Pricing

Start free. Go deeper when you need to.

Surface scan is free. Deep scan is $39 one-time or $29/month.

Surface Scan

Five passive checks

Security headers, certificate transparency, public GitHub credentials, indexed file exposure, debug endpoints. Delivered as a PIN-protected report within 24 hours.

Free

Deep Scan

Everything in Surface Scan, plus active probing

$39 one-time

Active probing (always runs)

· Auth endpoints: rate limiting, cookie flags, admin route exposure
· API exposure: GraphQL introspection, Swagger/OpenAPI, debug endpoints
· JS bundle analysis: Supabase keys, Firebase config, AWS keys, Stripe keys, JWT
· Infrastructure: CORS misconfiguration, HTTP method abuse, subdomain takeover
· Provider security: Firebase rules probe, Supabase RLS check

Optional additions (configure after checkout)

· Test credentials: authenticated endpoint checks (rate limiting, session flags, admin access)
· GitHub repo access: commit history secrets, SQL injection patterns, auth implementation, dependency CVEs, unsafe code patterns

Report delivery

· Full report with evidence for every finding
· PDF export
· Master fix prompt formatted for Cursor or Claude

Deep Scan Monitor

Everything in Deep Scan, monthly

$29/month

· Monthly re-scan with findings compared against the prior run
· Email alert when new findings appear
· Cancel any time

Refund guarantee

If the deep scan returns zero medium or higher severity findings, we refund the full fee. No questions.

Common questions

Do I need to give you any access for the surface scan?

No. All surface checks are passive and use only public data: HTTP headers, certificate logs, public GitHub repos, and publicly indexed pages. No credentials, no admin access.
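To make concrete what a passive header check does with nothing but the response to a normal GET, here is an added example (not Talon's code, and not a description of how Talon implements its checks). It parses captured HTTP response headers and flags missing or weak hardening headers. The two header blocks are constructed samples, and the thresholds (one-year HSTS max-age, treating 'unsafe-inline' and 'unsafe-eval' in CSP as findings, version strings in Server) are this example's own choices.

```python
"""Passive security-header check over captured HTTP response headers.

Added example, not Talon's code. Input is the raw header block as returned
by any HTTP client; nothing is sent beyond the original request.
"""
from __future__ import annotations

# Constructed sample: headers a typical unhardened app might return.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Server: nginx/1.25.3
"""

# Constructed sample: the same app after hardening (should yield no findings).
HARDENED_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx
"""

ONE_YEAR = 31536000  # example threshold: the usual minimum for HSTS preload


def parse_headers(raw: str) -> dict[str, str]:
    """Parse raw header lines into a lowercase-keyed dict (status line skipped)."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings: list[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"weak HSTS max-age={hsts_max_age(hsts)} (< 1 year)")

    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        if "'unsafe-inline'" in csp:
            findings.append("CSP permits 'unsafe-inline'")
        if "'unsafe-eval'" in csp:
            findings.append("CSP permits 'unsafe-eval'")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Either legacy X-Frame-Options or CSP frame-ancestors counts as protection.
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("missing clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")

    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header leaks a version string: {server}")

    return findings


def scan(raw: str) -> list[str]:
    """Convenience wrapper: raw header block in, findings out."""
    return check_headers(parse_headers(raw))


if __name__ == "__main__":
    for sample_name, raw in (("unhardened", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{sample_name}: {len(scan(raw))} finding(s)")
        for finding in scan(raw):
            print("  -", finding)
```

Run it as-is to see the five findings on the unhardened sample and none on the hardened one; swap in headers captured with curl -sI against a host you are authorized to test to run the same check for real.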

What's the difference between one-time and monthly deep scan?

The one-time deep scan runs once and delivers a full report. The monthly plan re-runs the same scan every 30 days and emails you if new findings appear, which is useful if you're actively shipping.

Is GitHub access required for the deep scan?

No. GitHub access is optional and enables the GitHub repo analysis listed under optional additions (Tier 2 static analysis). If your repo is public, paste the URL. If it's private, install the Talon GitHub App during setup; it requests read-only access to the repositories you select. The installation token is short-lived and generated fresh at scan time.

How are test credentials handled?

Credentials are optional and used only for authenticated endpoint probing: checking whether admin panels enforce rate limiting, whether session cookies have correct flags, and similar. They are stored encrypted and deleted after the scan completes.

More questions? See the full FAQ
