Methodology

What we scan

Surface scan: six passive categories. Deep scan: active probing + optional static analysis.

We do

  • +Read public HTTP responses and headers
  • +Query public certificate transparency logs
  • +Read public GitHub repositories
  • +Query Wayback Machine and CommonCrawl
  • +Probe known paths with single GET requests
  • +Active endpoint probing (deep scan only)
  • +Static repo analysis with your permission (deep scan)

We don't

  • ×Fuzz forms, inputs, or APIs
  • ×Exploit any vulnerability we find
  • ×Attempt to log in without your credentials
  • ×Scan private repositories without your OAuth consent
  • ×Store or share your data with third parties
  • ×Create accounts or leave test data on your systems

Surface Scan (Free)

Six passive categories

Security Headers

Single GET request to the root of your domain. Inspect response headers against a known-good baseline.

  • ·Missing HSTS (HTTP Strict Transport Security)
  • ·Missing Content-Security-Policy
  • ·Missing or misconfigured X-Frame-Options
  • ·Missing Referrer-Policy and Permissions-Policy

Certificate Transparency

Query public certificate transparency logs. Every TLS certificate issued is logged there automatically.

  • ·Subdomain enumeration via CT logs
  • ·Wildcard certificate coverage and scope
  • ·Expired or soon-to-expire certificates

GitHub Credential Scanning

Scan public GitHub repositories associated with your domain for committed secrets.

  • ·Live API keys and secrets in commits or source files
  • ·Database credentials in configuration files
  • ·Private keys and OAuth tokens
  • ·Credentials in third-party repos that reference your domain

Indexed File Exposure

Check public web archives for sensitive files that were indexed while accidentally exposed.

  • ·.env and .env.backup files indexed by crawlers
  • ·Database dumps and SQL files
  • ·Private key and certificate files
  • ·Config files with credentials

Debug & Error Endpoints

Probe a curated list of paths known to expose debug artefacts in production. A 200 response alone is not sufficient; body content must match expected patterns.

  • ·Spring Boot actuator endpoints (/env, /mappings, /health)
  • ·Exposed .env, .git/HEAD, .git/config files
  • ·Stack traces from Python, Java, .NET, Rails, Django
  • ·phpinfo() pages and PHP error output
  • ·Public database admin panels (phpMyAdmin, Adminer)

Client-Side Code Analysis

Download the page HTML and up to 10 JavaScript bundles. Scan for hardcoded API keys, JWT tokens, and infrastructure configuration. Detect Supabase and Firebase projects to flag unverifiable database security.

  • ·Supabase service role keys exposed in compiled JavaScript
  • ·Stripe live secret keys, OpenAI/Anthropic API keys, AWS access keys
  • ·Firebase project configuration and Firestore collection names
  • ·Supabase/Firebase provider detection with RLS verification warning
  • ·Backend URLs and API paths leaked in client-side bundles

Deep Scan ($19.99 / $14.99 per month)

Active probing + optional repo analysis

Includes everything in the surface scan, plus two additional tiers of active checks.

Tier 1: Always runs (no repo required)

CategoryWhat it checks
AuthLogin endpoints, rate limiting, cookie flags, admin route exposure
API ExposureAPI paths, GraphQL introspection, Swagger/OpenAPI, debug endpoints
JS Bundle (Deep)Extends surface JS analysis with infrastructure discovery for downstream probes (API Gateway, Cognito, backend URLs)
InfrastructureCORS misconfiguration, HTTP method abuse (TRACE/CONNECT), subdomain takeover
Provider SecurityFirebase/Firestore live rules probe, Supabase RLS check

Tier 2: Requires GitHub repo access

CategoryWhat it checks
Secrets (Static)Committed .env files, git history secrets, hardcoded credentials
DB SecuritySQL injection patterns, Firebase rules, Supabase RLS analysis
Auth ImplementationJWT verify disabled, weak hashing, OAuth missing state param
Dependenciesnpm/pip audit for CVEs and abandoned packages
Code Patternseval(), dangerouslySetInnerHTML, mass assignment, unsafe file upload

Out of scope (both tiers)

These require manual penetration testing or authenticated access beyond what we probe.

  • ·Business logic vulnerabilities (IDOR, privilege escalation)
  • ·Authentication brute-force or credential stuffing
  • ·Active injection attacks (SQL injection, XSS payloads, CSRF)
  • ·Mobile application analysis
  • ·Third-party SaaS integrations
  • ·Internal or VPN-protected infrastructure
Get surface scan →Run deep scan →Sample report →
Services | Talon