Advanced, continuous scanning for modern and AI-built apps
Radar, our flagship plan, goes past the security headers. Every week it sends crafted requests, checks the paths that should never be public, and reads your first-party scripts for leaked secrets. It is built for the way apps ship in 2026: fast, framework-heavy, and increasingly generated by AI.
Lovable, Bolt, v0, Cursor, Supabase: fast to ship, easy to misconfigure.
AI and no-code builders move quickly, and they leave the same handful of security mistakes behind again and again. Radar looks for exactly those.
Live keys in your client code
A Supabase service_role key, a Stripe secret key, an OpenAI, Anthropic or AWS key pasted into the front end is readable by every visitor and bypasses your access rules. We scan your page and its scripts and confirm the real ones, while leaving the keys that are meant to be public alone.
Public backend with no access control
A Supabase anon key or Firebase config belongs in the browser, but only if the database behind it enforces access control. With Row Level Security switched off, anyone can read it. We take the public key from your page and confirm whether the backend actually hands out its data, reading only the row count, never your records.
.env, .git and config left online
Deploys often push an .env, .env.local or a whole .git folder to the live server. We request the common ones and confirm each by its content, so a real leak is reported and a missing file is not.
Admin panels and consoles with no lock
An unauthenticated admin page, an open Spring Boot Actuator or an Apache status page hands attackers a head start. We check for them and treat a login screen as safe, so you only hear about the ones that are genuinely open.
The checks a pentester runs first, automated and confirmed.
First-party script scanning
Most leaked keys live in the JavaScript bundle, not the page source. On the advanced tier we fetch your own scripts through the same safe fetcher and search them for real credentials.
Active, safe probes
Beyond reading the page, Radar sends carefully crafted requests to test for host-header poisoning, TRACE and cross-site tracing, risky HTTP methods and content-negotiation quirks. Every request stays pinned to your verified domain.
Real risk, not noise
Each finding is verified by its content, not just a status code. A catch-all page that answers everything with 200, or an admin panel behind a login, is reported as safe. You get findings you can act on, not a wall of maybes.
Advanced scanning is the Radar plan.
Radar runs the full catalogue plus the advanced probes and secret scanning every week. Radar Lite runs the standard catalogue once a month. Both are priced per verified domain, excluding VAT.
| What you get | Free Freeno credit card Kicking the tyres: the essential checks, on demand. | Radar Lite €49/domain · mo, excl. VAT Sites that want our full set of checks, once a month. | Most chosen Radar €249/domain · mo, excl. VAT Teams who want the deepest, always-growing checks, scanned weekly. | Custom Quotetailored Apps needing authenticated testing or a full pentest. |
|---|---|---|---|---|
| Extra subdomains per subdomain · mo | — | €14,99 | €49,99 | Tailored |
| Automatic scanning | Manual only | Every month | Every week | On a set schedule |
| Manual scans | 1× per 30 days | Unlimited | Unlimited | — |
| Security basics (TLS, HSTS, CSP) | ✓ | ✓ | ✓ | ✓ |
| Advanced security (clickjacking, referrer & permissions policy, version leaks) | – | ✓ | ✓ | ✓ |
| Email spoofing (SPF, DKIM, DMARC) | – | ✓ | ✓ | ✓ |
| Accessibility (WCAG basics) | ✓ | ✓ | ✓ | ✓ |
| Findability (SEO basics) | ✓ | ✓ | ✓ | ✓ |
| Advanced SEO (Open Graph, heading structure) | – | ✓ | ✓ | ✓ |
| Advanced pentest checks | – | – | Added continuously | ✓ |
| Live findings dashboard | ✓ | ✓ | ✓ | ✓ |
| Authenticated & business-logic testing | – | – | – | ✓ |
- Extra subdomains per subdomain · mo
- —
- Automatic scanning
- Manual only
- Manual scans
- 1× per 30 days
- Security basics (TLS, HSTS, CSP)
- ✓
- Advanced security (clickjacking, referrer & permissions policy, version leaks)
- –
- Email spoofing (SPF, DKIM, DMARC)
- –
- Accessibility (WCAG basics)
- ✓
- Findability (SEO basics)
- ✓
- Advanced SEO (Open Graph, heading structure)
- –
- Advanced pentest checks
- –
- Live findings dashboard
- ✓
- Authenticated & business-logic testing
- –
- Extra subdomains per subdomain · mo
- €14,99
- Automatic scanning
- Every month
- Manual scans
- Unlimited
- Security basics (TLS, HSTS, CSP)
- ✓
- Advanced security (clickjacking, referrer & permissions policy, version leaks)
- ✓
- Email spoofing (SPF, DKIM, DMARC)
- ✓
- Accessibility (WCAG basics)
- ✓
- Findability (SEO basics)
- ✓
- Advanced SEO (Open Graph, heading structure)
- ✓
- Advanced pentest checks
- –
- Live findings dashboard
- ✓
- Authenticated & business-logic testing
- –
- Extra subdomains per subdomain · mo
- €49,99
- Automatic scanning
- Every week
- Manual scans
- Unlimited
- Security basics (TLS, HSTS, CSP)
- ✓
- Advanced security (clickjacking, referrer & permissions policy, version leaks)
- ✓
- Email spoofing (SPF, DKIM, DMARC)
- ✓
- Accessibility (WCAG basics)
- ✓
- Findability (SEO basics)
- ✓
- Advanced SEO (Open Graph, heading structure)
- ✓
- Advanced pentest checks
- Added continuously
- Live findings dashboard
- ✓
- Authenticated & business-logic testing
- –
- Extra subdomains per subdomain · mo
- Tailored
- Automatic scanning
- On a set schedule
- Manual scans
- —
- Security basics (TLS, HSTS, CSP)
- ✓
- Advanced security (clickjacking, referrer & permissions policy, version leaks)
- ✓
- Email spoofing (SPF, DKIM, DMARC)
- ✓
- Accessibility (WCAG basics)
- ✓
- Findability (SEO basics)
- ✓
- Advanced SEO (Open Graph, heading structure)
- ✓
- Advanced pentest checks
- ✓
- Live findings dashboard
- ✓
- Authenticated & business-logic testing
- ✓
Radar Lite runs our full catalogue of checks each month; Radar runs the same set weekly and is where new, advanced pentest checks land as we build them.
Add a domain or subdomain, or move up a plan, whenever you like: the new coverage starts on your next scan and the new price applies from your next monthly charge, so you are never billed twice in one month. Cancel any month and scanning stops at the end of the paid period, with nothing charged after that.
Scanning an app you built fast?
Start with a free homepage scan, then turn on Radar for the advanced checks on your verified domains.
Create account Talk to us