Website Security Scanner
Scan any website for common security issues including missing headers, SSL misconfigurations, and exposed server technologies.
Issues Found in Your Scan?
This scanner checks surface-level issues. A CREST-certified penetration test goes deeper, testing authentication, business logic, and application-layer vulnerabilities.
About the Security Scanner
The security scanner combines an external network scan and a vulnerability check into one report against the IP or domain you provide. It tells you what services are exposed, what vulnerabilities apply to those services according to the published CVE feeds, and which of those vulnerabilities sit above the CVSS 7.0 threshold that Cyber Essentials cares about.
The free version is the right tool for a quick external check before a Cyber Essentials assessment, before a customer audit, or after a deploy that exposed a new service. It is also the right tool when you want to audit what your domain looks like to an external attacker doing reconnaissance. The output is the same class of artefact the attacker would build for themselves on day one of a kill chain.
The scan does not authenticate against your services, walk application business logic, or test for chained attacks across services. For that level of coverage we run a CREST-certified penetration test or our credentialed pre-assessment scan. The free scanner is the high-level surface check. The paid services go deeper.
Common questions
Is the security scanner free?
Yes. The basic external scan is free and unlimited per IP you own. We rate-limit per IP per day to keep the service available to other users.
How does the security scanner differ from the network scan and vulnerability scan?
It runs both: the port enumeration of the network scan plus the CVE matching of the vulnerability scan, in one report. If you are unsure which to start with, run this one first.
Should I run this against an IP I do not own?
No. Unauthorised scanning of an IP you do not own can be a Computer Misuse Act 1990 offence. Only run this against IPs and domains you own or have explicit written authorisation to test.
What do I do with the report when it is done?
Patch the high-severity items inside Cyber Essentials' 14-day window. Investigate any open service you cannot account for. If the report shows more than you can act on internally, the next step is a scoping call with us.
Beyond the free check
CREST-Certified Penetration Testing
Manual exploitation, application-logic testing, and a chained-attack write-up beyond what an automated scan can find.
CE Plus Pre-Assessment
Authenticated scan with the same class of enterprise scanner the assessor runs on CE Plus day.
24/7 Threat Monitoring (MDR)
Continuous detection of activity on the surface this scanner inventories, plus analyst-driven response.