Free website security check, reviewed by a human.
Every ‘free security scanner’ on the internet is a bot. Ours starts the same way — instant passive recon on your domain — but then a real security engineer looks at the results and tells you, free, whether anything critical is exposed.
Run the free check on your domain
Passive recon only — subdomains, tech stack, DNS and headers. No login, no signup, no impact on your site. Results in seconds.
What the free check covers
The instant check is passive reconnaissance — it collects what your domain already exposes to anyone who looks, without sending a single hostile request. That is exactly the information attackers gather first, so seeing it yourself is the fastest way to understand your real exposure:
- Subdomains — forgotten staging sites, old admin panels and dev boxes are the classic quiet way in.
- Tech stack & versions — what software your site advertises, and whether it flags you as an easy target.
- DNS & email posture — SPF, DKIM and DMARC configuration that decides whether criminals can spoof email from your domain.
- Security headers & TLS — the browser-level protections (CSP, HSTS, cookie flags) most small sites are missing.
No login, no code snippet, no agent to install, and zero impact on your site — the check reads public records and response headers the same way a search engine does. Results appear in seconds.
Then a human looks — free
Here is the part no scanner offers: after the passive check, a Bug Circuit engineer reviews your site and gives you a yes/no answer on critical bugs — free. Not a 40-page PDF of maybes. One clear answer from a person who tests websites for a living: “we see something critical” or “nothing critical visible from the outside.”
If you want the complete picture, the Circuit audit is $49 one-time: a full manual audit of your site with a written report of every vulnerability found — severity, evidence, plain-English impact and exact fix steps, suitable to share with enterprise customers who ask for proof of testing. Signal ($299) adds the fixes: we repair the high and critical issues with you and provide 3 months of cover. Both carry a 14-day money-back guarantee before the audit begins. The honest caveat: $49 buys a productized small-site scope, not a multi-week enterprise engagement — for most small businesses that is precisely the right size, and if your scope is bigger we’ll say so before taking your money.
Why every other “free security scanner” is a bot
Free scanners are automated version-matchers. They compare your software versions against CVE lists and grade your headers. Useful — we do that part too — but they cannot find the flaws that actually get small websites hacked: broken access control, authentication weaknesses, and business-logic bugs in your forms and checkout. Those only surface when a person reasons about how your site is supposed to work. Scanners also produce false positives that a human has to verify anyway — which is why sub-$1,500 “pentests” from big firms are usually rebranded automated scans, while real manual engagements average around $18,000.
| Typical free scanner | Bug Circuit free check | Circuit audit — $49 | |
|---|---|---|---|
| Who does the work | A bot | Passive recon + a human engineer | A human engineer, end to end |
| Finds logic & access-control flaws | No | Flags critical issues a human can see | Yes — tested by hand |
| False positives | Common | None — a person verifies | None — every finding verified |
| Output | Automated grade or PDF | Recon results + free yes/no critical-bug answer | Full written report + exact fixes |
| Cost | Free (often a lead trap) | Free | $49 one-time, 14-day guarantee |
More on where bots stop and humans start in manual vs automated penetration testing.
Privacy and authorization — how we keep it clean
We take the legal and ethical side seriously, because you should expect that from anyone touching your security:
- Passive only, until you say otherwise. The free check never attacks, probes or logs into anything — it reads what your domain already publishes.
- Ownership verified before active testing. Any hands-on testing requires you to prove you control the domain (email, DNS, file or meta-tag verification).
- Recorded Authorization to Test. Before an audit begins, you explicitly authorize it in writing — so everything is legal, documented and above-board.
- No pressure funnel. The free results are yours either way. No mandatory sales call, no auto-enrollment, and published pricing if you want more.
We serve customers worldwide, and we also publish free security tools you can use yourself, whether or not you ever pay us anything.
Common questions
Is my website secure? How do I actually check?
Is the free website security check really free?
Will the check slow down or break my website?
How can I check if my website is hackable?
Do I need to give you login access or install anything?
What happens after the free check?
Keep reading
See what attackers see — free
Enter your domain, get your passive exposure in seconds, and a human tells you if anything critical is showing. No login, no charge.