Private beta · Summer 2026

Continuous external attack-surface monitoring for small teams.

Scan any public website for security, technical SEO, and code-quality issues in under a minute. Free tier with no account; paid monitoring with alerts, change detection, and team seats from $15/mo.

84 automated checks · Copy-paste fixes for every failure · No account required · Flat-rate team pricing
7 specialist agents · 24/7 unblinking watch · Immutable audit
Free Scan + Free DIY Fixes

Found vulnerabilities? Fix them yourself — for free.

Every CRUCiBLE Security scan comes with free step-by-step remediation guides so you can fix issues yourself. No account required. No payment needed. We believe security knowledge should be free.

FREE — DIY Guides
Every scan result includes step-by-step instructions you can follow yourself. Clear browser cache, fix headers, harden settings, remove duplicates — all free.
FREE — Desktop Scanner
Download our Python scanner app for deep local checks: malware, WiFi security, credential exposure, system cleanup, duplicate files, startup audit.
Optional — We fix it for you
Don't want to DIY? We'll patch it: $50 for single fixes, $100 for multi-issue, $150 for full hardening. But the knowledge is always free.

Scan is free. Suggestions are free. We only charge if you want us to fix it for you.

Free Combined Audit · Security + Marketing + Code

Scan any website. 84 automated checks. No account needed.

FREE COMBINED AUDIT — 🛡️ SECURITY + 📈 MARKETING + 💻 CODE = SHIPPED SCORE

External signal only. We check what is reachable from the public internet — a passing score is a useful indicator, not a substitute for a full audit or compliance certification. Only scan domains you own or are authorized to test.

Scores delivered: Security · Marketing · Code · Shipped Score
0 accounts required: paste a URL · run it
Copy-paste fixes for every failure
🛡️ HTTPS + HSTS · 🛡️ CSP quality · 🛡️ SPF / DMARC / CAA · 🛡️ Exposed .git / .env · 🛡️ Cookie flags · 🛡️ Mixed content · 🛡️ SRI + subdomain CT · 📈 Title + Meta + H1 · 📈 Open Graph / Schema · 📈 Sitemap + robots · 📱 Mobile viewport · 📱 Tap ergonomics · 📱 Responsive CSS · 📈 CTA + analytics · 📈 Alt text + copy depth · 💻 Placeholder text · 💻 Dead forms · 💻 Alt text / a11y · 💻 Broken links · 💻 Heading hierarchy · 💻 Unminified assets
🛡️ Security — security checks
  • SSL / TLS handshake + cipher suite
  • HSTS header + preload eligibility
  • Content-Security-Policy quality
  • X-Frame-Options + X-Content-Type-Options
  • Referrer-Policy + Permissions-Policy
  • SPF record validity
  • DMARC record + policy strictness
  • DKIM presence
  • CAA records
  • Exposed .env / .git / .DS_Store / .htaccess
  • wp-config.php / config.json / backup file leaks
  • robots.txt admin-path disclosure
  • Subdomain enumeration (CT logs)
  • Dev / staging / preview subdomain exposure
  • Cookie Secure flag
  • Cookie HttpOnly flag
  • Cookie SameSite enforcement
  • Mixed-content (HTTPS page loading HTTP)
  • Subresource Integrity (SRI) on CDN scripts
  • www ↔ apex redirect drift
  • HTTP → HTTPS forced redirect
  • Open ports + banner exposure (HEAD-only)
  • GitHub credential / token leak (public org)
  • Pwned credentials / breach exposure (HIBP)
  • Honeypot / canary token detection (Watch+)
  • Login brute-force lockout policy
  • Common admin path exposure (/admin, /wp-admin)
  • Outdated dependency versions in headers
  • Weak TLS protocol downgrade (1.0/1.1)
  • OCSP stapling + certificate revocation
  • DNSSEC enabled
  • Email-only impersonation risk (no DMARC reject)
📈 Marketing + SEO + AIO — marketing + SEO + AIO checks
  • Title tag length (≤60 chars)
  • Meta description length (≤160 chars)
  • H1 present + uniqueness
  • H2/H3 hierarchy + skip-level violations
  • Open Graph tags (og:title, og:description, og:image, og:url)
  • Twitter Card tags (twitter:card + image)
  • Schema.org JSON-LD presence
  • Organization + SoftwareApplication schemas
  • FAQPage schema (AIO — required for AI assistant recommendations)
  • llms.txt presence (AIO)
  • robots.txt — explicit Allow for GPTBot / ClaudeBot / PerplexityBot (AIO)
  • sitemap.xml validity + freshness (lastmod)
  • Canonical URL declared
  • Viewport meta tag (mobile)
  • Responsive CSS breakpoints
  • Tap-target ergonomics (≥44×44px)
  • Render-blocking JS / CSS budget
  • Above-the-fold value-prop clarity
  • CTA specificity ("Get Free Quote" vs "Submit")
  • Analytics tag presence (GA / Plausible / Vercel Analytics)
  • Retargeting pixel detection (Meta / Google)
  • "Free" / pricing visibility on homepage (AIO)
  • Comparison content ("X vs competitor" — AIO recommendation hook)
  • Author/byline schema
  • Internal linking depth (Home → Features → Pricing)
  • External link rel attributes (noopener / nofollow)
  • Image alt text density (% with alt)
  • Page load weight (HTML + critical CSS)
  • Core Web Vitals signals (LCP / CLS / INP heuristic)
  • Hreflang + language tags (multi-region)
💻 Code + a11y — code + a11y checks
  • Placeholder text / lorem ipsum
  • Generic AI-slop copy ("we deliver value-added solutions")
  • Dead forms (no action / no submit handler)
  • href="#" links going nowhere
  • Stock filenames left in (pexels-XXXX, unsplash-XXX without alt)
  • Components named Component1 / Section2 / ItemA
  • TODO / FIXME / XXX comments left in production
  • console.log() debug calls in shipped JS
  • Hardcoded "test@test.com" / "John Doe" demo data
  • Missing favicon
  • Broken / 404 internal links
  • Image alt text presence + meaningful copy
  • ARIA labels on interactive elements
  • Keyboard navigation order (tabindex)
  • Focus indicators on buttons / links
  • Color contrast (WCAG AA on body text)
  • Heading hierarchy (no skipped levels)
  • Form labels associated with inputs
  • Unminified JS / CSS asset detection
  • Console errors on page load
  • 404 asset references (broken image / script)
  • Empty footer / missing legal links
What you get

Free scanner today. Full platform at $15/mo.

Crucible Security runs in the cloud — no hardware, no agents, no per-seat math. Run the free scanner now. When the paid tier ships this summer, it's flat-rate for the whole platform.

Free external scanner

84 checks across security, marketing, SEO, AIO, and code quality. No account, no credit card. Open-source on GitHub.

Seven specialist agents

Agent Crucible, Agent Shadow, Agent Purge, Agent Anvil, Agent Atlas, Agent Temper, Agent Alloy. Each watches a different domain — together they form one orchestrated sight.

Agent Smaug — active defense

Honeypots, canary tokens, and decoy assets at $15/mo. Enterprise-grade deception tech that's normally five figures a year.

Free Browser Security Check

System Health Check — instant, no install needed.

This runs entirely in your browser. Nothing is uploaded. Nothing is stored. Just a quick snapshot of your browser's security posture.

Early access

Join the watch. Before the next breach joins you.

Private beta opens Summer 2026. Request an invite — we're onboarding a small cohort of security teams who want to stop running seven tools to catch one attacker.

No spam. Beta invites only. One email a month, max.