E:LAB
← Services
SECURITY:LAB

Find the weak spots,
before someone elsedoes.

Before your site gets breached and you lose PG approval or customer trust, surface every externally-visible weakness in one pass. Verify ownership once, then 13 scanners sweep exposed configs, security headers, library CVEs, email-spoofing risk, and content-side issues — sorted by severity.

ScopeSecurity risks anyone could spot from outside your site — exposed configs, weak headers, leaked secrets. AI-search visibility is handled by GEO:LAB; site-code cleanup by SCHEMA:LAB.

Where this pays off most

Most owners stay in the "who'd target us?" stage right up until something breaks. If any of these match, the audit is cheaper than the insurance.

  • 01

    E-commerce · payment-taking sites

    Missing security headers or TLS issues can flip PG approval to reject. The owner can't usually patch hosting configs themselves, and without a diagnosis the contractor estimate is wide open.

  • 02

    Clinics · law firms

    Patient/client files in folders that turn out to be publicly listable. Exposed .env, backup files, debug pages — instant compliance / privacy-law exposure.

  • 03

    Sites built by an agency

    Designers/devs commonly leave .git folders, source maps, and admin pages reachable from the public site. The owner can't easily find these themselves.

  • 04

    Older WordPress / gnuboard sites

    Plugin and theme bundles ship with libraries (jQuery, Bootstrap) that accumulate known CVEs. No alert ever fires; the site just keeps running.

  • 05

    Any company that sends email from its domain

    No SPF / DKIM / DMARC means anyone can phish under "@yourcompany.com". A customer receives one and your brand trust drops overnight.

What happens after you pay

From verification to unlock in one page. Pay once per site; same domain stays re-runnable forever.

  1. 01

    Verify ownership (free)

    Upload one token file or paste one meta tag — your call. Required because scanning a site you don't own is legally fraught.

  2. 02

    Auto scan (3–5 seconds)

    13 surfaces probed in parallel. Issue count + severity breakdown (critical / high / medium / low) appears immediately.

  3. 03

    $29 unlock

    Critical / high / medium findings open up with SEO+trust+security impact and a fix path per item. Low / info findings are always free.

  4. 04

    Re-scan forever

    Re-run on the same domain after fixes — no extra charge. New risks that surface over time get caught on the next pass.

What we check

Thirteen scanners cover four surfaces simultaneously. Results are sorted by severity (critical → low) and grouped by category into a single report.

  • 01 · Surface exposure
    • Exposed .env / .git / config files
    • Admin / debug pages reachable
    • Source maps / directory indexes
    • .well-known metadata
  • 02 · Transport & headers
    • TLS cert / expiry / chain
    • HSTS / CSP / X-Frame / Permissions-Policy
    • Referrer-Policy · X-Content-Type-Options
    • Mixed content / cookie security flags
  • 03 · Code & dependencies
    • JavaScript library CVE matches
    • Vulnerable jQuery / Bootstrap / WordPress plugins
    • Source-map leaks (source extraction risk)
    • Cloaking patterns / cryptojackers
  • 04 · Email & DNS
    • SPF / DMARC / DKIM records
    • DNSSEC · CAA records
    • Spoofable domain identification
    • Subdomain takeover risk
See how we scan

Curious about the report? Browse a sample first; if it fits, run a scan against your own domain.

See a sample reportSee pricing