External Review Methodology
Clear, bounded, reproducible.
Our approach focuses on analyzing what is visible and accessible from the outside, without intrusive interaction with your production environment.
Framework
Main Steps
- Passive reconnaissance: mapping of subdomains, API routes, pages, documents, configurations, and exposed access points.
- Sensitive exposure detection: identification of data, exports, roles, and configurations that are visible or poorly protected.
- Evidence and reproduction: each finding is documented with a reproducible proof or a verifiable context.
- Business prioritization: linking vulnerabilities to your real data (employee records, payslips, contracts, etc.).
- Reporting and action plan: clear reporting with your team and delivery of a prioritized list of fixes.
Key Principles
- No modification to your production.
- Responsible disclosure aligned with ANSSI / ISO 29147.
- Clear language, adapted for CTOs and executives.
- Focus on real risks that could be exploited tomorrow.
What we verify in practice
- External attack surface: subdomains, staging environments, forgotten services, technical routes, panels, docs, and public metadata.
- Bundles and source maps: auth flows, roles, data models, endpoints, webhooks, internal URLs, public variables, and sensitive client-side logic.
- API and technical exposure: REST, GraphQL, Swagger/OpenAPI, schemas, back-office routes, response differences, and apparent access-control boundaries.
- Auth, roles, and data isolation: RLS, tenant separation, permissions, admin flows, reset logic, magic links, and incomplete policies.
- Storage and automation: buckets, signed URLs, webhooks, n8n/Make, HMAC signatures, admin flows delegated to automation, and direct file access by URL.
- Business and compliance context: personal data, health, finance, HR, legal data, enterprise questionnaires, CNIL, HDS, DORA, and PCI-DSS implications.
What we do not do without explicit authorization
- No brute force, credential stuffing, stress testing, or aggressive fuzzing.
- No account creation, no sensitive-flow execution, no data deletion.
- No large-scale download or extraction of personal data.
- No internal pivoting, no active intrusion, nothing that should be treated as a formal pentest.
What you receive
- External Review: one critical flaw surfaced with a clear attack scenario and evidence the client can understand immediately.
- Detailed report: findings ranked by severity, real impact, confidence level, evidence, recommendations, and fix priority.
- Owner action summary: an executive-facing summary of what is serious, what must be fixed now, and what should be planned next.
- Remediation framing: a fix-oriented view for engineers, with the logic behind each fix and the areas to revisit first.
Read next
- Full Audit: the right fit when you need to fix several issues and keep due-diligence evidence.
- External Review: the right format when you want the single most critical flaw nailed down first.
- External review vs pentest: a clear comparison of scope, cost, and use cases for both approaches.
- About: CleanIssue's approach and the logic driving the audits.