Pricing
Know what's exposed. Fix it fast.
700+ security checks in the full suite. Free shows what's broken. Paid gives you the exact fix, ready to paste, and keeps watching.
2,919+
Scans run
20,403
Vulnerabilities found
700+
Security checks
Founder offer
Applied automatically40% off
While your subscription stays active
25 founders
Limited to the first 25 founders
Ends Jul 31
Or when all founder spots are claimed
Free
Check any site in 60 seconds
Forever
- 1 domain, checked on demand
- Full security scan (700+ check suite)
- Score, grade & severity breakdown
- All finding titles + severity
- OWASP Top 10 checks
- 1 lifetime deep scan (verified domain)
Solo
1 monitored domain, unlimited re-scans
FOUNDER price while your subscription stays active
- Re-scan to verify your fix + before/after diff
- Full finding details + AI fix prompts
- Weekly & monthly monitoring + alerts
- Unlimited deep scans + CVE alerts
- PDF export, badge, GitHub, scan history
Studio
Most popular5 monitored domains, unlimited re-scans
FOUNDER price while your subscription stays active
- Everything in Solo
- Cover client sites and side projects
- Monitoring up to every 3 days
- Priority support
Scale
15 monitored domains, unlimited re-scans
FOUNDER price while your subscription stays active
- Everything in Studio
- Daily monitoring
- Early access to new checks as they roll out
Prices are in USD. Applicable taxes (such as VAT) are calculated at checkout by our payment provider, Freemius. Fair use: unlimited re-scans are for verifying and monitoring your own domains, not bulk scanning.
Managing more than 15 client domains? Email us - an Agency plan with white-label reports is on the way, and early access is open.
Scan once to find it. Re-scan to prove it is fixed.
Same scan. Different level of detail.
Missing Content Security Policy (CSP)
Severity: Critical
Upgrade to verify your fix worked
Missing Content Security Policy (CSP)
Severity: Critical
Your site has no CSP header, allowing attackers to inject malicious scripts via XSS. This can lead to session hijacking, data theft, and defacement.
// AI fix prompt - copy to Cursor / Claude
Add Content-Security-Policy header:
default-src 'self'; script-src 'self';
Compare plans
| Feature | Free | Solo | StudioMost popular | Scale |
|---|---|---|---|---|
| Coverage | ||||
| Monitored domains | 1 | 5 | 15 | |
| Fresh scans | 2 / month | Unlimited | Unlimited | Unlimited |
| Re-scan the same domain | Once a month | Anytime | Anytime | Anytime |
| Monitoring & alerts | Weekly | Every 3 days | Daily | |
| Deep scan - active checks (verified domain) | 1 lifetime | Unlimited | Unlimited | Unlimited |
| Always-fresh scans | Cached up to 24h | |||
| Find & fix | ||||
| Full security scan (700+ check suite) | ||||
| Finding titles + severity | All severities | All + full fixes | All + full fixes | All + full fixes |
| Verify a fix (before/after diff) | ||||
| AI fix prompts | All findings | All findings | All findings | |
| Plain-English fix suggestions | ||||
| Reports & integrations | ||||
| PDF report export | ||||
| Scan history & score trend | ||||
| Security badge for your site | ||||
| GitHub integration | ||||
| Support | ||||
| Priority support | ||||
| Early access to new checks as they roll out | ||||
| Advanced Security Assessment | Learn more | Learn more | Learn more | Learn more |
FAQ
What is a monitored domain?+
A domain you actively protect with UNPWNED: we scan it continuously on your schedule, alert you when something changes, and let you re-scan it anytime to verify fixes. Solo covers 1 domain, Studio covers 5, Scale covers 15. Subdomains of the same site count as one domain.
Are re-scans really unlimited?+
Yes, within fair use. The whole point of fixing something is re-scanning to prove it worked, so paid plans never meter the fix-verify loop on your monitored domains. Fair use means protecting your own sites, not bulk-scanning the internet.
Is re-scanning to check my fix free?+
Free re-scans the same domain once a month, so you can watch your score over time. Instantly re-scanning right after a fix, plus the before/after diff that proves the issue is gone, is a paid feature.
What does a scan check?+
Every scan covers the outside-in surface across OWASP Top 10, headers, SSL/TLS, exposed secrets, open ports, and more, drawn from a suite of 700+ checks. Deep Scan (on verified domains) unlocks the active-probing set: path traversal / LFI, CVE fingerprinting, cloaking detection, ghost-page sampling, and deep CORS/method testing. Paid reports that pass Green Light can activate an UNPWNED VERIFIED badge.
Will UNPWNED scans trigger my firewall or WAF?+
Sometimes. A confirmed WAF challenge can interrupt checks; that means scanner access was limited, not that every application control is secure. Verify ownership and re-run first so UNPWNED can use its owner-authorized retry paths. Our current Vercel egress IPs are shared and should not receive a broad firewall Allow rule. If you are behind Cloudflare, follow the Cloudflare scan guide for the safe access flow.
Why did my Free scan return cached results?+
To keep the Free tier fast and reduce repeated traffic to target sites, Free scans may reuse a healthy cached result if the same domain was scanned in the last 24 hours. You see severity counts and all finding titles, plus score and grade when coverage supports a reliable result. For always-fresh scans, verify your domain ownership (free) or upgrade. Paid scans and verified-domain scans always run live.
What if a paid plan isn't worth it for me?+
You can cancel anytime with one click, no questions asked. The Free plan is always there if you only need a basic check.
Why not just use free security tools?+
Free tools check one thing at a time (SSL, headers, DNS). UNPWNED runs a full suite of 700+ checks in one scan, finds the issues, gives you AI-generated fix instructions you can copy-paste into your editor, and then proves the fix worked. One scan replaces 10+ separate tools.
Can I change plans?+
Yes. You can move between Solo, Studio, and Scale at any time. Changes take effect immediately and are prorated by our payment provider.
What payment methods do you accept?+
We accept all major credit and debit cards via Freemius. All payments are processed securely - we never store your card details.
Your site is exposed right now.
Run your first scan in under 2 minutes. No credit card required.
2,919+ scans already run - 20,403 vulnerabilities found