114 free security tools — no signup required. Scan any domain for vulnerabilities, misconfigurations, and risks.
Get a comprehensive 0-100 security reputation rating. Combines DNS, email auth, SSL, and headers into one actionable score with letter grade.
Visualize your security posture as an interactive radar chart across 6 axes: DNS, Email, SSL, Headers, Infrastructure, and Attack Surface. Compare against industry averages instantly.
Measure how visible your attack surface is on the public internet. Analyzes subdomains, open ports, WHOIS privacy, email infrastructure, DNS footprint, and technology leakage. Lower is better.
Monitor any domain's security score continuously — for free. Get webhook or email alerts when something changes. Competitors charge $500+/month for this.
Check if your website is protected against AI crawlers like GPTBot, ClaudeBot, and CCBot. Analyzes robots.txt, meta tags, WAF, and 20+ AI bots. Get copy-paste fixes.
Comprehensive security audit with actionable fix guides. Check 20+ security controls across SSL, DNS, email, headers, and best practices. Get copy-paste remediation snippets for every finding.
Discover exposed cloud resources — S3 buckets, Azure blob storage, GCP buckets, Firebase databases, Elasticsearch, and Docker registries. Finds misconfigurations before attackers do.
Scan any website's public HTML and JavaScript files for accidentally exposed API keys, tokens, passwords, and secrets. Detects AWS, Google, GitHub, Stripe, and 20+ more patterns.
Comprehensive IP analysis — geolocation, open ports, threat intelligence, blacklist checks, reverse DNS, ASN data, and hosted domains. Your free Shodan alternative.
Scan up to 10 domains at once. Compare security grades, risk levels, and vulnerabilities side-by-side. Export results as CSV.
Get a comprehensive security analysis combining all tools into one unified report. Email, SSL, DNS, headers, and subdomain scanning.
Discover all subdomains using 10+ OSINT sources. Each result enriched with IP, HTTP status, server, cloud provider, and page title. Export as CSV.
SSL Labs-style deep analysis: cipher suites, protocol versions (TLS 1.0–1.3), certificate chain, forward secrecy, HSTS preload, OCSP stapling.
Find domains related to any target through shared infrastructure — same IP, SSL certificates, MX servers, and nameservers. SecurityTrails charges $50+/mo for this.
Instant reconnaissance — see open ports, known CVEs, technologies, DNS records, and WHOIS data in one unified view. Powered by Shodan InternetDB.
Browse the latest CVEs from NIST NVD in real-time. Filter by technology (Apache, Nginx, WordPress, etc.), severity, and timeframe. Free Shodan exploit search alternative.
Scan any website and get ready-to-use server configurations to fix missing security headers. Supports Nginx, Apache, Cloudflare Workers, Express.js, and Caddy.
Compare the security posture of two domains side by side. See who has better DNS, email auth, SSL, and header security across 8 signals.
Verify HSTS header configuration and preload eligibility. Check max-age, includeSubDomains, preload directive, and Chrome preload list status.
Scan any domain for exposed sensitive files — .env, .git, database dumps, config backups, admin panels, and 35+ common paths attackers look for.
Decode and analyze JSON Web Tokens for security vulnerabilities. Check for algorithm none attacks, key confusion, expired tokens, sensitive data exposure, and header injection risks.
Decode and inspect SAML 2.0 Responses, AuthnRequests, and Assertions. Analyze attributes, conditions, signatures, time validity, and security misconfigurations — 100% client-side.
Test for open redirect vulnerabilities across 26 common redirect parameters with 6 bypass techniques. Detect phishing attack vectors before attackers exploit them.
Test if a website is vulnerable to clickjacking (UI redressing) attacks by checking X-Frame-Options and CSP frame-ancestors headers.
Analyze Permissions-Policy and Feature-Policy headers. Check which browser features (camera, mic, geolocation, payment, USB) are restricted or exposed.
Check if a website has rate limiting configured on its endpoints. Detects standard and vendor-specific rate limit headers.
