Passive · Read-only · No exploitation

Your app has
security blind spots.

Talon runs five passive security checks against your domain and sends you the findings. No login, no setup, no exploitation.

Get your free surface scan →See a sample report
scan output / acme-demo.com2026-03-03 14:22 UTC
sevscannerfinding
CRITgithubStripe secret key in public commit history
HIGHerrors/actuator/env accessible without auth
HIGHerrors.git/config exposed at root
MEDheadersContent-Security-Policy header missing
MEDcertsSubdomain pointing to deprovisioned Heroku app
LOWheadersReferrer-Policy not set
6 findings · report ready at talonwatch.com/surface-report?website=acme-demo.com

How it works

No setup. No access required.

01

Submit your domain

Enter your domain and email. No credit card, no setup.

02

Five passive scanners run

Security headers, certificate transparency, GitHub credential scanning, indexed file exposure, and debug endpoint probing. All read-only. No login attempts, no fuzzing.

03

You get a report link

Findings are organised by severity with evidence excerpts. Your report is hosted at a PIN-protected URL and emailed to you directly.

Surface scan

Five passive check categories

CheckWhat it finds
Security headersHSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy
Certificate transparencySubdomain enumeration, wildcard certificate scope, expiry
GitHub credential scanAPI keys, tokens, and secrets in public repositories
Indexed file exposurePublicly indexed .env files, DB dumps, and config files
Debug endpoint probing/.git/HEAD, /.env, /actuator/env, phpinfo, adminer, stack traces

Need more? The deep scan adds active endpoint probing, JS bundle analysis, CORS checks, and optional static repo analysis. See deep scan →

Common findings

What founders typically find

[CRIT]

AWS access key committed to a public GitHub repository

[CRIT]

Stripe live key found in commit history

[HIGH]

Spring Boot /actuator/env accessible without authentication

[HIGH]

.git/config exposed (reveals private repository URL)

[MED]

Content-Security-Policy header absent on all routes

[MED]

Subdomain pointing to deprovisioned Heroku deployment

Surface scan (Free)

Five passive checks, automated

Security headers, certificate transparency, GitHub credentials, indexed file exposure, debug endpoints. Read-only. Delivered to your inbox automatically.

Get surface scan →

Deep scan ($39 / $29 per month)

Active probing + static analysis

Auth endpoint testing, API exposure, JS bundle secrets, CORS misconfiguration, Firebase/Supabase rules. Optionally: private repo analysis with GitHub App authorisation.

Run deep scan →

No setup · Free

Submit your domain.

Enter your domain and email. We run the surface scan and send you a PIN-protected report link. The whole thing is automated.

Get your free surface scan →

Passive scans only. Read the FAQ →

Talon — Security Scanner for Vibe-Coded Apps