Checks

Security checks we actually measure

Each check is something we measure automatically and report concretely β€” not a long list of noise.

DMARC check: stop anyone from forging your email

Without a correct DMARC policy, anyone can send mail that looks like it comes from your domain. We check your DMARC, SPF and DKIM and give you a prioritised fix list.

GitHub branch protection: stop unsafe code reaching production

An unprotected main branch means anyone with write access can push straight to production β€” no review, no CI. We check branch protection per repo across your whole org.

Leaked secrets in GitHub: find them before someone else does

A forgotten API key in an old commit is still valid and searchable. We scan your repos β€” including git history β€” for leaked secrets and show exactly where they are.

Vulnerable dependencies: know which ones can actually hit you

Most dependency alerts are noise. We run dependency audit on your lockfiles and surface the most serious ones β€” so you fix the right things first.

Security headers: the simplest security win you can measure

The right HTTP security headers stop whole classes of attacks β€” clickjacking, protocol downgrade, mixed content. We check your headers and show exactly what's missing and why it matters.

SPF check: decide who can send in your name

SPF states which servers may send email for your domain. Set wrong, it blocks legitimate mail or lets forged mail through. We check it and pinpoint the errors.

DKIM check: prove your email is genuine

DKIM signs your mail cryptographically so the recipient can prove it wasn't tampered with. We check your selectors, key length and that signing works.

HSTS check: shut the door on HTTPS downgrade

HSTS forces the browser to always use HTTPS and stops downgrade attacks. We check your HSTS header β€” max-age, includeSubDomains and preload.

TLS check: encryption that actually holds

Old TLS and weak cipher suites turn encryption into false comfort. We check your TLS versions, cipher suites and certificates and show what should be turned off.

Kubernetes security: find the misconfiguration before the attacker

Most Kubernetes breaches start in a misconfiguration, not a zero-day. We check your manifests and cluster against hardening best practice and prioritise what actually opens a way in.

GitHub Actions: CI is a path straight into your secrets

A compromised or unpinned GitHub Action can exfiltrate your secrets and push code. We check your workflows' permissions and third-party dependencies and point out the risks.

CORS check: don't leak your API to any site

An overly permissive CORS policy lets attacker sites read your API in the user's name. We check your Access-Control headers and flag the dangerous combinations.

MTA-STS: enforce encrypted email delivery (roadmap)

Without MTA-STS, an attacker can downgrade email to unencrypted transfer. Automated MTA-STS/TLS-RPT verification is on our roadmap; today our email scan checks SPF, DKIM, DMARC, DNSSEC and CAA.

SBOM: a table of contents for your software

An SBOM lists every component in your software β€” the basis for answering 'are we affected?' when the next Log4Shell appears. Today we run dependency audit and can analyse an SBOM you provide; automated generation is on our roadmap.

Dockerfile security: an insecure image is an insecure service

A container is only as secure as its image. We check your Dockerfiles for root execution, baked-in secrets, unpinned bases and other common gaps.

Open ports: everything reachable is attack surface

Databases, admin panels and old services that happen to be internet-exposed are one of the most common ways in. We map your open ports and flag what shouldn't be there.

CVE exposure: known vulnerabilities on your surface, prioritised

Attackers scan the internet for known vulnerable versions within hours of a CVE. We match your exposed services against known CVEs and prioritise by what's actually being exploited.

GitHub repo permissions: know exactly who can push to your code

Over time, admin and write access accumulates on the wrong people, former employees and outside collaborators. We map permissions per repo and show where least privilege breaks down.

Container vulnerabilities: know which CVEs can actually be exploited

A container image inherits every vulnerability in its base layer and packages. We scan your images, rank the CVEs by real exploitability and show which are worth fixing first.

Backup evidence: prove you can restore, not just that you copy

A backup that's never been tested is a hope, not a control. We help you document that backups cover the right data, are tested regularly and protected against deletion β€” the evidence auditors and NIS2 ask for.

MFA check: do you require two-factor, or just offer it?

Most account breaches start with a stolen password. MFA stops them β€” but only if it's enforced for everyone, not optional. We check whether your GitHub org and exposed services actually require two-factor.

Exposed database: is your data open to the internet?

Open databases are one of the most common causes of large data leaks. We map your external surface for databases, caches and storage reachable from the internet β€” without authentication or with default passwords.

Subdomain takeover: can someone hijack your subdomains?

A DNS record pointing to a cloud service you stopped using can be hijacked by anyone who re-registers it. We map your subdomains and find the dangling records that can be taken over.

GraphQL security: is your API leaking or overloading?

GraphQL moves power to the client β€” and with it the risk. We check whether your API leaks its schema, allows queries that are too deep or too expensive, and lacks field-level access control.

Security logging: can you even see when something goes wrong?

You can't respond to a breach you never detect. We assess whether your systems log the right security events, whether the logs are protected from tampering, and whether they actually make it possible to detect and investigate an incident.

Secrets rotation: find leaked keys that must be rotated

Removing a leaked key from the code isn't enough β€” if it was never rotated it's still a valid way in. We look for secrets in your git history and flag every hit that must be rotated.

Want it all at once?

A Security Assessment runs every check against your domain and GitHub and gives you a prioritised fix list.

Run a free domain scan