Surface Check

What does your site show the public?

Paste your URL. We fetch it like a normal browser and report what's visible from outside. No testing, no probing, no attack. Under-reporting is correct.

We make a small number of GET requests only. No forms, no auth attempts, no scanning of paths beyond a small fixed conventional list.

Inside the Rescue door

Two depths, one door.

Rescue starts free from outside and can go deep with your permission. Surface Check is observed, not tested. Deep Audit is authorized code review, not a penetration test.

Free · Instant

Surface Check

Paste a URL. We passively observe what your site shows a normal browser: headers, cookies, exposed secrets in bundled JS, and files that shouldn't be public. Nothing is tested, probed, or attacked.

  • · Honest letter grade with plain-language findings
  • · Shareable report link
  • · No sign-up, no email gate
Deep · Authorized

Deep Audit

Grant us permission to review your codebase. We run a static AI code security review that finds the classes of issues vibe-coded apps actually die from: broken access control, exposed secrets, missing auth, weak database rules.

  • · AI static code review, not a penetration test
  • · Your tailored Foundation, downloadable
  • · A phased Plan to remediate
Learn about the Deep Audit
Honest boundary. The Surface Check only observes what your site shows the public from outside. It doesn't and can't see your code, database rules, access control, or secrets that aren't already exposed. Those are where most vibe-coded apps actually break. That's what the Deep Audit is for.