Quickstart
Getting Started
Quickstart
From first scan to first fix in about ten minutes. No installs, no configuration — paste a URL, read the grade, fix what matters, and verify it’s actually fixed.
1. Run your first scan
Paste your site’s URL on the homepage and start the scan — no signup required. Results arrive in two waves:
- Basic scanners stream first:security headers, SSL/TLS, DNS & email auth, exposure, cookies, CORS. Findings appear within seconds.
- Deep scanners follow: the heavier checks fill in as they complete.
When the scan finishes you get a Security Score from 0 to 100, graded A++ to F.
2. Read the results
The free preview shows your score and the name of every issue found. Work top-down by severity: CRITICAL > HIGH > MEDIUM > LOW > INFO.
- Any confirmed critical finding caps the score at 30 — no amount of good headers outweighs an exposed secret.
- Scoring is evidence-first: findings without captured proof are automatically downgraded, so the number reflects what was actually verified.
The full scoring model — weights, caps, provisional scores — is documented in How the Security Score works.
3. Unlock the full report
Unlock with pay-per-report credits or a plan. The full report adds everything you need to act:
- Captured evidence for every finding — the exact URL, header or response that proves it
- Step-by-step fixes written for your stack
- AI fix prompts for Cursor, Lovable, Bolt, Claude Code, Replit, v0 and Windsurf
- Compliance mapping and PDF export
See Understanding your report for a section-by-section walkthrough.
4. Fix and verify
Start with the criticals. Paste the finding’s fix prompt into your AI coding tool, or apply the deterministic autofix template where one exists. Then rescan — findings close only when the new scan captures evidence that the issue is gone, never on faith.
The full find-fix-prevent loop is covered in The AI Security Workflow.
5. Stay protected
A clean scan is a snapshot. The Care plan keeps it current:
- Weekly deep scans of your domains
- Uptime, SSL, DNS and blocklist monitoring
- Alerts via email, Slack or webhook when something regresses
- A live security badge you can embed on your site
FAQ
Is scanning safe for production?
Yes. Scans are bounded and non-destructive: read-only probes, rate-limited requests, and the heavy engines are off by default. Nothing is exploited, nothing is written.
Do I need an account for the first scan?
No — the score and every issue name are free, no signup. You need an account to unlock full reports and keep scan history.
Can I scan a GitHub repo or my code?
Paid plans add repository, code and project scan modes alongside URL scans. See Scanning for details.