Olimpio is an automated external security scanner. Understanding what it does and does not do helps you use it effectively and set appropriate expectations with your team, clients, and insurers.
What Olimpio is
Olimpio performs automated external reconnaissance — it checks your domain and services from the public internet, the same way an attacker would before attempting to target your business. It identifies misconfigurations, exposed services, weak security headers, email authentication gaps, and known vulnerabilities in internet-facing infrastructure.
What Olimpio is not
Not a penetration test. A penetration test involves a human security professional actively attempting to exploit vulnerabilities, chain findings together, test business logic, assess internal systems, and think creatively about attack paths that automated tools miss. Olimpio identifies what is exposed and misconfigured — it does not attempt to exploit anything it finds.
Not an internal security assessment. Olimpio only scans publicly routable addresses. Private IP ranges are blocked at the API level. We cannot see inside your network, assess internal systems, or test anything that is not reachable from the public internet.
Not a code security tool. Olimpio does not analyse source code, dependencies, container images, or infrastructure configuration files. For code-level security, dedicated tools such as static analysis scanners and software composition analysis are appropriate.
Not a guarantee. The absence of findings in an Olimpio report does not mean your systems are secure. Automated scanning has inherent limitations — it cannot find every vulnerability, and new vulnerabilities are discovered continuously. A clean scan result reflects the state of your external attack surface at a point in time, not a permanent certification of security.
Known limitations
Subdomain coverage is capped at 20. Large organisations with many subdomains will see partial coverage. We scan the first 20 subdomains discovered, not every subdomain that exists.
WAFs and CDNs reduce findings. If your infrastructure sits behind an aggressive web application firewall or DDoS protection service, scanner traffic may be rate-limited or blocked. This produces fewer findings, not false positives — but it also means genuine issues behind the WAF may not surface.
IP scanning has reduced coverage. Scanning a bare IP address skips all DNS hygiene checks (SPF, DMARC, DKIM, CAA, DNSSEC). For full coverage, scan the associated domain name.
Cloud provider IPs return minimal findings. IPs belonging to Google Cloud, AWS, Azure, or Cloudflare are protected by their provider's network perimeter. Scanner traffic rarely reaches your actual service. Scan the domain instead.
Template coverage is curated, not exhaustive. We run a carefully selected set of vulnerability templates rather than the full community template library. New vulnerabilities may not be covered until templates are updated.
No TLS cipher suite enumeration. We check certificate expiry and basic TLS issues but do not perform full cipher suite analysis. For a complete TLS audit, use a dedicated tool such as testssl.sh.
Results are point-in-time. Your security posture changes continuously. A finding that is not present today may appear after a software update, configuration change, or the discovery of a new vulnerability. Scheduled scans help maintain ongoing visibility.
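To illustrate the public-address restriction and the reduced coverage for bare IPs described above, here is an added example that is not Olimpio's own code. It is an offline pre-check that tells you, before you submit a target, whether it is a domain, a bare public IP (DNS hygiene checks skipped), or an address that is not publicly routable. The function names and verdict labels are hypothetical, and the sample targets are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# DNS hygiene checks the page says are skipped when a bare IP is scanned.
DNS_CHECKS = ["SPF", "DMARC", "DKIM", "CAA", "DNSSEC"]


def extract_host(target):
    """Pull the host out of a URL, host:port, bracketed IPv6 or bare host/IP."""
    raw = target.strip()
    try:
        ipaddress.ip_address(raw)      # bare IPv4/IPv6 literal (no brackets, no port)
        return raw
    except ValueError:
        pass
    try:
        parts = urlsplit(raw if "://" in raw else "//" + raw)
    except ValueError:                 # e.g. malformed bracketed host
        return ""
    return (parts.hostname or "").rstrip(".")


def classify_target(target):
    """Hypothetical pre-scan triage: what coverage should this target expect?"""
    host = extract_host(target)
    if not host:
        return {"host": host, "verdict": "invalid", "skipped_dns_checks": DNS_CHECKS[:]}
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name: DNS checks apply. Not resolved here, so a name that points at
        # private space is not detected by this offline check.
        return {"host": host, "verdict": "domain", "skipped_dns_checks": []}
    if not ip.is_global:
        # RFC 1918, loopback, link-local, CGNAT (100.64.0.0/10), documentation ranges
        return {"host": host, "verdict": "not-public", "skipped_dns_checks": DNS_CHECKS[:]}
    return {"host": host, "verdict": "bare-ip", "skipped_dns_checks": DNS_CHECKS[:]}


if __name__ == "__main__":
    # Constructed sample targets.
    for t in ["https://example.com:8443/login", "10.0.0.5", "100.64.0.1",
              "[2001:db8::1]:443", "8.8.8.8"]:
        print(t, "->", classify_target(t))
```

The check uses `is_global` rather than `is_private` so that shared address space such as 100.64.0.0/10, which is neither private nor publicly routable, is also flagged.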
Disclaimer
This report was produced by Olimpio Security based on a point-in-time automated scan. Automated scanning identifies technical vulnerabilities in externally reachable services. It does not replace a manual penetration test, internal network assessment, physical security review, or social engineering assessment.
Remediation guidance provided is for informational purposes only. Before making changes to production systems, test in a staging environment and consult a qualified IT professional. Olimpio Security Ltd accepts no liability for changes made on the basis of scan results without appropriate professional review.
This service is provided in accordance with our Terms of Service and Privacy Policy.