Each check is something we measure automatically and report concretely β not a long list of noise.
Without a correct DMARC policy, anyone can send mail that looks like it comes from your domain. We check your DMARC, SPF and DKIM and give you a prioritised fix list.
An unprotected main branch means anyone with write access can push straight to production β no review, no CI. We check branch protection per repo across your whole org.
A forgotten API key in an old commit is still valid and searchable. We scan your repos β including git history β for leaked secrets and show exactly where they are.
Most dependency alerts are noise. We run dependency audit on your lockfiles and surface the most serious ones β so you fix the right things first.
The right HTTP security headers stop whole classes of attacks β clickjacking, protocol downgrade, mixed content. We check your headers and show exactly what's missing and why it matters.
SPF states which servers may send email for your domain. Set wrong, it blocks legitimate mail or lets forged mail through. We check it and pinpoint the errors.
DKIM signs your mail cryptographically so the recipient can prove it wasn't tampered with. We check your selectors, key length and that signing works.
HSTS forces the browser to always use HTTPS and stops downgrade attacks. We check your HSTS header β max-age, includeSubDomains and preload.
Old TLS and weak cipher suites turn encryption into false comfort. We check your TLS versions, cipher suites and certificates and show what should be turned off.
Most Kubernetes breaches start in a misconfiguration, not a zero-day. We check your manifests and cluster against hardening best practice and prioritise what actually opens a way in.
A compromised or unpinned GitHub Action can exfiltrate your secrets and push code. We check your workflows' permissions and third-party dependencies and point out the risks.
An overly permissive CORS policy lets attacker sites read your API in the user's name. We check your Access-Control headers and flag the dangerous combinations.
Without MTA-STS, an attacker can downgrade email to unencrypted transfer. Automated MTA-STS/TLS-RPT verification is on our roadmap; today our email scan checks SPF, DKIM, DMARC, DNSSEC and CAA.
An SBOM lists every component in your software β the basis for answering 'are we affected?' when the next Log4Shell appears. Today we run dependency audit and can analyse an SBOM you provide; automated generation is on our roadmap.
A container is only as secure as its image. We check your Dockerfiles for root execution, baked-in secrets, unpinned bases and other common gaps.
Databases, admin panels and old services that happen to be internet-exposed are one of the most common ways in. We map your open ports and flag what shouldn't be there.
Attackers scan the internet for known vulnerable versions within hours of a CVE. We match your exposed services against known CVEs and prioritise by what's actually being exploited.
Over time, admin and write access accumulates on the wrong people, former employees and outside collaborators. We map permissions per repo and show where least privilege breaks down.
A container image inherits every vulnerability in its base layer and packages. We scan your images, rank the CVEs by real exploitability and show which are worth fixing first.
A backup that's never been tested is a hope, not a control. We help you document that backups cover the right data, are tested regularly and protected against deletion β the evidence auditors and NIS2 ask for.
Most account breaches start with a stolen password. MFA stops them β but only if it's enforced for everyone, not optional. We check whether your GitHub org and exposed services actually require two-factor.
Open databases are one of the most common causes of large data leaks. We map your external surface for databases, caches and storage reachable from the internet β without authentication or with default passwords.
A DNS record pointing to a cloud service you stopped using can be hijacked by anyone who re-registers it. We map your subdomains and find the dangling records that can be taken over.
GraphQL moves power to the client β and with it the risk. We check whether your API leaks its schema, allows queries that are too deep or too expensive, and lacks field-level access control.
You can't respond to a breach you never detect. We assess whether your systems log the right security events, whether the logs are protected from tampering, and whether they actually make it possible to detect and investigate an incident.
Removing a leaked key from the code isn't enough β if it was never rotated it's still a valid way in. We look for secrets in your git history and flag every hit that must be rotated.
A Security Assessment runs every check against your domain and GitHub and gives you a prioritised fix list.
Run a free domain scan