Scan any web app for security vulnerabilities.

Scan any deployed app. 80+ modules: Supabase RLS probe, AI-key detection, XSS testing, GraphQL audit, Firebase deep probe, subdomain takeover, IDOR detection, AI code fingerprinting, OWASP compliance reports, and more. PDF reports, CI/CD webhooks, Slack/Discord alerts.

Free, no signup. Quick results in ~10 seconds.

Works where you work

One MCP server, every AI coding tool.

  • Claude Code: /security-scan skill + MCP
  • Claude Desktop: native MCP
  • Cursor: .cursor/mcp.json
  • Cline: VS Code extension
  • Windsurf: native MCP
  • ChatGPT: Custom GPT + Actions (coming soon)
  • GitHub Copilot: @security-scanner (coming soon)
  • Vercel: post-deploy auto-scan

From scan to fix in 3 minutes

You don't leave your AI assistant.

STEP 1

In Claude Code, type /security-scan

The skill detects your deployment URL from CLAUDE.md or .env, then triggers a scan via MCP.

STEP 2

We run 80+ modules

Transport & headers, Supabase RLS probe, auth bypass on API endpoints, signup mass-assignment, payment webhook verification, SQL injection, SSTI, IDOR, GraphQL audit, AI-key leak detection, subdomain takeover, admin panel exposure, PII leak scanning, CORS / CSP / TLS / nuclei 8k+ CVE templates, and more.

STEP 3

Claude analyzes & fixes

Our AI writes a SECURITY-FIX.md with exact code changes for your tech stack. Claude Code reads it and implements fixes with your approval.

Simple pricing

Free to try. Pay as you scan.

Free

$0
Try the product
  • 1 scan to try
  • 1 target
  • No credit card
Start free

Pay as you go

$9 /scan
No subscription
  • One scan with AI analysis
  • Claude Code fix file
  • Up to 5 targets
Buy scan

Pro

$99 /mo
Small teams
  • 10 targets
  • Daily scans
  • Team members
  • Webhooks
  • Priority queue
Subscribe

80+ checks on every scan

Organized into 7 categories. Full module-level walkthrough →

👁Network & transport
  • nmap: top 1000 ports + common DB ports
  • TLS audit: cert chain, expiry, weak ciphers, SAN
  • Security headers: HSTS, CSP, X-Frame, Referrer-Policy on :80 / :443
  • WAF / CDN fingerprint: Cloudflare, Akamai, CloudFront, Fastly, Vercel, Netlify, Imperva, Sucuri, BIG-IP, Azure
  • Default-port DB probe: Redis, Memcached, MongoDB, Elasticsearch, Kibana, CouchDB, Neo4j
🔗Application surface
  • Exposed endpoints: /.env, /.git, /docs, /actuator, /terraform.tfstate — 25+ paths
  • Admin panel exposure: /admin, /dashboard, /_admin, /cms + admin API endpoints
  • API enumeration: /api/v2, /api/internal, /api/debug — flags auth regressions
  • OpenAPI audit: parses /openapi.json, flags missing security on every operation
  • GraphQL probe: introspection, dangerous mutations, Hasura anonymous-role audit
  • CORS + CSP audit: wildcard-origin + credentials, unsafe-eval / unsafe-inline
  • Error leak probe: triggers verbose errors to find stack traces, file paths, DB details
🔑Auth & access control
  • Auth bypass: tests 35+ sensitive endpoints without auth tokens
  • Signup mass-assignment: probes register endpoints for role=admin privilege escalation
  • Mass assignment: PATCH/PUT with extra fields (role, isAdmin, plan)
  • IDOR / BOLA sweep: 3-ID sweep on discovered endpoints, PII-leak detection
  • PII exposure: scans API list endpoints for leaked emails, phones, password hashes
  • JWT audit: alg=none, HS256 weak-secret crack, session entropy
  • Login brute-force: rate limiting on login, signup, password-reset
Injection & exploits
  • SQL injection: boolean-based + error-based SQLi on parameterized endpoints
  • XSS probe: reflected XSS with 3 payloads on discovered parameters
  • SSTI probe: template injection in Jinja2, Mako, ERB, FreeMarker
  • API fuzz: SQL / NoSQL / LDAP injection signatures
  • Payment webhook bypass: unsigned Stripe/Paddle events — missing signature verification
  • OAuth redirect: open-redirect on redirect_uri across 7 common paths
  • SSRF probe: fetch-URL endpoints tested against AWS metadata
🔓Secrets & data exposure
  • 38 provider patterns: Anthropic, OpenAI, AWS, Stripe, GitHub, Google, Clerk, Supabase, and 30 more
  • Supabase service_role: decodes JWT payload to flag the catastrophic admin key
  • Hardcoded credentials: PEM blocks, DB connection strings with embedded passwords
  • Source map exposure: detects .js.map files that reveal original source code
  • Cookie security: missing HttpOnly, Secure, SameSite flags
🛠BaaS deep-probe
  • Supabase RLS: extracts every .from('table') + .rpc() from the JS bundle, probes each with the anon key for Row Level Security misconfigs
  • Supabase storage: extracts .storage.from('bucket') refs, lists each — flags publicly listable buckets
  • Supabase edge functions: enumerates .functions.invoke() references
  • Firestore: extracts .collection() names, probes each with Firebase apiKey
  • Firebase Realtime DB: checks /.json root for unauthenticated read
  • NextAuth + Clerk: config + missing-secret audit
Cloud & infrastructure
  • S3 + GCS bucket exposure: extracts bucket names from JS + dictionary attack from apex; LIST probe
  • Subdomain takeover: CNAME chain analysis vs known fingerprints (Vercel, Netlify, Unbounce, GitHub Pages, S3, Heroku, Tumblr, Tilda)
  • Subdomain enumeration: Certificate Transparency logs + DNS brute + port check
  • K8s + Docker unauth APIs: kubelet :10250 /pods, Docker Engine :2375 /version, Prometheus :9090
  • Email DNS: SPF, DMARC, DKIM, DNS dangling-include detection
🧠AI & CVE modules
  • OpenAPI deep-audit: Sonnet classifies every endpoint, live-probes unauthed GETs
  • JS bundle analyzer: extracts endpoints + auth patterns + secrets, probes each
  • AI finding triage: demotes false positives, re-verifies uncertain findings
  • Prompt-injection probe: canary probes on discovered chat endpoints
  • Nuclei CVE templates: 8000+ templates (log4j, spring4shell, etc.)
  • JS library CVE + typosquat: vulnerable versions + known-typosquatted npm packages
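
To make concrete what the "Security headers" and "Cookie security" checks in the list above look for, here is a small offline audit over a captured response. This is example code written for this page, not the scanner's own implementation: the required-header list, the six-month HSTS max-age threshold and the sample weak/hardened responses are all assumptions constructed here.

```python
"""Offline audit of HTTP response headers and cookie attributes.

Example code added for this page; it is not the scanner's own code. The
required-header list and the six-month HSTS threshold are assumptions chosen
here, not values taken from the product.
"""
from __future__ import annotations

# Headers whose absence is reported, with the risk each one mitigates.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: clients can be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: no restriction on script sources",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
MIN_HSTS_MAX_AGE = 15_552_000  # six months in seconds (assumed threshold)
COOKIE_FLAGS = ("httponly", "secure", "samesite")


def parse_set_cookie(raw: str) -> dict:
    """Split one Set-Cookie value into the cookie name and its lowercased attributes."""
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name, "attrs": attrs}


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_response(headers: dict[str, str], set_cookies: list[str]) -> list[str]:
    """Return a list of finding strings; an empty list means every check passed."""
    findings: list[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    # Presence checks for the transport/framing/referrer headers.
    for name, message in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(message)

    # HSTS is only useful with a long max-age; a short one is flagged.
    if "strict-transport-security" in lower:
        age = hsts_max_age(lower["strict-transport-security"])
        if age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below six months")

    # A CSP that permits inline or eval'd script gives little XSS protection.
    csp = lower.get("content-security-policy", "")
    for directive in ("unsafe-inline", "unsafe-eval"):
        if directive in csp:
            findings.append(f"CSP allows {directive}")

    # Every cookie should carry HttpOnly, Secure and SameSite.
    for raw in set_cookies:
        cookie = parse_set_cookie(raw)
        missing = [flag for flag in COOKIE_FLAGS if flag not in cookie["attrs"]]
        if missing:
            findings.append(f"cookie {cookie['name']} missing {', '.join(missing)}")
    return findings


# Constructed samples: a weak response and a hardened one (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
}
WEAK_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(f"[{label}]")
        for finding in audit_response(hdrs, cookies) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the four findings on the weak sample and none on the hardened one; to use it on a real response, feed `audit_response` the header dict and the list of Set-Cookie values from your HTTP client of choice.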

No exploitation. No destructive mutations. Read-only probes with bounded payload sizes. security.txt · What we don't do →

FAQ

The questions we get most.

Is it open source?

Not today. The scanner is a hosted product — the detection patterns are the product. We may release parts (the MCP server, the disclosure tooling) separately once the model stabilizes. In the meantime, every finding ships with exact detection methodology and a reproducible curl or SQL command so you can verify it yourself.

Do you store my scan results?

Yes — findings are stored per-user in your dashboard so you can track trends and re-check after a fix. Only you and your team members see them. We never publish individual results or share them with third parties. Delete a target and its scans go with it.

Can I scan apps I don't own?

Only if you have authorization. Our Terms require you to own or have explicit permission to scan any target you submit. We do only read-only, non-destructive probes — but running an unauthorized scan can still violate local laws and the target's ToS. If you find something on someone else's app, please disclose responsibly.

How is this different from Snyk, Cobalt, or Burp?

Snyk scans dependencies in your repo. Burp is an interactive proxy you drive by hand. Cobalt is a human pentest engagement. We scan the live, deployed URL — what an attacker actually sees — and emit fix instructions formatted for your AI coding assistant to execute. Built for the developer who ships on Lovable / Replit / Bolt and wants a security pass in 3 minutes, not a 2-week engagement.

What's the difference between Free and paid?

Free runs every detection module and shows you every finding, once. Paid plans add ongoing monitoring (weekly / daily re-scans), email alerts when a new CRIT appears, multi-target tracking, priority queue, API access for CI/CD, and the AI-generated SECURITY-FIX.md file your assistant can execute.

Get the next research post

One email when we publish — batch scans of new platforms, disclosure write-ups, no marketing.