How it works

Seven layers.
One investigation.

Every Decloak scan runs seven independent security checks simultaneously. The free tier gives you a complete snapshot of one page in 15 seconds. The paid tier deploys an AI agent that keeps investigating until it has covered your entire site.

Free scan

Single-page snapshot

All 7 layers on one URL. No account. Results in under 15 seconds. Good for a quick check on any page.

Full investigation

AI-guided site coverage

The agent reads findings and decides what to investigate next - crawling pages, fetching scripts, checking domains - until it has complete coverage.

The free scan

Ready in 15 seconds

No setup, no account, no browser extension. Paste a URL and every scanner fires at once.

01

Paste any URL

No account, no browser extension, no configuration. Just the URL you want to check. HTTPS is added automatically.

02

Seven scanners fire at once

HTTP analysis, HTML parsing, headless browser capture, JavaScript CVE checks, tag manager analysis, domain intelligence, and AI synthesis all run simultaneously.

03

Scored report - no account needed

An A-F graded report with severity-ranked findings, an AI executive summary, and a shareable public link. Ready in under 15 seconds.

The 7 scan layers

Every attack surface. Simultaneously.

Most scanners check one thing. Decloak runs seven independent analysis engines in parallel and correlates findings across them - a missing CSP header combined with a third-party script reading form fields represents a different risk level from either finding alone.

01

HTTP & Transport

HTTP & TLS Security

HTTPS enforcement, certificate validity, HSTS, redirect chains, security response headers (CSP, X-Frame-Options, Referrer-Policy), cookie flags, CORS, and server version disclosure.
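The header and cookie checks listed above can be run against a captured response without any network access. The following script is an added example written for this page, not Decloak's own code: it parses a raw header block, audits it for the Layer 1 items (HSTS, CSP, clickjacking headers, Referrer-Policy, cookie flags, CORS, server version disclosure) and returns structured findings. Both sample responses are constructed, and the thresholds (for instance a one-year HSTS max-age) and finding codes are this example's own assumptions.

```python
"""Audit a captured HTTP response for transport-layer weaknesses.
Added example, not Decloak's code; samples and thresholds are assumptions."""
import re
from email.message import Message

HSTS_MIN_MAX_AGE = 31536000  # one year; threshold assumed here, not Decloak's


def parse_raw_headers(raw: str) -> Message:
    """Parse 'Name: value' lines into a case-insensitive, multi-valued mapping."""
    msg = Message()
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        msg[name.strip()] = value.strip()  # __setitem__ appends, so repeated Set-Cookie survives
    return msg


def parse_csp(csp: str) -> dict:
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(final_url: str, headers: Message) -> list:
    """Return (severity, code, detail) tuples, one per weakness found."""
    findings = []

    def add(severity, code, detail):
        findings.append((severity, code, detail))

    is_https = final_url.lower().startswith("https://")
    if not is_https:
        add("high", "no-https", final_url)

    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        add("medium", "hsts-missing", "")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            add("low", "hsts-short", hsts)

    csp = headers.get("Content-Security-Policy")
    directives = parse_csp(csp) if csp else {}
    if not csp:
        add("medium", "csp-missing", "")
    else:
        # script-src falls back to default-src when absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            add("medium", "csp-unsafe-inline", " ".join(script_src))

    if headers.get("X-Frame-Options") is None and "frame-ancestors" not in directives:
        add("medium", "clickjacking", "no X-Frame-Options and no frame-ancestors")

    if headers.get("Referrer-Policy") is None:
        add("low", "referrer-policy-missing", "")

    server = headers.get("Server", "")
    if re.search(r"\d", server):  # a digit in Server usually means a version string
        add("low", "server-version", server)

    if headers.get("Access-Control-Allow-Origin", "").strip() == "*":
        if headers.get("Access-Control-Allow-Credentials", "").lower() == "true":
            add("high", "cors-wildcard-credentials", "")
        else:
            add("low", "cors-wildcard", "")

    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        if is_https and "secure" not in attrs:
            add("low", "cookie-no-secure", name)
        if "httponly" not in attrs:
            add("low", "cookie-no-httponly", name)
        if "samesite" not in attrs:
            add("low", "cookie-no-samesite", name)
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_URL = "https://www.example.com/"
WEAK_HEADERS = parse_raw_headers("""
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net
Access-Control-Allow-Origin: *
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; SameSite=Lax
""")
HARDENED_HEADERS = parse_raw_headers("""
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
""")

if __name__ == "__main__":
    for sev, code, detail in audit_headers(WEAK_URL, WEAK_HEADERS):
        print(f"{sev:6} {code:26} {detail}")
    print("hardened:", audit_headers(WEAK_URL, HARDENED_HEADERS))
```

The weak response produces nine findings (short HSTS, unsafe-inline scripts, no clickjacking protection, no Referrer-Policy, a version string in Server, wildcard CORS, and three cookie-flag gaps), while the hardened response produces none. A real scanner would obtain `final_url` and the headers by following the redirect chain first; that fetch is deliberately left out so the audit logic stays testable offline.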

02

HTML Analysis

Static HTML Analysis

All external scripts, hidden iframes, suspicious form fields, 1x1 tracking pixels, HTML comments containing credentials or internal paths, base tag hijacking, and data URIs.
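The static checks above need nothing more than an HTML parser and the page's own origin. The script below is an added example written for this page, not Decloak's code: it walks the markup with the standard-library parser and reports external scripts, hidden iframes, 1x1 pixels, comments containing credential-like strings or internal paths, an off-site `<base>` tag, `data:` URIs and forms posting to another origin. The sample page is constructed, and the regular expressions and finding codes are this example's own heuristics. It also goes one step beyond the paragraph: because `<base href>` changes how every relative URL resolves, the analyzer resolves `src` and `action` against the current base, which is what makes a hijacked base tag turn first-party-looking scripts into external ones.

```python
"""Static HTML analysis of one page. Added example, not Decloak's code;
the sample page is constructed and the heuristics are this example's own."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CREDENTIAL_RE = re.compile(r"\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]", re.I)
INTERNAL_PATH_RE = re.compile(
    r"(/var/www|/home/\w+|[A-Z]:\\|\b10\.\d+\.\d+\.\d+\b|\b192\.168\.\d+\.\d+\b)")


class StaticAnalyzer(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.origin_host = urlparse(page_url).netloc.lower()
        self.base = page_url  # updated by <base href>, which rebases every relative URL
        self.findings = []

    def _resolve(self, url: str) -> str:
        return urljoin(self.base, url)

    def _is_external(self, url: str) -> bool:
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.origin_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # bare attributes (hidden) become ""
        src = a.get("src", "")
        if tag == "base" and "href" in a:
            self.base = urljoin(self.base, a["href"])
            if self._is_external(self.base):
                self.findings.append(("base-hijack", self.base))
        elif tag == "script" and src:
            if src.startswith("data:"):
                self.findings.append(("data-uri-script", src[:40]))
            elif self._is_external(self._resolve(src)):
                self.findings.append(("external-script", self._resolve(src)))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("hidden" in a or "display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if src.startswith("data:"):
                self.findings.append(("data-uri-iframe", src[:40]))
            if hidden:
                self.findings.append(("hidden-iframe", self._resolve(src)))
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append(("tracking-pixel", self._resolve(src)))
        elif tag == "form" and "action" in a:
            action = self._resolve(a["action"])
            if self._is_external(action):
                self.findings.append(("external-form-action", action))

    def handle_comment(self, data):
        text = data.strip()
        if CREDENTIAL_RE.search(text):
            self.findings.append(("credential-in-comment", text[:60]))
        elif INTERNAL_PATH_RE.search(text):
            self.findings.append(("internal-path-in-comment", text[:60]))


def analyze_html(page_url: str, html: str) -> list:
    """Return (code, detail) findings for one page's HTML, in document order."""
    parser = StaticAnalyzer(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (example domains only, not a real site).
SAMPLE_PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<!doctype html>
<html><head>
<base href="https://cdn.example.net/">
<!-- TODO remove before launch: api_key=EXAMPLE_KEY_0000 -->
<!-- deployed from /var/www/shop/releases/42 -->
<script src="/static/app.js"></script>
<script src="https://tagmgr.example.net/loader.js"></script>
<script src="data:text/javascript;base64,YWxlcnQoMSk="></script>
</head><body>
<form action="https://collect.example.org/submit" method="post">
  <input name="email"><input type="password" name="pw">
</form>
<iframe src="https://ads.example.net/frame" style="display: none"></iframe>
<iframe src="/help" width="600" height="400"></iframe>
<img src="https://px.example.net/p.gif" width="1" height="1">
<img src="/logo.png" width="200" height="50">
</body></html>"""

if __name__ == "__main__":
    for code, detail in analyze_html(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{code:26} {detail}")
```

Note that `/static/app.js` is reported as an external script even though it looks first-party: the off-site `<base>` rebases it onto `cdn.example.net`, which is exactly why a base tag pointing elsewhere is worth flagging on its own.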

03

Network Traffic

Rendered Page & Network

A headless browser captures every network request on page load - third-party domains, WebSocket connections, dynamically injected scripts, GTM container IDs, and storage writes.

04

JavaScript

JavaScript Vulnerability Scan

Library fingerprinting via Retire.js and OSV database, hardcoded secrets and API key detection, suspicious postMessage calls, and eval usage patterns across every JS file found.
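The secret, `postMessage` and `eval` checks above are pattern matches over JavaScript source. The script below is an added example written for this page, not Decloak's code, and it does not reproduce the Retire.js/OSV library fingerprinting: it scans one JS file for hardcoded keys, `eval` and `Function` constructor calls, `postMessage` with a `"*"` target origin, and `message` listeners that never consult `.origin`. The sample file is constructed (the AWS key is the publicly documented `AKIAIOSFODNN7EXAMPLE` placeholder), and the patterns, the 300-character origin-check window and the finding codes are this example's own heuristics.

```python
"""Pattern scan of one JavaScript file. Added example, not Decloak's code;
the sample source is constructed and the patterns are this example's own."""
import re

PATTERNS = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-api-key", re.compile(
        r"""\b(api[_-]?key|secret|token)\b\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]""", re.I)),
    ("eval-call", re.compile(r"\beval\s*\(")),
    ("function-constructor", re.compile(r"\bnew\s+Function\s*\(")),
    # postMessage(..., "*") sends the payload to whatever is in the target window
    ("postmessage-wildcard", re.compile(r"""\.postMessage\s*\([^;]*?,\s*['"]\*['"]\s*\)""")),
]
MESSAGE_LISTENER_RE = re.compile(r"""addEventListener\s*\(\s*['"]message['"]""")
ORIGIN_CHECK_WINDOW = 300  # chars after the listener to look for an origin check (heuristic)


def line_of(text: str, pos: int) -> int:
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1


def scan_js(source: str) -> list:
    """Return (code, line, snippet) findings sorted by line number."""
    findings = []
    for code, pattern in PATTERNS:
        for m in pattern.finditer(source):
            findings.append((code, line_of(source, m.start()), m.group(0)[:60]))
    for m in MESSAGE_LISTENER_RE.finditer(source):
        # A listener that never reads event.origin accepts messages from any window.
        window = source[m.end():m.end() + ORIGIN_CHECK_WINDOW]
        if ".origin" not in window:
            findings.append(("message-listener-no-origin-check",
                             line_of(source, m.start()), m.group(0)))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample file; the key values are placeholders, not real credentials.
SAMPLE_JS = """\
const API_KEY = "abcdef0123456789ABCDEF01";
const creds = { key: "AKIAIOSFODNN7EXAMPLE" };
window.addEventListener("message", function (e) {
  document.getElementById("out").innerHTML = e.data;
});
parent.postMessage({ height: document.body.scrollHeight }, "*");
const cfg = eval("(" + raw + ")");
"""
SAFE_JS = ('window.addEventListener("message", (e) => {'
           ' if (e.origin !== "https://app.example.com") return; render(e.data); });')

if __name__ == "__main__":
    for code, line, snippet in scan_js(SAMPLE_JS):
        print(f"line {line:3}  {code:34} {snippet}")
    print("safe listener:", scan_js(SAFE_JS))
```

The origin-check heuristic looks only at a fixed window after the listener registration, so a handler defined elsewhere and passed by name would need a second pass; a production scanner would parse the source into an AST and inspect the handler body instead. On the sample it reports five findings and none for the listener that checks `e.origin`.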

05

Tag Manager

Tag Manager Intelligence

Fetches and parses every GTM container found. Lists all active tags, their firing triggers, and the domains they send data to - including unrecognised or recently registered destinations.

06

Third-party

Third-Party Domain Intel

Every external domain contacted, categorised by purpose (analytics, CDN, ad network, unknown), with WHOIS registration age, subdomain patterns, and known threat intelligence signals.

07

Layer 7

AI Synthesis & Executive Summary

All findings from Layers 1-6 are passed to an LLM that reads them holistically, weighs severity in context, and produces a plain-English executive summary readable by anyone - developer, CTO, or auditor. The free tier produces a one-shot summary. The paid agent uses reasoning to decide what findings warrant further investigation before writing the final report.

The full investigation

It doesn't scan.
It investigates.

The free scan shows you one page. The paid tier deploys an AI security agent that behaves the way a skilled analyst would: run the initial scan, read the findings, decide what is worth investigating further, follow the threads, and keep going.

1

Initial 7-layer scan on the root URL

Same scan the free tier runs - but this is just the starting point, not the result.

2

Agent reads findings and decides what to investigate next

An exposed source map? Worth fetching. A GTM container with unknown tags? Worth parsing. A suspicious domain? Worth checking WHOIS and threat intel.

3

Parallel investigation of threads

Multiple investigation actions run in parallel - fetching scripts, scanning new pages, checking domains - while the agent monitors progress.

4

Re-reads accumulated findings - decides what comes next

Not a fixed checklist. The agent dynamically adjusts based on what it finds. A credential in a source map leads to different next steps than a CSP header gap.

5

Per-finding remediation guidance

Once investigation is complete, the agent writes specific, actionable remediation steps for every finding - not generic advice.

agent - investigation log (live)

  00:01  status   Starting investigation of example.com
  00:04  page     Layer 1-7 scan complete - 4 findings
  00:06  agent    Exposed source map at /dist/app.js.map
  00:08  fetch    Fetching source map - 1,847 source files found
  00:11  finding  Hardcoded API key in src/utils/analytics.ts
  00:13  agent    GTM container GTM-X4K9P2 detected - fetching
  00:16  page     14 active tags - 3 firing to unknown domains
  00:19  finding  cdn-analytics-2847.io - registered 6 weeks ago
  00:22  done     Investigation complete - 12 findings, 2 critical

Free vs full

What changes when you upgrade

Free scan

Single page - no account required

  • All 7 scan layers on one page
  • Security score and A-F grade
  • AI executive summary
  • Shareable public link
  • HTTP header checklist
  • Third-party domain map
  • Network request analysis
  • Results in under 15 seconds

Full investigation

Starter from £29/mo

  • Everything in Free, across every page
  • AI agent that investigates findings
  • Source map reconstruction and analysis
  • GTM container deep-dive
  • Per-finding remediation guidance
  • Scheduled recurring scans
  • Scan history and comparison reports
  • Email and Slack alerts for new criticals
  • PDF evidence packages for auditors
  • Multi-domain dashboard
  • Team access and finding assignment
  • ISO 27001 / SOC2 compliance mapping

Try it now

See what's running on your site.

Free scan takes 15 seconds. No account. No setup. If you find something worth digging into, upgrade and let the agent follow the thread.