Never lose a customer to an expired certificate again.
WASViking continuously discovers your public TLS certificates, tracks expiration on a policy your team controls, and grades transport posture per subdomain. Outage prevention and audit evidence in one place, with no spreadsheet to chase.
A certificate that expires on a Sunday is a Monday-morning incident.
Most teams still track TLS expiration in a spreadsheet maintained by whoever left the company last. The result is predictable: a public service goes down, customers see browser errors, and the security team explains a self-inflicted outage to the board.
Certificate Monitoring closes that gap with auto-discovery, a configurable alert policy, and a transport-posture grade per subdomain. The same evidence that prevents the outage also answers PCI DSS req 4.2.1 and ISO 27001:2022 control A.8.24.
```
[discovery] api.acme.com, SANs: api.acme.com, www.api.acme.com
[posture] issuer: DigiCert TLS RSA SHA256 2020 CA1
[posture] protocol: TLS 1.2, cipher: ECDHE-RSA (256 bits)
[alert] api.acme.com expires in 9 days (Expiring Soon)
→ alert routed per org policy: 30 / 15 / 7 days
→ evidence retained for audit and posture share
```
Discovery, expiration, and transport posture, on one timeline.
Every monitored subdomain is observed continuously. Findings are scored, deduplicated, and persisted in the same workflow your team already uses for scan results, with first-seen, valid-until, and reappeared events tracked over time.
Auto-discovery via SANs
Subdomains are discovered from the certificate's Subject Alternative Names as scans run, then promoted into the monitored inventory. New SANs are surfaced as drift events, not silent additions.
Multi-band expiration policy
Three configurable alert thresholds per organization, defaulted to 30, 15, and 7 days. Routed through the same notification channels as findings: email, Slack, Teams, webhook.
Transport posture per host
Issuer, protocol version, cipher suite, and key strength are recorded on every check. A weak protocol or an unexpected issuer is treated as a posture finding, not a cosmetic flag.
SAN drift and ownership
A new SAN on a known certificate and a known SAN appearing on a new certificate are both surfaced. The CISO sees the shadow asset before the attacker does.
Risk classification per subdomain
Each host carries a status (Valid, Expiring Soon, Expired) and a risk level derived from days remaining, protocol, and cipher. The dashboard ranks by risk, not by alphabet.
Monitoring toggle per host
Mark a subdomain as out of scope and the evidence is preserved with a clear audit trail. No silent removals, no quiet exceptions.
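The multi-band expiration policy and SAN drift check described above can be sketched as follows. This is an added example, not WASViking's code: the function names, the `staging.acme.com` entry and the sample dates are constructed, and it assumes that crossing any of the 30 / 15 / 7 day bands maps to the "Expiring Soon" status.

```python
import ssl
from datetime import datetime, timezone

THRESHOLDS = (30, 15, 7)  # alert bands in days: the defaults the page states

def days_remaining(cert, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expiry - now).days

def classify(days, thresholds=THRESHOLDS):
    """Return (status, band); band is the tightest threshold already crossed."""
    if days < 0:
        return "Expired", None
    crossed = [t for t in thresholds if days <= t]
    # Assumption: any crossed band counts as "Expiring Soon".
    return ("Expiring Soon", min(crossed)) if crossed else ("Valid", None)

def san_names(cert):
    """DNS names from subjectAltName, lower-cased for comparison."""
    return {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}

def san_drift(previous, current):
    """SANs added or removed between two observations of the same host."""
    old, new = san_names(previous), san_names(current)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

# Constructed sample data in the shape returned by ssl.SSLSocket.getpeercert().
NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
PREVIOUS = {"notAfter": "Jun 10 12:00:00 2025 GMT",
            "subjectAltName": (("DNS", "api.acme.com"), ("DNS", "www.api.acme.com"))}
CURRENT = {"notAfter": "Jun 10 12:00:00 2025 GMT",
           "subjectAltName": (("DNS", "api.acme.com"), ("DNS", "www.api.acme.com"),
                              ("DNS", "staging.acme.com"))}

if __name__ == "__main__":
    days = days_remaining(CURRENT, NOW)
    print(days, classify(days), san_drift(PREVIOUS, CURRENT))
```

The certificate dictionaries use the `notAfter` and `subjectAltName` layout that Python's `getpeercert()` returns, so the same functions can be fed from a live handshake.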
Outage prevention is a CISO outcome, not a checklist.
The cost of a single expired certificate on a customer-facing service is rarely the certificate. It is the support tickets, the SLA credits, the brand hit, and the post-incident review. Certificate Monitoring removes that class of incident from the table.
Continuity
No more lapsed certificates on production hosts. The team renews on time because the platform tells them when, not because someone remembered.
Audit evidence
Per-subdomain history of issuer, expiration, and posture grade. Attaches directly to the SBOM Evidence Bundle and Posture Share for vendor due diligence.
Attack surface clarity
The SANs list is an inventory of what is publicly bound to your brand. Drift on that list is an early indicator of an asset the security team did not know about.
Mapped to the controls your auditor already asks about.
Certificate posture is named explicitly in modern frameworks. WASViking surfaces the evidence in the same Compliance tab where the rest of your control mapping lives.
| Framework | Control | What Certificate Monitoring contributes |
|---|---|---|
| PCI DSS v4.0 | Req 4.2.1, inventory of trusted keys and certificates for PAN transmission | Live inventory of monitored hosts with issuer, protocol, cipher, and expiration evidence per subdomain |
| ISO 27001:2022 | Annex A.8.24, use of cryptography | Per-host record of TLS version and cipher suite, with policy-driven alerts on expiring or weak material |
| NIST CSF 2.0 | PR.DS-2, data in transit is protected | Continuous attestation that public endpoints carry valid, in-policy certificates and acceptable transport posture |
| LGPD · GDPR | Article 46 · Article 32 technical measures | Demonstrable encryption-in-transit control over time, exportable as evidence to data controllers and DPOs |