Wide Watch is in private beta. SSL + Uptime are live. New monitors landing monthly. ·
Wide Watch
Join waitlist
Wide Watch
Sign in Join waitlist
All products External Attack Surface
Category 01 · External Attack Surface Live

SSL Monitor certificates

Never lose a customer to a $0 problem.

Wide Watch checks every certificate behind every name on your domain — every hour, from four regions, against the live transparency log. We catch chain mistakes, weak ciphers, issuer changes, and "the renewal email went to the wrong inbox" before your visitors hit a red browser warning.

Try it free See pricing
How it works

Four checks per domain. Every hour.

Each monitor performs a full TLS handshake from a probe in US-East, US-West, EU-West, and APAC every 60 minutes. We chase redirects, follow SNI, and pin the certificate chain — so an A record that resolves "fine" but serves the wrong cert still fires an alert.

Expiry tracking
180/90/60/30/14/7/3/1-day alerts at the thresholds you configure. Alerts go to email, Slack, Teams, PagerDuty, Opsgenie, Discord, or webhook — your choice per group.
Chain validation
We rebuild the chain from the leaf up using Mozilla's NSS root store. Missing intermediates, wrong order, expired roots — all surface as warnings, not just errors.
Issuer change detection
If the issuer changes (Let's Encrypt → ZeroSSL, or Sectigo → DigiCert), we alert immediately. New issuer = new attack surface.
TLS version + cipher audit
TLS 1.0/1.1 still enabled? Weak ciphers? Renegotiation flaws? We grade like SSL Labs and explain the fix.
SAN drift
Track the Subject Alternative Names listed on every cert — when one drops or a new one appears unexpectedly, you find out the same day.
Multi-region consensus
Four regions probe every endpoint. We don't fire a critical alert until at least 3 of 4 agree the cert is broken — so transient ISP weirdness doesn't wake you at 3am.
Why teams switch

The problems other tools miss.

Traditional uptime tools tell you the site is "up" — they don't tell you the cert chain is broken on iOS but works on Chrome desktop. Free CA-side reminders only fire if the renewal email hits the right inbox. Wide Watch is the second pair of eyes that doesn't depend on your DNS, your email, or your CA.

Mid-renewal mistakes
Operator pasted the wrong intermediate. Cert installed on www but not the apex. Auto-renewal skipped a SAN. We catch all of these the same hour.
Behind-the-LB weirdness
Your load balancer serves cert A, but one node still serves cert B. We probe with full SNI and detect the divergence.
Forgotten subdomains
Pair SSL Monitor with Asset Discovery (Q1 2027) and we cover every name on every cert in your CT log — including ones you forgot you owned.
Plans + pricing

Bundled with the platform.

SSL Monitor is metered, not gated — every feature is included on every paid account, with a $5/mo minimum and a graduated per-domain rate as you add more. No tiers, no per-cert add-on. Free for 3 domains, then it scales smoothly: $5/mo up to 9 domains, $19/mo for 25, $64/mo for 100, $224/mo for 500. Pay annually and two months are free. See full pricing →

More in External Attack Surface

Pair SSL Monitor with the rest.

Live
Uptime Monitor
HTTP, ICMP, TCP, and DNS checks from distributed probe nodes with 60s granularity.
Q2 2026
Domain Expiry
Registrar renewal + WHOIS/RDAP change tracking. 180/90/60/30/7-day alerts. Auto-renew status.
Q2 2026
DNS Monitor
A/AAAA/MX/TXT/CNAME drift. DNSSEC validation. Multi-resolver consensus. Nameserver health.
Q1 2027
Port & Service Scanner
Detect exposed services: RDP, SMB, admin panels, leaked databases. Banner-grab + CVE enrichment.
Live today

Add your first domain in five minutes.

Wide Watch is in private beta. Sign up free, add your first domain, receive your first alert the same day.

Join the waitlist Email us