Expand shortened URLs to reveal the final destination. Trace every redirect hop, detect HTTPS downgrades, suspicious TLDs, and excessive redirect chains.
Discover what the Wayback Machine has archived for any domain. Find historically exposed admin panels, config files, API endpoints, and sensitive paths.
Check if a website is up or down. Multi-point verification with DNS resolution, HTTPS support, and response time analysis.
Discover registered lookalike domains targeting your brand. Detects character omissions, swaps, homoglyphs, TLD variations, and more.
Inspect the full HTTP response — status, headers, redirects, cookies, timing, body preview, and security analysis. Like curl -v in your browser.
Test encrypted DNS resolution across Google, Cloudflare, Quad9, NextDNS, AdGuard, and Mullvad. Check consistency, DNSSEC validation, and response times.
Compare DNS resolution across Google, Cloudflare, Quad9, and OpenDNS to detect poisoning, hijacking, or propagation issues.
Detect DNS rebinding vulnerabilities by analyzing IP resolution for private addresses, TTL values, wildcard DNS, and CORS misconfigurations.
Detect covert data channels hidden in DNS traffic — high-entropy records, encoded payloads, unusual record types, wildcard DNS, and suspicious nameservers.
Test if nameservers allow unauthorized AXFR zone transfers, exposing internal hostnames, mail servers, and full network topology.
Export all DNS records for any domain in JSON, CSV, or BIND zone file format. Queries 17 record types including A, AAAA, MX, TXT, NS, SOA, SRV, CAA, DNSKEY, and more.
Analyze Certificate Authority Authorization records to see which CAs can issue SSL certificates. Checks wildcard restrictions, violation reporting, parent domain inheritance, and grades your configuration.
Deep security analysis of nameserver infrastructure — redundancy, version disclosure, open resolvers, EDNS, TCP, DNSSEC, and provider diversity.
Detect exposed GraphQL endpoints and analyze schemas for sensitive types, dangerous mutations, and data exposure risks.
Scan any domain for exposed API documentation, admin panels, configuration leaks (.env, .git), debug endpoints, and authentication routes.
Look up Autonomous System Numbers, IP addresses, or domains to discover network ownership, BGP peers, announced prefixes, and abuse contacts.
Test HTTP/2, HTTP/3 (QUIC), ALPN negotiation, and TLS version support. Ensure your server uses modern protocols for optimal performance.
Measure website response time with detailed timing breakdown — DNS, TCP, TLS, TTFB, and download. Get performance grades and optimization tips.
Test STARTTLS support on mail servers, verify MTA-STS enforcement policy, and check SMTP TLS Reporting (TLSRPT) — ensure email is encrypted in transit.
Check Brand Indicators for Message Identification (BIMI) — verify brand logo display in email clients, VMC/CMC certificates, and DMARC compliance.
Discover email addresses and email infrastructure for any domain. OSINT-powered email enumeration using DNS records, web scraping, and pattern analysis.
Benchmark DNS resolution speed across 12 major public resolvers — Cloudflare, Google, Quad9, OpenDNS & more. Find the fastest DNS and get security insights.
Validate DNSSEC chain of trust, DNSKEY/DS records, RRSIG signature expiry, NSEC/NSEC3 zone enumeration protection, and algorithm security grading.
Check DNS-based Authentication of Named Entities (DANE) — verify TLSA records for certificate pinning via DNS across HTTPS, SMTP, and more.
Analyze website meta tags, Open Graph previews, Twitter Cards, JSON-LD structured data, and security-related metadata. See how your site looks when shared.
Audit any website for trackers, cookies, fingerprinting, consent management, and privacy policy compliance. Get GDPR & CCPA recommendations.
Estimate the CO₂ emissions of any web page. Analyze page weight, resource breakdown, green hosting status, and get tips to reduce environmental impact.
Generate an embeddable SVG badge showing your domain's security grade (A+ to F). Add it to your README, website, or docs as a trust signal.
