Capability architecture
ReconDelta: context, validation and evidence.
This capability contributes to the same platform outcome: understanding realistic attacker exposure and proving what matters.
01Why it matters
- Most exposure risk comes from change: new services, test environments, expired certificates, shifted DNS and forgotten deployments.
- Point-in-time scanning misses drift between assessments.
- Teams need to know what changed, not just what exists.
02ThreatCanary approach
- Track first-seen, last-seen, times-seen and change events for assets and services.
- Compare current exposure against previous state and highlight meaningful deltas.
- Route drift to owners and validation workflows based on risk.
03What it validates or reveals
- Newly exposed services or APIs.
- Removed, flapping or reappearing assets.
- Changes that require retesting, ownership review or escalation.
04Evidence and outputs
- A clear explanation of the exposure, affected assets and likely attack path.
- Reproducible evidence suitable for analysts, developers and risk owners.
- Prioritisation based on exploitability, business impact, sensitive data and chainability.
- Owner, remediation and workflow context that can move into Jira, Slack, SIEM or reporting.
