Why was my site scanned?
Last updated July 2026
What our scan does
The free scan is passive. It reads only what your site already serves to anyone on the public internet:
- Your public HTML and JavaScript bundles
- HTTP response headers
- Publicly reachable files, like robots.txt or an exposed source map
- Your TLS certificate
Nothing more. We look at the front door — we don't go inside.
What we never do
On a free passive scan, we never:
- Log in, guess passwords, or attempt to authenticate
- Submit forms or send any data-changing request
- Query your database or touch your data
- Run intrusive or active exploit checks
Deeper, active checks only ever run after someone has proven they own the domain with us. No verification on file means no active scan — there's no override.
How to recognise our traffic
Every request from our scanner identifies itself. In your logs you'll see:
That address is the only IP our scans come from — you're welcome to allowlist or block it.
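One way to check these claims against your own access log, as an added example that is not the scanner operator's code. It assumes Combined Log Format and a log that records the real client IP (not a proxy's); `SCANNER_IP` and `SCANNER_UA_TOKEN` are placeholders to replace with the values the scanner operator publishes.

```python
import re

# Placeholders (assumptions): substitute the operator's published values.
SCANNER_IP = "192.0.2.10"            # RFC 5737 documentation address
SCANNER_UA_TOKEN = "ExampleScanner"  # hypothetical User-Agent token
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # HTTP methods that do not change data

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def audit(lines):
    """Sort log lines into findings about traffic that is, or claims to be, the scanner."""
    findings = {"spoofed_ua": [], "unidentified": [], "non_passive": [], "unparsed": []}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings["unparsed"].append(line)
            continue
        from_ip = m["ip"] == SCANNER_IP
        claims_ua = SCANNER_UA_TOKEN.lower() in m["ua"].lower()
        if claims_ua and not from_ip:
            # The User-Agent is client-controlled; the source IP is the stronger signal.
            findings["spoofed_ua"].append(line)
        elif from_ip and not claims_ua:
            # Contradicts "every request identifies itself".
            findings["unidentified"].append(line)
        if from_ip and m["method"] not in SAFE_METHODS:
            # Contradicts "never send any data-changing request".
            findings["non_passive"].append(line)
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2026:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleScanner/1.0"',
    '198.51.100.7 - - [01/Jul/2026:10:00:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "ExampleScanner/1.0"',
    '192.0.2.10 - - [01/Jul/2026:10:00:09 +0000] "POST /contact HTTP/1.1" 302 0 "-" "ExampleScanner/1.0"',
    '203.0.113.4 - - [01/Jul/2026:10:00:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE).items():
        print(f"{kind}: {len(hits)}")
```

Any line under `spoofed_ua` is someone else borrowing the scanner's name; any line under `non_passive` or `unidentified` is behaviour the notice says a free passive scan never shows.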
Don't want to be scanned?
Tell us and we'll add your domain to our do-not-scan list. If you've already verified ownership of your domain with us, no one else can scan it — that's automatic.
Getting a scary email demanding payment?
A legitimate security notice never pressures you. We'll never withhold what we found until you pay, cold-call you claiming your site is “broken,” or demand money. If you get a message like that in our name, treat it with suspicion — it isn't how we operate.