100+ checks · result in < 5 min

See what attackers see
when they look at your website.

Plug in your domain. We run the same external probes a pentester's first hour would — open ports, leaked secrets, misconfigured TLS, exposed admin panels — and hand you a prioritised fix list before anyone else finds them.

$scan
first scan free read-only probes ownership verified no install
cyber report://probe — recon-pass-001
live

Real findings.
Severity-sorted. Fix included.

A sample of what shows up in a typical first-pass report. Every item ships with a one-paragraph fix and links to the upstream advisory.

critical · cvss 9.8

Database port exposed to the public internet

MySQL, Postgres, Redis, or MongoDB reachable from any IP. The #1 mass-compromise vector — attackers scan the entire IPv4 space for open DB ports continuously.

:33060.0.0.0/0→ fix
high · cvss 8.1

Leaked AWS / Stripe / GitHub credentials in page source

Secret keys committed to a public JS bundle or HTML comment. One of the fastest paths from "website" to "compromised cloud account."

AKIA…app.bundle.js→ fix
high · cvss 7.4

Expired or untrusted TLS certificate

Browsers warn users; some click through and become MITM-able. API clients just break silently. We catch chain issues and weak ciphers too.

CN mismatchTLS 1.0→ fix
medium · cvss 5.3

WordPress admin reachable without rate limiting

Default install ships with no brute-force protection. A target for credential-stuffing from day one if not behind a WAF or login-limit plugin.

/wp-adminno captcha→ fix
medium · cvss 4.9

Missing email authentication (SPF, DMARC)

Without these, attackers can send phishing that appears to come from your domain. Your brand becomes the attack vector.

spf=nonedmarc=none→ fix
medium · cvss 6.1

Outdated WordPress / jQuery / third-party library

Every one has published CVEs. Automated exploit tools target them the moment a vulnerability lands in public databases.

[email protected]CVE-2020-11023→ fix
+ 100 more — TLS ciphers · security headers · exposed .git / .env · CORS misconfig · subdomain takeover candidates · …

Three steps.
Under five minutes.

No agent install. No source-code access. Just the domain you want a second set of eyes on.

› step.01

Enter your domain

Five seconds. No credit card. Just the hostname you want scanned — we'll handle the rest.

domain acme.io
scan_type external_full
› step.02

Verify you own it

Drop a TXT record into DNS or upload a file. We never probe a site you haven't claimed — this rule is load-bearing, not a formality.

_cyber-report-verify TXT
"verify=4f2a…b73c"
› step.03

Get your report

Prioritised findings with a fix for each, a PDF export, and OWASP / PCI / SOC 2 mappings if you need them. Rescan weekly, monthly, or on demand.

findings 23 · critical 2 · high 5
report acme-io-2026-04-25.pdf

"But I already have…"

The two most common objections — and why neither closes the gap.

"I have Cloudflare / a WAF"

Cloudflare blocks bots. It doesn't fix what's behind it.

A WAF won't renew your expired TLS cert, won't notice a developer commit a .env with AWS keys, and won't stop your WordPress admin from getting brute-forced. We probe what sits behind the CDN — and we tell you when the WAF blocked one of our scanners, so you know your real coverage.

"I don't have anything worth stealing"

They aren't after your data. They want your server.

Attackers rent your box into a botnet, use your domain to send phishing that bypasses filters, or hold your content hostage for a ransom demand. "Nothing to steal" doesn't mean "nothing to exploit" — and the automated scanners doing this work right now don't care how small your site is.

Four things the
other scanners don't do.

Most tools either underreport (so they look polite) or fire-hose you with noise. We did neither.

!

Honest when blocked

If a CDN or WAF blocked our scanner, we surface it — so a "clean" report isn't just the WAF being polite to us.

CVSS-scored priority

Every finding rated. CVSS 7.5 vs est. 5.0 — you know what's sourced and what's our estimate.

Scan-to-scan diff

See exactly what's new, resolved, and unchanged since last time — so fixing something actually shows up as progress.

AI plain-English explainer

Every finding has an "explain" button. Claude translates the technical description for you or your dev team — on demand, no extra cost.

Frequently asked.

Is this legal to run against my website?+
Yes — you verify you own the domain (or have permission to scan it) before any active probe runs. We only do passive checks until ownership is proven.
Will you break my website?+
No. All probes are read-only, rate-limited per target, and follow the same etiquette a polite crawler would. We never send anything that modifies state, attempts to log in, or writes data.
What if my site is behind Cloudflare or another CDN?+
The scan still works against the published hostname. We test what the CDN serves, flag any scanner that got blocked at the edge (so you see your real coverage), and look for origin-IP leaks in public DNS and certificate transparency logs.
How is this different from other scanners?+
We focus on the outside view of a single website — no agents, no source-code access, no enterprise sales call. One URL, one report, one invoice. Large platforms sell the kitchen sink and price to CISOs; we sell one clear thing and price to the person who runs the website.
Do you store my data?+
We store the report and a fingerprint of your site (response headers, HTML metadata, observed technologies) so scan-to-scan diffing works. We never store full page bodies, cookies, or anything that could contain your users' data.
Can I scan again later?+
Yes — on demand, or scheduled daily / weekly / monthly. You get the diff against the previous scan every time.
What happens when I type my domain above?+
You'll be asked to register (so you can come back to the report and we can email you when it's ready), then to prove you own the domain. Then the scan runs. The whole thing takes about 5 minutes of your attention.

Five minutes now,
or a bad Tuesday later.

The scan's free. Your website already has the problems — the only question is whether you see them first.

$scan