Passive · Read-only · No exploitation
Your app has security blind spots.
Talon runs five passive security checks against your domain and sends you the findings. No login, no setup, no exploitation.
scan output / acme-demo.com · 2026-03-03 14:22 UTC

| sev | scanner | finding |
|---|---|---|
| CRIT | github | Stripe secret key in public commit history |
| HIGH | errors | /actuator/env accessible without auth |
| HIGH | errors | .git/config exposed at root |
| MED | headers | Content-Security-Policy header missing |
| MED | certs | Subdomain pointing to deprovisioned Heroku app |
| LOW | headers | Referrer-Policy not set |

6 findings · report ready at talonwatch.com/surface-report?website=acme-demo.com
How it works
No setup. No access required.
01
Submit your domain
Enter your domain and email. No credit card, no setup.
02
Five passive scanners run
Security headers, certificate transparency, GitHub credential scanning, indexed file exposure, and debug endpoint probing. All read-only. No login attempts, no fuzzing.
03
You get a report link
Findings are organised by severity with evidence excerpts. Your report is hosted at a PIN-protected URL and emailed to you directly.
| Check | What it finds |
|---|---|
| Security headers | HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy |
| Certificate transparency | Subdomain enumeration, wildcard certificate scope, expiry |
| GitHub credential scan | API keys, tokens, and secrets in public repositories |
| Indexed file exposure | Publicly indexed .env files, DB dumps, and config files |
| Debug endpoint probing | /.git/HEAD, /.env, /actuator/env, phpinfo, adminer, stack traces |
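To make concrete what "read-only" probing looks like in practice, here is an added example (not Talon's scanner) covering two of the five checks: the security-header audit and the debug-endpoint probe. It runs offline: the HTTP responses are constructed inline in place of real GET requests, and the severity labels and the `headers` / `errors` scanner names follow the sample report above. The one-year HSTS threshold is the hstspreload.org minimum; the body signatures for `/.git/HEAD`, `/.env` and Spring Boot's `/actuator/env` are assumptions about what those files normally contain. The caveat worth copying is that an endpoint only counts as exposed when it answers 200 and the body matches its signature, so a site that serves a catch-all 200 page for every path does not light up every probe.

```python
"""Passive surface checks over HTTP responses (added example, not Talon's code).

Responses are constructed inline so the script runs without network access;
a real scanner would issue a GET for "/" plus one per probe path.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Response:
    status: int
    headers: Dict[str, str]   # as returned; names are lower-cased before checks
    body: str


@dataclass
class Finding:
    severity: str             # CRIT / HIGH / MED / LOW, as in the sample report
    scanner: str              # "headers" or "errors", as in the sample report
    detail: str


SEVERITY_ORDER = {"CRIT": 0, "HIGH": 1, "MED": 2, "LOW": 3}
HSTS_MIN_AGE = 31536000       # one year: the hstspreload.org minimum (assumed threshold)

# (header name, severity when absent, finding text)
HEADER_CHECKS = [
    ("strict-transport-security", "MED", "Strict-Transport-Security header missing"),
    ("content-security-policy", "MED", "Content-Security-Policy header missing"),
    ("x-frame-options", "LOW", "X-Frame-Options not set"),
    ("referrer-policy", "LOW", "Referrer-Policy not set"),
    ("permissions-policy", "LOW", "Permissions-Policy not set"),
]

# (probe path, severity, body signature required before reporting exposure).
# Signatures are assumptions about the usual content of each file/endpoint.
ENDPOINT_CHECKS = [
    ("/.git/HEAD", "HIGH", r"^ref: refs/heads/"),        # a git HEAD file
    ("/.env", "HIGH", r"^[A-Z_][A-Z0-9_]*="),            # KEY=value lines
    ("/actuator/env", "HIGH", r'"propertySources"'),     # Spring Boot env JSON
]


def check_headers(resp: Response) -> List[Finding]:
    """Report missing security headers and an HSTS max-age below one year."""
    findings: List[Finding] = []
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    for name, sev, text in HEADER_CHECKS:
        if name not in hdrs:
            findings.append(Finding(sev, "headers", text))
    m = re.search(r"max-age=(\d+)", hdrs.get("strict-transport-security", ""))
    if m and int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(Finding("LOW", "headers",
                                f"HSTS max-age={m.group(1)} is below one year"))
    return findings


def check_endpoints(probes: Dict[str, Response]) -> List[Finding]:
    """Report a probe path only on HTTP 200 *and* a matching body signature.

    A catch-all 200 page (soft 404) therefore produces no finding.
    """
    findings: List[Finding] = []
    for path, sev, pattern in ENDPOINT_CHECKS:
        resp = probes.get(path)
        if resp is None or resp.status != 200:
            continue
        if re.search(pattern, resp.body, re.MULTILINE):
            findings.append(Finding(sev, "errors", f"{path} exposed"))
    return findings


def surface_scan(root: Response, probes: Dict[str, Response]) -> List[Finding]:
    """Combine both checks and order findings by severity (stable sort)."""
    findings = check_headers(root) + check_endpoints(probes)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def render(findings: List[Finding]) -> str:
    lines = [f"{f.severity:<5} {f.scanner:<8} {f.detail}" for f in findings]
    lines.append(f"{len(findings)} findings")
    return "\n".join(lines)


# Constructed sample responses: HSTS present but short, CSP absent, git HEAD and
# actuator exposed, and a soft-404 HTML page served at /.env.
ROOT = Response(200, {"Content-Type": "text/html",
                      "Strict-Transport-Security": "max-age=86400",
                      "X-Frame-Options": "DENY"}, "<html><body>home</body></html>")
PROBES = {
    "/.git/HEAD": Response(200, {"Content-Type": "text/plain"}, "ref: refs/heads/main\n"),
    "/.env": Response(200, {"Content-Type": "text/html"}, "<html><body>Not found</body></html>"),
    "/actuator/env": Response(200, {"Content-Type": "application/json"},
                              '{"activeProfiles":["prod"],"propertySources":[{"name":"systemEnvironment"}]}'),
}

if __name__ == "__main__":
    print(render(surface_scan(ROOT, PROBES)))
```

Run as-is it prints two HIGH findings (the git HEAD and the actuator endpoint), one MED (no CSP) and three LOW, and nothing for `/.env`, because the HTML soft-404 body does not match the `KEY=value` signature. Swapping the signature requirement for "status == 200" alone is the most common source of false positives in home-grown probes.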
Need more? The deep scan adds active endpoint probing, JS bundle analysis, CORS checks, and optional static repo analysis. See deep scan →
[CRIT] AWS access key committed to a public GitHub repository
[CRIT] Stripe live key found in commit history
[HIGH] Spring Boot /actuator/env accessible without authentication
[HIGH] .git/config exposed (reveals private repository URL)
[MED] Content-Security-Policy header absent on all routes
[MED] Subdomain pointing to deprovisioned Heroku deployment
Surface scan (Free)
Five passive checks, automated
Security headers, certificate transparency, GitHub credentials, indexed file exposure, debug endpoints. Read-only. Delivered to your inbox automatically.
Deep scan ($39 / $29 per month)
Active probing + static analysis
Auth endpoint testing, API exposure, JS bundle secrets, CORS misconfiguration, Firebase/Supabase rules. Optionally: private repo analysis with GitHub App authorisation.
No setup · Free
Submit your domain.
Enter your domain and email. We run the surface scan and send you a PIN-protected report link. The whole thing is automated.
Passive scans only. Read the FAQ →