Detect WebSocket endpoints, check WSS encryption, origin validation, CSWSH vulnerabilities, compression risks, and identify real-time libraries like Socket.IO and SignalR.
Public ranking of domains by security score. See which websites have the best security posture and compete for the top spot.
Track how a domain's security reputation score changes over time. See trends, improvements, and regressions with historical data.
Capture a visual snapshot of any website with metadata, tech detection, redirect chains, external connections, and console error analysis. Desktop & mobile views.
Automatically discover assets, subdomains, services, and risk areas to build a penetration testing scope document. Export-ready for security assessments.
Verify if a domain has a properly configured security.txt file per RFC 9116. Check for required fields, expiration, PGP signing, and compliance.
Discover your subdomains and check for takeover vulnerabilities. Find dangling CNAMEs before attackers do.
Paste raw email headers to trace the delivery path, verify SPF/DKIM/DMARC authentication, and detect phishing indicators.
Check your SPF, DKIM, and DMARC configuration. Prevent email spoofing and phishing attacks.
Paste or upload DMARC aggregate XML reports to visualize authentication pass/fail rates, source IP breakdown, alignment checks, and policy recommendations. 100% client-side.
Resolve all SPF includes into flat IP addresses. Stay under the 10-lookup limit and prevent email delivery failures.
Build DNS records interactively — SPF, DMARC, DKIM, MX, CAA, A, AAAA, CNAME, and TXT. Form-based builder with copy-paste ready output and BIND zone format.
Deep DKIM selector discovery — tests 50+ selectors, validates key strength, detects weak or revoked keys.
Verify your SSL certificate validity, expiration, and configuration. Ensure secure connections.
Interactive infrastructure map — visualize DNS records, subdomains, CNAME chains, CDN providers, and IP geolocation in a network graph.
Comprehensive DNS analysis: nameservers, CAA records, SOA configuration, TTL optimization, and more.
Analyze your website's HTTP security headers. Check for HSTS, CSP, X-Frame-Options, and more.
Check domain registration details, expiration dates, and ownership. Verify transfer locks and privacy protection.
Find all domains registered by the same organization, email, or person. Uncover hidden infrastructure and domain portfolios. SecurityTrails charges $50+/mo for this.
Find all domains hosted on the same IP address. Discover shared hosting neighbors, virtual hosts, and associated domains.
Scan common ports on any domain or IP. Identify open services, detect risky exposures, and assess your attack surface.
Visualize your domain's entire DNS infrastructure as an interactive network graph. See nameservers, mail servers, IPs, and subdomains at a glance.
Track how a domain's DNS infrastructure has changed over time. View historical records, certificate issuances, hosting changes, and registration timeline — like SecurityTrails, but free.
Scan any webpage to find broken links that hurt SEO, user experience, and security. Detects 404s, timeouts, and connection errors.
Detect insecure HTTP resources loaded on HTTPS pages. Find scripts, stylesheets, images, and iframes that weaken your TLS security.
Verify that external scripts and stylesheets use Subresource Integrity hashes to prevent CDN tampering attacks.
Analyze website cookies for missing Secure, HttpOnly, and SameSite flags. Detect CSRF and XSS risks in cookie configurations.
Analyze robots.txt for exposed sensitive paths and sitemap.xml for crawl configuration. Discover hidden endpoints before attackers do.
Discover what technologies power any website. Identify servers, frameworks, CMS, analytics, CDN, and more.
Trace every HTTP redirect hop from start to finish. Detect loops, HTTPS downgrades, excessive chains, and measure latency at each step.
Detect technologies on any website and check for known CVEs from the National Vulnerability Database. Find security flaws before attackers do.
Check if your domain has been involved in known data breaches. See exposed data types, account counts, and get risk assessments.
Test any domain for dangerous CORS policies. Detect origin reflection, wildcard misuse, null origin attacks, and credential leaks.
Search Certificate Transparency logs for all certificates ever issued for your domain. Discover subdomains, detect unauthorized issuance, and monitor CA activity.
