, and impersonation infrastructure. Continuous signals from outside your perimeter that affect your customers and supply chain.
The Exploit Context Layer
The four data planes produce more raw signal than any team can read. The Exploit Context Layer is the AI pipeline that turns volume into context. For every finding, it asks three questions before the alert reaches a human: is there a working exploit, is it being used in the wild against organisations like yours, and is the affected asset reachable from where an attacker can actually get to it.
That answer is what arrives in your queue. Not a CVE number with a 9.8 CVSS score and no context, but a finding that has already been correlated against active threat actor TTPs, KEV listings, EPSS scores, and your own asset criticality. Most findings die in the layer. The handful that emerge are the ones that an attacker could use against you in practice, not just in theory.
The same AI substrate powers two human-facing surfaces inside the platform. The AI Pen Testing Agent takes a target and a goal, drafts a scan plan, and waits for a human to approve before executing. The AI Vendor Questionnaire tool takes a supplier’s questionnaire spreadsheet and drafts responses from your existing trust evidence. Both are agentic, both run with mandatory approval gates, and both exist for the same reason: the boring work in security operations is the work most likely to get skipped, and skipping it is where breaches start.
What ScruteX delivers in practice
The architecture above produces three categories of value. We talk about them as pillars because they are the framings buyers tend to think in.
Continuous Exposure Management
Real-time attack surface mapping that keeps pace with how your environment and the threat landscape actually change. Not a snapshot. Not a quarterly scan. A live picture, every day.
AI-Augmented Threat Intelligence
Exploit context that moves beyond CVSS to answer the question that matters: is this vulnerability exploitable in my environment, against my assets, right now? The Exploit Context Layer enriches every finding with weaponisation status and active campaign data before it reaches your queue.
Intelligence-Led Red Teaming
Scope, execute, and track adversarial simulations using live threat intelligence about who is targeting your sector. Closes the loop between the once-a-year red team exercise and continuous monitoring, so assessment value compounds instead of expiring with the contract.
Four convictions behind every product decision
When the engineering and product teams disagree about a feature, these are the principles we use to break the tie. They are not slogans. They are the reason ScruteX is built the way it is.
Intelligence-led, not noise-driven
Every finding carries exploit context. CVSS scores in isolation tell you a vulnerability exists. They do not tell you it is being weaponised against your stack right now. That distinction is the entire product.
Continuous, not periodic
Your attack surface changes every deployment. The threat landscape changes every day. A six-month-old assessment is a liability dressed as a deliverable. The platform is built to operate at the same tempo as the attackers.
Context-aware prioritisation
The same vulnerability ranks differently for a bank than for a SaaS startup. Findings are weighted against your sector's active threat actors, the criticality of the affected asset, and whether anything is genuinely reachable from outside.
Unified, not fragmented
Attack surface, data exposure, brand, vendor, and threat intelligence sit on one platform. One contract, one data model, one set of integrations. This is where teams find the time to actually act on findings instead of running an integration backlog.
Five stages, run continuously
Gartner’s CTEM framework defined the five stages. Most security programmes run them as discrete projects. ScruteX runs them as a continuous loop, every day, across every module.
- 01 Scoping: Engagement starts with client-shared inputs: domains, brand keywords, executive identities, business context. Bounding the attack surface and defining what matters comes first, not last.
- 02 Discovery: Continuous external discovery of internet-facing assets and exposures across the dark web, Telegram, OSINT, and your live attack surface. New assets surface within hours.
- 03 Prioritisation: Findings are enriched with threat intelligence and mapped to MITRE ATT&CK techniques, then cross-referenced against active campaigns in your sector and geography.
- 04 Validation: Prioritised findings are validated through AI-driven CART and automated penetration testing, confirming exploitability before escalation.
- 05 Mobilisation: Two-way ticketing integration with takedown support. Findings flow into the workflows your team already uses. Agentic remediation is in build for selected categories.
Six modules sit on the platform
Each module exposes a different facet of the same underlying architecture. Customers usually start with two or three modules and expand from there. A seventh module, AppSec Insights, is in beta.
Vulnerability Insights
External attack surface scanning, prioritised by exploitability.
Data Exposure Insights
Dark web, paste site, and breach corpus monitoring.
Brand Insights
Lookalike domains, fake apps, and impersonation campaigns.
Vendor Insights
Continuous third-party posture and questionnaire workflow.
Threat Insights
Curated threat actor and IOC intelligence for your sector.
Red Teaming and Pen Testing
Continuous Automated Red Teaming with on-demand pen tests.
Managed SaaS, agentless, no infrastructure required
ScruteX runs as a managed SaaS platform. Onboarding does not require agents, network sensors, or VPN tunnels. The platform sees what an external attacker would see, which is the entire point.
The onboarding timeline is deliberate. Day one is a scoping call to share domains, brand keywords, and executive identities. Week one is asset discovery and baseline mapping. Week two delivers your first prioritised assessment. Week three onwards is continuous monitoring, advisories, validation, and ticketing integration.
Fits into your stack, doesn’t replace it
Findings need to land in the workflow your team already uses. The integration roadmap covers SIEM and SOAR platforms, ticketing systems, chat and paging, cloud and identity providers, and BI tools. A REST API and webhook layer covers anything not on the integration roadmap.
From scoping call to continuous monitoring in three weeks
The first prioritised threat assessment lands in week two. Continuous monitoring takes over from week three.
Scoping call
Share domains, brand keywords, and executive identities. Define what is in scope.
Asset discovery
Guided discovery of internet-facing assets and baseline exposure mapping across modules.
Baseline assessment
First prioritised threat assessment delivered, with findings ready for review and action.
Continuous monitoring
Ongoing surveillance, advisories, validation, and ticketing integration live and running.
See the platform in your environment
Book a live demo and we'll run a baseline scan against your domains during the call. Output by the end of the session, not next quarter.