Every scan runs up to 15 automated security checks on your domain and delivers a plain-English PDF report with a prioritised action plan.
Here's exactly what we look at on every scan and why it matters for your business.
Grades your encryption A–F, checks the expiry date, and flags outdated protocols like TLS 1.0 that leave customer data exposed in transit.
Checks for 6 critical HTTP headers that protect your site against XSS attacks, clickjacking, and content injection from malicious scripts.
Verifies your DNS email records. Without these, anyone can send emails pretending to be your business — the foundation of most phishing attacks.
Scans 30+ common subdomains like admin, staging, vpn, and dev — and flags any that are publicly reachable when they shouldn't be.
Checks that your site forces visitors to the encrypted version. Without it, passwords and form data sent over plain HTTP are visible on the network.
Checks that your cookies have Secure, HttpOnly, and SameSite flags. Missing flags let attackers steal session tokens and impersonate logged-in users.
Identifies your platform (WordPress, Shopify, Wix, etc.) so we can flag version-specific vulnerabilities and known exploits in the report.
Checks your domain registrar and expiry date. A lapsed domain can be registered by someone else and used to impersonate your business overnight.
Searches breach databases for every incident involving your domain — and lists exactly which emails and data types were exposed.
Checks for DNSSEC signing and CAA records. Without these, attackers can hijack your DNS traffic or have fraudulent SSL certificates issued for your domain.
Crawls your homepage and checks every internal link. Broken links damage trust and can expose old, unpatched pages still sitting on your server.
Scans 17 common ports and flags anything risky that's open to the internet — like RDP, Telnet, or exposed database ports that invite direct attacks.
Checks if your domain is flagged by Google for malware or phishing. A flagged domain shows a full-page warning to every visitor in Chrome and Firefox.
Generates and checks 50 lookalike versions of your domain. Registered lookalikes are a common tool for phishing your customers and staff.
Validates your full certificate chain end-to-end. A broken chain causes browser security warnings that drive visitors away and kill trust immediately.
Pick a plan and we'll run the scan, write the report, and have it in your inbox — usually the same day.