Pricing

Start free. Go deeper when you need to.

Surface scan is free. Deep scan is $19.99 one-time or $14.99/month.

Surface Scan

Six passive checks

Security headers, certificate transparency, public GitHub credentials, indexed file exposure, debug endpoints, and client-side code analysis. Delivered as a PIN-protected report within 24 hours.

Free
Submit your domain →

Deep Scan

Everything in Surface Scan, plus active probing

$19.99one-time

Active probing (always runs)

·Auth endpoints: rate limiting, cookie flags, admin route exposure
·API exposure: GraphQL introspection, Swagger/OpenAPI, debug endpoints
·JS bundle analysis: Supabase keys, Firebase config, AWS keys, Stripe keys, JWT
·Infrastructure: CORS misconfiguration, HTTP method abuse, subdomain takeover
·Provider security: Firebase rules probe, Supabase RLS check

Optional additions (configure after checkout)

·Test credentials: authenticated endpoint checks (rate limiting, session flags, admin access)
·GitHub repo access: commit history secrets, SQL injection patterns, auth implementation, dependency CVEs, unsafe code patterns

Report delivery

·Full report with evidence for every finding
·PDF export
·Master fix prompt formatted for Cursor or Claude
Run deep scan →
Includes badge

Deep Scan Monitor

Everything in Deep Scan, plus the badge

$14.99/month
·"Security Verified" badge: embed on your site to show users you're scanned
·Full deep scan re-run every 30 days
·On-demand rescan from your dashboard after deploys
·Public verification page your users can check
·Email alert when new findings appear
·Cancel any time

Badge preview

Security Verified by Talon

Embed this on your site. Links to a public verification page.

Start monitoring + get badge →

Common questions

Do I need to give you any access for the surface scan?

No. All surface checks are passive and use only public data: HTTP headers, certificate logs, public GitHub repos, and publicly indexed pages. No credentials, no admin access.

What's the difference between one-time and monthly deep scan?

The one-time deep scan runs once and delivers a full report. The monthly plan re-runs the same scan every 30 days and emails you if new findings appear, useful if you're actively shipping.

Is GitHub access required for the deep scan?

No. GitHub access is optional and enables Tier 2 static analysis. If your repo is public, paste the URL. If it's private, install the Talon GitHub App during setup. It requests read-only access to the repositories you select. The installation token is short-lived and generated fresh at scan time.

How are test credentials handled?

Credentials are optional and used only for authenticated endpoint probing: checking whether admin panels enforce rate limiting, whether session cookies have correct flags, and similar. They are stored encrypted and deleted after the scan completes.

More questions? See the full FAQ

Pricing | Talon