internet.nl is free. So when do you need Exposentry?

Published on July 3, 2026

If you want to run one free test on your domain, internet.nl is a fine choice. It is a public service from the same Dutch ecosystem that OpenKAT comes from, and it neatly checks whether your domain supports modern internet standards. We recommend it ourselves.

So why does Exposentry exist? Because a standards check and an evidence file are two different things. This article explains the difference, so you know when free is enough and when it is not.

In short

What internet.nl does well

internet.nl tests whether your domain, website and mail use the modern, open standards that make the internet safer: IPv6, DNSSEC, HTTPS with a solid TLS configuration, and mail standards like SPF, DKIM and DMARC. The result is a clear percentage with concrete improvements.

For basic standards hygiene there is no reason to pay. If you score poorly there, start there; those are often the cheapest improvements with the most effect.

Where the line is

A free check answers the question "where do I stand on standards right now?" There are five things it does not do, and they are exactly what matters once someone else asks you for evidence.

  1. Continuity. A test you run yourself now and then misses everything that happens between two tests: a certificate that expires, a new subdomain, a service accidentally left open. Continuous monitoring flags it when it happens, not when you happen to think of it.
  2. CVE detection. Standards say nothing about known vulnerabilities in your software. A domain can score 100% on internet.nl while running an outdated application with an actively exploited CVE. What is visible from the outside is covered in "What does an attacker see of your domain".
  3. Evidence with timestamps. A screenshot of a test result is not evidence. Exposentry records per finding how and when it was established, in signed and timestamped reports a third party can verify. See how to check whether a security report is real.
  4. History as an evidence file. An auditor or insurer does not want to know how you are doing today, but whether you paid attention all year and what you did with findings. That requires a continuous, dated timeline. The reasons are covered in the article on forensically grounded evidence.
  5. Independent reporting. Evidence for third parties must go directly from the measuring party to the client, not through the party that manages the environment. Why that matters is covered in independent reporting.

The honest decision rule

Use internet.nl when nobody is asking for evidence and you want to know where you stand on standards. For many small organizations that is enough for a long time.

Look at Exposentry as soon as one of these three situations applies: a large customer sets requirements under the NIS2 supply chain duty of care, an auditor or regulator wants to see demonstrable vulnerability management, or a cyber insurer asks for substantiation at acceptance or claim time. In all three cases the question is not "did you test?" but "can you prove it?" And that is a different service than a free check, however good that check is.

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.