Namespace Security Quiz - How Secure is Your Namespace?

1 Does your organization maintain a complete inventory of all domains and subdomains?

Yes, we have a comprehensive, continuously updated inventory

Partially, but it's incomplete or outdated

No, we don't have a complete inventory

2 Can you identify all third-party services that create subdomains under your namespace?

Yes, we track all third-party integrations and their subdomains

We know about some, but not all

No, we don't track this

3 How often is the Namespace scanned/evaluated?

Continuously with real-time monitoring

Daily or weekly automated scans

Monthly, quarterly, or ad-hoc only

4 How often do you discover "forgotten" or "unknown" assets in your namespace?

Rarely or never - our continuous discovery prevents this

Occasionally during periodic audits

Frequently - we regularly find unknown assets

5 Do you have visibility into certificate issuance across your namespace?

Yes, we monitor certificate transparency logs continuously

Partially, for primary domains only

No, we don't monitor certificate issuance

6 Can you enumerate all email-sending domains and their SPF/DMARC configurations?

Yes, we have a complete inventory with validated configurations

We know our primary email domains but not all sending sources

No, we're not sure of all email-sending infrastructure

7 Have you experienced a subdomain takeover or dangling DNS incident?

No, and we actively prevent it through monitoring

We've had close calls but caught them before exploitation

Yes, we've been compromised or don't actively check

8 Are you in urgent need of finding out how a Zero Day event could be affecting you?

No, we have continuous monitoring and can assess impact immediately

We could assess within 24-48 hours

Yes, we need immediate assistance

9 How many certificates have expired unexpectedly in the last year?

None - we have automated renewal and monitoring

1-2 certificates expired but were quickly renewed

Multiple certificates expired causing service disruption

10 Is your organization aware of upcoming Post-Quantum Cryptography (PQC) requirements and migration deadlines?

Yes, we've assessed PQC impact and have a timeline for migration

We're aware of PQC but haven't assessed our readiness

No, we haven't considered PQC requirements

11 Do you actively monitor for brand abuse and typosquatting?

Yes, continuously with automated tools and takedown procedures

Periodically, when we remember to check

No, we don't actively monitor for brand abuse

12 Have you validated all DNS records to ensure no dangling CNAMEs exist?

Yes, we continuously scan and validate all DNS records

We've done spot checks but not comprehensive validation

No, we haven't systematically checked for dangling CNAMEs

13 Do you regularly track exposed staging/development environments?

Yes, with automated tracking and access controls

Occasionally through manual reviews

No, we don't actively track exposed environments

14 Do you have a risk scoring methodology for namespace assets?

Yes, multi-dimensional scoring across exploitability, business impact, and more

Basic risk categorization (high/medium/low)

No formal risk scoring methodology

15 Can you identify single points of failure (SPOFs) in your infrastructure?

Yes, we have dependency mapping and SPOF analysis

We know some critical dependencies but lack comprehensive mapping

No, we don't have SPOF visibility

16 What elements of your Namespace are currently being monitored/evaluated?

Comprehensive monitoring: domains, subdomains, certificates, DNS, email auth, third-party integrations

Partial monitoring: primary domains and critical certificates only

Minimal or no monitoring

17 Do you understand the business impact of each asset in your namespace?

Yes, assets are tagged with business criticality and revenue impact

We know the impact of major assets but not all

No, we don't systematically assess business impact

18 Have you mapped namespace risks to compliance requirements?

Yes, we map to GDPR, SOC 2, ISO 27001, and other frameworks

We've started mapping but it's incomplete

No, we haven't mapped to compliance frameworks

19 How is your remediation queue prioritized and maintained?

Automatically generated based on risk scoring and updated in real-time or daily

Manually prioritized with weekly or monthly updates

No structured remediation queue or irregular updates

20 Do you have written policies for subdomain creation?

Yes, with approval workflows and automated enforcement

Informal guidelines but not formally documented

No formal policies exist

21 Is there a defined ownership model with clear roles and responsibilities (RACI) for namespace assets?

Yes, every asset has an assigned owner with clear responsibilities

Ownership is defined for major assets but not all

No clear ownership model

22 How comprehensive is your namespace supply chain visibility across procurement, legal contracts, and subsidiaries?

Complete visibility with contracts, SLAs, and governance across all entities including subsidiaries with varying compliance standards

Procurement and Legal believe they have visibility, but known gaps exist in third-party dependencies and subsidiary oversight

Significant blind spots - no formal contracts with many vendors, unclear subsidiary governance, and undocumented dependencies

23 Do you track your digital correlation to Suppliers' suppliers, and if so do you limit the degrees of separation?

Yes, we track multi-tier supply chain dependencies with defined depth limits (e.g., 2-3 degrees)

We track direct suppliers but not their dependencies

No, we only track direct vendor relationships

24 Do you understand governance and compliance risks from subsidiaries or entities operating under different geopolitical or regulatory standards?

Yes, we have documented governance frameworks accounting for all geopolitical and compliance variations

We track major subsidiaries but lack comprehensive governance for all regional variations

No, we have limited visibility into subsidiary governance risks and regulatory conflicts

25 Do you have an automated certificate renewal process?

Yes, fully automated (e.g., ACME protocol, Let's Encrypt)

Partially automated with manual intervention required

No, certificate renewal is entirely manual

26 Do you understand what infrastructure and cryptographic updates are required for Post-Quantum Cryptography (PQC) compliance?

Yes, we've inventoried all cryptographic dependencies and have a PQC migration plan

We've started identifying affected systems but lack a complete plan

No, we haven't assessed our cryptographic infrastructure for PQC readiness

27 Are there approval workflows for DNS changes?

Yes, all changes require approval and are tracked

Informal review process but not enforced

No, anyone with access can make DNS changes

28 Can you enforce policies automatically and detect drift?

Yes, policies are enforced in code with automated drift detection

We detect drift through periodic manual audits

No automated policy enforcement or drift detection

29 Do you have continuous monitoring for namespace changes?

Yes, real-time monitoring with automated alerting

Periodic scanning (weekly or monthly)

No continuous monitoring

30 Can you demonstrate compliance for audits (GDPR, SOC 2, ISO)?

Yes, we maintain audit-ready evidence and documentation

We can, but it requires manual effort and preparation

No, we struggle to demonstrate namespace-related compliance

31 Do you track KPIs for namespace security posture?

Yes, with dashboards tracking MTTD, MTTR, coverage, and trends

Ad-hoc metrics when requested

No, we don't track namespace security KPIs

32 Have you tested your incident response for namespace attacks?

Yes, we conduct regular tabletop exercises and simulations

We have a plan but haven't tested it

No incident response plan for namespace attacks

33 Is namespace security part of your regular security reviews?

Yes, reviewed quarterly with executive stakeholders

Annually or irregularly

No, namespace security isn't formally reviewed

How Secure is Your Namespace?

Phase 1: DISCOVER