Find exposed AWS access keys before hackers do

Continuously monitor your domains, apps, APIs, public JavaScript, and exposed services. Catch new exposures before they become incidents.

surfacedrift.com/overview

Overview

acme.com · 5 root domains · 218 assets

DoneUpdated 2m ago
Domains55 / 5 on plan
Checks12812 today
Priority issues32 critical · 1 high
Review queue71 running · 0 stale

Recent findings

SeverityFindingAssetSeen
CriticalExposed .env with live database URLapi.acme.com/.env4m ago
CriticalAuth bypass — API accepts JWT alg:noneapi.acme.com/v1/auth9m ago
MediumUndocumented admin API reachableapi.acme.com/internal/v21h ago
MediumStaging host publicly resolvablestaging.acme.com3h ago
LowSecurity headers missing on CDN hostcdn.acme.com1d ago

Vulnerabilities

9 open across acme.com

2 critical

Open issues

SeverityIssueAssetState
CriticalExposed .env with live database URLapi.acme.com/.envOpen
CriticalAuth bypass — API accepts JWT alg:noneapi.acme.com/v1/authOpen
HighAdmin panel reachable without authadmin.acme.comOpen
HighSubdomain takeover candidateblog.acme.comTriaging
MediumUndocumented admin API reachableapi.acme.com/internal/v2Open
MediumStaging host publicly resolvablestaging.acme.comTriaging

Hack Agent

Ask about exposure changes and what to fix next

Workspace context
What changed since the last check on acme.com?
SD

Ask about exposure changes…

Secrets

5 exposed in public assets on acme.com

1 high

Exposed secrets

SeveritySecretSource
HighAWS access key (long-lived IAM)AKIAQ4F7XKZ2NB6QF3J · wJalrXUtnFEMI…bPxRfiCY/assets/config.4c2.js
MediumSupabase anon keysb_pub_3f9a1c7e…e21/assets/vendor.4c2.js
MediumStripe webhook secretwhsec_9c41…2d/api/checkout.js
LowSentry DSNhttps://a1b2c3…@o42.ingest.sentry.io/assets/app.8f1c.js
LowGoogle Maps API keyAIzaSyB7…Xk/index.html

Built by a hacker who’s discovered & reported vulnerabilities to

Trademarks belong to their respective owners. Listed organizations run vulnerability disclosure programs where issues were responsibly reported — this is not an endorsement or partnership.

01See what changed

New secrets, API routes, reachable services, header drift, and JWT risks are separated from old findings.

02Open the evidence

Each item keeps the affected host, source file, matched context, first seen time, and recheck path.

03Hand off the fix

States, alerts, PDF proof, and targeted rechecks turn exposure review into an owner-ready packet.

Review loop

A recurring security review for AI-fast product changes.

AI-assisted shipping means public apps change constantly: new routes, client config, JavaScript bundles, and services appear between releases. Surface Drift keeps checking approved domains and hands you the security-relevant changes that need review.

JS

Public assets

Public bundles, source maps, Supabase/Firebase config, webhooks, DSNs, and JWT previews — every token-like value comes with the exact source file it leaked from.

API

API and host exposure

New routes, GraphQL hints, reachable hosts, staging surfaces, and admin panels — the services that actually matter, pulled out of the static-asset noise.

FIX

Posture and proof

TLS, DNS, and security-header drift, changed assets, finding states, PDF evidence, and a targeted recheck that verifies the fix once you ship it.

Capabilities

Everything is built around one question: what changed, and does it matter?

Scope

Your public surface keeps changing. We keep watching it.

AI-assisted shipping can add new routes, client config, JavaScript chunks, and reachable services faster than anyone reviews them manually. Each run compares the live surface against the last known state and pulls out changes with security impact.

  • Weekly or daily checks by plan
  • Security-impacting changes split from old noise
  • Root-domain limits that match each plan

Secrets

Token findings show the source and the likely cleanup path.

JavaScript secrets, Supabase/Firebase exposure, webhook URLs, DSNs, and JWT previews are grouped with evidence attached.

  • Source file and matched context
  • Decoded JWT previews with risky-claim flags
  • Weak signing-secret checks on higher plans

Discovery

New endpoints and services are filtered before they become work.

Owned API routes, GraphQL hints, staging exposure, admin surfaces, and sensitive services stay separate from CDN and image noise.

  • New endpoints flagged on first appearance
  • Reachable services and sensitive ports
  • Broader validation on Scale

Handoff

The output is a triage queue, not a raw scanner export.

States, PDF evidence, alerting, and recheck history keep cleanup moving without a separate spreadsheet.

  • Owner-ready fix packets
  • Exportable PDF evidence on every finding
  • Recheck history proves the fix held

Pricing

Know where your app is exposed and what to fix first.

Each plan watches your public app and turns risky changes into clear action items.

Pro

Daily drift
$199/mo

For teams shipping frequently that need daily drift detection and stronger validation before handoff.

  • 15 monitored root domains with daily JavaScript, API, service, and posture checks
  • Everything in Monitor, plus deeper endpoint validation and higher-frequency drift detection
  • AI Security Agent
  • JWT claim checks, weak signing-secret checks, auth-route signals, and risky client-side token usage
  • CVE and technology exposure hints mapped back to observed hosts and assets
  • Webhook, Slack, Telegram, and email alerts with shared triage workflow
Start Pro

Scale

Broader validation
$499/mo

For larger public surfaces that need broader validation, higher quota, and account-level summary.

  • 40 monitored root domains with priority daily checks across larger environments
  • Broader service and exposure validation across larger scopes
  • Advanced AI Security Agent
  • Expanded JWT weak-signing-secret audit and sensitive-service checks across the full scope
  • Higher-capacity triage queue for multi-domain teams, launches, and frequent production changes
  • Monthly expert exposure summary for leadership and engineering owners
Choose Scale

Surface Drift

Find out what your app is leaking right now.

Start monitoring my domains