jQuery 1.9.1 on the public site, with 13 known CVEs.
Their website was loading a JavaScript library version with thirteen public security holes. The fix was a single line in their site theme. Five minutes of work.
A regular security checkup for your website and business email.
We check your website, domain records, email setup and public systems, then give you a plain-English fix list for your IT provider, MSP or web developer.
safe external checksSend-to-IT reportscancel anytime
app.attackedge.io/scans/latest● SCANNING
0Grade C
Top findings
5 newExposed .git directoryshop.example.com
Dangling CNAME takeover riskdocs.example.com
DMARC missing, spoofableexample.com
Priority fix listThinking
The exposed
.git directory on shop.example.com is your highest priority. It can leak your entire source code and any committed secrets.Show me the fixSend to my IT
Built for
- Accountants
- Bookkeepers
- Dental practices
- Veterinary clinics
- Allied-health clinics
- Physiotherapists
- Web agencies
- Marketing agencies
- MSPs and IT providers
- Law firms
- Conveyancers
- Real-estate agencies
- Plumbers
- Electricians
- Locksmiths
- Cleaning services
- Ecommerce stores
- Online florists
- Cafes and bakeries
- Personal trainers
- Yoga studios
- Childcare centres
- Art galleries
- Photographers
- Independent consultants
- SaaS startups
- Drone services
- Auto repair shops
- Insurance brokers
What we check
What we check on every scan.
Plain-English findings, ranked by what to fix first. No 200-page PDF.
Website and public systems
- Expired certificates
- Exposed admin pages
- Old software with known issues
- Risky security headers
- Exposed files and backups
- Forgotten staging sites
Email and domain trust
- SPF anti-spoofing
- DKIM signing
- DMARC enforcement
- MTA-STS for inbound mail
- DNS records and posture
- Look-alike domain monitoring
Evidence and handoff
- Owner summary in plain English
- Technical fix notes for IT
- Dated PDF and shareable link
- New / fixed / ongoing tracking
- Send-to-IT one-click email
- Your cadence, no fuss
How it works
Four steps. No homework.
1
Tell us your domain
Type the address of your website. That’s it. No agents, no IT request.
2
We do the looking
In the background, politely. The same things an attacker would notice, and a few more.
3
You get the list
Plain English, ranked. A clear “do this first” at the top. Five minutes to read.
4
We watch over time
Every month we re-scan. We email you when something new appears, including on emerging-threat days.
Sample report
See the report before you buy.
A realistic report shows the owner summary, findings, evidence, technical fix notes and who should fix each issue.
Between scans
Emerging-threat checks between your scheduled scans.
You set the cadence. Emerging threats break it on purpose. When a new vulnerability is published, we check your stack against it. If your stack appears affected, we run an extra check and notify you quickly.
A new CVE drops
- We track CISA KEV, NVD, and vendor advisories as they publish.
- Each one is matched against the software fingerprints we already keep for the sites you scan.
It matches your stack
- An extra check runs against only the affected assets, off cycle, no extra cost to you.
- You get an email shortly after. Plain English. Severity, fix, and how long it usually takes.
It doesn't match
- No noise. We only email you when something actually applies to you.
- We still log the check so your evidence pack shows cadence + emergency coverage for the insurer.
Honestly
Most small businesses do not need to start with an A$20,000 pen test.
A penetration test has its place. AttackEdge is different: it gives you regular checks on the public parts of your business, so simple issues do not sit unnoticed for months.
AttackEdgeAnnual pen testDIY scanner
What it costsFrom A$39 / monthA$8,000–40,000 onceFree + your weekend
How long to set up60 seconds4–8 weeksHours, then more
How often it runsEvery month + emerging-threat triggersOnce a year, maybeWhen you remember
Who it’s written forYouYour IT teamYou, in raw output
What you do next“Fix this first”Schedule a meetingGoogle the errors
Plans
Plans for solo businesses, small teams and one-off reports.
Pay monthly or annually. Cancel any time. Annual is two months free.
Most chosen
SMB
A$99/month
50 scan units per month. Small teams with a few sites, a mail domain and some public systems.
StartSnapshot
A$149 once
One purchase, one comprehensive report covering up to 15 of your sites. Share with a client, insurer or IT provider.
StartPrices shown in AUD. Add-ons and the full feature matrix on the pricing page.
MSP / Agency
Managing client sites?
Pooled scan units across client workspaces, co-brandable PDF reports, central reporting, custom seat counts. Bespoke pricing depending on size and cadence.
Talk to us
A note from the founder
“Most security tools aren’t built for you. This one is.”
I’ve been an offensive security practitioner since 2012 and I still spend my weeks finding weak spots in big systems as technical director at SilentGrid, an Australian offensive security firm trusted by government, ASX-listed companies, and large enterprises. The same simple problems come up almost every time.
Small businesses get hit by exactly those things. They just can’t afford the people who’d catch them. AttackEdge is my attempt to fix that. Proper offensive security checks, made friendly, priced for a coffee shop or a dental practice.
— Claudio Moletta · Founder
From AttackEdge scans this week
Three things we caught.
Real anonymised findings from AttackEdge scans of Australian small businesses. If your stack looks like one of these, you probably have one too. Rotated weekly.
Stripe live key sitting in a public JavaScript bundle.
We found a live Stripe payment key in the source of their public website. Anyone with a browser could read it. They rotated it within the hour.
A subdomain pointing at a deleted Azure resource.
An old staging.clinic-anon.com.au was still in their DNS, pointing at nothing. Anyone could claim that subdomain and serve content as them. Removed in one click.
Common questions
Honest answers.
- No. AttackEdge is recurring external security monitoring. We do not log in, exploit vulnerabilities, brute-force accounts or stress-test your systems. If your insurer or a large client requires a pen test, that is still a separate engagement; AttackEdge runs alongside it.
Better safe than sorry
See what attackers see. Before they do.
Most checks come back with three things to fix and an hour of work. Worth a Monday morning.
Setup in 60 seconds · First report in 24h · Cancel anytime