Passive · Read-only · No exploitation

Your app has security blind spots.

Talon runs six passive security checks against your domain and sends you the findings. No login, no setup, no exploitation.

scan output / acme-demo.com    2026-03-03 14:22 UTC

sev   scanner   finding
CRIT  github    Stripe secret key in public commit history
HIGH  errors    /actuator/env accessible without auth
HIGH  errors    .git/config exposed at root
MED   headers   Content-Security-Policy header missing
MED   certs     Subdomain pointing to deprovisioned Heroku app
LOW   headers   Referrer-Policy not set

6 findings · report ready at talonwatch.com/surface-report?website=acme-demo.com

How it works

No setup. No access required.

01  Submit your domain
Enter your domain and email. No credit card, no setup.

02  Six passive scanners run
Security headers, certificate transparency, GitHub credential scanning, indexed file exposure, debug endpoint probing, and client-side code analysis. All read-only. No login attempts, no fuzzing.

03  You get a report link
Findings are organised by severity with evidence excerpts. Your report is hosted at a PIN-protected URL and emailed to you directly.

Surface scan

Six passive check categories

Check                       What it finds
Security headers            HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy
Certificate transparency    Subdomain enumeration, wildcard certificate scope, expiry
GitHub credential scan      API keys, tokens, and secrets in public repositories
Indexed file exposure       Publicly indexed .env files, DB dumps, and config files
Debug endpoint probing      /.git/HEAD, /.env, /actuator/env, phpinfo, adminer, stack traces
Client-side code analysis   Leaked API keys in JavaScript bundles, Supabase/Firebase provider detection, hardcoded secrets

Need more? The deep scan adds active endpoint probing, database rule verification, CORS checks, and optional static repo analysis. See deep scan →

Common findings

What founders typically find

[CRIT]  AWS access key committed to a public GitHub repository
[CRIT]  Stripe live key found in commit history
[HIGH]  Spring Boot /actuator/env accessible without authentication
[HIGH]  .git/config exposed (reveals private repository URL)
[MED]   Content-Security-Policy header absent on all routes
[MED]   Subdomain pointing to deprovisioned Heroku deployment

Surface scan (Free)

Six passive checks, automated

Security headers, certificate transparency, GitHub credentials, indexed file exposure, debug endpoints, and client-side code analysis. Read-only. Delivered to your inbox automatically.

Get surface scan →

Monitor + Badge ($14.99/month)

Deep scan + “Security Verified” badge

Full deep scan every month. Auth testing, API exposure, database rule verification, CORS checks. Embed a badge on your site so your users know you take security seriously.

Embed on your site

Security Verified by Talon

No setup · Free

Submit your domain.

Enter your domain and email. We run the surface scan and send you a PIN-protected report link. The whole thing is automated.

Get your free surface scan →

Passive scans only. Read the FAQ →

Talon — Security Scanner for Vibe-Coded Apps