Quack the AI Security Duck
Quack

"Hello! I'm a duck,
my name is Quack"

Quack the Code Before Attackers Do

Is your app secure? Find out in minutes. Enter your domain, see what's exposed, and pay only if you want the full report. Depending on size, scans can take up to 1 hour. $99 $1.

$ scanning with nuclei
No setup
Free preview
Easy fixes
// Built for builders shipping fast: indie hackers, founders, teams.
results_in_minutes
live_preview
Example scan output

Severity is visible. Sensitive details stay blurred until you unlock the report.

safe_scan
Public database endpoint detected
service: postgres • surface: public
high
evidence
host=********.supabase.co:5432 • sslmode=disable
fix
Restrict network access • enforce TLS • rotate creds
Client-side secret pattern match
surface: frontend • type: api_key
medium
matched_snippet
blurred
const API_KEY="sk_live_************************"
Security headers incomplete
surface: http • scope: public
low
Good to fix before launch. The full report includes exact headers and recommended values.
exportable_pdf • email_delivery
Quack

"Here's what I found,
let me show you!"

// coverage

We scan what attackers would scan

Default credentials, exposed databases, misconfigured services, and secrets sitting in frontend code.

databases
Database exposure
  • Supabase
  • PostgreSQL permissions
  • Exposed tables
infrastructure
Infra surface area
  • Server versions
  • SSL/TLS checks
  • Headers and exposed services
credentials
Default credential checks
  • PostgreSQL
  • RabbitMQ
  • Redis and more
secrets
Frontend secret leaks
  • API keys
  • Tokens and credentials
  • Exposed config in bundles
Plain English results
No security jargon. Clear explanations anyone can understand.
// powered_by

Battle-tested tools. Not toy scripts.

Every scan runs the same open-source tools used by professional penetration testers and red teams worldwide.

ProjectDiscovery
open_source • security_tooling
nuclei
Vulnerability scanner • 8,000+ templates
subfinder
Passive subdomain enumeration
httpx
HTTP probing & tech detection
katana
URL crawler & parameter discovery
Shodan
Open ports, services, CVEs, EOL detection
Nmap
Network port scanning & service detection
SecurityTrails
Historical DNS for origin IP discovery
8,000+ vulnerability templates
Nuclei's community-maintained template library covers CVEs, misconfigurations, exposed panels, default credentials, and more.
// how_it_works

Three steps. Total clarity.

step_01
Enter your domain + options

Choose what to scan: databases, infrastructure, credentials.

step_02
See the preview

We show you what we found. Severity ratings visible, details blurred.

step_03
Unlock full report

Pay $1 to get all details and fixes sent to your email.

// start_here

One security check before you ship.

Enter your domain, choose what to scan, and see a preview of findings for free.

Basic scan (default)
read_only

We only check what's publicly accessible: exposed endpoints, open databases, leaked secrets in frontend code.

Scan your domain
severity_visible • details_blurred
free_preview
Tip: include the subdomain if needed (e.g. app.example.com). Scans typically take a few minutes, up to 1 hour for larger apps.
safe_read_only
opt_in_more_thorough
Preview is free. Full report unlocks details + fixes for $1.
no_subscriptions
No tiers. No upsells. Just answers.
pdf_report
Professional report delivered by email.
privacy_first
Report deleted after 24 hours.
// problem

You built something great. But is it actually secure?

Default credentials get forgotten. Databases get exposed. Services get misconfigured. One small mistake and your users' data is at risk. The scary part? You won't know until someone exploits it. Our scanner checks what attackers would find and tells you in plain English.

Misconfigs
Easy to miss, expensive later.
Exposure
Public surfaces add up fast.
Clarity
Plain-English report + fixes.
// trust

What happens to your data?

Your report is deleted from our servers after 24 hours. We don't store your data.

Basic scan (default)
read_only • safe_for_production
enabled

We only check what's publicly accessible — exposed endpoints, open databases, leaked secrets in your frontend. Read-only.

Extra options (you enable)
opt_in • more_thorough
your_choice

Want us to try default credentials on your services? Test write permissions? These are opt-in. You decide what runs.

// pricing

Preview free. Full report $1.

See what we found before you pay. Unlock the details and fixes when you're ready.

No subscriptions. No tiers. No upsells. Just answers.

Pay with crypto.

preview
Free
  • Severity ratings
  • Details blurred
  • Safe default scan
full_report
$1
one-time
  • Unblurred evidence
  • Step-by-step fixes
  • PDF delivered by email
For indie hackers and founders
Right now you're hoping your security is fine. For $1, you can know for sure.
minutes_to_answers
// ready_to_launch

That nagging feeling something's misconfigured?

Find out for sure. Enter your domain, see what attackers could find, and unlock fixes when you want them.

Report deleted after 24 hours • We don't store your data