Methodology
What we scan
Surface scan: five passive categories. Deep scan: active probing + optional static analysis.
We do
- Read public HTTP responses and headers
- Query public certificate transparency logs
- Read public GitHub repositories
- Query Wayback Machine and CommonCrawl
- Probe known paths with single GET requests
- Active endpoint probing (deep scan only)
- Static repo analysis with your permission (deep scan)
We don't
- Fuzz forms, inputs, or APIs
- Exploit any vulnerability we find
- Attempt to log in without your credentials
- Scan private repositories without your OAuth consent
- Store or share your data with third parties
- Create accounts or leave test data on your systems
Surface Scan (Free)
Five passive categories
Security Headers
Single GET request to the root of your domain. Inspect response headers against a known-good baseline.
- Missing HSTS (HTTP Strict Transport Security)
- Missing Content-Security-Policy
- Missing or misconfigured X-Frame-Options
- Missing Referrer-Policy and Permissions-Policy
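The header comparison described above, as an added example (it is not the scanner's own code): a baseline for the five headers listed, a checker that evaluates a response's headers against it, and a helper that performs the single GET to the domain root. The header names and their accepted values are standard; the one-year minimum for the HSTS `max-age` is an assumption of this example, and the two sample header sets are constructed for illustration.

```python
"""Check the root response of a site against a known-good security-header
baseline. Example code added for illustration, not the scanner's own."""
import re
from urllib.request import Request, urlopen

# Assumed threshold for this example: HSTS max-age of at least one year.
ONE_YEAR = 31536000


def _hsts_ok(value):
    """True when the HSTS value carries a max-age of at least ONE_YEAR."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= ONE_YEAR


def check_security_headers(headers):
    """Return a list of finding strings for a mapping of header name -> value.

    Names are compared case-insensitively, as HTTP header names are."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Missing HSTS (HTTP Strict Transport Security)")
    elif not _hsts_ok(hsts):
        findings.append("HSTS max-age below one year: " + hsts)

    if "content-security-policy" not in h:
        findings.append("Missing Content-Security-Policy")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("Missing X-Frame-Options")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and ignored by current browsers; anything
        # other than DENY/SAMEORIGIN is reported as misconfigured.
        findings.append("Misconfigured X-Frame-Options: " + xfo)

    for name, label in (("referrer-policy", "Referrer-Policy"),
                        ("permissions-policy", "Permissions-Policy")):
        if name not in h:
            findings.append("Missing " + label)
    return findings


def fetch_root_headers(domain, timeout=10):
    """Single GET to https://<domain>/ ; returns the response headers as a dict."""
    req = Request("https://%s/" % domain, method="GET",
                  headers={"User-Agent": "header-check-example/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for finding in check_security_headers(WEAK_HEADERS):
        print("-", finding)
```

Run against your own domain with `check_security_headers(fetch_root_headers("example.com"))`; the constructed `WEAK_HEADERS` set produces four findings (short HSTS, missing CSP, obsolete X-Frame-Options value, missing Permissions-Policy) and `GOOD_HEADERS` produces none.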
Certificate Transparency
Query public certificate transparency logs. Every TLS certificate issued is logged there automatically.
- Subdomain enumeration via CT logs
- Wildcard certificate coverage and scope
- Expired or soon-to-expire certificates
GitHub Credential Scanning
Scan public GitHub repositories associated with your domain for committed secrets.
- Live API keys and secrets in commits or source files
- Database credentials in configuration files
- Private keys and OAuth tokens
- Credentials in third-party repos that reference your domain
Indexed File Exposure
Check public web archives for sensitive files that were indexed while accidentally exposed.
- .env and .env.backup files indexed by crawlers
- Database dumps and SQL files
- Private key and certificate files
- Config files with credentials
Debug & Error Endpoints
Probe a curated list of paths known to expose debug artefacts in production. A 200 response alone is not sufficient; body content must match expected patterns.
- Spring Boot actuator endpoints (/env, /mappings, /health)
- Exposed .env, .git/HEAD, .git/config files
- Stack traces from Python, Java, .NET, Rails, Django
- phpinfo() pages and PHP error output
- Public database admin panels (phpMyAdmin, Adminer)
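The "200 alone is not sufficient" rule above, as an added example (not the scanner's own code) a site owner can use to confirm or dismiss a reported debug-endpoint finding: each path is paired with the body pattern the real artefact takes, a 200 whose body does not match is classed as inconclusive (the usual catch-all "page not found" that still answers 200), and anything other than 200 is classed as absent. The paths are those listed on the page; the body patterns follow the standard formats of those files (the `ref: refs/` line in `.git/HEAD`, `[core]` in `.git/config`, `KEY=value` lines in `.env`, the `propertySources` JSON key of the Spring Boot actuator, the "PHP Version" heading of phpinfo). The sample responses are constructed for illustration.

```python
"""Classify debug-path probe results by body content, not status alone.
Example code added for illustration, not the scanner's own."""
import json
import re


def _is_actuator_env(body):
    """Spring Boot /actuator/env returns JSON with propertySources (Boot 2+)
    or systemProperties (Boot 1); anything else is not the real endpoint."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and (
        "propertySources" in data or "systemProperties" in data)


def _is_dotenv(body):
    """A real .env is plain KEY=value lines, never an HTML document."""
    if "<html" in body.lower():
        return False
    return re.search(r"^[A-Z_][A-Z0-9_]*=.*$", body, re.M) is not None


# path -> (finding label, predicate over the response body)
SIGNATURES = {
    "/.git/HEAD": ("Exposed .git/HEAD",
                   lambda b: re.match(r"ref: refs/|[0-9a-f]{40}\s*$", b) is not None),
    "/.git/config": ("Exposed .git/config",
                     lambda b: "[core]" in b and "repositoryformatversion" in b),
    "/.env": ("Exposed .env file", _is_dotenv),
    "/actuator/env": ("Spring Boot actuator /env", _is_actuator_env),
    "/phpinfo.php": ("phpinfo() page",
                     lambda b: "PHP Version" in b and "php.ini" in b.lower()),
}


def classify(path, status, body):
    """Return 'confirmed', 'inconclusive' or 'absent' for one probe result."""
    if path not in SIGNATURES:
        raise ValueError("no signature for path %r" % path)
    if status != 200:
        return "absent"
    _, matches = SIGNATURES[path]
    return "confirmed" if matches(body) else "inconclusive"


def confirmed_findings(responses):
    """Labels of every probe in `responses` (path -> (status, body)) whose
    body matches its signature; catch-all 200s are left out."""
    return [SIGNATURES[p][0] for p, (status, body) in responses.items()
            if classify(p, status, body) == "confirmed"]


# Constructed sample probe results (not captured from any real site).
SAMPLE_RESPONSES = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    # Catch-all: the app answers every unknown path with a 200 HTML page.
    "/.env": (200, "<html><body><h1>Welcome</h1><p>Page not found</p></body></html>"),
    "/actuator/env": (200, json.dumps({
        "activeProfiles": ["prod"],
        "propertySources": [{"name": "systemEnvironment", "properties": {}}]})),
    "/phpinfo.php": (404, "Not Found"),
    "/.git/config": (200, "<html><body><p>Page not found</p></body></html>"),
}

if __name__ == "__main__":
    for path, (status, body) in SAMPLE_RESPONSES.items():
        print(path, status, classify(path, status, body))
    print("confirmed:", confirmed_findings(SAMPLE_RESPONSES))
```

On the constructed sample, only `/.git/HEAD` and `/actuator/env` are confirmed; the two catch-all 200s are reported as inconclusive rather than as exposures, which is the false positive the body-matching rule exists to avoid.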
Deep Scan ($39 / $29 per month)
Active probing + optional repo analysis
Includes everything in the surface scan, plus two additional tiers of active checks.
Tier 1: Always runs (no repo required)
| Category | What it checks |
|---|---|
| Auth | Login endpoints, rate limiting, cookie flags, admin route exposure |
| API Exposure | API paths, GraphQL introspection, Swagger/OpenAPI, debug endpoints |
| JS Bundle | Supabase keys, Firebase config, AWS keys, Stripe keys, hardcoded JWTs |
| Infrastructure | CORS misconfiguration, HTTP method abuse (TRACE/CONNECT), subdomain takeover |
| Provider Security | Firebase/Firestore live rules probe, Supabase RLS check |
Tier 2: Requires GitHub repo access
| Category | What it checks |
|---|---|
| Secrets (Static) | Committed .env files, git history secrets, hardcoded credentials |
| DB Security | SQL injection patterns, Firebase rules, Supabase RLS analysis |
| Auth Implementation | JWT verify disabled, weak hashing, OAuth missing state param |
| Dependencies | npm/pip audit for CVEs and abandoned packages |
| Code Patterns | eval(), dangerouslySetInnerHTML, mass assignment, unsafe file upload |
Out of scope (both tiers)
These require manual penetration testing or authenticated access beyond what we probe.
- Business logic vulnerabilities (IDOR, privilege escalation)
- Authentication brute-force or credential stuffing
- Active injection attacks (SQL injection, XSS payloads, CSRF)
- Mobile application analysis
- Third-party SaaS integrations
- Internal or VPN-protected infrastructure