Public-only security audit

Find the security gaps in your business before someone else does.

We scan everything your domain exposes to the public internet, then hand you a ranked, plain-English fix list. No agent, no install.

100+ passive checks on what your domain exposes to the internet. Ranked, plain-English fixes. No agent, no install.

Public-only checks. Your report is emailed to you, guaranteed within 48 hours. One-time payment, no subscription.

100% passive & public-only — no install, no credentials, and nothing that slows your site down. You authorise the scan of your own domain at checkout.

Exarlo EngineLIVE

ILLUSTRATIVE SCAN · FICTIONAL STORE · YOUR REPORT COVERS 100+ CHECKS

Exarlo EngineLIVE

PASSIVE · PUBLIC-ONLY · NO INSTALL · REPORT IN 48H

SAMPLE OUTPUT · FICTIONAL STORE · YOU AUTHORISE YOUR OWN SCAN AT CHECKOUT

100+

Checks per audit

3–6 min

Typical scan time

20+

Tools combined

$149

One-time price

No credentials, no install
20+ engines, one report
OWASP & CVE mapped
48h or full refund
Free 90-day re-scan

POWERED BY THE TOOLS PROFESSIONALS USE

NMAPNUCLEITESTSSL.SHSUBFINDERHTTPXNIKTOWAFW00FFFUFWHATWEBOWASPCVE / NVDPCI DSSSOC 2

01Why this exists

Most teams don't know what's publicly broken about them.

Attackers don't write exploits first—they read what your domain freely broadcasts. Misconfigured email records, expiring certificates, and forgotten subdomains are all easily found. No hacking required, just looking.

Exarlo does that looking for you. We provide a comprehensive, plain-English report so you can fix issues before they cost you customers or your inbox reputation.

What attackers see

We replicate a real reconnaissance pass—public DNS, certificates, headers, services, breach databases. If they can read it, we read it first.

What's actually broken

We turn raw findings into a ranked list of fixes by impact. No 200-page PDFs full of noise—just the things that actually matter, in priority order.

How to fix it

Each finding ships with the exact records, headers or configuration changes to apply, written for your IT team or service provider.

02What's in the audit

Everything we check for you, in one audit.

We combine 20+ industry-standard scanners and analyzers into a single report. Every check below is run on every audit — no tiers, no upsells.

Email authentication

We verify DMARC, SPF, DKIM and MX records. Prevent attackers from sending phishing emails as your brand.

  • DMARC policy + p=none detection
  • SPF correctness + permissiveness (+all)
  • DKIM selector discovery
  • MX & mail-server posture
  • MTA-STS / TLS-RPT transport security

TLS, certificates & transport

Check HTTPS end-to-end: validity, expiry, protocols and ciphers. Weak TLS quietly erodes trust with browsers.

  • Certificate validity & expiry alerts
  • TLS 1.0 / 1.1 deprecation check
  • Deep cipher & protocol analysis (testssl)
  • HTTPS enforcement (HTTP→HTTPS)
  • CAA certificate-authority control

Headers, cookies & CORS

Essential headers, cookie flags and cross-origin policy to protect visitors from clickjacking, XSS and data leaks.

  • Strict-Transport-Security, CSP
  • X-Frame-Options, X-Content-Type-Options
  • Referrer-Policy, Permissions-Policy
  • Cookie flags (Secure / HttpOnly / SameSite)
  • CORS misconfiguration check

Public services & ports

Map open ports, exposed services, and tech stack. We flag unauthenticated or deprecated endpoints.

  • Port discovery (TCP scan)
  • Service & version fingerprinting
  • Subdomain enumeration
  • Tech stack identification
  • WAF / edge-protection detection

Vulnerability & exposure sweep

Targeted scanning against exposed services for known CVEs, web-server misconfigurations and leaked files.

  • CVE matching on detected services
  • Web-server misconfiguration scan (Nikto)
  • Sensitive file exposure (.env, .git, backups)
  • Path traversal & directory exposure
  • Default-credential checks

Breached credentials & brand

Check domain emails against breach databases, and monitor for typosquatting brand impersonation.

  • Breach database lookups
  • Plain-text credential exposure
  • Typosquat domain detection
  • Brand impersonation signals

Plus — the actual deliverable

  • A 0–100 risk score and a clear executive summary.
  • Findings ranked by impact with simple business explanations.
  • Copy-paste fixes (records, headers, patches) for your IT team.
  • A downloadable PDF to share with auditors or customers.
  • A free 90-day re-scan link to verify your fixes.

03Why you can trust this

No black box, no fine print, no install.

We’re a new, focused tool — so instead of asking you to take our word for it, we show our work. Every check is passive and public-only, every finding maps to a recognised standard, and the whole engine list is published on our methodology page.

What we always do

  • Test only your public, external footprint
  • Rate-limit and identify ourselves in the user-agent
  • Map findings to OWASP, CVE/NVD and compliance frameworks
  • Write every issue in plain English plus a copy-paste fix

What we never do

  • Install an agent or ask for your credentials
  • Run intrusive exploits or brute-force anything
  • Generate meaningful load on your site
  • Touch a domain you haven’t purchased an audit for

Your risk is covered

  • Report in your inbox within 48 hours — or a full refund
  • Free 90-day re-scan to confirm your fixes worked
  • Payments secured by Stripe — your card details never touch our servers
  • One-time $149. No subscription, no auto-renewal

04What you’ll receive

See exactly what a finding looks like.

