Free — by a human, not a bot

Free website security check, reviewed by a human.

Every ‘free security scanner’ on the internet is a bot. Ours starts the same way — instant passive recon on your domain — but then a real security engineer looks at the results and tells you, free, whether anything critical is exposed.

Is my website secure? The only honest way to find out is to look at it from the outside, the way an attacker does. Bug Circuit’s free check maps your public attack surface in seconds — subdomains, tech stack, DNS and email posture, security headers — with no login and no impact on your site. A human engineer then gives you a free yes/no answer on critical bugs, and a full manual audit with a written report is a one-time $49.

Run the free check on your domain

Passive recon only — subdomains, tech stack, DNS and headers. No login, no signup, no impact on your site. Results in seconds.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →

What the free check covers

The instant check is passive reconnaissance — it collects what your domain already exposes to anyone who looks, without sending a single hostile request. That is exactly the information attackers gather first, so seeing it yourself is the fastest way to understand your real exposure:

  • Subdomains — forgotten staging sites, old admin panels and dev boxes are the classic quiet way in.
  • Tech stack & versions — what software your site advertises, and whether it flags you as an easy target.
  • DNS & email posture — SPF, DKIM and DMARC configuration that decides whether criminals can spoof email from your domain.
  • Security headers & TLS — the browser-level protections (CSP, HSTS, cookie flags) most small sites are missing.

No login, no code snippet, no agent to install, and zero impact on your site — the check reads public records and response headers the same way a search engine does. Results appear in seconds.

Then a human looks — free

Here is the part no scanner offers: after the passive check, a Bug Circuit engineer reviews your site and gives you a yes/no answer on critical bugs — free. Not a 40-page PDF of maybes. One clear answer from a person who tests websites for a living: “we see something critical” or “nothing critical visible from the outside.”

If you want the complete picture, the Circuit audit is $49 one-time: a full manual audit of your site with a written report of every vulnerability found — severity, evidence, plain-English impact and exact fix steps, suitable to share with enterprise customers who ask for proof of testing. Signal ($299) adds the fixes: we repair the high and critical issues with you and provide 3 months of cover. Both carry a 14-day money-back guarantee before the audit begins. The honest caveat: $49 buys a productized small-site scope, not a multi-week enterprise engagement — for most small businesses that is precisely the right size, and if your scope is bigger we’ll say so before taking your money.

Why every other “free security scanner” is a bot

Free scanners are automated version-matchers. They compare your software versions against CVE lists and grade your headers. Useful — we do that part too — but they cannot find the flaws that actually get small websites hacked: broken access control, authentication weaknesses, and business-logic bugs in your forms and checkout. Those only surface when a person reasons about how your site is supposed to work. Scanners also produce false positives that a human has to verify anyway — which is why sub-$1,500 “pentests” from big firms are usually rebranded automated scans, while real manual engagements average around $18,000.

Typical free scanner vs the Bug Circuit free check vs the $49 audit
Typical free scannerBug Circuit free checkCircuit audit — $49
Who does the workA botPassive recon + a human engineerA human engineer, end to end
Finds logic & access-control flawsNoFlags critical issues a human can seeYes — tested by hand
False positivesCommonNone — a person verifiesNone — every finding verified
OutputAutomated grade or PDFRecon results + free yes/no critical-bug answerFull written report + exact fixes
CostFree (often a lead trap)Free$49 one-time, 14-day guarantee

More on where bots stop and humans start in manual vs automated penetration testing.

Privacy and authorization — how we keep it clean

We take the legal and ethical side seriously, because you should expect that from anyone touching your security:

  • Passive only, until you say otherwise. The free check never attacks, probes or logs into anything — it reads what your domain already publishes.
  • Ownership verified before active testing. Any hands-on testing requires you to prove you control the domain (email, DNS, file or meta-tag verification).
  • Recorded Authorization to Test. Before an audit begins, you explicitly authorize it in writing — so everything is legal, documented and above-board.
  • No pressure funnel. The free results are yours either way. No mandatory sales call, no auto-enrollment, and published pricing if you want more.

We serve customers worldwide, and we also publish free security tools you can use yourself, whether or not you ever pay us anything.

Common questions

Is my website secure? How do I actually check?
Start from the outside, the way an attacker would: map what your domain publicly exposes (subdomains, software versions, DNS and email records, security headers), then have a human look for the flaws that matter — broken access control, authentication weaknesses, logic bugs. Our free check does the first part in seconds; a human engineer does the second part free, with a yes/no answer on critical bugs. Neither step needs a login or touches your site.
Is the free website security check really free?
Yes — both parts. The passive recon scan is free and instant, and the human critical-bug check is also free: an engineer looks at your site and tells you, yes or no, whether anything critical is exposed. We only charge if you want the full manual audit with a written report ($49 one-time) or the audit plus fixes and 3 months of cover ($299). Pricing is published on the pricing page — no quote calls.
Will the check slow down or break my website?
No. The free check is passive — it reads publicly available information (DNS records, response headers, certificate data) the same way a browser or search engine does. Nothing is attacked, nothing is logged into, and your site never notices. Active testing only ever happens after you verify domain ownership and sign a recorded Authorization to Test.
How can I check if my website is hackable?
A scanner alone can’t tell you — it matches version numbers against known CVEs and misses the business-logic, access-control and authentication flaws that actually get small sites hacked. The honest sequence is: free passive check to see your exposure, free human critical-bug answer, then a $49 manual audit if you want every issue found and documented. We wrote up the warning signs in Is my website hackable?
Do I need to give you login access or install anything?
No. The free check needs only your domain name. No login, no plugin, no code snippet, no agent. If you later buy the full audit and want authenticated paths tested, you can optionally provide a low-privilege test account — recommended, never required.
What happens after the free check?
You see your passive results, and a human engineer gives you a free yes/no answer on critical bugs. If you want the full picture, the Circuit audit ($49 one-time) is a complete manual audit with a written report you can share with customers. There is no auto-billing, no subscription trap, and a 14-day money-back guarantee before any audit begins.

Keep reading

See what attackers see — free

Enter your domain, get your passive exposure in seconds, and a human tells you if anything critical is showing. No login, no charge.

Passive recon only. No login, and no impact on your site. Deeper testing needs domain verification.

Ready for the full manual audit? See transparent pricing →