This Winter, Red Sift Certificates introduces Private PKI Monitoring, expanding certificate visibility beyond the public internet and into private networks and internal environments. This release helps teams close long-standing visibility gaps in private PKI and manage certificates more consistently across modern, hybrid infrastructure.
In addition to this update, we’ve also delivered improvements to Red Sift OnDMARC, including:
- Improvements to DMARC Reports that reduce noise and make it easier to investigate authentication results and maintain enforcement.
- New threat-based event feeds via Event Hub, enabling DMARC intelligence to be streamed directly into SIEMs and security workflows for faster detection and response.
Red Sift Certificates
Introducing Private PKI Monitoring: Closing blind spots in certificate management
Private certificates deployed inside private networks are not visible to Certificate Transparency logs or public internet scanning, yet they underpin critical internal services, applications, and infrastructure.
The risks are fundamentally the same as those in public PKI, including expired certificates, broken trust chains, and unexpected issuance, but are often more acute in private environments. Internal certificate issuance is typically less constrained, ownership is harder to establish, and large enterprises may be managing orders of magnitude more certificates across internal systems.
Private PKI Monitoring in Red Sift Certificates brings these internal certificates into view by allowing teams to discover and monitor them alongside publicly exposed certificates, using the same inventory and workflows already in place.
On-premises scanning, combined with the existing discovery capabilities, surfaces internal certificates, including those issued by private CAs and deployed on internal hosts, in a single inventory. The result is consistent visibility across public and private environments, without relying on manual tracking or fragmented processes.
“By using the Private PKI Agent in Red Sift Certificates, we were able to discover active internal certificates we believed had already been decommissioned, including expired ones still in use. That level of visibility is exactly what we need to avoid blind spots in our PKI environment.”
Martin Tierney, IT Infrastructure Administrator at William Fry LLP
Why it matters
Public certificate discovery relies heavily on Certificate Transparency logs, which provide visibility into certificates issued for internet-facing services. Private PKI certificates used inside private networks, however, are not recorded in CT logs and cannot be discovered through external scanning.
As a result, private PKI often depends on manual tracking or static documentation to understand where certificates are deployed and which trust anchors apply. As environments scale and change, this approach becomes difficult to maintain, creating blind spots that increase the risk of expired certificates, broken trust chains, and service disruption.
How private PKI monitoring in Red Sift Certificates works
Customers deploy lightweight scanning agents within their private infrastructure, where they can safely discover internal hosts and the certificates deployed on them. These findings are then securely integrated into the same inventory used to track publicly exposed certificates, providing a single, unified view of certificate usage across environments.
Each certificate is tagged with its discovery source, making it clear whether it was observed via public transparency logs, network scanning, private infrastructure, or seen across multiple sources. This context helps teams quickly distinguish internal assets from internet-facing ones and understand where visibility gaps previously existed.
See it in action
Private PKI Monitoring is enabled by default for existing Red Sift Certificates customers. To see it in action and learn how to prepare for broader PKI ecosystem changes in 2026, join the Red Sift webinar on February 25, 2026.
High-assurance certificate transparency monitoring
Red Sift Certificates strengthens Certificate Transparency monitoring by helping teams distinguish expected certificate issuance from genuine misissuance with a higher degree of confidence.
By accounting for known-good certificates identified through integrations and API uploads, the application isolates the certificates that fall outside that known-good set. When fully configured, any certificate outside this known set can be treated as a true misissuance, rather than noise that requires manual validation.
Teams are alerted when a certificate has not been explicitly endorsed within a defined time window, allowing them to investigate unexpected issuance early. Alerting can also be scoped to high-value domains, ensuring attention is focused where the risk and impact are greatest.
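The known-good-set logic described above, written out as an added Python example that is not Red Sift's own code: constructed CT observations are checked against an endorsement set, a certificate that is still inside the endorsement window counts as pending rather than misissued, and alerting can be scoped to a set of high-value domains. The fingerprints, domains and timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CtObservation:
    fingerprint: str      # SHA-256 of the leaf certificate, hex (constructed values below)
    domain: str           # subject name the log entry covers
    first_seen: datetime  # when the certificate first appeared in a CT log


# Constructed sample data, not real CT log entries.
NOW = datetime(2026, 2, 1, 12, 0, tzinfo=timezone.utc)
OBSERVATIONS = [
    CtObservation("aa01", "login.example.com", NOW - timedelta(days=3)),   # endorsed via API upload
    CtObservation("bb02", "login.example.com", NOW - timedelta(days=2)),   # never endorsed: misissuance
    CtObservation("cc03", "api.example.com", NOW - timedelta(hours=2)),    # inside window: pending
    CtObservation("dd04", "blog.example.com", NOW - timedelta(days=5)),    # unendorsed, not high-value
]
KNOWN_GOOD = {"aa01"}                      # fingerprints supplied by integrations / API uploads
ENDORSEMENT_WINDOW = timedelta(hours=24)   # how long issuance may stay unendorsed before alerting
HIGH_VALUE_DOMAINS = {"login.example.com", "api.example.com"}


def classify(obs, known_good, now, window):
    """Label one observation as endorsed, pending (still inside the window) or unendorsed."""
    if obs.fingerprint in known_good:
        return "endorsed"
    if now - obs.first_seen < window:
        return "pending"
    return "unendorsed"


def misissuance_alerts(observations, known_good, now, window, scope=None):
    """Return the fingerprints to alert on: unendorsed past the window, optionally limited to `scope` domains."""
    alerts = []
    for obs in observations:
        if scope is not None and obs.domain not in scope:
            continue
        if classify(obs, known_good, now, window) == "unendorsed":
            alerts.append(obs.fingerprint)
    return sorted(alerts)


def endorse(known_good, fingerprint):
    """Add a validated certificate to the known-good set so it stops alerting (new set, old one untouched)."""
    return known_good | {fingerprint}
```

With the sample data, the unscoped run flags `bb02` and `dd04`; scoping to the high-value domains flags only `bb02`, and endorsing it clears the alert.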
Read more on this subject in the dedicated guide by Ivan Ristic, Red Sift’s Chief Scientist, and author of “Bulletproof TLS and PKI,” the de facto SSL/TLS and PKI reference manual.
Red Sift OnDMARC
DMARC Reports improvements
We’ve made a series of targeted improvements to DMARC Reports to help teams reach and maintain p=reject faster, with less noise and less manual analysis.
These updates are designed to make it easier to answer the two questions that matter most when reviewing DMARC data: are your authorized sources behaving as expected, and is there anything new you need to investigate?
Clearer, more complete results
DMARC Reports now surface a full view of authentication outcomes, not just failures. By showing passes and failures together, and grouping related SPF and DKIM signals, it’s easier to understand what’s working, what isn’t, and why, without jumping between views or exporting data.
Faster investigation with focused filtering
Quick filters make it easy to narrow in on the results you care about, whether you’re validating successful authentication or digging into a specific issue. This reduces time spent scanning large datasets and helps teams move from insight to action more quickly.
A more structured view of email sources
The sources table has been reorganized to prioritize relevance and reduce clutter, bringing the most important sources and summary statistics into clearer focus. This makes it easier to assess the health of known senders while keeping an eye on anything that may require review.
Threat feeds via Event Hub
To help security teams act on email threats more quickly, OnDMARC now surfaces additional threat-based events through the Event Hub capability. These events allow DMARC intelligence to be streamed directly into your SIEM or broader security tooling for correlation and response.
Forensics events offer detailed visibility into emails that fail DMARC authentication, often serving as an early indicator of phishing activity targeting employees, customers, or suppliers.
At an aggregate level, threat and probable-threat events can be used to alert teams to suspicious sending behaviour associated with known or suspected threats, helping surface patterns that may warrant investigation.
By ingesting these events into your existing security workflows, teams can take proactive steps to reduce risk, for example, identifying and blocking malicious URLs or email infrastructure before they can be used to deliver phishing attacks.