Email spoofing
DMARC, SPF, DKIM, plus MTA-STS and TLS-RPT transport security. Can a stranger send mail as you?
Passive security posture scanner
One scan checks email spoofing protection, TLS, security headers, exposed files, client-side JavaScript, and your entire public attack surface, then grades it and hands you a prioritized fix list. Nothing is touched but public data.
A full posture check across the surfaces attackers enumerate first, no agent to install, nothing to configure.
DMARC, SPF, DKIM, plus MTA-STS and TLS-RPT transport security. Can a stranger send mail as you?
CSP, HSTS, clickjacking, cookie flags, CORS, certificate validity, TLS versions, HTTP/2 & HTTP/3.
Subdomains from CT logs, live-host resolution, issuance timeline, and subdomain-takeover fingerprints.
Leaked keys, known-vulnerable libraries, downloadable source maps, and DOM-XSS / eval sinks.
Wayback-archived endpoints re-probed live, robots.txt path mining, and forgotten files that never got removed.
Registered lookalike domains, mail-capable typosquats, and exposed .env/.git leaks.
Three steps. No account, nothing to install, and nothing touched but public data.
Enter a domain and hit Scan. It only reads public data (pages, headers, DNS records, and JavaScript), so it's safe to run against a live site and needs no setup.
Findings stream in live as each check resolves. When it finishes you get a letter grade, A+ to F, with every result grouped by section so you can see exactly what's exposed.
The prioritized fix kit spells out what to change and how, most severe issues first. Apply the recommendations, then re-scan to confirm your grade climbs.
What a free, passive scan is and what it isn't.
Yes, free to use, no account, and no signup. Every scan returns a full graded report; nothing is paywalled.
It only sends the same kind of requests a browser, a DNS lookup, or a certificate-transparency search already makes: it reads public pages, headers, DNS records, and JavaScript. It never sends exploit payloads, submits forms, brute-forces logins, or tries to break anything, so it won't disrupt or take down the target.
Scan domains you own or are explicitly authorized to test. Everything here is passive and uses public data, but you're still responsible for having authorization. Treat it like any other security testing.
Email spoofing protection (DMARC, SPF, DKIM, MTA-STS), TLS and protocol support, security headers, exposed files, and your client-side JavaScript for leaked keys, known-vulnerable libraries, downloadable source maps, and DOM-XSS sinks. It also maps your attack surface from certificate-transparency logs, checks for subdomain takeover, dead links, forgotten endpoints in the Wayback Machine, and lookalike domains. See what one scan looks at for the full list.
No. A penetration test actively exploits weaknesses to prove impact; this is a passive posture check that maps what's exposed and grades your configuration. It's a fast first look and a good ongoing hygiene check, but it complements a real pentest rather than replacing it. A clean grade here doesn't mean you have no vulnerabilities. Vitreo is a free product from Vullify, a vulnerability management platform; for continuous tracking and remediation of vulnerabilities across your assets, that's where Vullify comes in.
Each check is a finding (pass, warning, or fail) weighted by severity, from a starting score of 100 down to a letter grade (A+ to F). The report groups everything into sections and hands you a prioritized fix kit, worst first, so you know what to address before anything else.
There's no account and no tracking. "Recent scans" is scoped to your browser: a random token is saved in your browser's local storage and only your own scans show up in that list, so other visitors can't browse what you've scanned. Anyone with a scan's link (its UUID) can still open that one report, so only share it if you mean to. Reports are deleted automatically 72 hours after a scan finishes; download the JSON if you want to keep one. Clearing your browser storage forgets the token, so your past scans drop off the list.
Public domains only. IP addresses and internal or reserved names (localhost, *.internal, or anything that resolves to a private address) are rejected, which keeps the scanner from being pointed at internal networks it can't see.
Yes. Scans are rate-limited per IP address to keep the service fair for everyone, with a per-minute limit and a daily cap. If you hit one, you'll get a clear message telling you when you can try again. The exact limits for this instance are shown on the API reference.
The scanner is a REST API first, this page is just one client of it. Start a scan, stream progress over Server-Sent Events, and pull the graded report. No browser required.