What an attacker sees before they touch your site
Everything an outsider learns about you without sending a single malicious request.
What can someone learn about your site without hacking it?
Before anyone tries the door, they read your whole site from the street. Here is what an outsider learns about you without ever touching your backend.
Your tech stack is public. Does that matter?
Attackers don't guess your framework; your headers announce it. What fingerprinting reveals, why version numbers are a shopping list, and how to quiet it down.
What does "passive scanning" actually mean, and why is it legal?
The scan that never touches your backend is the one that finds the most. What passive scanning is, how it differs from active testing, and why it's legal.
What is a security grade and what does an A vs an F mean?
A stranger can grade your site's security in two minutes from the outside. What an A means, what an F means, and what actually moves the needle between them.
Passive scanner, DAST, or pentest: which one do you actually need?
A passive external scan, a DAST, and a pentest find different things and cost wildly different amounts. What each one sees, what it misses, and when to use which.
What your page source says when you're not looking: internal hosts, dev notes, emails
Your HTML and JS carry leftovers: internal IPs, staging hostnames, TODO comments, scrape-ready emails. None of it is a breach, all of it is intel. How to find it.
Your staging site is public, and Certificate Transparency just told everyone where
Every publicly trusted HTTPS cert issued for your domains is logged in a public ledger. That's how attackers find the forgotten staging, dev, and admin subdomains you never meant to expose. How to find them first.
Sitecore and the sample machine key: an exposed ViewState surface attackers are using now
CVE-2025-53690 is a live, actively-exploited Sitecore RCE rooted in a leaked sample ASP.NET machine key. How to spot an exposed ViewState surface from outside, and how to shut it.
Your WordPress is handing out its usernames, and the login page is right where bots expect it
WordPress publishes its author list through the REST API by default, login names and all. Pair that with the standard login page and an attacker has half a credential already. How user enumeration works, and how to stop it.
Your Elasticsearch is answering the public internet, and it has no password by default
Elasticsearch and OpenSearch listen on 9200, a port that should never be reachable from the internet, until a reverse proxy puts the raw cluster on 443. Then the cluster root, every index, and search are open to anyone, and older Elasticsearch releases never asked for a password in the first place. How the banner gives it away, and how to shut it.
Your /metrics endpoint is a live readout of your internals, and it's public
The raw Prometheus /metrics endpoint isn't a dashboard, it's the machine-readable feed behind one. Left public, it leaks internal hostnames, versions, request paths, and sometimes credentials in scrape labels. How it leaks, and how to gate it.
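Four of the checks above (header fingerprinting, the WordPress author list, the open cluster root, and a public /metrics feed) share one property: they need nothing more than a response you already have. The script below, an added example rather than code from this site's scanner, runs those four checks over captured responses. The responses in SAMPLE are constructed for the example, not taken from a real host, and the label and hostname patterns are reasonable assumptions, not a complete ruleset.

```python
"""Passive fingerprinting over already-captured HTTP responses (added example).
Nothing here sends a request; every check reads a response that is already in hand.
The SAMPLE responses at the bottom are constructed for this example."""
import json
import re
from dataclasses import dataclass


@dataclass
class Capture:
    path: str
    status: int
    headers: dict   # header names lowercased
    body: str


# 1. The stack announces itself in headers (assumed list of announcing headers).
ANNOUNCING_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
PRODUCT_VERSION = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def header_versions(cap):
    """Return {product: version} for every 'Product/1.2.3' token in announcing headers."""
    found = {}
    for name in ANNOUNCING_HEADERS:
        value = cap.headers.get(name, "")
        for product, version in PRODUCT_VERSION.findall(value):
            found[product] = version
        if name == "x-aspnet-version" and value:   # bare version such as "4.0.30319"
            found["ASP.NET"] = value.strip()
    return found


# 2. An open Elasticsearch/OpenSearch cluster root.
def open_cluster_banner(cap):
    """GET / on an unauthenticated cluster returns 200 with cluster_name and
    version.number; a cluster with security enabled answers 401 instead."""
    if cap.status != 200 or "json" not in cap.headers.get("content-type", ""):
        return None
    try:
        doc = json.loads(cap.body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "cluster_name" not in doc or "version" not in doc:
        return None
    ver = doc["version"]
    product = "OpenSearch" if ver.get("distribution") == "opensearch" else "Elasticsearch"
    return {"product": product, "version": ver.get("number"), "cluster": doc["cluster_name"]}


# 3. WordPress user enumeration through the REST API.
def wordpress_user_slugs(cap):
    """/wp-json/wp/v2/users lists authors; the slug is derived from the login name."""
    if cap.status != 200:
        return []
    try:
        doc = json.loads(cap.body)
    except ValueError:
        return []
    if not isinstance(doc, list):
        return []
    return [u["slug"] for u in doc if isinstance(u, dict) and "slug" in u]


# 4. What a public Prometheus /metrics feed gives away (assumed patterns).
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
SECRET_KEY = re.compile(r"pass|pwd|secret|token|api_?key|dsn", re.I)
INTERNAL_HOST = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:internal|local|lan|corp)\b")


def metrics_leaks(cap):
    """Pull internal hostnames, build versions, request paths and credential-shaped
    labels out of Prometheus text exposition."""
    if cap.status != 200:
        return None
    leaks = {"hosts": set(), "versions": {}, "paths": set(), "secrets": []}
    for line in cap.body.splitlines():
        if not line or line.startswith("#"):
            continue
        metric = line.split("{", 1)[0]
        for key, value in LABEL.findall(line):
            if SECRET_KEY.search(key) or ("://" in value and "@" in value):
                leaks["secrets"].append((metric, key))
            if key == "path":
                leaks["paths"].add(value)
            if metric.endswith("_build_info") and key == "version":
                leaks["versions"][metric[: -len("_build_info")]] = value
            leaks["hosts"].update(INTERNAL_HOST.findall(value))
    return leaks


def passive_report(captures):
    """Run every check over every capture; a passive scanner does not know in
    advance which endpoint is which."""
    report = {"stack": {}, "open_clusters": [], "wp_users": [], "metrics": None}
    for cap in captures:
        report["stack"].update(header_versions(cap))
        banner = open_cluster_banner(cap)
        if banner:
            report["open_clusters"].append(banner)
        report["wp_users"] += wordpress_user_slugs(cap)
        if cap.path == "/metrics":
            report["metrics"] = metrics_leaks(cap)
    return report


SAMPLE = [   # constructed responses, not captured from a real host
    Capture("/", 200, {"server": "nginx/1.18.0", "x-powered-by": "PHP/7.4.3",
                       "content-type": "text/html"}, "<html></html>"),
    Capture("/wp-json/wp/v2/users", 200, {"content-type": "application/json"},
            json.dumps([{"id": 1, "name": "Site Admin", "slug": "admin"},
                        {"id": 2, "name": "Jane Doe", "slug": "jdoe"}])),
    Capture("/", 200, {"content-type": "application/json"}, json.dumps({
        "name": "node-1", "cluster_name": "prod-search",
        "version": {"number": "7.10.2", "build_flavor": "default"},
        "tagline": "You Know, for Search"})),
    Capture("/metrics", 200, {"content-type": "text/plain; version=0.0.4"}, "\n".join([
        "# HELP app_build_info Build information",
        'app_build_info{version="2.3.1",commit="abc123"} 1',
        'http_requests_total{path="/admin/login",instance="web-02.internal:9100"} 42',
        'db_up{dsn="postgres://app:hunter2@db-01.internal:5432/app"} 1',
    ])),
]

if __name__ == "__main__":
    print(passive_report(SAMPLE))
```

Every detector here is a read of something the server volunteered: a version token in a header, a JSON cluster banner where a 401 should be, an author list the REST API serves by default, and scrape labels that were never meant for outsiders. Swapping SAMPLE for responses saved from a real crawl is the only change needed to run it against a site you are authorized to assess.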
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.