Every issue lands twice — once in plain business language so you can decide how much it matters, and once as an exact, copy-paste fix for whoever runs your stack. Below is a slice of a report, rendered exactly the way you’ll see it.

SAMPLE REPORT · meridian-coffee.com

Executive summary

20+ engines · 26 findings · scanned in 4m 12s

63RISK / 100
2CRITICAL5HIGH8MEDIUM11LOW
No DMARC record — your domain can be spoofedCVSS 7.4CRITICAL

EMAIL AUTHENTICATION · DNS

With no DMARC policy, anyone can send email that passes as meridian-coffee.com. Phishing in your name reaches customer inboxes and quietly erodes your sender reputation with the major mailbox providers.

FIX → _dmarc.meridian-coffee.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@meridian-coffee.com"

DMARCGDPRNIST 800-53
HSTS not enforced on the primary hostCVSS 5.9HIGH

SECURITY HEADERS · HTTPS

A first-time visitor's request can be silently downgraded to plain HTTP and read or altered on shared Wi-Fi or a hostile network — the textbook foothold for a man-in-the-middle.

FIX → Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

OWASP A05PCI-DSS 4.1
Legacy TLS 1.0 / 1.1 still acceptedCVSS 4.8MEDIUM

TLS CONFIGURATION · PROTOCOL ENUMERATION

Deprecated protocols are breakable and fail PCI and SOC 2 controls outright. Practically no modern client needs them, so leaving them enabled is all downside.

FIX → Disable TLS 1.0/1.1 at the web server or CDN; require TLS 1.2+ (1.3 preferred).

PCI-DSSSOC 2

Showing the 3 highest-impact findings from a redacted sample for a fictional store. Your report covers every finding on your own domain, ranked by impact, with the full technical detail in the PDF.

Get my full report — $149

The sample is the exact PDF you receive — for a fictional store, with findings redacted.

05How it works

From your domain to a prioritised fix list, delivered to your inbox.

01

Enter your domain

No agents, no config. Just enter your domain and email.

02

We run the audit

Passive parallel scans against your public footprint. We don't touch your internal systems.

03

We score and rank

Findings are scored and ranked by impact with copy-paste fixes.

04

You get the report

Get the report in your browser and as a PDF. Hand it straight to your IT team.

06Pricing

One price. One report. No subscription.

Traditional security reviews cost thousands and take weeks. We do the same public-facing checks for $149, with the scan running in minutes.

TRADITIONAL PENTEST

$3k–$15k

2–4 weeks, scoping calls, NDAs

EXARLO AUDIT

$149

Scan in minutes, report within 48h

And a clean result isn’t a wasted $149 — it’s a dated, shareable proof you can hand to customers, partners or a vendor-security questionnaire.

$149

one-time, USD

The complete Exarlo audit. Every check, every finding, every fix. Includes a downloadable PDF and a free 90-day re-scan.

  • All 100+ checks across email, TLS, headers, cookies, services, exposed files, web-server config, vulnerabilities and breach intel
  • Findings ranked by impact, with copy-paste fixes for each
  • Plain-English executive summary + technical appendix
  • Downloadable PDF, emailed automatically
  • Free 90-day re-scan to confirm remediation
Get my audit

Secure checkout · one-time payment · no subscription

48-hour delivery guarantee.If your report doesn’t land within 48 hours of payment, email us your order ID and we refund the full $149.

07Common questions

Honest answers, no fine print.

No. Every check is run against your public footprint — DNS records, certificates served on the public internet, HTTP responses on standard ports, public breach databases. You don't install an agent, share credentials, or change DNS records. Your domain is all we need.

Yes, it's legal, and you authorise it implicitly when you purchase the audit for your own domain. Everything we do is passive reconnaissance against publicly accessible services — the same techniques used by every well-known security search engine. We never run intrusive exploits, never brute-force, never touch private endpoints.

It shouldn't. We rate-limit ourselves to a polite cadence, identify ourselves in the user-agent, and avoid anything that would generate meaningful load. If your team monitors traffic and wants to whitelist us in advance, just reply to your order email — we'll send the IP ranges.

An executive summary, a risk score, every finding ranked by impact with a business-language explanation and a technical-language fix, plus a downloadable PDF. You can give the executive summary to a non-technical leader and the technical pages to your IT team — both audiences are covered.

One-time. There's no auto-renew, no monthly minimum, no upsell sequence. You pay $149, you get the report, you get a free re-scan within 90 days to verify your fixes. If you want another audit six months later, you pay $149 again. That's the whole pricing model.

Reply to the report email and a real human will get back to you. Most fixes are a one-line DNS record or a header configuration that your IT team or service provider will recognise immediately. For anything they're unsure about, we'll help.

Yes, in specific cases. If our engine fails to deliver your report within 48 hours of payment, or your domain is unreachable before the scan starts, email support@exarlo.xyz within 7 days with your order ID and we'll refund the full $149. A clean result is still a real result, so we don't refund simply because the audit found little to fix. Full details are on our Refund Policy page.

One scan. Every public gap.

Ready to see what’s public about you?

Enter your domain. The scan runs in minutes, and your clear, ranked, fixable report — the things real attackers would find first — is emailed to you, guaranteed within 48 hours.

Public-only checks. Your report is emailed to you, guaranteed within 48 hours. One-time payment, no subscription.