Weak Node Classification & Detection System

Reverse Reachability. Zero footprint.

WNCDS traverses trust relationships backward from your protected assets to find every node that holds an unprotected path to your crown jewel data — using only publicly observable information. No authenticated access. No systems touched. No disruption.

[Figure: Reverse reachability map. Crown jewel (PA-1/2/3) and weak nodes WN-01 (CRITICAL), WN-02 (CRITICAL), WN-03 (HIGH), WN-04 (HIGH), WN-05 (HIGH).]

Total findings identified: 16
Case studies completed: 3
Per full reconnaissance: <20min
Systems touched: 0

Reverse reachability. Not forward exploitation.

Every other security methodology starts with the attacker and works forward. WNCDS starts with what matters — your protected assets — and traverses backward through every trust relationship to find every node that can reach them. The result is a consequence-classified map of your real exposure, derived entirely from public data.

01. Declare protected assets
Identify the data and systems whose compromise would trigger regulatory liability, client harm, or material reputational damage. These are the crown jewels.

02. Passive DNS enumeration
Enumerate all internet-facing infrastructure from publicly observable data — DNS A, MX, TXT, NS records and service banners. No credentials. No connections. No footprint.

03. Backward traversal
Traverse every authorised and trusted relationship from each node back to the declared protected assets. Every node that can reach a crown jewel is in scope for classification.

04. Consequence classification
Classify each reachable node by the maximum consequence reachable through its paths — not what it locally stores. WEAK_NODE · CONSEQUENCE_GOVERNED · UNCLASSIFIED_REACHABLE_NODE.

05. Evidence-grade reporting
Deliver an SDPF v1.3.1 conformant specification — classified findings, consequence paths, regulatory mapping, and a prioritised remediation plan. Signed. Auditable. Actionable.

// sample classification output
WN-01 → WEAK_NODE sub: PENTEST_TOOL_ON_PRODUCTION_DNS
path: SSRF → EC2 metadata → IAM creds
priority: IMMEDIATE
↓ traversal
WN-02 → WEAK_NODE sub: SUBDOMAIN_TAKEOVER_CANDIDATE
path: OAuth harvest → M365 full access
priority: IMMEDIATE
↓ traversal
WN-03 → WEAK_NODE sub: ANOMALOUS_HOSTING
path: Direct server compromise
priority: HIGH
↓ traversal
WN-04 → WEAK_NODE sub: EXPOSED_ADMIN_PANEL
path: WHM → all hosted domains
priority: HIGH
↓ traversal
WN-05 → WEAK_NODE sub: EMAIL_SPOOFING_PERMITTED
path: Phishing → credential harvest
priority: HIGH
wncds — passive recon
$ wncds scan --domain target.org --passive
// enumerating DNS records...
nodes_found: 7
reachable_nodes: 5
weak_nodes: 5
consequence_governed: 0
systems_touched: 0
authenticated_access: false
→ report generated: WNCDS-20260605.docx
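
Steps 03 and 04 above, sketched as an added example (this is not WNCDS code): a backward walk over a trust graph from the declared assets, then a label per reachable node based on the highest consequence it can reach. The node names, numeric levels and the exact reading of the three labels are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data (not from any assessment). Edge (a, b) means
# "a holds an authorised or trusted path to b".
EDGES = [
    ("pentest-tool.example", "ec2-metadata"), ("ec2-metadata", "iam-credentials"),
    ("iam-credentials", "client-records"), ("login.example", "m365-tenant"),
    ("mail.example", "m365-tenant"),
    ("status.example", "cdn-static"),  # no path to a protected asset
]
# Protected assets and the consequence level of their compromise (3 = highest).
ASSETS = {"client-records": 3, "m365-tenant": 2}
# Verified protection level per node; None = not yet assessed (assumption).
PROTECTION = {"pentest-tool.example": 0, "ec2-metadata": 1,
              "iam-credentials": 3, "login.example": None, "mail.example": 2}


def reverse_reach(edges, assets):
    """Walk edges backward from each asset; return {node: max consequence}."""
    preds = {}
    for src, dst in edges:
        preds.setdefault(dst, set()).add(src)
    reach = {}
    for asset, level in assets.items():
        seen, queue = {asset}, deque([asset])
        while queue:
            for p in preds.get(queue.popleft(), ()):
                if p not in seen:
                    seen.add(p)
                    queue.append(p)
                    reach[p] = max(reach.get(p, 0), level)
    return reach


def classify(edges, assets, protection):
    """Label every node that can reach a protected asset."""
    result = {}
    for node, required in reverse_reach(edges, assets).items():
        have = protection.get(node)
        if have is None:  # reachable, protection never assessed
            result[node] = "UNCLASSIFIED_REACHABLE_NODE"
        elif have < required:  # protection below the consequence it can reach
            result[node] = "WEAK_NODE"
        else:
            result[node] = "CONSEQUENCE_GOVERNED"
    return result

if __name__ == "__main__":
    for node, label in sorted(classify(EDGES, ASSETS, PROTECTION).items()):
        print(f"{node:24} {label}")
```

The pentest-tool node stores nothing sensitive itself, yet it inherits level 3 because its path ends at the client records, which is the point of classifying by reachable consequence rather than local content.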

The substrate is unverified.

Three case studies across the security sector reveal a consistent pattern. The organisations that teach, certify, and advise on security carry the same weak node exposure as the clients they serve. Security expertise does not self-immunise internal infrastructure.

// FINDING 01
Security sector organisations are not self-immunising
Expertise in client-facing security work does not transfer automatically to internal asset governance. The gap between what is sold and what is practised is the attack surface.
// FINDING 02
Passive DNS is sufficient to map the full attack surface
Everything a threat actor needs is publicly observable in under twenty minutes. The only variable is whether the defender or the threat actor looks first.
// FINDING 03
Governance failure is the root cause — not technical failure
Every weak node across all three case studies traces to an absent process. The controls that would close the exposure are standard practice. Their absence is a governance problem.
// FINDING 04
Certifications test knowledge, not substrate verification
Current industry certifications verify knowledge at a point in time. They do not verify that the observable infrastructure matches what those certifications claim. The substrate is unverified.

Three sectors. One finding.

Three organisations assessed using passive DNS reconnaissance only. No systems accessed. All findings derived from publicly observable data. Organisation identities are withheld — the methodology, findings, and remediation patterns are the research contribution.

// CASE STUDY I
5/5 weak nodes
Global Payments Platform
Payments · Fintech · PCI DSS regulated
A payments processing organisation with a global merchant base. Passive reconnaissance revealed five weak nodes, including a subdomain pointing to an orphaned cloud distribution and an unauthenticated API endpoint with a direct path to cardholder data and merchant records.
Weak nodes: 5 · Critical: 2 · Recon time: <15min
Subdomain takeover · Unauth API · SPF absent · DMARC absent · PCI DSS exposure
// CASE STUDY II
6/8 weak nodes
Crypto Security Analytics Firm
Blockchain · Security Analytics · Crypto intelligence
A security analytics organisation operating in the blockchain and cryptocurrency investigation space. A Cloudflare-heavy perimeter masked significant asset sprawl. Six of eight assessed nodes classified as WEAK_NODE. Blockchain analytics data and client investigation records at risk.
Weak nodes: 6 · Critical: 1 · Recon time: <20min
CDN subdomain takeover · Asset sprawl · DMARC absent · Version disclosure · Cert gap
// CASE STUDY III
5/5 weak nodes
Security Compliance Training Organisation
Compliance · HIPAA · PCI DSS · Security training
An organisation that trains and advises other organisations on HIPAA, PCI DSS, and related security compliance frameworks. Five of five nodes classified WEAK_NODE — the highest risk profile of the three studies. Client compliance data, M365 organisational data, and hosted platform infrastructure all exposed. A live penetration testing tool was found running on a production DNS subdomain.
Weak nodes: 5 · Critical: 2 · Recon time: <11min
Live pentest tool exposed · Firebase takeover · WHM internet-accessible · SPF softfail · HIPAA exposure

The rules that govern the work.

Consequence governs protection level
A node's required protection level is determined by the maximum consequence reachable through its paths — not by what it locally stores. A subdomain that can harvest M365 credentials requires M365-level protection.
Defenders must look first
Every weak node across all three case studies was visible in under twenty minutes from public data. The only variable is whether the defender or the threat actor finds it first.
Governance over technology
Technical fixes without governance fixes reproduce the same exposure. Every weak node identified traces to a process failure. Fix the process, not just the symptom.
Continuity over point-in-time
A single assessment produces a snapshot. The target state is continuous detection — the substrate verified as an ongoing condition, not a periodic compliance exercise.
Non-invasive by design
WNCDS is built on passive reconnaissance. No systems are touched. No authenticated access is made. Every finding derives from publicly observable data. Zero footprint.
Specification first. Verification always.
Every assessment is governed by an SDPF v1.3.1 specification. Every finding is verifiable, traceable, and regulatory-mapped. Evidence-grade output, not advisory opinion.
Hamza Abdullah
WNCDS · Security Research · Weak Node Detection
Methodology: WNCDS v1.0
Framework: SDPF v1.3.1
Case Studies: 3 completed
Findings: 16 total
Reconnaissance: Passive only
Systems touched: Zero

Building the verification methodology the industry lacks.

The cybersecurity industry operates on an unverified substrate. Organisations hold certifications, adopt frameworks, and write policies. But the actual observable state of their internet-facing infrastructure — the ground truth — is rarely verified continuously against those claims.

WNCDS was developed to close that gap. By starting with protected assets and traversing backward through every trust relationship to every reachable node, the methodology produces a consequence-classified map of real exposure — derived entirely from publicly observable data, without touching a single system.

"Three case studies. Three security sector organisations. One consistent finding: the substrate is unverified. The organisations that teach security carry the same exposure as the clients they serve."

The research is ongoing. Each case study builds the evidentiary base for a finding that has implications for how the industry certifies, audits, and verifies security posture. WNCDS provides the verification instrument.

Request a passive assessment.

Assessments are offered on a complimentary basis to organisations in the security, compliance, and regulated data sectors. The output is a complete WNCDS report — classified, consequence-mapped, and remediation-ready. No systems touched. No disruption to your operations.

Hamza Abdullah
WNCDS Security Research · Weak Node Classification and Detection
Available on request
LinkedIn — Hamza Abdullah
SDPF Framework — sdpf.dev

Download the Methodology

The WNCDS methodology document is available for download. It details the full Weak Node Classification and Detection System — the reverse reachability framework, classification rules, consequence path analysis, and the governance principles derived from three case studies across the security sector.

WNCDS Methodology Document
Weak Node Classification and Detection System · v1.0 · 2026
The complete WNCDS methodology — reverse reachability framework, classification rules, consequence path analysis, governance principles, and remediation framework. Derived from three case studies across the payments, crypto security, and compliance training sectors.
Methodology · Classification Rules · Remediation Framework · SDPF v1.3.1 Conformant