Check DNS record propagation across 12 global resolvers. Verify that your DNS changes have propagated worldwide and identify inconsistencies.
Follow CNAME chains hop-by-hop to their final resolution. Detect dangling CNAMEs, identify cloud providers, and assess subdomain takeover risks at each level.
Generate 50+ targeted Google dork queries for OSINT reconnaissance. Discover exposed files, admin panels, sensitive data, and vulnerability indicators on any domain.
Compute the MurmurHash3 of any website's favicon for Shodan, Censys, and ZoomEye searches. Discover related infrastructure and hidden assets using favicon fingerprinting.
Check how strong your password is. Analyzes entropy, estimated crack time, keyboard patterns, common passwords, and leet speak detection. 100% client-side — nothing leaves your browser.
Analyze SSH public keys for type, strength, fingerprints, and security issues. Supports RSA, Ed25519, ECDSA, DSA, and FIDO2 security keys. 100% client-side — nothing leaves your browser.
Scan your project dependencies for known CVEs using the OSV database. Supports package.json, requirements.txt, go.mod, Cargo.toml, and Gemfile. CSV export included.
Calculate vulnerability severity scores using the Common Vulnerability Scoring System v3.1. Includes known CVE examples, vector string parsing, and severity breakdown. 100% client-side.
Detect internationalized domain name (IDN) homograph attacks. Analyze domains for confusable Unicode characters, punycode encoding, mixed scripts, and visual spoofing risks. 100% client-side.
Test regular expressions for ReDoS (Regular Expression Denial of Service) vulnerabilities. Detects catastrophic backtracking, nested quantifiers, and exponential complexity with timing analysis. 100% client-side.
Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. Verify file integrity by comparing hashes. 100% client-side — nothing leaves your browser.
Generate secure TLS/SSL configurations for Nginx, Apache, HAProxy, and Caddy. Based on Mozilla's recommended settings with Modern, Intermediate, and Legacy presets.
Encode and decode text with Base64, URL encoding, HTML entities, hex, binary, Unicode escapes, ROT13, and Punycode. Essential for security analysis and debugging. 100% client-side.
Paste a PEM-encoded X.509 certificate and decode all fields: subject, issuer, SANs, validity, key type, extensions, and security grade. 100% client-side.
Paste a PEM-encoded Certificate Signing Request (PKCS#10) to decode subject, key algorithm, SANs, extensions, and get a security grade. 100% client-side.
Inspect the complete certificate trust path for any domain — leaf, intermediate CAs, and root CA with key details, validity, fingerprints, and chain grade.
Detect Web Application Firewalls protecting any domain. Identifies 16+ WAF and CDN providers through header analysis, response inspection, and DNS fingerprinting.
Check if your domain or IP is on major DNS blacklists, spam databases, and security blocklists. Protect your email deliverability and online reputation.
Deep analysis of Content-Security-Policy headers. Detect unsafe directives, known bypass endpoints, missing protections, and get actionable XSS prevention guidance.
Interactively build Content-Security-Policy headers with drag-and-drop directives, real-time grading, preset templates, and export for Nginx/Apache/Express.
Map any IP address or domain to its geographic location, ISP, and autonomous system. Detect proxies, VPNs, hosting providers, and mobile carriers.
Create a properly formatted RFC 9116 security.txt file for your domain. Fill in fields, validate in real-time, and download or copy the result.
Paste any suspicious URL to analyze it for phishing indicators. Detects brand impersonation, homoglyph attacks, suspicious TLDs, URL shorteners, and 12+ signals.
Query any DNS record type for a domain. Check A, AAAA, MX, NS, TXT, CNAME, SOA, and more with detailed results.
Discover which HTTP methods a server accepts and flag dangerous ones like TRACE (XST), PUT, DELETE, and CONNECT.
Detect throwaway, temporary, and disposable email addresses. Protect against fraud, fake signups, and list hygiene issues with bulk checking support.
Sign up for WebGuarder to get automated scanning, scheduled reports, alerting, team collaboration, and 13+ security scanners for your entire infrastructure.