
Security

What we scan, and what we don't

Passive external checks using public data sources. Exact scope, data handling, and disclosure — documented.

  • EU hosting: Frankfurt · Vercel EU
  • TLS 1.3: Encrypted · HSTS
  • Passive only: Read-only · zero writes

Scan scope

Passive & read-only — only what your server already returns to any client.

  • DNS — A, MX, NS, TXT, SPF, DMARC, DKIM, CAA, DNSSEC
  • TLS/SSL — protocol versions, certificate validity, expiry, chain
  • HTTP headers — server strings, security header presence
  • Certificate Transparency (crt.sh) — subdomain enumeration
  • Shodan passive data — open ports & banners (no active scan)
  • Common path validation — low-impact probes, no form submission
  • JS bundle analysis — accidental secret exposure patterns
  • NVD/EPSS lookup — versions cross-referenced against CVE data

What we never do

  • Send authenticated requests or attempt login
  • Exploit or trigger any identified vulnerability
  • Store data from the scanned domain beyond HTTP responses
  • Scan internal networks or non-public endpoints
  • Probe admin panels or application logic
  • Modify any configuration, files, or state

Scope limitation

External surface only. A clean result does not guarantee your application is free of all vulnerabilities.

Data retention

Data             | Retention      | Notes
Scan results     | 12 months      | Auto-deleted after expiry.
Domain submitted | 12 months      | Stored & deleted with results.
Email address    | Until deletion | Report delivery only. Never sold.
Server-log IP    | 30 days        | Standard logs, auto-deleted.
Payment data     | Not stored     | Handled entirely by Stripe.
Site content     | Not collected  | Headers & metadata only.

False positives

Passive scanning produces false positives. Version banners don't confirm vulnerable software; path probes confirm HTTP responses, not exploitability.

If a finding is inaccurate, send the domain, finding ID, and why. We review within 5 business days.

security@sycrion.com

Responsible disclosure

Found a vulnerability in our platform? Report it responsibly. We acknowledge within 48 hours.

security.txt

https://sycrion.ru/.well-known/security.txt
security@sycrion.com

Infrastructure

  • Hosting: Vercel EU · Frankfurt
  • Database: Neon Postgres · EU · encrypted at rest
  • Email: Resend · transactional only
  • Payments: Stripe · PCI DSS L1
