Features
11 features available on the free tier. 22 more unlock with a paid account. Filter below to see exactly what you get at each level.
Scanning
Paste any URL and get a complete security snapshot across all 7 layers in under 15 seconds. No account, no setup.
HTTP/TLS, HTML, network traffic, JavaScript CVEs, tag managers, third-party supply chain, and AI synthesis all run simultaneously on every scan.
Retire.js + OSV database checks against every JS library identified on the page. Pinpoints the exact file and version with the CVE ID linked.
Every external domain your page contacts - categorised by purpose, checked for registration age, and flagged if they match threat intelligence signals.
Full checklist of CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, cookie flags, CORS, and server version disclosure.
Identifies every GTM container, lists all active tags and their firing triggers, and flags tags sending data to unrecognised or newly-registered domains.
Every scan produces a weighted 0-100 score and A-F grade calculated from finding severity across all 7 layers. Comparable across scans over time.
Headless browser records every request made on page load - third-party scripts, WebSocket connections, dynamically injected tags, and storage writes.
AI Investigation
An AI agent crawls your entire site - or a defined scope - running all 7 layers on every page it decides is worth investigating.
Watch the agent explain every decision in real time as it investigates. Each step is logged with the finding that triggered it - useful as an audit trail.
When an exposed .map file is found, the agent fetches it and reconstructs original source to check for hardcoded secrets and internal architecture leaks.
Goes beyond identifying the container ID - fetches and parses the full tag configuration, including nested tags, custom HTML tags, and variable definitions.
WHOIS lookup, registration age, subdomain enumeration, and threat reputation checks for every third-party domain your site contacts.
AI-written remediation steps specific to each finding - not generic advice. Tells your developer exactly what to change and why.
Reports
Plain-English summary of your security posture written by an LLM that has read all findings holistically. Readable by a CTO, auditor, or board member.
Every free report gets a public URL you can send to a developer, client, or auditor. Sign up to save reports to your account permanently.
Timestamped, formatted PDF with your scan details, findings, and an attestation block. Accepted by auditors for SOC2 and ISO 27001 evidence.
Every scan you run is preserved indefinitely. Filter by domain, date, or severity to find any past report instantly.
Side-by-side diff between any two scans of the same site. See exactly what findings are new, what has been resolved, and what has changed severity.
Export a date-range ZIP of all scan history - formatted for auditor handoff. Includes all PDFs, finding logs, and scan attestation metadata.
Compliance
Every finding is automatically tagged to the relevant ISO 27001 Annex A controls. Filter your report to show only findings relevant to a specific control.
Findings tagged to SOC2 Trust Services Criteria (Security, Availability, Confidentiality). Makes it straightforward to respond to auditor questions by control.
Mark each finding as Open, In Progress, Resolved, or Accepted Risk. Auditors need to see that findings are being acted on - this closes that loop.
Every scan is stamped with who triggered it, when, from where, and with which configuration. Full chain of custody for compliance evidence.
Automation
Set a daily, weekly, or monthly cadence and scans run automatically. Never miss a monthly security check-in for SOC2 or ISO 27001 again.
Get notified when a scheduled scan completes or when a new critical or high severity finding is detected - before your next scheduled check.
New critical findings delivered to a Slack channel of your choice within minutes. Useful for security channels and on-call workflows.
Push findings to any system - Jira, Linear, PagerDuty, or your own. Configurable payload with finding severity, title, and evidence.
Trigger scans from GitHub Actions, GitLab CI, or any pipeline via the API. Block merges if a new critical finding is introduced.
Team
Your account shows all scans organised by domain - current grade, last scanned, open findings. Free for all accounts. Pro adds team sharing and bulk actions.
Invite team members with role-based permissions. Developers see findings and remediation; managers see scores and reports; admins manage everything.
Tag any finding to a specific team member. They get notified and can update the remediation status. Closes the loop between security report and dev ticket.
Full REST API for programmatic scan triggering, result retrieval, and status polling. Includes client libraries for Node.js and Python.
No account needed. Paste a URL on the homepage and get your report in 15 seconds.
Scan free now
AI agent investigation, scheduled scans, team access, compliance reporting, and everything above.