Proof-Backed Security Operations
Every operation witnessed. Every result verifiable.
WitnessOps produces signed, timestamped, offline-verifiable receipts for every governed operation. Deployments, promotions, approvals, and exceptions become portable proof objects — not just logs.
Verification does not depend on WitnessOps. Receipts can be checked independently using standard cryptographic signatures and timestamp proofs.
Built for teams that need to prove what was executed, what was approved, and what stayed in scope.
See the System in Action
Free Governed Reconnaissance
Enter your business email. We verify your domain, run a governed assessment of externally visible assets, and deliver a security report plus a signed receipt. No intrusive testing is performed without explicit approval.
Business email only. No Gmail, Outlook, or Yahoo.
Verify Your Email
One-time token to your business email. Confirms control of a mailbox on the business domain.
DOMAIN VERIFIED
Authorize the Test
You see exactly what will be tested. You approve the scope. This is the policy gate.
APPROVAL GATE
Get Your Report
Governed recon runs against your domain. You get a report and signed receipt.
RECEIPT SIGNED
Every Engagement Produces
A Signed Receipt with a Clear Verification Path
Receipts can be verified with the correct public key. Proof bundles extend this into portable, offline verification.
What You Receive
Report + Receipt + Evidence Path
Security Report
DNS, exposed services, TLS posture, security headers, subdomain inventory. Plain language findings with severity.
Signed Receipt
Signed record of the governed action: operator, policy gate, timestamp, chain link, and execution hash.
Evidence Chain
Receipts preserve continuity across governed steps. Changes to the signed record or its execution binding become detectable.
Verification Path
Verify the receipt signature with the correct public key. Full proof bundles are available for portable offline verification.
Without governed execution
Services
Governed Security at Every Scale
Every engagement runs through the same governed pipeline. The difference is depth.
TIER 1
Recon
See what's exposed. Get a signed receipt.
- ✓ External reconnaissance
- ✓ DNS + subdomain inventory
- ✓ TLS + headers review
- ✓ Signed receipt
- ✓ Security report
TIER 2
Assessment + Proof Bundle
Most teams start here
Full assessment. Portable proof. Independent verification.
- ✓ Everything in Recon
- ✓ Active vulnerability scanning
- ✓ Web application testing
- ✓ Multi-phase campaign
- ✓ Campaign receipt chain
- ✓ Portable proof bundle
- ✓ Independent verification link
- ✓ Executive report
TIER 3
Continuous
For regulated and high-trust environments
Ongoing governance. Recurring proof. Compliance-ready.
- ✓ Everything in Assessment
- ✓ Ongoing monitoring
- ✓ Incident response runbooks
- ✓ Receipt continuity review
- ✓ Recurring proof bundles
- ✓ Compliance-ready evidence
Documentation
Understand the System
Every concept is documented. Receipts, policy gates, trust boundaries, and failure modes.
ARCHITECTURE
Governed Execution
How WitnessOps wraps tooling in policy-gated, scope-enforced runbooks.
RUNBOOKS
Runbook Format
YAML workflow structure: steps, policy gates, approval controls, evidence output.
EVIDENCE
Receipt Model
How execution produces signed receipts, what the current public shape includes, and what stays in adjacent artifacts.
VERIFICATION
Receipt Verification
How to verify a receipt signature and executionHash, and how portable proof bundles enable offline verification.
TRUST
Threat Model
What WitnessOps controls, what it delegates, and where the trust assumptions are.
REFERENCE
Scope & Policy
Domain binding, target authorization, freemail rejection, and scope enforcement rules.
Your next pentest should produce proof.
Not screenshots. Not notes. Signed receipts that record what ran, who approved it, and whether it stayed in scope. Start with a free governed scan. See the receipt. Then decide.