Security Tools & Scanners
Free, read-only Recon for any domain · the Full Scan engine that confirms real vulnerabilities with proof-of-concept · and Analyze tools that audit a repo, API, or app you hand us.
Non-intrusive, read-only checks you can run on any domain right now — observe without touching. No account needed (SSL/TLS Deep Audit, WordPress & GraphQL scans are Pro).
Security Headers Analyzer
Grade your CSP, HSTS, X-Frame-Options, Referrer-Policy and COOP headers and get exact fixes. Runs as part of the free recon scan.
SSL/TLS Inspector
Certificate validity, expiry, issuer, SAN, TLS version, cipher strength and Perfect Forward Secrecy — all in the free recon scan.
DNS Records Lookup
Inspect A, AAAA, MX, NS, TXT, CAA and SOA records and spot DNS misconfigurations for any domain. Free, instant, no sign-in.
Email Security Checker
Verify your SPF, DKIM and DMARC records to confirm your domain is protected against spoofing and phishing — graded with exact fixes.
Technology Stack Detector
Fingerprint the server, CMS, frameworks and JavaScript libraries a website runs on — and surface the software versions it discloses.
Exposed Files & Directory Finder
Check for publicly exposed .git, .env, backups, config files, server-status and phpinfo that leak secrets or hand attackers a head start.
Website Reputation & Blacklist Check
See whether a domain's IP is flagged on major security blacklists (DNSBLs) and confirm it resolves and serves HTTPS.
CORS Misconfiguration Checker
Detect dangerous Cross-Origin Resource Sharing — arbitrary origin reflection, null-origin trust, wildcard ACAO, and the critical credentials-with-permissive-origin combination.
Redirect Checker
Trace the full redirect chain hop by hop — HTTP→HTTPS upgrade, insecure HTTPS→HTTP downgrades, redirect loops and the final destination.
WHOIS & Domain Age Lookup
Registrar, registration date and domain age, expiry, nameservers and transfer locks via RDAP — flags newly-registered and soon-to-expire domains.
security.txt Checker
Validate /.well-known/security.txt against RFC 9116 — Contact and Expires fields, Policy, Encryption, Canonical and PGP signature.
Mixed Content Checker
Find insecure http:// scripts, stylesheets, iframes, images, media and form actions loaded on an HTTPS homepage — active vs passive.
robots.txt & Sitemap Checker
Analyze robots.txt and sitemap.xml — Disallow rules, sensitive paths that leak structure, whole-site blocks and sitemap discovery.
Subdomain Finder
Discover subdomains from public Certificate Transparency logs (passive, non-intrusive) and flag sensitive names like dev, staging, admin and vpn.
SSL/TLS Deep Audit
Per-version TLS probing (1.0→1.3), certificate chain & key strength, forward secrecy, HSTS preload and OCSP — a deep, read-only TLS posture report.
WordPress Security Scanner
Read-only WordPress assessment — core-version disclosure, exposed wp-config backups & debug.log, REST/author user enumeration, XML-RPC and plugin detection.
GraphQL Security Scan
Auto-discovers a GraphQL endpoint and checks introspection, field-suggestion leaks, GET-based execution (CSRF) and array batching amplification.