Find security issues before launch

SCAN BEFORE
YOU GET PWNED.

700+ checks. Findings are free. AI fix prompts are Pro.

Free scan | No credit card | Authorized scans only
Live report preview
  • 2,170+ SITES SCANNED
  • 15,231+ FINDINGS DETECTED
  • 700+ SECURITY CHECKS
  • <2 min SCAN TIME

WHAT CAN HACKERS SEE ON YOUR WEBSITE?

We scanned hundreds of websites. Here is what we found.

  • 74%: No rate limiting
  • 72%: No CSP header
  • 72%: No DNSSEC
  • 47%: No DMARC

Source: UNPWNED scan telemetry, 2,170 websites analyzed, April 2026

Live scan activity

Websites scanned across countries

Country-level scan telemetry only. No personal location data is shown.

Aggregate country-level activity. Personal location data is never shown.

HOW IT WORKS

HOW DOES UNPWNED WORK?

01

ENTER YOUR DOMAIN

Paste your URL. No signup required for the first scan.

02

WE RUN 700+ CHECKS

SSL, headers, secrets, DNS, malware, APIs - all in parallel. AI analyzes raw data and writes findings.

03

FIX WITH AI & SHIP

Pro reports include paste-ready prompts for detected findings. Drop them into Cursor, Claude, or any AI tool.

PRO AI FIX PROMPTS

AI FIX PROMPTS. PASTE. FIX. SHIP.

Pro unlocks one paste-ready prompt per finding. Built for Cursor, Claude, ChatGPT, and the rest of your stack.

UNPWNED FINDING #1
CRITICAL: .env file publicly accessible

Your .env file is exposed at https://example.com/.env, revealing DATABASE_URL, NEXTAUTH_SECRET, and 3 API keys.

AI FIX PROMPT (paste into Cursor or Claude)

My Next.js app exposes .env at the root URL. I need to:

1. Block /.env route in next.config.js headers
2. Add .env* to .gitignore
3. Rotate all exposed secrets:
   - DATABASE_URL (Supabase)
   - NEXTAUTH_SECRET (regenerate)
   - STRIPE_SECRET_KEY (Stripe dashboard)
4. Add a middleware check for sensitive file paths

Pro prompt preview
Built for: Claude, Cursor, ChatGPT, Bolt, Lovable, Windsurf, Replit, VS Code, WordPress, Elementor, Base44

Pro-only prompts for each finding. No guessing.

Context and fix steps you can verify.

Tailored to your AI tool and platform.

CVE intelligence

New CVEs do not wait for your next scan.

UNPWNED matches new CVEs to technologies found in past scans, so Pro users know when a live stack may become risky.

  • 286 Relevant CVEs
  • 32 Critical
  • 112 High
  • 0 New 7 days

Last NVD sync: Jun 5, 2026

CVE WATCH PIPELINE
  • 02:30 UTC: NVD sync completed
  • INDEX: 286 relevant CVEs tracked
  • FILTER: 32 critical and 112 high severity
  • MATCH: Detected stack checked against new CVEs
  • ALERT: Pro users notified when their stack may be affected

NVD sync

New CVEs tracked from the National Vulnerability Database.

Stack matching

Detected technologies matched against relevant CVEs.

Pro alerts

Alerts when a new CVE may affect your stack.

GET YOUR VERIFICATION

EARN A BADGE CUSTOMERS CAN CLICK.

Pass Green Light on a public Pro report, then embed a clickable UNPWNED badge. Core covers standard checks; Deep Verified adds verified-domain depth.

Pro public report + Green Light required
UNPWNED Verified

Security scan badge

Shown when a public Pro report passes Green Light. A visible trust signal for core website checks.

UNPWNED Deep Verified

Premium deep scan badge

Shown after a verified-domain deep scan passes Green Light. A stronger signal for deeper validation.

Pricing

Start free. Scale when you need it.

Enterprise security scanners cost $275+/month. You don't need to spend that.

  • Free: See what's wrong
  • Pro: Know how to fix it
  • Higher tiers: Monitor everything continuously

Free

$0

Forever

See what's wrong.

  • 2 scans per month
  • Full 700+ check security scan
  • Score, grade, and finding titles
  • OWASP Top 10 coverage
Most popular

Pro

From $9/month

Cancel anytime.

Know how to fix it.

  • Everything in Free, plus:
  • 7-100 scans per month
  • Full AI fix prompts for every finding
  • PDF security reports
  • Scan history & score trends
  • Continuous monitoring
  • GitHub integration & security badge
  • Priority support
Freemius handles checkout. No card details stored by UNPWNED.

Coverage

WHAT DOES UNPWNED SCAN FOR?

700+ checks across your website, DNS, APIs, frontend bundles, and connected GitHub repos

SECRET LEAKS

API keys, service-role keys, database URLs, tokens in JavaScript bundles and source code

PUBLIC EXPOSURE

.env files, source maps, package manifests, sensitive paths, debug and admin endpoints

APP & API SECURITY

CORS, exposed API routes, open redirects, rate limiting, auth and authorization gaps

HEADERS & CSP

CSP, HSTS, frame protection, referrer policy, permissions policy, clickjacking defenses

DNS & EMAIL

SPF, DKIM, DMARC, DNSSEC, certificate transparency, subdomain and record signals

INFRASTRUCTURE

TLS/SSL, open ports, server and CDN signals, hosting fingerprints, storage exposure

AI-generated code is 2.74x more likely to have security flaws.

Source: Stanford/UC Berkeley research

Continuous monitoring

A scan is a snapshot.
Monitoring keeps watch.

Every deploy can change risk. UNPWNED monitors scores, CVEs, and repo exposure so Pro users catch drift earlier.

Daily Pro monitoring

Score drift caught before it sits live.

Pro
Mon | All clear | 91
Tue | All clear | 91
Wed | New CVE caught | 72
Thu | Fix applied | 88
Fri | Back to Green Light | 91

CVE alerts

New CVEs matched to your stack.

Repo monitoring

Scheduled scans for secrets and vulnerable packages.

Score history

Track posture changes over time.

Open source

Scan from your terminal.

The CLI is the fast, free taste of UNPWNED: one command, no account, basic security signal in seconds.

$ npx unpwned scan yoursite.com
8 CLI checks | No API key | MIT licensed
npx unpwned scan demo.unpwned.io
UNPWNED CLI scanning demo.unpwned.io showing security score and findings

UNPWNED

Find out before they do.

One URL. 700+ checks. 2 free scans show what's wrong. Pro unlocks AI fix prompts when you're ready to fix.

Scan your domain free. Or check any domain instantly - no signup needed.