Free, fast, and focused: leaked secrets, misconfigs, exposed admin surfaces. No signup. No credit card.
No login. No install. One-time scan.
Everything that makes you say "how was THAT public?" — found automatically.
.env, .git/HEAD, config.json, backup.zip, db.sql, .DS_Store, wp-config.php, and 25+ more paths that should never be public.
/admin, /debug, /phpinfo.php, /actuator/health, /graphql, /swagger.json — exposed interfaces attackers check first.
Missing HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Cookie flags (Secure, HttpOnly, SameSite). 12 checks.
FTP (21), SSH (22), MySQL (3306), PostgreSQL (5432), Redis (6379), MongoDB (27017), dev servers (3000, 8080). Surface discovery — not exploitation. 9 checks.
Certificate validity, expiration window, self-signed detection, deprecated TLS 1.0/1.1 support, HTTPS redirect enforcement. 5 checks.
Server header version leaks, X-Powered-By disclosure, technology fingerprinting. Information that helps attackers narrow their approach. 3 checks.
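The header, cookie-flag and Server/X-Powered-By disclosure checks described above, as an added Python example (not the scanner's own code); the HTTP response it audits is constructed for the example, and the finding strings are this example's own wording.

```python
# Added illustrative example, not the scanner's own code; the sample response is constructed.
from email.parser import BytesParser
from http.client import HTTPMessage

REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
                    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy")

def parse_headers(raw: bytes) -> HTTPMessage:
    """Return the header block of a raw HTTP/1.1 response (header names are case-insensitive)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    _status_line, _, header_block = head.partition(b"\r\n")
    return BytesParser(_class=HTTPMessage).parsebytes(header_block, headersonly=True)

def audit(raw: bytes) -> list[str]:
    """One finding per missing security header, weak cookie attribute, or version disclosure."""
    headers = parse_headers(raw)
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in headers]
    # Each Set-Cookie header is judged on its own; attribute names are case-insensitive.
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        samesite = next((a[len("samesite="):] for a in attrs if a.startswith("samesite=")), None)
        if samesite not in ("strict", "lax", "none"):
            findings.append(f"cookie {name}: missing or invalid SameSite")
        elif samesite == "none" and "secure" not in attrs:
            findings.append(f"cookie {name}: SameSite=None requires Secure")
    # A Server value carrying a version number, or any X-Powered-By, narrows an attacker's search.
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"version disclosure: Server: {server}")
    if "X-Powered-By" in headers:
        findings.append(f"technology disclosure: X-Powered-By: {headers['X-Powered-By']}")
    return findings

SAMPLE_RESPONSE = (  # constructed example response, not a real capture
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.18.0\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    b"Set-Cookie: theme=dark; Secure; HttpOnly; SameSite=Lax\r\n"
    b"\r\n<html></html>"
)
```

Running `audit(SAMPLE_RESPONSE)` reports four missing headers, three weaknesses on the PHPSESSID cookie and two disclosure findings, while the hardened `theme` cookie produces none.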
Here's what a typical scan result looks like. This is an example — your report will reflect your actual domain.
Lower is better. Your domain has critical exposures that should be fixed immediately.
Three steps. No meetings. No calls. No signup.
Type your domain in the box above. We validate it and make sure it's a real public site.
No payment. No account. Your scan begins immediately — 50+ checks in about 60 seconds.
50+ checks run automatically. View findings in your browser or download as a ZIP with JSON + HTML reports and a SHA-256 receipt hash.
Quick answers to the questions you're probably already asking.
No. Exposed only performs passive checks — standard HTTP GET requests, DNS lookups, and TCP connection attempts. It never sends exploit payloads, never modifies your site, and never attempts authentication. It's the same traffic a search engine crawler generates.
No. All checks are non-destructive and read-only. We make the same requests a browser would. Your server won't notice anything unusual — it's less traffic than a Google crawl.
Yes. Scans are completely free. Scan any domain, as many times as you want. No subscriptions, no commitments, no credit card.
Reports are stored for 24 hours so you can download them. After that, they are permanently deleted. We don't keep your scan data, sell it, or share it with anyone.
Then your report will show a clean score and zero critical findings. That's a good thing — you get a receipted proof that 50+ common exposure patterns were checked and none were found. No refunds for clean scans (that's the point).
No. Exposed is a surface-level exposure check. It finds the embarrassing stuff people forget — leaked config files, open databases, missing security headers. For deep pentesting, hire a professional. But run this first so you don't pay $10K to discover your .env file was public.