attackmap

passive pentest · one URL · $29 once

The 5-minute audit nobody on your team has time to run.

Point AttackMap at your site. It runs about fifteen read-only requests over ten seconds and emails you a prioritized report of what an attacker would notice on their first pass: leaked secrets in your JS, missing headers, exposed paths, CVE matches against the CISA KEV list.

Free preview returns grade + top 3 findings. Full report is $29, emailed in five minutes.

What it checks

$ attackmap scan your-site.com
 security headers          CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
 cookie hardening          Secure, HttpOnly, SameSite
 secrets in JS bundles     Stripe sk_, AWS AKIA, JWTs, Google API, generic high-entropy
 exposed paths             /.env  /.git/config  /swagger.json  /server-status  /debug
 SPA-aware path scoring    catch-all SPA routing that answers 200 for every path isn't reported as an exposed file
 auth-wrapper detection    Cloudflare Access, Auth0, Okta, Azure AD
 TLS + certificate         expiry, chain, supported versions
 tech fingerprint          framework, server, CDN
 CVE match                 detected versions cross-checked against the CISA KEV catalog
 remediation               specific code/config change for each finding, not "consider implementing"
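The SPA-aware scoring in the list above, as an added Python example that is not AttackMap's own code: before trusting a 200 on a sensitive path, it first requests a path that cannot exist and only reports a hit when the body differs from that baseline and carries a content signature a SPA shell would never have. The `Probe` callable and the `fake_spa_probe` site are constructed for the demonstration and are assumptions, not the tool's interface.

```python
import re
import secrets
from typing import Callable, Dict, Tuple

# Hypothetical probe: path -> (HTTP status, response body). Injected by the caller
# so the logic runs offline here; a real run would wrap an HTTP client.
Probe = Callable[[str], Tuple[int, str]]

SENSITIVE_PATHS = ["/.env", "/.git/config", "/swagger.json", "/server-status", "/debug"]

# A genuine hit carries content a SPA's index.html never does; require it before reporting.
SIGNATURES = {
    "/.env": re.compile(r"^[A-Z_][A-Z0-9_]*=", re.M),
    "/.git/config": re.compile(r"\[core\]"),
    "/swagger.json": re.compile(r'"(swagger|openapi)"\s*:'),
    "/server-status": re.compile(r"Apache Server Status"),
    "/debug": re.compile(r"(traceback|stack ?trace|DEBUG\s*=\s*True)", re.I),
}

def baseline(probe: Probe) -> Tuple[int, str]:
    """Request a path that cannot exist; a 200 here means catch-all (SPA) routing."""
    return probe(f"/__nonexistent_{secrets.token_hex(8)}")

def score_paths(probe: Probe) -> Dict[str, str]:
    """Classify each sensitive path as absent, spa-shell, EXPOSED or unverified-200."""
    base_status, base_body = baseline(probe)
    catch_all = base_status == 200
    findings: Dict[str, str] = {}
    for path in SENSITIVE_PATHS:
        status, body = probe(path)
        if status != 200:
            findings[path] = "absent"
        elif catch_all and body == base_body:
            findings[path] = "spa-shell"  # same bytes as the unknown-path response
        elif SIGNATURES[path].search(body):
            findings[path] = "EXPOSED"
        else:
            findings[path] = "unverified-200"  # 200 with an unexpected body: review by hand
    return findings

# Constructed sample: a SPA that serves its shell for every unknown route
# but whose web root really does contain a readable .env file.
SPA_SHELL = "<!doctype html><div id=app></div><script src=/main.js></script>"

def fake_spa_probe(path: str) -> Tuple[int, str]:
    if path == "/.env":
        return 200, "DATABASE_URL=postgres://app:EXAMPLE_PASSWORD@db/app\nDEBUG=false\n"
    return 200, SPA_SHELL
```

Run `score_paths(fake_spa_probe)` to see only `/.env` flagged EXPOSED while the other four paths, which return the same shell as the random baseline, are scored spa-shell.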

Price

$29 one-time · per scan · no subscription

Covers the compute, Stripe's cut, and the work that went into making the tool not produce false positives on SPAs. No account. No card on file. Re-scan whenever it makes sense for you.

Data handling

You're handing us a URL to scan plus, if you pay, an email. We treat both like the liability they are. Here's exactly what we keep, where it lives, and when it's deleted.

Your submitted URL
  Where:     Railway (US-east, ephemeral RAM only)
  Retention: Discarded when scan finishes

Cached scan summary (so repeat scans of the same URL are instant)
  Where:     Railway RAM, not on disk
  Retention: 1 hour, then evicted

Generated paid report (Markdown + JSON)
  Where:     Cloudflare R2, attackmap-reports bucket, encrypted at rest
  Retention: 7 days, then auto-deleted

Your email + Stripe receipt
  Where:     Stripe (PCI-DSS), Microsoft 365 (outbound mail)
  Retention: Per Stripe + M365 policy. We do not maintain a separate customer list.

Server access logs (IP + timestamp, for rate-limiting)
  Where:     Railway log retention
  Retention: Rotated after 30 days

Report polish call to Anthropic
  Where:     Anthropic API (zero-retention terms)
  Retention: Not stored by Anthropic after response

No analytics, no advertising trackers, no social pixels on this site. No tracking cookies. Want your data deleted before its scheduled purge? Email support@attackmap.org. Full data-handling, encryption, subprocessor, and compliance detail on the data & compliance page — written for security reviewers who need to clear AttackMap before running a scan.

FAQ

Is this a real pentest?

It's a passive pentest. We observe your site from the outside the way an attacker would on first contact — no active exploitation, no fuzzing, no probing past authentication. For deep penetration testing of a complex app you still want a human consultant. AttackMap finds what anyone with time would find.

Will the scan stress my site?

No. About fifteen HTTP requests across ten seconds, less load than a curious visitor browsing four pages. We don't log in, fuzz parameters, or open sockets.

What if my site is behind SSO or auth?

We detect the wrapper (Cloudflare Access, Auth0, Okta, etc.) and report on what's visible at the public edge. For an authenticated audit, email support@attackmap.org.

Can I get a refund?

If the report doesn't surface anything you couldn't have found yourself in five minutes, email us and we'll refund you. No ticket queue.

What do you keep?

Scan results cached one hour so repeats are fast. Reports sit in Cloudflare R2 for seven days so the re-download link works. Nothing retained after that. No analytics, no mailing list, no third-party trackers on this page.

Who's behind this?

Built by Cliff Hack. Reachable at support@attackmap.org.