About SentryScout

Passive security reconnaissance for Indonesian web properties

What is SentryScout?

SentryScout is an automated, passive-only security reconnaissance tool built into the Sentry monitoring platform. It discovers publicly-accessible Indonesian websites from the Tranco top-1M ranking list and performs non-intrusive checks to surface common security misconfigurations.

The goal is to identify websites that may benefit from a security review — not to exploit, attack, or access any systems.

How it identifies itself

Every request made by SentryScout uses the following User-Agent:

Mozilla/5.0 (compatible; SentryScout/1.0; +https://sentry-dev.modulus1.co/about-scout)

This means you can find SentryScout in your server access logs by searching for SentryScout.

What SentryScout DOES

A single HTTPS GET request to your homepage to check security response headers
HEAD requests to a short list of well-known paths (e.g. /.env, /.git/config) to check for accidental exposure — HEAD means no data is downloaded
A DNS TXT record lookup to check for SPF and DMARC records
Reads and respects your robots.txt — if User-agent: * with Disallow: / is set, SentryScout skips your domain entirely

What SentryScout NEVER does

Never sends exploit payloads or attack traffic
Never attempts to authenticate, log in, or bypass access controls
Never downloads or exfiltrates file contents (HEAD requests only for path probes)
Never runs active scanning tools (no ZAP active, no Nuclei active templates)
Never brute-forces passwords, IDs, or API keys
Never visits pages beyond the homepage and the fixed path whitelist
Never crawls your entire site

Scope of checks

SentryScout only checks the following — nothing beyond this list:

HTTP headers on your homepage: presence of HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy; Server and X-Powered-By version leaks
Exposed paths (HEAD requests, status code 200 check only): /.git/config, /.git/HEAD, /.env, /.env.local, /.env.production, /.DS_Store, /wp-config.php.bak, /wp-config.php~, /wp-config.old, /phpinfo.php, /info.php, /server-status, /server-info, /.well-known/security.txt, /sitemap.xml
DNS records: SPF and DMARC TXT record presence (via Cloudflare DNS-over-HTTPS)
TLS: basic HTTPS connectivity and certificate validity
Page body (first 200 KB only): source map references, mixed content links, CMS generator meta tag

Frequency

SentryScout scans the Tranco .id / .co.id domain list at a rate of approximately 50 domains per hour. Each domain is rescanned at most once every 14 days. Your domain appears in the queue only because it is listed in the publicly available Tranco top-1M ranking.

Who operates this?

SentryScout is operated by Dam Arfadillah, an independent developer and founder of Modulus1, based in Jakarta, Indonesia. Findings are used for internal market research and outreach — no data is sold or shared with third parties.

Opt-out

You can opt out in two ways:

robots.txt (recommended): Add the following to your /robots.txt to block all automated tools including SentryScout:

User-agent: *
Disallow: /
Or to block only SentryScout:
User-agent: SentryScout
Disallow: /
SentryScout checks and respects robots.txt before scanning.
Email opt-out: Send an email with the subject line Scout opt-out: [your domain] to request removal from the scan queue.

Want to opt out of SentryScout scans for your domain?

Email opt-out request

Replace [your-domain] in the subject line with your domain name. We'll add it to the permanent exclusion list within 48 hours.