Pre-launch · free for one domain

Run a security audit before you switch on traffic.

The day you launch is the day your domain hits every public scanner. Find the things they'll find — leaked developer keys, brand impersonators, exposed admin URLs, weak DNS — in 90 seconds, free, no signup required.

  • ✓ 30+ external-surface checks (no agent, no code access)
  • ✓ Leaked-credential scan against public GitHub
  • ✓ WHOIS privacy + registrar-lock check
  • ✓ Plain-English fixes — hand directly to your developer

Run your free pre-launch check

We run the scan from public infrastructure. Nothing is installed on your site. Results in 90 seconds.

What you're about to find

Six things every pre-launch startup misses

Developer credentials leaked on GitHub

We scan public GitHub for AWS keys, Stripe live secrets, GitHub PATs and database URLs that include your domain — the most common vector that bites pre-launch teams the day after their first press hit.

Brand impersonation domains already registered

Lookalike domains (homoglyphs, hyphenated variants, alternate TLDs) are often pre-registered before you hit Reddit. We surface every active clone so your team can take it down before traffic arrives.

Public WHOIS exposing personal data

Most early-stage founders register the domain personally. Without privacy enabled, your home address and phone number are publicly searchable. We check the privacy flag, registrar lock, and expiry runway.

Email-spoof-ready SPF / DMARC / DKIM

Without DMARC at p=quarantine or p=reject, anyone can send phishing email pretending to be your domain. We check all three records and explain the fix in plain English.

Exposed admin paths and config files

We probe for /.env, /.git/config, /wp-admin, /phpinfo.php, default /admin URLs, and unauthed Spring Actuator endpoints — the first thing automated scanners hit on launch night.

TLS misconfiguration that fails a checkout

Mixed-content warnings, weak ciphers, expiring certificates, mismatched SAN entries — any one will block Stripe Checkout or Apple Pay. We grade TLS A/B/F so you know before payments break.

Why timing matters

Launch day is when scanners start looking.

When your launch lands on Hacker News, Product Hunt, or industry Twitter, a wave of automated scanners hits within the first hour. They look for the same 30+ patterns we check for. The difference is that they're looking to exploit; we're looking to fix.

At pre-launch you can fix every finding in an afternoon — rotate the leaked AWS key, enable WHOIS privacy, add a DMARC record, change a default password. After launch, every fix is harder: you have customers with sessions, browser caches with your old DNS, search engines indexing your exposed admin paths.

The cheapest security work you will ever do is the work you do before your first customer arrives.

  • 30+ checks per scan
  • 90 s time to first finding
  • 0 code access needed

Domain ownership check

Is your domain's WHOIS record protecting you?

Most founders register their domain personally with the home address on file. If you didn't enable WHOIS privacy at checkout, your name, email, phone number, and physical address are searchable in seconds via whois example.com. We'll show you exactly what's exposed and how to lock it down at your registrar — usually a single checkbox.

  • ✓ Privacy flag (on / off)
  • ✓ Registrar transfer lock
  • ✓ Renewal date countdown
  • ✓ Owner organisation + country (if exposed)
  • ✓ Domain age + status flags
  • ✓ Recent registrar / nameserver changes

Free for one domain. Forever.

Run the audit, fix what we find, ship your launch. If you want continuous monitoring + WhatsApp alerts when something changes, our paid plans start at $99/mo.

FAQ

Common questions

Do I need to install anything?

No. We scan from public infrastructure — DNS, HTTP, WHOIS, certificate transparency logs. Nothing is installed on your servers.

How is this different from a pentest?

A pentest is a one-shot, deep, expensive engagement (~$5k+). This is a free 90-second audit covering the boring-but-deadly external-surface basics. They complement each other; do this first, pentest later.

What about my GitHub repos?

The free pre-launch scan includes a public-GitHub credential leak check using your domain as the brand token. If you want our deeper GitHub App (PR review, full-repo SAST, branch-protection lock-in), that's on the paid Standard plan and up.

Will the scan break anything?

No. Every probe is read-only and rate-limited. We do not log in, fuzz inputs, or send any traffic that could trip a WAF.

Do you keep my findings?

Only if you sign up. Run the scan, see results, leave — we delete the anonymous run after 7 days. If you create an org, the report is attached to your account so you can re-run it later.