How it works
Every Decloak scan runs seven independent security checks simultaneously. The free tier gives you a complete snapshot of one page in 15 seconds. The paid tier deploys an AI agent that keeps investigating until it has covered your entire site.
Single-page snapshot
All 7 layers on one URL. No account. Results in under 15 seconds. Good for a quick check on any page.
AI-guided site coverage
The agent reads findings and decides what to investigate next - crawling pages, fetching scripts, checking domains - until it has complete coverage.
The free scan
No setup, no account, no browser extension. Paste a URL and every scanner fires at once.
No account, no browser extension, no configuration. Just the URL you want to check. HTTPS is added automatically.
HTTP analysis, HTML parsing, headless browser capture, JavaScript CVE checks, tag manager analysis, domain intelligence, and AI synthesis all run simultaneously.
An A-F graded report with severity-ranked findings, an AI executive summary, and a shareable public link. Ready in under 15 seconds.
The 7 scan layers
Most scanners check one thing. Decloak runs seven independent analysis engines in parallel and correlates findings across them - a missing CSP header combined with a third-party script reading form fields is a different risk level than either finding alone.
HTTP & Transport
HTTPS enforcement, certificate validity, HSTS, redirect chains, security response headers (CSP, X-Frame-Options, Referrer-Policy), cookie flags, CORS, and server version disclosure.
HTML Analysis
All external scripts, hidden iframes, suspicious form fields, 1x1 tracking pixels, HTML comments containing credentials or internal paths, base tag hijacking, and data URIs.
Network Traffic
Headless browser captures every network request on page load - third-party domains, WebSocket connections, dynamically injected scripts, GTM container IDs, and storage writes.
JavaScript
Library fingerprinting via Retire.js and the OSV database, hardcoded secret and API key detection, suspicious postMessage calls, and eval usage patterns across every JS file found.
Tag Manager
Fetches and parses every GTM container found. Lists all active tags, their firing triggers, and domains they send data to - including unrecognised or recently-registered destinations.
Third-party
Every external domain contacted, categorised by purpose (analytics, CDN, ad network, unknown), with WHOIS registration age, subdomain patterns, and known threat intelligence signals.
AI Synthesis
All findings from Layers 1-6 are passed to an LLM that reads them holistically, weighs severity in context, and produces a plain-English executive summary readable by anyone - developer, CTO, or auditor. The free tier produces a one-shot summary. The paid agent uses reasoning to decide what findings warrant further investigation before writing the final report.
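As an added illustration of the cross-layer correlation described above (this is not Decloak's code; the host name, headers, HTML and severity rules are constructed assumptions), a minimal Python check that combines HTTP-header findings with HTML script findings and raises severity only when they coincide:

```python
import re
from urllib.parse import urlparse

# Constructed sample input (not from a real site): headers and HTML of a hypothetical
# login page that loads one third-party script and one first-party script.
SAMPLE_HOST = "www.example.test"
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=abc123; Path=/",
}
SAMPLE_HTML = """<html><body>
<form action="/login"><input name="password" type="password"></form>
<script src="https://cdn.example-analytics.test/collect.js"></script>
<script src="/static/app.js"></script>
</body></html>"""

REQUIRED_HEADERS = ("content-security-policy", "strict-transport-security",
                    "x-frame-options", "referrer-policy")

def header_findings(headers):
    """HTTP layer: missing security response headers and weak cookie flags."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [("missing_header", n, "medium") for n in REQUIRED_HEADERS if n not in h]
    cookie = h.get("set-cookie")
    if cookie:
        # Cookie attributes follow the first name=value pair, separated by ';'.
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(("cookie_flag", flag, "medium"))
    return findings

def html_findings(html, page_host):
    """HTML layer: scripts served from another host, plus whether a form is present."""
    srcs = re.findall(r'<script[^>]+src=["\']([^"\']+)', html, re.I)
    third_party = [s for s in srcs
                   if urlparse(s).hostname and urlparse(s).hostname != page_host]
    has_form = re.search(r"<form\b", html, re.I) is not None
    return [("third_party_script", s, "low") for s in third_party], has_form

def correlate(headers, html, page_host):
    """Cross-layer rule: no CSP + third-party script on a form page is rated high."""
    findings = header_findings(headers)
    scripts, has_form = html_findings(html, page_host)
    findings += scripts
    csp_missing = any(f[1] == "content-security-policy" for f in findings)
    if csp_missing and scripts and has_form:
        findings.append(("correlated", "no CSP + third-party script on a form page", "high"))
    return findings
```

Each finding alone stays medium or low; only the combination produces the high rating, which is the point the correlation step makes.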
The full investigation
The free scan shows you one page. The paid tier deploys an AI security agent that behaves the way a skilled analyst would: run the initial scan, read the findings, decide what is worth investigating further, follow the threads, and keep going.
Initial 7-layer scan on the root URL
Same scan the free tier runs - but this is just the starting point, not the result.
Agent reads findings and decides what to investigate next
An exposed source map? Worth fetching. A GTM container with unknown tags? Worth parsing. A suspicious domain? Worth checking WHOIS and threat intel.
Parallel investigation of threads
Multiple investigation actions run in parallel - fetching scripts, scanning new pages, checking domains - while the agent monitors progress.
Re-reads accumulated findings - decides what comes next
Not a fixed checklist. The agent dynamically adjusts based on what it finds. A credential in a source map leads to different next steps than a CSP header gap.
Per-finding remediation guidance
Once investigation is complete, the agent writes specific, actionable remediation steps for every finding - not generic advice.
Free vs full
Single page - no account required
Starter from £29/mo
Try it now
Free scan takes 15 seconds. No account. No setup. If you find something worth digging into, upgrade and let the agent follow the thread.