FREE · NO LOGIN · NO CARD

Free External Attack-Surface Scan

See what an attacker sees. No login. We email the report within 1 business day.

Banner-grade, expert-reviewed, with a 90-day responsible disclosure window. Built for AU/NZ/SG operators who want to know their actual exposure before a compliance push or AI rollout.

Expert-reviewed · Australian-owned · ABN 34 318 502 254

WHAT IT IS · WHO IT’S FOR

WHAT IT IS

  • Banner-grade external scan of your public attack surface
  • 90-day responsible-disclosure window on every finding
  • No exploitation, no credential attempts, no DoS — ever
  • Independently reproducible: every finding ships with the exact nmap command
  • Expert-reviewed before delivery; no auto-generated noise

WHO IT’S FOR

  • AU/NZ/SG operators who own a domain and want their actual exposure
  • CTOs & founders staring down a compliance push or audit
  • IT leads about to greenlight an AI rollout in production
  • MSP buyers about to renew — verify before you sign
  • Anyone who wants a sober second opinion, not a sales pitch

THE FULL PROCESS

Five steps from form-submit to report-in-inbox. No mystery, no opaque hand-offs.

I. SUBMIT THE FORM

Domain, work email, name, and any scope notes. Takes under a minute.

II. WE QUEUE YOUR SCAN

You’re placed in the daily scan queue. No payment, no waiting list game.

III. SCAN RUNS

nmap -sV, TLS/SSL validation, public DNS + certificate-transparency lookups, NVD CVE matching by version.

IV. REPORT DELIVERED

Hosted HTML report linked from an email to your inbox — within 1 business day.

V. YOU DECIDE WHAT’S NEXT

Fix it yourself, escalate to your host, or ask us for help. No pressure, no auto-renewal.

WHAT’S INSIDE THE REPORT

One report, every finding ranked, every finding reproducible.

  • Public-facing services + open ports (the standard 15-port external sweep)
  • Database exposure flags (any DB port reachable from the public internet)
  • TLS posture — certificate validity, expiry, signature algorithm, protocol versions
  • Known CVE matches against reported service versions (NVD-sourced)
  • DNS hygiene — SPF, DKIM, DMARC, CAA, MX, plus cert-transparency findings
  • Host classification — what you control vs what your hosting provider controls
  • Severity ranking (Critical / High / Medium / Low / Info) + remediation step per finding
  • Reproduction command for every finding — verify it independently in 30 seconds

METHODOLOGY · THE SHORT VERSION

If a tool would require permission, we don’t use it. Period.

WHAT WE DO

  • Banner-grade nmap -sV
  • TLS / SSL validation
  • Public DNS + cert transparency
  • NVD CVE matching by version

WHAT WE NEVER DO

  • Auth / credential attempts
  • Exploit attempts
  • DoS / brute force
  • Data exfiltration

REQUEST YOUR FREE SCAN

Submit the form. We’ll email your report within 1 business day. No card, no login.

WHAT COMES AFTER THE SCAN

Most teams use the free scan to decide whether they need the Compliance engagement or an AI build. Here’s where each fits.

PRIVACY ACT + ESSENTIAL EIGHT COMPLIANCE

If the scan surfaces gaps and the 11 December 2026 Privacy Act deadline matters to you, the compliance engagement is the next step. One done-with-you call where we apply the changes together.

AI IMPLEMENTATION FOR BUSINESS

If the scan shows you’re solid on basics and your real bottleneck is an AI capability you can’t free up engineering hours to ship, scope a build with us. Quoted by scope, fixed-price SOW.

QUESTIONS WE GET

How long does the scan take?

Your scan is queued the moment you submit. The report is delivered to your inbox within 1 business day. Most run faster than that — the SLA is just the worst-case promise.

What if my domain is hosted on Squarespace / Webflow / GitHub Pages?

The scan still works. We split findings into what you control vs what your hosting provider controls, so you don’t walk away with a list of things you can’t fix. Host-controlled findings come with the exact escalation language to send the provider.

Is this exploitation?

No. Banner-grade only. We probe what the public internet can already see — service banners, TLS posture, DNS records, certificate transparency. No authentication attempts. No exploit attempts. No DoS. No data exfiltration. Full methodology at /methodology.

Do you store my data?

Scan results are kept for our scan corpus so we can show longitudinal exposure trends. Your email goes only into our lead store — never sold, never shared with third parties, suppressed forever if you reply remove.

READY TO SEE WHAT AN ATTACKER SEES?

Free, expert-reviewed, delivered within 1 business day. No card, no login, no follow-up sequence.
