Free Tool · No Signup · Instant Results

Free Website Vulnerability Scanner

Nine concurrent modules — SSL/TLS, security headers, Nmap port scan, DNS authentication, CVE lookup, subdomain enumeration, tech fingerprinting, site crawler, and web surface checks. Risk score and free PDF report in under 60 seconds.

No signup required · 9 modules · 60 seconds · CVE lookup included · Free PDF report

What We Scan

Nine Security Modules — Running Concurrently

All nine modules run in parallel inside a single scan. CVE lookup follows in a brief Phase 2 using the service version data collected by Nmap — so a 60-second scan surfaces both misconfigurations and known exploitable vulnerabilities.

SSL / TLS Certificate

Opens a real TLS handshake to validate certificate expiry, chain of trust, weak protocol versions (TLS 1.0/1.1/SSLv3), port 443 reachability, and negotiated cipher suite.

Certificate validity · TLS 1.0/1.1 detection · Expiry countdown · Cipher suite

Security Headers

Audits every security-relevant HTTP response header and inspects cookies — HSTS, CSP, X-Frame-Options, Referrer-Policy, X-Powered-By disclosure, and Secure/HttpOnly cookie flags.

HSTS · CSP · X-Frame-Options · Cookie flags
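The header and cookie audit described above, sketched as an added example (not DeltaDot AI's own code). The finding ids and the sample response are constructed for illustration, and the rule that a CSP `frame-ancestors` directive counts as framing protection is an assumption about how such a check is usually written.

```python
import re

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Powered-By", "PHP/8.1.2"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]

def audit_headers(headers):
    """Return sorted finding ids (hypothetical names) for (name, value) pairs."""
    findings = set()
    # Header names are case-insensitive; Set-Cookie may repeat, so keep lists.
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.add("hsts-missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if not m or int(m.group(1)) == 0:
            findings.add("hsts-disabled")  # max-age=0 tells browsers to drop HSTS

    csp = "; ".join(by_name.get("content-security-policy", []))
    if not csp:
        findings.add("csp-missing")
    # Framing is covered by X-Frame-Options or by CSP frame-ancestors.
    if "x-frame-options" not in by_name and "frame-ancestors" not in csp.lower():
        findings.add("clickjacking-unprotected")
    if "referrer-policy" not in by_name:
        findings.add("referrer-policy-missing")
    if "x-powered-by" in by_name:
        findings.add("x-powered-by-disclosure")

    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.add(f"cookie-{name}-no-secure")
        if "httponly" not in attrs:
            findings.add(f"cookie-{name}-no-httponly")
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_headers(SAMPLE_HEADERS), sep="\n")
```

The sample shows two cases a presence-only check misses: an HSTS header that is present but switched off with `max-age=0`, and a session cookie that has HttpOnly but not Secure.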

Port & Service Scanner

Runs Nmap TCP connect and service version detection across 15 ports. Database, RDP, and Telnet ports open to the internet are flagged with exact version strings for CVE matching.

15 ports · Nmap -sV · Service versions · Attack surface

DNS & Email Authentication

Queries TXT, MX, and DMARC records. Without SPF and DMARC anyone can forge emails from your domain — the foundation of phishing and Business Email Compromise attacks.

SPF · DMARC · MX records · BEC prevention
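An added example (not the scanner's own code) of evaluating SPF and DMARC TXT records once they have been fetched. It goes slightly beyond the presence check described above by also flagging an SPF record that authorises every sender and a DMARC policy of `p=none`; the domain `example.test`, the record values and the finding ids are constructed.

```python
# Constructed TXT answers (not real DNS data) for a hypothetical example.test.
SAMPLE_TXT = {
    "example.test": [
        "google-site-verification=constructed",
        "v=spf1 include:_spf.example.test ~all",
    ],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, txt):
    """Return finding ids for SPF (TXT at domain) and DMARC (TXT at _dmarc.domain)."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf-missing")
    elif len(spf) > 1:
        # More than one v=spf1 record is an error for receivers (RFC 7208).
        findings.append("spf-multiple-records")
    else:
        terms = spf[0].lower().split()
        if "+all" in terms or "all" in terms:  # bare 'all' defaults to '+all'
            findings.append("spf-allows-any-sender")

    dmarc = [r for r in txt.get("_dmarc." + domain, [])
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        findings.append("dmarc-missing")
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy == "none":
            # Monitoring only: failing mail is reported but still delivered.
            findings.append("dmarc-monitor-only")
        elif policy not in ("quarantine", "reject"):
            findings.append("dmarc-invalid-policy")
    return findings

if __name__ == "__main__":
    print(assess_email_auth("example.test", SAMPLE_TXT))
```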

Web Surface Checks

Eight parallel probes: HTTP→HTTPS redirect, robots.txt sensitive path disclosure, exposed .env/.git/config files, open directory listings, mixed content, HSTS preload eligibility, and default server pages.

Exposed .env files · Open directories · robots.txt · Mixed content

Site Crawler

Async BFS crawler maps your site's internal URL structure up to 25 pages in batches of 5 concurrent fetches — revealing the true attack surface beyond the homepage.

Up to 25 pages · BFS crawl · URI map · Internal links

Technology Fingerprinting

Detects your full technology stack with Wappalyzer-style pattern matching — CMS, framework, CDN, analytics, and security tools — with no external API key and no data shared.

CMS detection · JS frameworks · CDN · Wappalyzer-style

Subdomain Enumeration

Queries crt.sh Certificate Transparency logs for all subdomains of your domain — the same free technique attackers use to find forgotten staging environments and admin panels.

CT logs · crt.sh · Up to 200 subdomains · Shadow IT

CVE Lookup

Queries the NIST NVD API v2 using service version data from Nmap. Rather than 'MySQL is open', you get 'MySQL 5.7.34 is affected by CVE-2021-22112 (CVSS 9.8)' — an immediate patch target.

NIST NVD API v2 · CVSS scoring · Version-matched CVEs · Patch priority

India-Specific Context

Why Indian Businesses Need Regular Website Security Scans

DPDP Act 2023 Due Diligence

India's Digital Personal Data Protection Act requires businesses handling personal data to implement appropriate security safeguards. A vulnerability scan is the documented first step toward demonstrating that due diligence.

CERT-In 6-Hour Reporting Mandate

CERT-In requires Indian organisations to report cybersecurity incidents within 6 hours of detection. You cannot report what you haven't detected — proactive scanning helps you find vulnerabilities before they become incidents.

SMBs Are the Primary Target

43% of cyberattacks globally target small and medium businesses. Indian SMBs are increasingly in scope because rapid digitisation has expanded the attack surface faster than security has kept pace.

Free Scan, Zero Commitment

Unlike traditional security assessments that cost lakhs and require weeks of scoping, our free scanner gives you a credible starting point in 60 seconds — with no contract, no consultant, no signup.

Need Expert Help?

Found issues? Let our team fix them for you.

DeltaDot AI's security engineers can review your scan results, explain the risk in plain English, and build a managed remediation plan — with no long-term lock-in required.

Book Free Consultation

Compliance frameworks our checks align to:

DPDP Act 2023 · CERT-In · OWASP Top 10 · RBI Cybersecurity · SEBI Guidelines · ISO 27001

FAQs

Frequently Asked Questions About Website Vulnerability Scanning

How do I scan my website for vulnerabilities for free?

Enter your domain name (e.g. yourcompany.com) in the DeltaDot AI scanner above and click Scan Now. No signup, no credit card, and no software installation is required. Your risk score and issue breakdown appear in under 60 seconds.

What does the free website vulnerability scanner check?

SecScan runs nine concurrent modules: (1) SSL/TLS certificate validity and protocol strength, (2) HTTP security headers and cookie flags, (3) Nmap port and service version scan across 15 ports, (4) DNS email authentication (SPF, DMARC, MX), (5) web surface checks including exposed .env files, open directories, and robots.txt disclosures, (6) BFS site crawler mapping up to 25 pages, (7) technology fingerprinting (CMS, framework, CDN), (8) subdomain enumeration via Certificate Transparency logs, and (9) CVE lookup against the NIST NVD using detected service versions.

Is this website security scanner really free?

Yes. The scan, risk score (0–100), risk level, and the first set of issues are completely free with no signup required. To unlock the full findings, business impact story, and a branded PDF remediation report, you provide your name and email — still at no charge.

How long does a website security scan take?

Most scans complete within 30–60 seconds. Nine modules run concurrently in Phase 1 — SSL, headers, ports, DNS, web surface checks, site crawler, tech fingerprinting, and subdomain enumeration. CVE lookup runs in a brief Phase 2 after port scanning completes, since it needs the service version data from Nmap.

What does my security score mean?

Your score is a 0–100 rating of your overall security posture. 85–100 is Low Risk (strong posture, minor gaps). 65–84 is Moderate Risk (several issues need attention). 40–64 is High Risk (significant vulnerabilities). Below 40 is Critical Risk (immediate action required). Each Critical finding deducts 25 points, High deducts 12, Medium deducts 6, and Low deducts 2.

Does my Indian business need a vulnerability scan?

Yes. The DPDP Act 2023 requires Indian businesses that handle personal data to implement appropriate security safeguards. CERT-In mandates incident reporting within 6 hours of detection. A vulnerability scan finds gaps before attackers — or regulators — do.

How does this scanner help with DPDP Act 2023 compliance?

The scanner identifies the most common security gaps — missing HTTPS, weak headers, exposed services — that regulators and auditors look for when assessing DPDP Act 2023 readiness. It is a starting point for demonstrating due diligence, not a substitute for a full compliance audit.

What happens after I submit my email on the results page?

You receive a full branded PDF report with all findings and remediation steps sent to your email. From the results page you can also book a free consultation with DeltaDot AI to discuss fixing the issues and building a managed security programme.

Start in 60 seconds

Run Your Free Website Security Scan Now

No signup. No credit card. No software to install. Just your domain and 60 seconds.

Scan My Website Free