# Decloak > Decloak is an automated web security intelligence platform. A user submits a URL and receives a scored, graded report covering HTTP/TLS posture, page content, network behaviour, JavaScript vulnerabilities, tag managers, third-party domains, DNS/TLS/subdomain exposure, vibe-coded platform misconfigurations (Supabase, Lovable, Base44, Bubble, Next.js), and (on Enterprise) active security testing, tied together with an AI-written executive summary. ## What Decloak checks Decloak runs 10 scan layers against a target website - the first 7 plus layer 10 run on every scan including the free tier (8 total), 2 more (layers 8 and 9) are paid-tier only: 1. **HTTP & Transport Analysis** - security headers, TLS configuration, cookie flags, and transport-level misconfigurations. 2. **Static HTML Analysis** - page markup, inline scripts, and asset extraction. 3. **Rendered Page & Network Traffic Analysis** - a real browser (via Playwright) renders the page and records every network request it makes. 4. **JavaScript Vulnerability Scanning** - detects known-vulnerable JavaScript libraries (via the Retire.js vulnerability database) and dangerous code patterns, with CVE IDs linked to NVD. 5. **Tag Manager Intelligence** - inspects Google Tag Manager and similar containers for what they load and where data flows. 6. **Third-Party Domain Intelligence** - maps every third-party domain a page talks to and flags known-malicious infrastructure. 7. **AI Executive Summary** - a large language model synthesizes the findings from layers 1-6 and 10 into a plain-English executive summary with remediation guidance. 8. **Active Security Testing (DAST)** - Enterprise only. Safe, non-destructive active probes: forced browsing, CORS misconfiguration checks, reflected-input canaries, and authenticated scans behind a real login. Scored as an independent Active Testing Score. 9. **DNS, TLS & Subdomain Discovery** - Starter and up. SPF/DMARC/DNSSEC/CAA records, certificate issuer/expiry/cipher strength, and wordlist-based subdomain enumeration. 10. **Vibe-Coded Platform Security** - free tier included, runs on every scan. Fingerprints Supabase, Lovable, Base44, Bubble, and Next.js, then checks for the misconfigurations most commonly reported for that stack: publicly readable database tables via a leaked anon key, exposed Supabase service_role keys, Bubble Data API exposure, and known platform CVEs (e.g. the Next.js middleware authorization bypass, CVE-2025-29927). ## Tiers - **Free** - single-page scan, no login required, results in about 15 seconds, produces a shareable public report link, includes vibe-coded platform security checks. - **Starter (£29/mo)** - an AI agent crawls up to 50 pages of a site, decides what to check next, adds DNS/TLS/subdomain analysis, scheduled scans, and per-finding remediation. - **Pro (£79/mo)** - up to 200 pages, ISO 27001/SOC2 compliance control mapping, remediation tracking, team accounts, API and MCP access, Slack and webhook integrations. - **Enterprise (£99/mo)** - everything in Pro, plus Active Security Testing (DAST), authenticated scan mode via a browser extension, and a standalone executive DAST report. ## Who uses it - **Vibe coders & solo builders** - free instant checks for AI-built apps, including detection of common Supabase, Lovable, and Base44 misconfigurations (like a publicly readable database). - **Small & growing businesses** - scheduled scans and DNS/TLS/subdomain monitoring without an enterprise scanner budget. - **Compliance & security teams** - SOC2/ISO 27001 evidence mapping plus Enterprise-tier active security testing. - **Agencies & MSPs** - one dashboard across every client domain, with team seats and API/MCP access. ## Learn more - How it works: https://decloak.dev/how-it-works - Full feature list: https://decloak.dev/features - Integrations (Slack, webhooks, API, MCP): https://decloak.dev/integrations - Frequently asked questions: https://decloak.dev/faq - For vibe coders & solo builders: https://decloak.dev/for-vibe-coders - For small & growing businesses: https://decloak.dev/for-small-business - For compliance & security teams: https://decloak.dev/for-compliance - For agencies & MSPs: https://decloak.dev/for-agencies Decloak is operated by Sparrow Technology Ltd, a company registered in England and Wales.