What we check

Forty plus checks across your perimeter.

Three areas: your sites, your mail, your edges. Plain English findings, ranked by what to fix first. If a check is on this page we run it. If it is not, assume we don't, and ask us.

At a glance

The three areas, in summary.


Your sites

Sites and platforms.

Public-facing websites, the platforms that run them, and the configuration details an attacker probes first.

10 checks in this area

  • Tech stack fingerprinting: Server, framework, CMS, CDN, analytics.

    We identify what runs your site so every other check knows where to look. Keeps false positives low and remediation advice specific to your stack.

  • Known CVEs across 10,000+ signatures: Updated daily, matched to detected components.

    Every detected component is matched against its disclosed security holes. We prioritise findings where a public exploit exists, so you fix what matters first.

  • Security headers and cookie flags: CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy.

    Browser hardening every modern site should ship. We also check cookie Secure, HttpOnly, and SameSite attributes on session and login cookies.

  • Secrets in public JavaScript: API keys, Stripe and Mapbox tokens, internal URLs.

    We extract and flag credentials accidentally shipped to the browser. The classic source of unexpected billing surprises and account takeovers.

  • Exposed admin panels, .git, .env, backups: wp-admin, phpMyAdmin, Jenkins, Grafana, leftover archives.

    The high-impact misconfigurations that show up in real breach post-mortems. A .git directory is treated as critical because anyone can clone your source.

  • WordPress, Shopify, Magento, Drupal, Joomla: Plugin and theme versions, known-CVE matches, exposed endpoints.

    Bounded plugin and theme version enumeration, xmlrpc exposure, wp-json user enumeration, app-proxy fingerprinting. CMS-specific because the attacks are CMS-specific.

  • Bounded unauthenticated DAST: Reflected HTML input, open redirects, insecure form actions.

    A bounded crawl plus a small fuzz pass. We do not log in, we do not test business logic, we do not claim full OWASP Top 10. Anything deeper is pentest territory.

  • GraphQL introspection: If introspection is on, the whole schema is public.

    We detect introspection and surface the queryable types. Production GraphQL endpoints almost always want introspection disabled.

  • Source map exposure: Browser-readable maps revealing your unminified source.

    JavaScript source maps in production let anyone read your original module structure. We detect and flag them so you can ship them only to authenticated users or strip them entirely.

  • Error and stack-trace disclosure: Framework versions and file paths leaked on bad input.

    Pages that leak framework version, file paths, or database errors when probed with malformed input. Useful reconnaissance for an attacker, easy to suppress in production config.
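The security-header and cookie-flag check described above, as an added example that is not the scanner's own code. It runs over a constructed HTTP response header block (an assumption standing in for a live fetch) and the session-cookie name heuristic is also an assumption.

```python
import re
# Constructed sample response (assumption) standing in for a live fetch:
# two hardening headers are absent and the session cookie lacks two flags.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
Set-Cookie: auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax
"""
REQUIRED_HEADERS = ["content-security-policy", "strict-transport-security",
                    "x-frame-options", "referrer-policy", "permissions-policy"]
SESSION_NAME = re.compile(r"sess|auth|token|login|sid", re.I)  # heuristic, an assumption

def parse_headers(raw):
    # Lowercase header -> first value, plus every Set-Cookie value in order.
    headers, cookies = {}, []
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers.setdefault(name, value)
    return headers, cookies

def missing_headers(headers):
    # Hardening headers the page lists that the response does not send.
    return [h for h in REQUIRED_HEADERS if h not in headers]

def cookie_findings(cookies):
    # Session-like cookies must carry Secure, HttpOnly and SameSite; others are skipped.
    findings = []
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        if not SESSION_NAME.search(name):
            continue
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        findings += [f"{name}: missing {f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
    return findings

def check(raw=SAMPLE_RESPONSE):
    headers, cookies = parse_headers(raw)
    return {"missing_headers": missing_headers(headers), "cookie_findings": cookie_findings(cookies)}
```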

Your mail

Mail and impersonation.

Domain auth, deliverability hygiene, and the records that decide whether attackers can impersonate you.

7 checks in this area

  • SPF record presence and validity: Which mail servers are authorised to send from your domain.

    We verify the SPF record exists, is syntactically valid, fits within the 10-lookup limit, and ends with a -all (fail) or ~all (softfail) terminator rather than a permissive policy.

  • DKIM selector discovery: Active selectors, key length, and signing in practice.

    We discover active DKIM selectors via common provider naming and confirm the published key signs outbound mail. Weak keys (under 1024 bits) and unused selectors are flagged.

  • DMARC policy enforcement: p=none, p=quarantine, or p=reject.

    We surface the policy and flag domains with no DMARC or with p=none only, which are spoofable in practice. We also check the reporting addresses are reachable.

  • MTA-STS and TLS-RPT: Whether your inbound mail enforces TLS.

    The pieces most operators forget after SPF, DKIM, and DMARC. Without MTA-STS, your inbound mail can be downgraded to plain text by an attacker on the path.

  • BIMI eligibility: The inbox icon next to your sender name.

    Brand Indicators for Message Identification need DMARC at p=quarantine or stricter plus a verified mark certificate. We flag whether you qualify and what is missing.

  • Look-alike domain monitoring: Common typo-squat and homoglyph variants.

    Variants of your domain that an attacker could register and use for invoice fraud or customer impersonation. We flag the ones that have been registered.

  • Mail provider detection: Microsoft 365, Google Workspace, Zoho, self-hosted.

    Useful context for the rest of the report and for shaping remediation advice. Provider-specific fix steps are easier to follow than generic ones.
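The SPF validity rules (record present, parsable, within the 10-lookup limit, terminated by -all or ~all) and the DMARC p=none rule from the two checks above, as an added example that is not the scanner's own code. The `TXT` dictionary is a constructed zone standing in for live DNS lookups (an assumption so the script runs offline); the lookup count follows the include/redirect chain recursively, which is what actually pushes real records past 10.

```python
import re
# Constructed sample zone (assumption) standing in for live DNS TXT lookups.
TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.test include:_spf.crm.test mx -all"],
    "_spf.mailhost.test": ["v=spf1 include:a.mailhost.test mx ~all"],
    "a.mailhost.test": ["v=spf1 ip4:192.0.2.0/24 a mx -all"],
    "_spf.crm.test": ["v=spf1 a mx ptr exists:%{i}.crm.test ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "lax.test": ["v=spf1 include:_spf.mailhost.test +all"],
}
TERM = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:[:=/](.*))?$")  # qualifier, name, argument
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def spf_record(domain):
    # The single v=spf1 TXT record for domain, or None if absent or duplicated.
    recs = [r for r in TXT.get(domain, []) if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def count_lookups(domain, path=()):
    # Recursive count of DNS-querying terms; `path` guards against include loops.
    rec = spf_record(domain)
    if rec is None or domain in path:
        return 0
    total = 0
    for term in rec.split()[1:]:
        m = TERM.match(term)
        name, arg = (m.group(1).lower(), m.group(2) or "") if m else ("", "")
        if name in LOOKUP_MECHS:
            nested = name in ("include", "redirect")
            total += 1 + (count_lookups(arg, path + (domain,)) if nested else 0)
    return total

def check_spf(domain):
    # Findings for the page's SPF rules; an empty list means the record passes.
    rec = spf_record(domain)
    if rec is None:
        return ["no single valid v=spf1 record"]
    findings, last, n = [], rec.split()[-1].lower(), count_lookups(domain)
    if last not in ("-all", "~all"):
        findings.append(f"terminal mechanism is {last!r}, expected -all or ~all")
    if n > 10:
        findings.append(f"{n} DNS lookups exceed the limit of 10")
    return findings

def check_dmarc(domain):
    # A missing DMARC record and p=none both leave the domain spoofable (page rule).
    recs = [r for r in TXT.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    m = re.search(r"(?:^|;)\s*p=(\w+)", recs[0]) if recs else None
    policy = m.group(1).lower() if m else ("missing" if recs else "no record")
    return [] if policy in ("quarantine", "reject") else [f"DMARC policy: {policy}"]
```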

Your edges

Edges and discovery.

The discovery layer: subdomains, hosts, services, certificates, and the supply chain around them.

8 checks in this area

  • Subdomain enumeration: Passive sources plus light active probing.

    CT logs, search engines, and code search, paired with bounded active probing. We surface forgotten subdomains before the attacker does.

  • DNS records inventory: A, AAAA, MX, NS, TXT, CAA, CNAME.

    A complete record of your DNS posture. Surfaces dangling records, weak CAA policies, and provider drift that nobody notices until something breaks.

  • Live host detection and port scanning: Top 100 TCP ports across discovered hosts.

    CDN, cloud provider, and ASN context attached to each result. We do not full-port-sweep your edge by default; that is intrusive and not useful at this cadence.

  • Subdomain takeover: Dangling CNAMEs at deleted cloud resources.

    Azure, Heroku, GitHub Pages, S3, and similar. We verify both DNS evidence and an unclaimed-site marker before flagging, so this finding is real every time it ships.

  • TLS posture: Versions, ciphers, certificate validity and chain.

    TLS versions supported, weak ciphers, certificate expiry and rotation hygiene. We detect Heartbleed, POODLE, BEAST, and Sweet32 conditions on legacy endpoints.

  • Public cloud storage: Bounded enumeration of public buckets and containers.

    S3, Azure Blob, and GCS lookups under exact and common domain-derived names. We only flag verified public listings, not guesses.

  • Certificate-transparency monitoring: New certificates issued for your domains.

    Continuous passive discovery of new CT log entries. Catches shadow IT and unauthorised issuance the moment it shows up in a public log.

  • Third-party script inventory: Every external script loaded by your site.

    A live inventory of your supply chain in the browser, with provider context. Helps trace stale integrations and supply-chain risk.

Cadence

Monthly by default. Emerging-threat triggers in between.

The full scan runs on the schedule you choose. When a major vulnerability hits we re-run the affected modules across every customer and email you if you are exposed.

Monthly full scan
  • All three areas, every active asset
  • Report delivered within 24 hours
  • Diff against the previous cycle

Emerging-threat triggers
  • We watch CISA KEV and vendor advisories
  • Affected modules re-run within hours
  • Email alert only if you are exposed

What we don't claim

Six things this scan is not.

We would rather be the tool you trust on what we cover than overclaim and disappoint. If any of these matter for your compliance position, tell us and we can recommend who handles them well.

We do not claim Essential Eight coverage
  • The Essential Eight is a maturity model for internal controls (patching, MFA, application control, daily backups). Our scan checks external-only exposure. They sit next to each other, not on top.
We are not a PCI DSS approved scanning vendor
  • We are not ASV-certified. If your merchant bank requires a PCI ASV quarterly scan, you need an approved vendor. We can complement that engagement, not replace it.
We do not produce HIPAA evidence
  • HIPAA is a US healthcare framework. Our scan and report shape are designed for the Australian Privacy Act and APRA-aligned questionnaires, not HIPAA Security Rule attestation.
We do not produce GDPR evidence
  • GDPR Article 32 references reasonable technical measures; our scan helps demonstrate them, but the report is not a GDPR conformity assessment and we do not act as a DPA-named processor for that purpose.
We do not claim APRA CPS 234 coverage
  • CPS 234 applies to APRA-regulated entities (banks, insurers, super funds) and requires internal controls and board-level reporting we do not provide. Our scan is an evidence input, not a CPS 234 control.
We do not claim NIST CSF certification
  • The NIST Cybersecurity Framework is a control-mapping framework, not a scan output. Our findings can be mapped to specific subcategories, but we do not deliver a NIST CSF assessment.

Run the full list

Know what attackers can see. On a monthly schedule.

One subscription. All three areas. Emerging-threat triggers in between. Cancel anytime from the Stripe portal.