AI QA Monkey
AI Security Intelligence
Enterprise-grade recon engine

Free Security Scan

Check your website security score for free in 60 seconds. No registration required to run the initial scan.

One-time Report (primary)

Unlock a full executive PDF with prioritized findings and recommended fixes for just $29.

Monthly Monitoring (optional)

Starting at $29/month. Request access (no checkout on the site). We set it up manually.

Secure Access

Your report links are protected using tokens and ownership checks. Use My Reports to access and re-download.

Raw Data Export (JSON / CSV)

Download your scan results as JSON or CSV. Hand the raw data to your IT team, import it into ticketing systems, or feed it directly to AI tools for automated fixes.

Developer-Friendly Output

Paste the JSON output into Cursor, ChatGPT, or any AI coding assistant and get instant fix suggestions for every finding — no manual interpretation needed.

One-Click Copy Fix

Every vulnerability includes "Copy Fix" and "AI Fix Prompt" buttons. Copy remediation steps or a full AI prompt to your clipboard in one click.

Interactive Security Dashboard

Severity charts, category radar, score trend sparklines, real-time scan step indicators, and a visual attack surface map — all built in.

Advanced Threat Detection

CORS misconfigurations, exposed API endpoints, subdomain takeover risks, cloud storage leaks, and HTTP/2 protocol analysis — all checked automatically.

Share Results

One-click sharing to X (Twitter), LinkedIn, or copy a direct link. Show clients and stakeholders your security posture with built-in social proof.

Kill Chain Visualization

See how an attacker would chain your vulnerabilities — exposed assets, file leaks, and compliance gaps mapped in a single attacker-perspective view.

Secure Report Access

Reports are protected with unique access tokens and ownership verification. Only you can access your scan data — no unauthorized access, ever.

Monthly Monitoring — recurring scans, alerts, and change tracking.
Starting at $29/month. Submit a request and we’ll contact you.

About Our Free Security Scan

What does the free security scan check?
Our free scan checks for common, high-impact security issues including:
  • SSL/TLS configuration and certificate validity
  • Security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy, COOP, CORP)
  • Exposed sensitive files (like .env, .git)
  • Open ports that could be exploited
  • WordPress vulnerabilities and user enumeration
  • CORS misconfiguration and API endpoint discovery
  • Subdomain takeover risk detection
  • Cloud storage exposure (AWS S3, Azure Blob, Google Cloud)
  • HTTP/2 protocol support and modern transport security
  • DKIM, SPF, and DMARC email authentication validation
  • Technology fingerprinting (server, CMS, frameworks, CDN, WAF)
  • IP blacklist and reputation monitoring
  • Basic GDPR compliance indicators
The scan runs 75+ checks, is completely free, and takes about 60 seconds to complete.
Is the free scan safe to use? Will it harm my website?
Yes, our scan is completely safe. It only performs passive reconnaissance and non-intrusive checks against publicly accessible endpoints. We don't attempt any exploits, we don't try to break into your site, and we don't perform any actions that could impact your website's performance or availability.
Do I need to register to run a free scan?
No registration is required to run the initial scan. You only need to provide an email address if you want to receive the results or unlock the full report.
What's a "security score" and how is it calculated?
Your security score is a number from 0-100 that represents your website's overall security posture. Scores of 80+ are considered "Verified Secure." The score is calculated based on multiple factors including SSL implementation, security headers, exposed sensitive files, open ports, and other security best practices. Each factor is weighted according to its potential impact on your site's security.

Reports & PDF Downloads

What's included in the full security report?
The full security report ($29) includes:
  • Comprehensive executive summary
  • Detailed vulnerability findings with severity ratings
  • Step-by-step remediation instructions with one-click "Copy Fix" and "AI Fix Prompt" buttons
  • Interactive security dashboard with severity charts, category radar, and score trend sparklines
  • Visual attack surface map showing ports, files, subdomains, WAF, and SSL status
  • Advanced checks: CORS, API discovery, subdomain takeover, cloud storage exposure
  • Attack surface analysis and compliance mapping (OWASP, ISO 27001, PCI DSS, GDPR, SOC 2)
  • Kill chain visualization — see how an attacker would chain your vulnerabilities
  • One-click share results to X (Twitter), LinkedIn, or copy a direct link
  • Secure report access with unique tokens — only you can view your data
  • Technical evidence and recommendations
  • Downloadable PDF format for sharing with stakeholders
How do I get the one-time PDF report?
After your scan completes, click the "Get Full Security Report" button. After purchase, you'll receive an email with a secure link to download your PDF. You can also access and re-download your reports anytime from the My Reports section.
I paid, but I don't see my PDF. What should I do?
First, check your email for the download link. Then, open My Reports and verify your email address is correct. If the report still doesn't appear, contact Support and include your email address and scan ID (if available).
Can I share my security report with my team or clients?
Yes! The PDF report is designed to be shared with stakeholders. It's formatted professionally with an executive summary for management and technical details for your development team. Many agencies use our reports to demonstrate security value to their clients.

Monthly Monitoring & Advanced Services

What does monthly monitoring include?
Monthly monitoring (starting at $29/month) includes:
  • Weekly automated security scans
  • Real-time alerts for new vulnerabilities
  • Security score tracking and trend analysis
  • Change detection (new files, headers, configurations)
  • Monthly summary reports
  • Priority support access
What's the difference between one-time vs monthly?
One-time report ($29): Best for getting a current security snapshot, addressing immediate issues, or meeting a specific compliance requirement.

Monthly monitoring ($29/month): Best for ongoing security visibility, detecting new vulnerabilities as they emerge, and maintaining a strong security posture over time. Ideal for business-critical websites and those handling sensitive data.
How do I sign up for monthly monitoring?
Monthly monitoring is set up manually to ensure it meets your specific needs. Click the "Request Monthly Monitoring" button or visit our Support page to submit your request. Our team will contact you to discuss your requirements and set up your monitoring plan.
Can I scan multiple domains?
Yes. We offer multi-domain packages for agencies and businesses with multiple websites. Discounts are available based on volume. Contact us with the number of domains you need to monitor, and we'll provide custom pricing.

Privacy & Security

Do you store passwords or private credentials?
No. Our scans only check publicly accessible endpoints. We never ask for or store your hosting login, admin passwords, or private keys. Your security is our priority.
How do you protect my scan data and reports?
All scan data and reports are encrypted both in transit and at rest. Access to your reports requires authentication and is protected by secure tokens. We follow industry best practices for data protection and regularly audit our security measures.
Can I delete my data from your systems?
Yes. You can request deletion of your scan data and reports at any time by contacting our support team. We comply with data protection regulations including GDPR.

Data Export & Integration

Can I export the raw scan data for my IT team?
Yes! Every report can be downloaded in three formats from My Reports:
  • PDF — Executive-ready report for stakeholders and management
  • JSON — Machine-readable output with full vulnerability details, scores, and metadata
  • CSV — Spreadsheet-friendly format for tracking, filtering, and importing into ticketing systems (Jira, Linear, etc.)
The JSON and CSV exports contain the same raw findings data used to generate the PDF, so nothing is lost.
Can I use the JSON output with AI tools like Cursor or ChatGPT to fix issues?
Absolutely — this is one of the most powerful ways to use your report. Download the JSON file and paste it directly into any AI coding assistant (Cursor, Windsurf, ChatGPT, Claude, Copilot, etc.). The structured format lets the AI understand each vulnerability, its severity, and the affected component, so it can generate precise code fixes, configuration changes, or server hardening commands. Many of our users go from scan to fix in minutes using this workflow.
What's included in the JSON export?
The JSON export includes:
  • Scan ID, domain, and overall security score
  • Scan timestamp and payment date
  • Full vulnerability/findings array with severity, category, description, and evidence
  • Remediation recommendations per finding
It's the same data that powers the PDF — just in a format your tools and scripts can consume directly.

New Features

What are the "Copy Fix" and "AI Fix" buttons?
Every vulnerability in your scan report now includes two action buttons:
  • Copy Fix — Copies the remediation instructions to your clipboard so you can paste them directly into your server config, code editor, or ticketing system.
  • AI Fix Prompt — Copies a pre-built prompt with full context (severity, issue, description, and remediation) that you can paste into ChatGPT, Claude, Cursor, or any AI coding assistant to get instant, precise code fixes.
What is the Interactive Security Dashboard?
After each scan, you'll see a visual dashboard with three interactive charts:
  • Severity Distribution — A color-coded bar showing the breakdown of Critical, High, Medium, Low, and Info findings.
  • Category Radar — An SVG radar chart showing your scores across six security categories: Application, Infrastructure, Transport, Email, Compliance, and Reputation.
  • Score Trend — A sparkline showing how your security score has changed over multiple scans, so you can track improvement over time.
During the scan, animated step indicators show real-time progress through each phase (DNS, SSL, Headers, Ports, Files, Tech, Analysis, Score).
What is the Visual Attack Surface Map?
The Attack Surface Map is an interactive network graph that visualizes your domain's full external exposure at a glance. Your domain sits at the center, with connected nodes showing:
  • Open ports (highlighted in red)
  • Exposed sensitive files (highlighted in red)
  • Discovered subdomains
  • WAF protection status
  • SSL certificate validity
  • Detected CMS/technology
This gives security teams and stakeholders an immediate visual understanding of the attack surface without reading through tables of data.
What are CORS, API discovery, and subdomain takeover checks?
These are advanced security checks we recently added:
  • CORS Misconfiguration — Detects if your server allows any domain to make cross-origin requests (wildcard *), especially dangerous when combined with credentials.
  • API Endpoint Discovery — Probes for publicly accessible API routes like /swagger.json, /graphql, /api/v1/, and OpenAPI documentation that should be restricted.
  • Subdomain Takeover — Identifies dangling CNAME records pointing to unclaimed cloud services (AWS, Azure, Heroku, Netlify, etc.) that attackers can hijack to serve malicious content on your subdomain.
  • Cloud Storage Exposure — Scans your page source for references to AWS S3 buckets, Azure Blob containers, and Google Cloud Storage that may be misconfigured.
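
An added example, not the scanner's own code, of the CORS check described above: it classifies one response's headers offline and goes slightly beyond the wildcard case to cover a reflected or "null" origin. The probe origin, sample headers, finding names and severity labels are assumptions constructed for illustration.

```python
# Added example: classify a CORS policy from a single response's headers.
# PROBE, SAMPLES, issue names and severities are constructed assumptions.
PROBE = "https://probe.example.invalid"  # origin the site has no reason to trust

def check_cors(probe_origin, headers):
    """Return a finding for a response to a request sent with
    `Origin: probe_origin`, or None when nothing is exposed cross-origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None  # no CORS headers: the same-origin policy still applies
    if acao == "*":
        if creds:
            # Browsers refuse credentialed reads when the origin is "*", so
            # this pair is a broken policy, not a working credentialed grant.
            return {"issue": "wildcard-with-credentials", "severity": "medium"}
        return {"issue": "wildcard-origin", "severity": "low"}
    if acao == "null":
        # Sandboxed iframes and local files send Origin: null.
        return {"issue": "null-origin-allowed",
                "severity": "high" if creds else "medium"}
    if acao == probe_origin:
        # An echo of the untrusted probe means the server reflects any Origin.
        finding = {"issue": "reflected-origin",
                   "severity": "high" if creds else "medium"}
        vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
        if "origin" not in vary:
            finding["note"] = "missing Vary: Origin, caches may mix responses"
        return finding
    return None  # a fixed allow-list entry that is not the probe origin

# Constructed response headers, one per case the check distinguishes.
SAMPLES = {
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "wildcard+creds": {"Access-Control-Allow-Origin": "*",
                       "Access-Control-Allow-Credentials": "true"},
    "reflected+creds": {"access-control-allow-origin": PROBE,
                        "access-control-allow-credentials": "true"},
    "allow-list": {"Access-Control-Allow-Origin": "https://app.example.com",
                   "Vary": "Origin"},
    "no-cors": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:16} {check_cors(PROBE, hdrs)}")
```

A credentialed reflected origin ranks highest here because it is the combination browsers actually honor; the wildcard with credentials is rejected client-side but still signals a policy that needs fixing.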

Help & Support

How can I get help fixing security issues?
We offer several options:
  • The full PDF report includes step-by-step remediation instructions
  • Visit Improve Your Ranking to see our remediation packages
  • For custom assistance, contact Support
How do I contact support?
You can reach our support team by visiting our Support page and filling out the contact form. We typically respond within 24 business hours.
Do you offer refunds?
If you applied the recommended fixes and your security score did not improve, contact our support team within 30 days for a full refund. However, once the report materials have been delivered and downloaded, refunds are not available if no fix attempt was made.