Automated scanning + expert review of your web-facing attack surface. Security headers, SSL, DNS, subdomains, exposed files, and JS secrets: a full written report with evidence and exact fixes.
Written report · Screenshot evidence · Fix verification included · Web surface only
These are real, automated checks we run on your domain, not marketing bullets. Every finding includes the exact evidence we found.
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and CORS. We check presence and validate values: for example, whether CSP allows unsafe-inline scripts, or whether HSTS sets a max-age shorter than the one year that browser preloading requires.
Certificate validity, days until expiry, negotiated protocol (TLS 1.0/1.1 flagged), cipher strength, and whether HTTP correctly redirects to HTTPS. We verify the full certificate chain, not only the leaf.
We probe 40+ common sensitive paths: .env, .git/config, wp-config.php, phpinfo.php, backup archives, admin panels, .htpasswd, and Dockerfile. Any that return HTTP 200 are flagged with severity; a 200 alone is not proof, so sites that answer 200 for every path (soft-404 pages) are filtered out during review.
We query your DNS records and validate SPF (including +all, which lets any sender pass), DMARC policy enforcement level, and DKIM presence across common selectors. Missing or misconfigured records allow email spoofing from your domain.
We enumerate subdomains via Certificate Transparency (crt.sh) and check each for takeover fingerprints: GitHub Pages, Vercel, Netlify, S3, Azure, Heroku, and more. A dangling CNAME pointing to an unclaimed service lets whoever registers that name serve content under your subdomain.
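As an added illustration of the SPF, DMARC and DKIM checks described above (example code written for this page, not the audit tool itself), the following Python evaluates TXT answers that have already been fetched. The records, the domain and the DKIM selector list are constructed for the example; the severity labels are the author's choice, and the 10-lookup limit comes from RFC 7208.

```python
import re

# Constructed TXT answers for a hypothetical domain; these are not real records.
SAMPLE_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 +all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Hypothetical answers for <selector>._domainkey.<domain>; None means no record
SAMPLE_DKIM = {"default": None, "google": None, "selector1": "v=DKIM1; k=rsa; p=MIIBIjANBg..."}

# Mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208 allows
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def check_spf(txt):
    """Findings for one SPF TXT record (None = no record published)."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return [("high", "no SPF record: receivers cannot tell which hosts may send as this domain")]
    terms = txt.split()[1:]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(("medium", "SPF has no 'all' term; unlisted senders get a neutral result"))
    else:
        # an 'all' with no qualifier is '+all': the default qualifier is pass
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(("high", "SPF ends in +all: every sender on the internet passes"))
        elif qualifier == "?":
            findings.append(("medium", "SPF ends in ?all: unlisted senders are neutral, not rejected"))
        elif qualifier == "~":
            findings.append(("low", "SPF ends in ~all (softfail); -all is the strict form"))
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(("medium", f"SPF needs {lookups} DNS lookups; over 10 yields permerror"))
    return findings


def check_dmarc(txt):
    """Findings for the _dmarc TXT record (None = no record published)."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return [("high", "no DMARC record: receivers will not enforce SPF/DKIM alignment")]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "DMARC p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", "DMARC record has no valid p= tag"))
    # sp= defaults to p=, so only an explicit sp=none weakens subdomains
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(("medium", "DMARC sp=none leaves subdomains unenforced"))
    if "rua" not in tags:
        findings.append(("low", "DMARC has no rua= address, so no aggregate reports are received"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(("low", f"DMARC pct={pct} applies the policy to only part of the mail"))
    return findings


def check_dkim(records):
    """records maps selector -> TXT answer (or None) for <selector>._domainkey.<domain>."""
    present = [s for s, r in records.items() if r and "p=" in r]
    if not present:
        return [("medium", "no DKIM key found under common selectors")]
    return []
```

The DKIM check can only prove presence, not absence: a domain may sign with a selector outside the probed list, which is one reason a human reviews the finding before it is rated.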
We fetch and scan your JS bundles and inline scripts for embedded API keys, tokens, passwords, and secrets. We check for Google API keys, AWS access keys, Stripe secrets, GitHub tokens, Slack tokens, SendGrid keys, and more.
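To show what the JS secret scan above amounts to in practice, here is an added Python example (not the audit tool's code) that runs a small set of key-format patterns over a bundle and records redacted evidence. The JS excerpt and every credential in it are constructed dummies; the patterns follow the publicly documented prefixes of each key type and are an assumption of this example, as is the allowlist of documentation placeholders.

```python
import re

# Constructed JS bundle excerpt with planted dummy credentials; none of these
# values is a real key.
SAMPLE_JS = "\n".join([
    "const cfg = {",
    "  region: 'us-east-1',",
    "  awsKey: 'AKIATEST0123456789AB',",
    "  maps: '" + "AIzaSyDEXAMPLE" + "0" * 25 + "',",
    "  docsKey: 'AKIAIOSFODNN7EXAMPLE',  // value copied from AWS documentation",
    "};",
    "fetch('/api', { headers: { Authorization: 'Bearer ' + token } });",
])

# Key-format patterns (assumed from each vendor's documented prefix and length)
PATTERNS = {
    "aws_access_key_id": r"\bAKIA[0-9A-Z]{16}\b",
    "google_api_key": r"\bAIza[0-9A-Za-z_-]{35}\b",
    "stripe_live_secret": r"\bsk_live_[0-9a-zA-Z]{24,}\b",
    "github_pat": r"\bghp_[A-Za-z0-9]{36}\b",
    "slack_token": r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b",
    "sendgrid_key": r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b",
}
# Well-known documentation examples that are not live credentials
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


def redact(secret):
    """Keep the prefix and suffix so the developer can locate the key
    without the report reprinting the whole credential."""
    if len(secret) <= 8:
        return "****"
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_js(source):
    """Return one finding per pattern match, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in re.finditer(pattern, line):
                if match.group(0) in ALLOWLIST:
                    continue
                findings.append({"kind": kind, "line": lineno, "evidence": redact(match.group(0))})
    return findings
```

Pattern matching only proves that a string has the shape of a key. Whether it is live, and what it can reach, is what the manual review step determines before a severity is assigned.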
We verify that your site cannot be embedded in an iframe on a third-party domain, checking for X-Frame-Options (DENY or SAMEORIGIN) and a CSP frame-ancestors directive. Where both are present, modern browsers honour frame-ancestors and ignore X-Frame-Options.
We follow your redirect chain from HTTP and flag long chains (3+ hops), redirects that pass through plain HTTP mid-chain, and chains that downgrade from HTTPS back to HTTP.
Server header version leakage and X-Powered-By technology disclosure. Neither is exploitable on its own, but both tell an attacker which software and version to look up known vulnerabilities for.
Need manual penetration testing? See our Pentest page.
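The header validation described earlier (CSP unsafe-inline, HSTS max-age, missing headers) and the clickjacking check just above come down to one pass over a response's headers. This Python is an added example written for this page, not the audit tool's code; the sample header set is constructed, and the thresholds (one year for HSTS, the list of weak Referrer-Policy values) and severity labels are the example's own assumptions.

```python
import re

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline' https://cdn.example; "
        "frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

# Headers whose absence is reported outright. X-Frame-Options is handled
# separately because a CSP frame-ancestors directive supersedes it.
REQUIRED = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)
ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the browser preload list
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_csp(value):
    """Turn "a b c; d e" into {'a': ['b', 'c'], 'd': ['e']}, lower-cased."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def hsts_max_age(value):
    """Extract max-age from an HSTS header, or None if absent or malformed."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_headers(headers):
    """Return [(severity, message)] for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(("medium", f"missing {name}"))

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else {}
    if csp:
        # script-src falls back to default-src when it is absent
        scripts = csp.get("script-src", csp.get("default-src", []))
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is listed,
        # so only report it when nothing neutralises it
        guarded = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        if "'unsafe-inline'" in scripts and not guarded:
            findings.append(("high", "CSP allows 'unsafe-inline' scripts"))
        if "*" in scripts:
            findings.append(("medium", "CSP script sources include wildcard *"))

    if "strict-transport-security" in h:
        age = hsts_max_age(h["strict-transport-security"])
        if age is None:
            findings.append(("medium", "HSTS header has no valid max-age"))
        elif age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age {age} is below one year"))

    if h.get("referrer-policy", "").strip().lower() in WEAK_REFERRER:
        findings.append(("low", f"weak Referrer-Policy {h['referrer-policy']}"))

    # Clickjacking: a frame-ancestors list without a wildcard, or an
    # X-Frame-Options of DENY/SAMEORIGIN, stops third-party sites framing the page
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    framed_ok = (ancestors is not None and "*" not in ancestors) or xfo in {"DENY", "SAMEORIGIN"}
    if not framed_ok:
        findings.append(("high", "page can be framed by third-party sites (no frame-ancestors or X-Frame-Options)"))

    return findings
```

The nonce handling is the detail worth noting: a policy that lists both a nonce and 'unsafe-inline' is a common, deliberate pattern for older browsers, and reporting it as a high without checking for the nonce is exactly the kind of false positive the manual review step exists to remove.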
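As an added example of the redirect-chain analysis above (written for this page, not taken from the audit tool), this Python scores a chain that has already been recorded hop by hop. The trace is constructed; the hop threshold, the loop check and the preference for a permanent 301/308 on the initial HTTP-to-HTTPS redirect are the example's own assumptions.

```python
from urllib.parse import urlsplit

# Constructed redirect trace as a scanner records it, one entry per request:
# (url requested, status, Location header or None). Not a real site.
SAMPLE_CHAIN = [
    ("http://example.com/", 301, "https://example.com/"),
    ("https://example.com/", 302, "http://www.example.com/"),
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("https://www.example.com/", 200, None),
]


def analyze_chain(chain):
    """Findings for a redirect chain that started from the plain-HTTP origin."""
    findings = []
    redirects = [hop for hop in chain if hop[2] is not None]
    if len(redirects) >= 3:
        findings.append(("low", f"{len(redirects)} redirects before the final page; one is enough"))

    seen = set()
    for i, (url, status, location) in enumerate(chain):
        if url in seen:
            findings.append(("medium", f"redirect loop back to {url}"))
            break
        seen.add(url)
        scheme = urlsplit(url).scheme
        # the first HTTP->HTTPS hop should be permanent so browsers cache it
        if i == 0 and scheme == "http" and location and location.startswith("https://") and status not in (301, 308):
            findings.append(("low", f"HTTP to HTTPS redirect uses {status}; use 301 or 308 so browsers cache it"))
        # any later hop on plain HTTP exposes the request to an on-path attacker
        if i > 0 and scheme == "http":
            findings.append(("high", f"hop {i} downgrades to plain HTTP: {url}"))

    final_url, final_status, final_location = chain[-1]
    if final_location is not None:
        findings.append(("medium", f"chain did not terminate (last hop still redirects to {final_location})"))
    elif urlsplit(final_url).scheme != "https" or final_status != 200:
        findings.append(("high", f"chain ends at {final_url} with status {final_status}, not an HTTPS 200"))
    return findings
```

In the constructed trace the second hop sends the browser back to http://www.example.com/ before reaching HTTPS; that single downgrade hop is the finding that matters, and it is easy to miss when only the first and last URLs are checked.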
Our tool runs the checks. A human reviews every finding before it goes in the report.
That's it. No credentials, no access, no installs. We work from the outside โ the same view an attacker has.
Our audit tool runs all checks automatically: headers, SSL, DNS, subdomains, exposed files, JS secrets. Takes 10 to 30 minutes per domain.
We review every finding, remove false positives, add context, and rate severity based on actual exploitability, not just automated output.
You get a full HTML + Markdown report with evidence screenshots, severity ratings, and copy-paste fix instructions for every finding.
Make the fixes. We rerun the checks and issue written confirmation that each issue is closed. No open questions left.
Not a raw scanner dump. A real report reviewed by a human before it reaches you.
Every finding documented with severity rating, evidence, business impact context, and step-by-step fix instructions.
Exact HTTP responses, header values, DNS record data, and JS snippets: nothing is claimed without proof.
Exact config lines, header values, DNS record formats, and code changes. Your developer can implement each fix directly.
After you fix the findings, we rerun the audit and issue written confirmation. Every closed issue is verified, not assumed.
Plain-language overview for non-technical stakeholders โ risk posture, critical findings, and recommended priority order.
Reports in both formats. HTML for sharing with clients and stakeholders. Markdown for your engineering team and docs.
You know exactly what you're getting and what you're paying before we start.
Core web surface audit for any site
Full audit + expert manual review
Most owners never know. Send us your domain and we'll show you what's there: written report, evidence included, fixes provided.
Get a Security Audit
Starter $497 · Pro $997 · Retest included · Web surface only, no credentials needed