Quack the AI Security Duck
Quack

"Hello! I'm a duck,
my name is Quack"

Know Your Security Posture Before It Becomes an Incident

Get a comprehensive security assessment of your web application in minutes. Enter your domain, review findings for free, and unlock the full report with remediation steps. Assessments can take up to 1 hour. $50 $25.

$ scanning with nuclei
How it works|See demo report|Read-only by default
No setup
Free preview
Easy fixes
// Built for development teams, startups, and businesses shipping securely.
results_in_minutes
live_preview
Example scan output

Severity is visible. Sensitive details stay blurred until you unlock the report.

safe_scan
Public database endpoint detected
service: postgres • surface: public
high
evidence
host=********.supabase.co:5432 • sslmode=disable
fix
Restrict network access • enforce TLS • rotate creds
Client-side secret pattern match
surface: frontend • type: api_key
medium
matched_snippet
blurred
const API_KEY="sk_live_************************"
Security headers incomplete
surface: http • scope: public
low
Good to fix before launch. The full report includes exact headers and recommended values.
exportable_pdf • email_delivery
Run your scan
Quack

"Here's what I found,
let me show you!"

// how_it_works

Three steps. Total clarity.

Full details
step_01
Enter your domain + options

Choose what to assess: databases, infrastructure, credentials. Basic scans run immediately.

step_02
See the preview

We show you what we found. Severity ratings visible, details blurred.

step_03
Unlock full report

Pay $25 to get all details and fixes sent to your email.

See demo report
// coverage

Comprehensive Security Coverage

Automated checks for common vulnerabilities, exposed databases, misconfigured services, and secrets in frontend code — aligned with OWASP Top 10.

databases
Database exposure
  • Supabase
  • PostgreSQL permissions
  • Exposed tables
infrastructure
Infra surface area
  • Server versions
  • SSL/TLS checks
  • Headers and exposed services
credentials
Default credential checks
  • PostgreSQL
  • RabbitMQ
  • Redis and more
secrets
Frontend secret leaks
  • API keys
  • Tokens and credentials
  • Exposed config in bundles
Plain English results
No security jargon. Clear explanations anyone can understand.
// authorization

Deep assessments require domain ownership

Basic assessments run freely on any domain. But active testing — vulnerability scanning, credential testing, and fuzzing — requires you to prove domain ownership via DNS verification first.

Learn how verification works
DNS TXT Record
industry_standard
Type: TXT
Name: _quackscan.yourdomain.com
Value: quackscan-verify=abc123...

Same approach used by Google Search Console, AWS, and certificate authorities to verify domain ownership.

No verification needed
  • Public endpoint checks
  • SSL/TLS analysis
  • Header inspection
  • Frontend secret detection
  • Technology fingerprinting
DNS verification required
  • Nuclei vulnerability scanning
  • Default credential testing
  • Parameter fuzzing
// powered_by

Industry-Standard Assessment Tools

Every assessment runs industry-standard open-source security tools trusted by compliance teams and security professionals worldwide.

ProjectDiscovery
open_source • security_tooling
nuclei
Vulnerability scanner • 8,000+ templates
subfinder
Passive subdomain enumeration
httpx
HTTP probing & tech detection
katana
URL crawler & parameter discovery
Shodan
Open ports, services, CVEs, EOL detection
Nmap
Network port scanning & service detection
SecurityTrails
Historical DNS for origin IP discovery
8,000+ vulnerability templates
Nuclei's community-maintained template library covers CVEs, misconfigurations, exposed panels, default credentials, and more.
// problem

You built something great. But is it actually secure?

Default credentials get forgotten. Databases get exposed. Services get misconfigured. One small mistake and your users' data is at risk. The problem? These issues are invisible until they cause an incident. Our assessment identifies what needs to be fixed and explains it in plain English.

Misconfigs
Easy to miss, expensive later.
Exposure
Public surfaces add up fast.
Clarity
Plain-English report + fixes.
// trust

What happens to your data?

Your report is deleted from our servers after 24 hours. We don't store your data.

Read our Privacy Policy
Basic scan (default)
read_only • safe_for_production
enabled

We only check what's publicly accessible — exposed endpoints, open databases, leaked secrets in your frontend. Read-only.

Extra options (you enable)
opt_in • more_thorough
your_choice

Want us to try default credentials on your services? Test write permissions? These are opt-in. You decide what runs.

// pricing

Preview free. Full report $25.

See what we found before you pay. Unlock the details and fixes when you're ready.

No subscriptions. No tiers. No upsells. Just answers.

Pay with card or crypto.

preview
Free
  • Severity ratings
  • Details blurred
  • Safe default scan
Start Free Scan
full_report
$25
one-time
  • Unblurred evidence
  • Step-by-step fixes
  • PDF delivered by email
Unlock After Preview
For teams and businesses
Right now you're hoping your security is fine. For $25, you can know for sure.
minutes_to_answers
// start_here

One security check before you ship.

Enter your domain, choose what to scan, and see a preview of findings for free.

Basic scan (default)
read_only

We only check what's publicly accessible: exposed endpoints, open databases, leaked secrets in frontend code.

Scan your domain
severity_visible • details_blurred
Enter your domain to start
free_preview
We automatically discover subdomains. Just enter the root domain. Scans typically take a few minutes, up to 1 hour for larger apps.
safe_read_only
email (optional - for full report)
Preview is free. Full report unlocks details + fixes for $25.
no_subscriptions
No tiers. No upsells. Just answers.
pdf_report
Professional report delivered by email.
privacy_first
Report deleted after 24 hours.
// ready_to_launch

That nagging feeling something's misconfigured?

Find out for sure. Enter your domain, review your security posture, and unlock detailed remediation steps when you're ready.