How the 13 scanners decide
We publish what each scanner looks at and exactly how the score is deducted. Scoring is rule-driven, not a magic number — so when you forward the report to a developer, "why did this site score 47?" is an answerable question.
| # | Area | What it checks |
|---|---|---|
| 01 | Security headers | Checks HSTS · CSP · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy. Recommends a value for whatever is missing. |
| 02 | TLS / certificate | TLS version · cert expiry · chain trust · weak cipher suites. Risk escalates as expiry approaches. |
| 03 | Exposed credentials | Looks for common secret patterns (API keys, tokens, DB credentials) leaked in static assets or responses. |
| 04 | JavaScript library CVEs | Extracts the version of every JS library on the site and matches it against known CVE databases. |
| 05 | Exposed paths | Checks reachable hot paths like .env / .git / config.json / phpinfo.php / /admin / /backup. |
| 06 | Content risk | Detects injected suspicious scripts, iframes, cryptojackers, and other content-side signals. |
| 07 | DNS / SPF · DMARC · DKIM | Email-spoofing protections (SPF · DMARC · DKIM) plus DNSSEC and CAA records. |
| 08 | Discovery / robots.txt | robots · sitemap · humans.txt · ads.txt: checks both their presence and the integrity of their contents. |
| 09 | Active probes | Identifies middleware / proxy / CDN chains from response patterns and flags likely misconfigurations. |
| 10 | Tech stack | Fingerprints the underlying stack; the result is fed back into precise CVE matching. |
| 11 | .well-known metadata | Checks presence and integrity of standards like security.txt and openid-configuration. |
| 12 | Source-map leaks | Detects production source maps that expose the original source for extraction. |
| 13 | Subdomain takeover | Flags subdomains with dangling CNAMEs or expired third-party services as takeover candidates. |
Score breakdown
Start at 100. Each finding deducts based on severity.
- Critical: -35
- High: -20
- Medium: -10
- Low: -4
- Info: 0
The same issue surfacing across multiple paths only deducts once. The floor is 5, so even badly broken sites still render a readable result page. Grades map A (90+) · B (75+) · C (60+) · D (40+) · F (<40).
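The scoring rules above, worked through in code. This is an added illustration, not the scanner's own implementation; the scanner and issue key names, and the sample findings, are constructed here, and the assumption that an issue is deduplicated on (scanner, issue) regardless of path is ours.

```python
from dataclasses import dataclass

# Deductions per severity, exactly as published in the score breakdown.
DEDUCTIONS = {"critical": 35, "high": 20, "medium": 10, "low": 4, "info": 0}
FLOOR = 5
# Grade thresholds, checked top-down: the first one the score meets wins.
GRADES = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    scanner: str   # hypothetical scanner key, e.g. "headers", "paths", "dns"
    issue: str     # stable issue identifier within that scanner (constructed)
    severity: str  # one of the DEDUCTIONS keys
    path: str      # where it was observed; deliberately NOT part of the dedupe key


def score_findings(findings):
    """Return (score, grade, counted) where counted are the deducted findings."""
    seen = set()
    total = 0
    counted = []
    for f in findings:
        key = (f.scanner, f.issue)  # same issue on several paths deducts once
        if key in seen:
            continue
        seen.add(key)
        total += DEDUCTIONS[f.severity]
        counted.append(f)
    score = max(FLOOR, 100 - total)  # floor keeps the result page readable
    grade = next(g for threshold, g in GRADES if score >= threshold)
    return score, grade, counted


# Constructed sample: missing CSP seen on three paths counts once (-10),
# missing HSTS -10, DMARC p=none -20, cert near expiry -10  ->  50, grade D.
SAMPLE = [
    Finding("headers", "missing-csp", "medium", "/"),
    Finding("headers", "missing-csp", "medium", "/about"),
    Finding("headers", "missing-csp", "medium", "/contact"),
    Finding("headers", "missing-hsts", "medium", "/"),
    Finding("dns", "dmarc-p-none", "high", "example.invalid"),
    Finding("tls", "cert-expires-soon", "medium", "example.invalid:443"),
]
# Same site plus two critical exposures (-70 more) drops below zero -> floor 5, F.
BROKEN = SAMPLE + [
    Finding("paths", "exposed-dotenv", "critical", "/.env"),
    Finding("paths", "exposed-git", "critical", "/.git/HEAD"),
]

if __name__ == "__main__":
    for name, fs in (("sample", SAMPLE), ("broken", BROKEN)):
        score, grade, counted = score_findings(fs)
        print(f"{name}: score={score} grade={grade} deducted={len(counted)}")
```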
Patterns we see over and over
Risks that show up repeatedly on SMB sites. Listed by likelihood of appearing in your scan.
- Critical: Publicly listable .env / .git folder
  Contractor forgot to clean up after deploy, or the host config never blocked dotfiles. DB passwords, Stripe keys, and session secrets walk out the front door.
- Critical: Vulnerable jQuery / Bootstrap versions
  WordPress themes and legacy templates often ship a 5- to 10-year-old library. Several XSS and prototype-pollution CVEs match instantly.
- High: DMARC missing or p=none
  Anyone can spoof email from your company domain. One phishing message landing in a client's inbox and your reputation falls off a cliff.
- High: Admin page reachable from the public internet
  /wp-admin · /admin · /phpmyadmin · /manager exposed without IP restriction is the top target for brute-force bots.
- Medium: Missing security headers (CSP · HSTS · X-Frame)
  The exact items PG security reviews flag. Signals that your XSS and clickjacking defenses aren't in place.
- Medium: TLS certificate near expiry
  Anything expiring within 30 days surfaces immediately. Past expiry, the browser slaps a red warning on the site and sales stop cold.
Where the scanner stops
We only check signals visible from outside, so the scanner can't catch everything. Here's what's in scope and what still needs a human.
Can't see behind a login
Permissions and data exposure inside admin areas or member-only sections are out of scope — those need a human reviewer with credentials.
No active exploit attempts
We don't try SQL injection, command execution, or brute force. Suspicious patterns are flagged, but actually proving exploitation requires a separate penetration test.
Business-logic flaws aren't caught
Whether a checkout total can be tampered with client-side, or coupons can be replayed — these are site-specific and impossible to test generically.
This isn't a compliance checkmark
ISMS-P, PCI DSS, and similar certifications need their own audits. This report covers "close the obvious externally-visible holes first" — a starting point, not a finish line.