RiskMeter
How it works

How a website security scan actually gets done.

Our website security scanning process is built around one idea: give business owners the information they need to make a security decision, without forcing them to decode a security report.

  1. You apply (5 minutes)

     You fill out a short application — name, company, website, role, and a brief description of your site. You confirm in writing that you're authorized to approve testing of the listed asset.

  2. We review and qualify (1–2 business days)

     We check that your asset is in scope for our service, that we have written authorization, and that the scan can be performed responsibly. Not every applicant will be accepted — and that's the point of qualifying.

  3. We confirm scope and schedule (same week)

     If accepted, we confirm exactly which domains and paths will be scanned, the scan window, and any rate limits. You'll receive a written Rules of Engagement summary to acknowledge before we begin.

  4. We run the scan (a few hours)

     We use industry-standard scanning techniques to identify exposed services, missing security headers, common OWASP Top 10 issues, outdated software, weak TLS, and other public-surface weaknesses. Throttled for safety.

  5. You receive your report (within a few days)

     A short, ranked report with each finding's severity, evidence, business impact, and recommended fix. Written so a business owner can read it and prioritize without a security degree.
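To make the "missing security headers" finding in step 4 concrete, here is an added example of the kind of check a scanner performs and how its output maps onto a ranked report. It is illustration code written for this page, not RiskMeter's scanner; the list of recommended headers, the severity assigned to each, and the sample response headers are all assumptions constructed for the example, and it runs offline against a dictionary rather than a live site.

```python
"""Check an HTTP response's headers for commonly recommended security headers.

Added example, not RiskMeter's scanner. It inspects a header dictionary such
as any HTTP client returns, so it can be run against a constructed sample
without contacting a real site.
"""

# Recommended response headers and the severity a missing one is reported at.
# Both the list and the severities are assumptions chosen for illustration,
# not RiskMeter's rating scale.
RECOMMENDED_HEADERS = {
    "strict-transport-security": "high",
    "content-security-policy": "high",
    "x-content-type-options": "medium",
    "x-frame-options": "medium",
    "referrer-policy": "low",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
ONE_YEAR_SECONDS = 31536000


def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; None if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_security_headers(headers):
    """Return a list of findings (dicts), highest severity first.

    `headers` maps header name -> value. Names are compared case-insensitively,
    as HTTP requires, so "X-Frame-Options" and "x-frame-options" are the same.
    """
    present = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Missing headers: each one becomes a finding at its configured severity.
    for name, severity in RECOMMENDED_HEADERS.items():
        if name not in present:
            findings.append({
                "header": name,
                "severity": severity,
                "issue": "missing",
                "evidence": f"no {name} header in response",
            })

    # Present-but-weak checks: a header that is set but does not help much.
    hsts = present.get("strict-transport-security")
    if hsts is not None:
        max_age = hsts_max_age(hsts)
        if max_age is None:
            evidence = "max-age directive absent or unparseable"
        elif max_age < ONE_YEAR_SECONDS:
            evidence = f"max-age is {max_age} seconds, below one year"
        else:
            evidence = None
        if evidence is not None:
            findings.append({
                "header": "strict-transport-security",
                "severity": "medium",
                "issue": "weak",
                "evidence": evidence,
            })

    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append({
            "header": "x-content-type-options",
            "severity": "medium",
            "issue": "weak",
            "evidence": f"value is {xcto!r}, expected 'nosniff'",
        })

    # Rank the report the way a reader prioritizes it: high before medium before low.
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


# Constructed sample response headers for demonstration; not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}

if __name__ == "__main__":
    for finding in check_security_headers(SAMPLE_HEADERS):
        print(f"[{finding['severity']:6}] {finding['header']}: "
              f"{finding['issue']} ({finding['evidence']})")
```

On the constructed sample the check reports four findings: the missing Content-Security-Policy at high, the missing X-Frame-Options and the one-day HSTS max-age at medium, and the missing Referrer-Policy at low. A site that sets all five headers with sane values produces an empty list, which is what a clean result on this check looks like.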
Scope

What we test, and what we don't.

Clear scope is the difference between a useful scan and a liability. Here's what's on the table by default.

In scope

  • Public web domains and subdomains you own
  • Web applications served from your domains
  • Public-facing APIs you authorize for testing
  • Server configuration (TLS, headers, exposed services)
  • Common OWASP Top 10 weakness classes

Out of scope by default

  • Authenticated areas behind your customers' accounts
  • Third-party services (Stripe, Auth0, Cloudflare, etc.)
  • Anything we don't have written authorization to test
  • Destructive tests, denial-of-service techniques
  • Social engineering or staff phishing

Scope can be expanded or narrowed in writing. We never go outside what you have explicitly authorized.

What we never do

We never collect passwords, credit card data, or customer credentials on this website. We never scan an asset without your written authorization. We never run destructive checks. And we never share your data with third parties for marketing.

Read our full Rules of Engagement

Launch offer · limited

Free scans for the first 10 qualified businesses.

Tell us about your site and we'll review your application. Submission does not guarantee acceptance.

Apply for a free scan →