MERLONIX
Sign inStart free

Website Security Monitoring for Marketing Agencies: What to Check and When

Marketing agencies are increasingly responsible for website security beyond the code they wrote. When a client's site goes down, their forms stop submitting, or their checkout shows an error, the first call is to the agency — regardless of whether the agency controls the hosting, the DNS, or the third-party integrations that failed.

Security monitoring for agencies covers the layer between "the code is correct" and "the site is working securely for real users." It is the discipline of watching infrastructure and configuration rather than application logic.

What Security Monitoring Covers in an Agency Context

Website security monitoring is often conflated with penetration testing or vulnerability scanning. Those are useful, but they are one-time assessments. Security monitoring is continuous — it watches for configuration changes, expiry events, and anomalies that emerge over time even when the underlying code has not changed.

For marketing agencies, practical security monitoring covers five areas:

1. SSL Certificate Health

SSL certificates are the most common source of security-related incidents on client sites. They expire on a fixed schedule, and browsers are unforgiving: the day a certificate expires, the browser shows a full-screen warning that blocks users from proceeding.

Security monitoring for SSL means watching:

  • Expiry dates — alerting at 30 days and again at 7 days, not just when the certificate has already expired
  • Certificate authority validity — whether the CA that issued the certificate is still in browser trust stores
  • Key algorithm and size — certificates using deprecated algorithms (SHA-1, RSA-1024) should be flagged for replacement even if they are technically valid
  • Subject Alternative Names — whether all the domains the certificate claims to cover match the domains actually being served
  • HSTS configuration — whether the site correctly enforces HTTPS for all connections and subdomains

A certificate problem that takes 48 hours to resolve costs the client in conversions and reputation. A monitoring system that gives 30 days of warning makes it a non-event.

2. DNS Configuration Integrity

DNS is the access control layer for a domain. The DNS records define where traffic goes, which servers handle email, and which certificate authorities are allowed to issue SSL certificates for the domain.

Unexpected DNS changes are a security event. They can indicate:

  • A registrar account compromise (attacker changing NS or A records)
  • An accidental change by the client or a third-party contractor
  • A vendor migration that was not communicated to the agency

Security-relevant DNS monitoring watches NS records (control of DNS itself), MX records (where email goes), A and CNAME records (where web traffic goes), and CAA records (which CAs can issue certificates). A change to any of these warrants immediate investigation.

The security posture of DNS also includes checking that the client has a CAA record at all — without one, any certificate authority can issue a certificate for the domain, which is a meaningful expansion of the attack surface.

3. Domain Ownership and Registration

A domain that expires or is transferred is an instant and total brand incident. The domain becomes available for registration by anyone. Competitors, squatters, or malicious actors can register it and direct traffic wherever they choose.

This sounds extreme, but it happens. Clients forget to renew. Auto-renewal breaks when a credit card expires. Registrar accounts get locked. The agency is managing the brand but does not control the registrar.

Security monitoring for domain ownership means watching:

  • Registration expiry dates — with advance warning at 60 and 30 days
  • WHOIS registrar — if the registrar changes unexpectedly, it may indicate a transfer or an attack
  • Name server changes — a sudden NS record change often precedes or accompanies a domain transfer

4. Third-Party Vendor Security Incidents

Most modern websites depend on external vendors for critical functions: payment processing, authentication, CDN delivery, customer support, and analytics. When those vendors have security incidents — data breaches, service outages, or configuration changes — they affect the client's site even when nothing in the agency's code has changed.

Agencies need to know about vendor security incidents before their clients do. If Stripe has an active payment outage, the agency should know within minutes, not when a client calls asking why their checkout is broken.

Vendor monitoring watches the official status pages of third-party dependencies and classifies incidents by severity and relevance to the client's stack.

5. Brand Asset and Certificate Integrity

Agencies managing brand identity work often hold documentation of client brand ownership: trademark registrations, certificate of authenticity records, domain ownership attestation. These records need periodic verification.

A trademark that lapses for non-payment of maintenance fees, or a certificate of authenticity that was issued three years ago and never verified, creates legal and brand risk. Security monitoring for brand assets means maintaining a documented, timestamped chain of verification for each asset.

Why Portfolio Monitoring Is Different

A solo developer monitoring one site checks their single dashboard and responds to alerts personally. A marketing agency managing 40 clients cannot do this manually.

The failure mode at agency scale: alerts go to a shared inbox, nobody owns triage, alerts get addressed only when they escalate to client complaints, and "monitoring" becomes a checkbox that provides false assurance rather than actual coverage.

Portfolio security monitoring requires:

Per-client escalation paths — alerts for Client A's certificate expiry go to Client A's account manager, not to a shared inbox where they compete with Client B's vendor alert.

Severity triage — a certificate expiring in 25 days is a medium-priority action item. A certificate that expired yesterday is an emergency. An NS record change at 2 AM is an immediate escalation. These require different responses and different notification methods.

Regular reporting separate from alerts — clients need visibility into their security posture between incidents, not just when something goes wrong. Monthly reports showing current certificate validity, DNS stability, and domain registration status serve as documented evidence of ongoing security oversight.

Getting Started

Minimum viable security monitoring for an agency portfolio:

  1. Enumerate all domains per client — apex domain, www, mail subdomains, and any other public-facing subdomains
  2. Set SSL expiry alerts at 30 days and 7 days for every certificate
  3. Capture DNS baselines — current state of all A, CNAME, MX, NS, and CAA records for each domain
  4. Add vendor monitoring for each client's payment processor, CDN, and email platform
  5. Schedule monthly security summary reports for each client — even if no incidents occurred, the documentation matters

Merlonix monitors SSL certificates, DNS integrity, domain ownership, and vendor health across your full client portfolio. Severity-routed alerts and per-client monthly reports are built in. Start monitoring →

→ Complete guide: Agency Monitoring: The Complete Guide to Monitoring Client Websites at Scale