>_ see what attackers see, before they do.

We run the same reconnaissance toolkit a real adversary would — against a domain you own — and hand back one triaged report of what's exposed, what's weak, and what to patch first.

free tier · 1 scan / month · ownership verification in under a minute
recon · report.secuora · finished
target · acme.co · verified · apr 21 · 14:07 UTC
critical 1 · high 3 · medium 8 · low 12
  • critical
    /.env exposed at root
    paths · http 200 · 1.2 kb
  • high
    Session cookie missing Secure + HttpOnly
    cookies · set-cookie · sid=…
  • high
    Subdomain takeover vector · staging.acme.co
    subdomains · cname → unused heroku app
  • medium
    HSTS header missing on primary
    headers · strict-transport-security · absent
24 findings · 16 probes run
what's in the scanner

Every scan runs the same stack.

Each chip is one module in the scanner. Free and paid tiers run the identical set — higher tiers just raise the scan / domain quota.

headers: hsts · csp · x-frame
tls: expiry · weak ciphers
cookies: secure · httponly · samesite
paths: /.env · /.git · /backup
subdomains: crt.sh enumeration
dns records: spf · dmarc · dkim
sri audit: integrity on 3rd-party scripts
sqli: error-based + blind
reflection: xss indicators
open redirect: auth-flow hijack
cors: wildcard + credentialed
graphql: introspection + field leaks
path traversal: ../ through to secrets
host header: cache poisoning + reset-url
debug panels: /actuator · /phpinfo · /.vscode
16 coordinated probes · passive + active
< 10 min median scan time · for a small site
1 unified report · pdf + json, per finding
0 agents to install · external recon only

N°01 — The Scan

It runs. You watch.

scan · acme.co
elapsed 00:07:12
01 · initializing scan · acme.co
02 [subdomains] crt.sh enumeration…
03 · discovered www.acme.co
04 · discovered api.acme.co
05 · discovered staging.acme.co
06 [paths] probing exposed files…
07 [high] /.env served at api.acme.co root
08 [headers] inspecting response headers…
09 [medium] Missing Strict-Transport-Security header
10 [debug-panels] checking framework endpoints…
11 [critical] Exposed admin panel @ staging.acme.co/admin
12 [low] Server banner leaks version: nginx/1.18.0
13 [tls] inspecting certificate + ciphers…
14 [medium] Weak TLS 1.0 ciphers accepted
15 · done · 23 findings in 7m 12s
what we check

Seven kinds of trouble, one scan.

We don't do a single narrow check. Each scan runs a coordinated set of open-source tools used by professional pentesters, then stitches the output into one prioritized report.

01

Exposed files

Secrets and source code left on a public server. The single most common way small sites get breached.

/.env · /.git/config · backup.sql

02

Missing headers

The headers browsers need to protect your users from hijacking, clickjacking, and MIME sniffing.

no HSTS · no CSP · server leaks version

03

TLS & certificates

Expired or weak SSL configuration that makes your site trivial to impersonate.

cert · 11d left · tls 1.0 accepted

04

Cookie hygiene

Session cookies without Secure, HttpOnly, or SameSite — the quiet prerequisite for most session-hijack bugs.

session · missing Secure + HttpOnly
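The "Missing headers" and "Cookie hygiene" checks above come down to reading one HTTP response and looking for what is absent. The following is an added example of that audit over a constructed response; it is not the scanner's own code. Header and cookie attribute names are the standard ones, the severity labels and the session-cookie name hints are assumptions, and the sample headers are constructed.

```python
"""Audit HTTP response headers and Set-Cookie flags over a constructed response.

Added example for the 'Missing headers' and 'Cookie hygiene' checks; it is not
the scanner's own code. Header and attribute names are the standard ones, the
severity labels are an assumption, and the sample response is constructed.
"""
import re

# Constructed sample response (not captured from any real host).
SAMPLE_RAW_HEADERS = """\
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
Set-Cookie: sid=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
X-Frame-Options: DENY
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Headers expected on a primary HTTPS response, with an assumed severity when absent.
REQUIRED_HEADERS = {
    "strict-transport-security": ("medium", "HSTS header missing"),
    "content-security-policy": ("medium", "CSP header missing"),
    "x-frame-options": ("low", "X-Frame-Options header missing"),
}

COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}
# Assumed name fragments that suggest a session/auth cookie; missing flags there rate higher.
SESSION_HINTS = ("sid", "sess", "session", "auth", "token")


def parse_headers(raw):
    """Turn a raw header block into (lower-name, value) pairs, preserving duplicates."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        if line.startswith("HTTP/"):
            continue  # the status line carries no header
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(headers):
    """Findings as (severity, title, evidence): absent hardening headers and version banners."""
    findings = []
    present = {name for name, _ in headers}
    for name, (severity, title) in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append((severity, title, f"{name} · absent"))
    for name, value in headers:
        # A '/<digit>' in Server or X-Powered-By is a version string, e.g. nginx/1.18.0
        if name in ("server", "x-powered-by") and re.search(r"/\d", value):
            findings.append(("low", "Server banner leaks version", f"{name}: {value}"))
    return findings


def audit_cookies(headers):
    """One finding per Set-Cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [label for key, label in COOKIE_FLAGS.items() if key not in attrs]
        if not missing:
            continue
        is_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
        severity = "high" if is_session else "low"
        kind = "Session cookie" if is_session else "Cookie"
        findings.append((severity, f"{kind} {cookie_name} missing " + " + ".join(missing),
                         f"set-cookie · {cookie_name}=…"))
    return findings


def audit_response(raw):
    """Run both audits over a raw header block and sort by severity."""
    headers = parse_headers(raw)
    findings = audit_headers(headers) + audit_cookies(headers)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def severity_counts(findings):
    """Per-severity counts in the order the report prints them."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, title, evidence in audit_response(SAMPLE_RAW_HEADERS):
        print(f"{severity:8} {title}\n         {evidence}")
```

On the constructed sample this yields one high (the `sid` cookie with no flags at all), two medium (no HSTS, no CSP) and one low (the nginx version banner). Pasting the raw headers from `curl -sI` of your own site into `SAMPLE_RAW_HEADERS` is enough to reproduce the check locally.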

05

DNS auth records

Missing or permissive SPF / DMARC / DKIM — the records that stop attackers spoofing mail from your domain.

no SPF · DMARC p=none
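The "DNS auth records" check reads three TXT records and decides whether each is absent, permissive, or in a monitor-only mode. The following is an added example of that logic, not the scanner's own code; it takes an already-resolved mapping of names to TXT strings so it runs offline. The records are constructed, `default` is an assumed DKIM selector, and the severity labels are an assumption. It goes a little beyond the two cases shown above (no SPF, DMARC p=none) by also covering `+all`, a missing `all` mechanism, duplicate SPF records and an empty DKIM key.

```python
"""Audit SPF, DMARC and DKIM TXT records for a domain over constructed DNS answers.

Added example for the 'DNS auth records' check; not the scanner's own code. It
takes an already-resolved {name: [txt strings]} mapping so it runs offline. The
records below are constructed, 'default' is an assumed DKIM selector, and the
severity labels are an assumption.
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed TXT answers; long DKIM keys are assumed already joined into one string.
SAMPLE_TXT = {
    "acme.example": [
        "google-site-verification=constructed-placeholder",
        "v=spf1 include:_spf.example.net +all",
    ],
    "_dmarc.acme.example": ["v=DMARC1; p=none; rua=mailto:dmarc@acme.example"],
    # no default._domainkey.acme.example record at all
}


def _tags(record):
    """Parse 'k=v; k2=v2' tag lists (DMARC/DKIM syntax) into a dict with lowercase keys."""
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(domain, txt):
    """SPF: missing, duplicated, or ending in a permissive/neutral 'all'."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return [("medium", "no SPF record", domain)]
    if len(records) > 1:
        # RFC 7208: more than one SPF record is a permanent error at the receiver.
        return [("medium", "multiple SPF records (receivers treat as permerror)", domain)]
    terms = records[0].split()
    last = terms[-1].lower() if len(terms) > 1 else ""
    # The final 'all' mechanism decides what happens to senders not listed before it.
    if last in ("+all", "all"):
        return [("high", "SPF ends in +all: any host may send as this domain", records[0])]
    if last == "?all":
        return [("low", "SPF ends in ?all (neutral)", records[0])]
    if not last.endswith("all") and not any(t.lower().startswith("redirect=") for t in terms):
        return [("low", "SPF has no all mechanism (defaults to neutral)", records[0])]
    return []


def dmarc_findings(domain, txt):
    """DMARC: missing, monitor-only (p=none), or without a usable policy."""
    name = "_dmarc." + domain
    records = [r for r in txt.get(name, []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return [("medium", "no DMARC record", name)]
    policy = _tags(records[0]).get("p", "").lower()
    if policy == "none":
        return [("low", "DMARC p=none: spoofed mail is reported but still delivered", records[0])]
    if policy not in ("quarantine", "reject"):
        return [("medium", "DMARC record has no valid p= tag", records[0])]
    return []


def dkim_findings(domain, txt, selector="default"):
    """DKIM: no record for the selector, or a published record with an empty key."""
    name = f"{selector}._domainkey.{domain}"
    records = [r for r in txt.get(name, []) if "p=" in r.lower()]
    if not records:
        return [("medium", f"no DKIM record for selector '{selector}'", name)]
    if not _tags(records[0]).get("p"):
        return [("medium", "DKIM key is empty (revoked selector still published)", name)]
    return []


def audit_dns(domain, txt, selector="default"):
    """All three audits, sorted by severity; each finding is (severity, title, evidence)."""
    findings = (spf_findings(domain, txt) + dmarc_findings(domain, txt)
                + dkim_findings(domain, txt, selector))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for severity, title, evidence in audit_dns("acme.example", SAMPLE_TXT):
        print(f"{severity:8} {title}\n         {evidence}")
```

The DKIM check needs the selector name, which is only known from the mail you actually send (the `s=` tag in a DKIM-Signature header); an external scan can only confirm a selector it is told about, so an absent record for a guessed selector is a prompt to check, not proof that DKIM is unconfigured.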

06

Subdomain sprawl

Forgotten dev and staging subdomains enumerated from public certificate logs — often running older, more vulnerable versions of your code.

staging.acme.co · unverified cname

07

Injection & XSS

SQLi, reflected XSS, open redirects, path traversal, CORS misconfigs, host-header tricks — deep-scan only, behind domain ownership.

?q= reflected · ORDER BY 1 → SQL error

N°03 — The Report

Findings, not just noise.

Every scanner produces output. Few produce a report — sorted by severity, deduplicated across modules, explained in plain language, and bundled with a concrete fix per finding.

  • Severity-sorted, deduplicated finding list
  • Concrete fix per finding, not 'consult the docs'
  • Evidence: the exact URL, payload, or header
  • Downloadable PDF — share it with your team
High · exposure · paths
f.a3c12…

Generic Env File Disclosure

Asset
https://api.acme.co/.env
Detected by
paths probe · http 200 · 1.2 kb

What it is

A production .env file is served at /.env. Any visitor — or search engine — can read it. It contains your database URL, third-party API keys, and the app secret used to sign sessions.

Fix

# nginx — block dotfiles under public root
location ~ /\. {
    deny all;
    return 404;
}

# Then rotate everything in .env that just leaked.
scan · acme.co · 2026-04-19 · 1 of 23 findings

N°05 — Questions

Answered, plainly.

If your question isn't here, the short version is: it probably works, it's definitely legal, and it costs $19 after the free tier runs out.

01 · authorisation

Can I scan any domain?

No. You can only scan domains you prove you own. We give you a token to add as a DNS TXT record or upload as a file. Until you verify, we refuse the scan. This is non-negotiable — scanning a site you don't control is illegal in most jurisdictions.

02 · scope

Is this a replacement for a real pentest?

No. This is an automated external scan — the first 80% of what a pentester would check before digging in. It catches the common, costly misconfigurations (exposed .env, missing headers, weak TLS, cookie flags, DNS auth records) that cause most small-site breaches. An annual pentest is still smart for anything handling customer data.

03 · safety

Will the scan knock my site over?

No. The passive pass only does things a browser or Googlebot already does — fetch headers, read TLS, resolve DNS, check a list of known paths. The deep pass fires non-destructive probes (single malformed query string, one reflected-XSS canary, one SQLi-shaped parameter) and only after you've proved you own the domain. No credential brute-force, no payloads designed to modify state.

04 · compatibility

What stack do you support?

All of them. The scanner is stack-agnostic — it talks HTTP, DNS, and TLS from the outside, so nginx / Apache / Caddy and WordPress / Laravel / Rails / Next / anything else are all fair game. Evidence returned with each finding (the response header, the served body, the cert detail) tells you what to fix without us having to guess your framework.

05 · privacy

What happens to my scan data?

Stored in a Postgres database under our account, encrypted at rest. Only you can read your scans (row-level security). We never share, sell, or use your findings for anything except showing them to you. Export and delete at any time.

06 · footprint

Do I need to install anything?

No agents, no browser extensions, no SDK. Just enter your domain, verify ownership, click scan. Everything runs from our pinned-IP containers — nothing touches your servers beyond normal HTTP requests.

Ready

>_ find what's exposed. today

Magic-link sign-in, then ownership verification in under a minute — a DNS TXT record or a dropped file. Free tier runs one scan per month, no card.
