Continuous monitoring

Get paged when your TLS posture degrades.

A one-time TLS scan grades your cipher, protocol, and chain today. But the dangerous change is the config regression that weakens them after you last looked — with the same certificate in place. Merlonix re-assesses the live handshake on your schedule and alerts you the moment the posture gets worse.

How it works

01

It rides your existing SSL check

TLS-posture assessment runs as part of the SSL certificate check you already have on every asset — no separate check to enable, no extra cost, no AI. Every plan, every asset.

02

We grade the live handshake

On each SSL check, Merlonix reads the negotiated cipher and protocol version from the live handshake and inspects the presented certificate chain, recording a cipher strength, a protocol flag, and any chain issues over time.

03

We compare against last time

A server can keep the exact same certificate but be reconfigured to a weaker cipher, drop below TLS 1.2, lose forward secrecy, or start presenting a broken chain. We compare the current posture against the last observed one and look only for a worsening change.

04

You get paged on a degradation

A strong→weak transition — cipher weakened, forward secrecy lost, protocol downgraded, chain broken, or a SHA-1 signature that appeared — fires a deterministic alert naming exactly what regressed. An improvement, an unchanged posture, or an unknown handshake never alerts.

What we grade

Three dimensions of your live handshake, re-graded on a schedule.

We assess the same cipher, protocol, and chain a good TLS scanner does — then keep assessing them, so a posture that quietly weakens becomes an alert instead of a surprise on your next manual scan.

Cipher suiteGraded strong / acceptable / weak from forward secrecy (ECDHE/DHE) and AEAD (GCM/CHACHA20). Neither present — an RSA-key-exchange CBC/RC4/3DES suite — is the weak posture worth flagging.
Protocol versionAnything below TLS 1.2 — SSL 3.0, TLS 1.0, TLS 1.1 — is flagged weak. The probe is a TLS-1.2 handshake, so it catches a server stuck below 1.2 (it makes no TLS 1.3 claim).
Certificate chainA structural leaf→intermediate→root linkage check, plus a SHA-1/MD5-anywhere signature check and expired-intermediate detection — the two misconfigs that break real clients.

Why continuous beats a one-time grade

Catch the config regression a cert diff misses

The certificate can be untouched while an ops change swaps the cipher list, disables ECDHE, or turns TLS 1.2 back off on an old load balancer. A cert-expiry monitor sees nothing. A posture comparison sees the downgrade the moment it happens.

SSL-Labs depth, on a schedule

SSL Labs grades cipher, protocol, and chain — once, when you run it. No uptime monitor grades them at all. Merlonix is the monitor that assesses the same three dimensions and keeps assessing them, so a degradation becomes an alert instead of a finding at your next manual scan.

One panel with the rest of your posture

A TLS-posture degradation lands in the same alert stream and asset detail as your SSL expiry, DNS, DNSSEC, security-header, and uptime checks — reaching the same person, the same way, as everything else you monitor.

What we promise — and what we don’t

We grade what the server presents. We’re precise about the limits.

Merlonix grades the cipher and protocol from your live TLS-1.2 handshake and checks the presented certificate chain structurally— linkage, SHA-1/MD5 signatures, and expired intermediates. It is not a full RFC 5280 trust-store validation, and it makes no claim about TLS 1.3 support. It is informational — the grade is not folded into a pass/fail score — and it alerts only on a genuine degradationbetween two observed checks; an unknown or unreachable handshake is never read as a regression. We tell you, continuously and precisely, what got worse; the fix — the cipher list, protocol config, or chain at your origin, proxy, or CDN — lives on your side.

Common questions

How is this different from running SSL Labs or a one-time TLS scan?

A scan grades your cipher, protocol, and chain at the moment you run it. Merlonix re-assesses the same three dimensions on your asset’s SSL-check cadence and alerts you when the posture degrades — a cipher that weakens, forward secrecy that is lost, a protocol that drops below TLS 1.2, or a chain that breaks. It is the continuous, alerting version of an SSL Labs grade, and no uptime monitor offers it.

What exactly do you grade?

Three things from the live handshake. Cipher: strong when it has both forward secrecy (ECDHE/DHE) and an AEAD bulk cipher (GCM/CHACHA20), acceptable with one of the two, weak with neither. Protocol: anything below TLS 1.2 (SSL 3.0 / TLS 1.0 / TLS 1.1) is weak. Chain: a structural leaf→intermediate→root linkage check plus a SHA-1/MD5-anywhere signature check and expired-intermediate detection.

Is the chain check a full trust-store validation?

No — and we are precise about that. The chain check is structural: it verifies the subject/issuer linkage between the certificates the server actually presented, flags a SHA-1 or MD5 signature anywhere in the chain, and detects an expired intermediate. It does not cryptographically validate every signature against a bundled Mozilla/CA trust store. It reliably catches the two most common real-world misconfigurations — a missing or out-of-order intermediate and a weak-signature certificate — without claiming full RFC 5280 path validation.

When does it alert me?

Only on a worsening transition between two observed checks: the cipher strength dropped, forward secrecy was lost, the protocol was downgraded below TLS 1.2, the chain became incomplete, or a weak (SHA-1/MD5) signature appeared that was not there before. An improvement or an unchanged posture does not alert. If a handshake could not be observed (for example a CT-log fallback), the posture is treated as unknown — never as degraded — so it cannot manufacture a false alert.

Does the TLS grade affect a pass/fail score?

No. TLS-posture is informational: the grade and the degradation alerts stand on their own and are not folded into any aggregate health or compliance score. That keeps it consistent with how the free tools and the audit report present certificate detail.

Do I need a specific plan or an add-on?

No add-on. TLS-posture assessment rides the SSL certificate check that runs on every monitored asset, on every plan — so it is included wherever your SSL monitoring is. The pricing page shows which plan fits the number of assets you want to watch.

Stop finding out at your next audit.

Turn on SSL monitoring and TLS-posture assessment rides along on every asset — get paged the moment your cipher, protocol, or chain degrades. Start the full-workspace trial — 14 days, no card.