Radar · the advanced tier

Advanced, continuous scanning for modern and AI-built apps

Radar, our flagship plan, goes past the security headers. Every week it sends crafted requests, checks the paths that should never be public, and reads your first-party scripts for leaked secrets. It is built for the way apps ship in 2026: fast, framework-heavy, and increasingly generated by AI.

Built with an AI app builder?

Lovable, Bolt, v0, Cursor, Supabase: fast to ship, easy to misconfigure.

AI and no-code builders move quickly, and they leave the same handful of security mistakes behind again and again. Radar looks for exactly those.

Secrets in the browser

Live keys in your client code

A Supabase service_role key, a Stripe secret key, an OpenAI, Anthropic or AWS key pasted into the front end is readable by every visitor and bypasses your access rules. We scan your page and its scripts and confirm the real ones, while leaving the keys that are meant to be public alone.

Open database

Public backend with no access control

A Supabase anon key or Firebase config belongs in the browser, but only if the database behind it enforces access control. With Row Level Security switched off, anyone can read it. We take the public key from your page and confirm whether the backend actually hands out its data, reading only the row count, never your records.

Exposed files

.env, .git and config left online

Deploys often push an .env, .env.local or a whole .git folder to the live server. We request the common ones and confirm each by its content, so a real leak is reported and a missing file is not.

Open back doors

Admin panels and consoles with no lock

An unauthenticated admin page, an open Spring Boot Actuator or an Apache status page hands attackers a head start. We check for them and treat a login screen as safe, so you only hear about the ones that are genuinely open.

How the advanced scan goes deeper

The checks a pentester runs first, automated and confirmed.

We read your bundles

First-party script scanning

Most leaked keys live in the JavaScript bundle, not the page source. On the advanced tier we fetch your own scripts through the same safe fetcher and search them for real credentials.

We send crafted requests

Active, safe probes

Beyond reading the page, Radar sends carefully crafted requests to test for host-header poisoning, TRACE and cross-site tracing, risky HTTP methods and content-negotiation quirks. Every request stays pinned to your verified domain.

We confirm before we alarm

Real risk, not noise

Each finding is verified by its content, not just a status code. A catch-all page that answers everything with 200, or an admin panel behind a login, is reported as safe. You get findings you can act on, not a wall of maybes.

Plans

Advanced scanning is the Radar plan.

Radar runs the full catalogue plus the advanced probes and secret scanning every week. Radar Lite runs the standard catalogue once a month. Both are priced per verified domain, excluding VAT.

What you get Free Freeno credit card Kicking the tyres: the essential checks, on demand. Radar Lite €49/domain · mo, excl. VAT Sites that want our full set of checks, once a month. Most chosen Radar €249/domain · mo, excl. VAT Teams who want the deepest, always-growing checks, scanned weekly. Custom Quotetailored Apps needing authenticated testing or a full pentest.
Extra subdomains per subdomain · mo €14,99 €49,99 Tailored
Automatic scanning Manual only Every month Every week On a set schedule
Manual scans 1× per 30 days Unlimited Unlimited
Security basics (TLS, HSTS, CSP)
Advanced security (clickjacking, referrer & permissions policy, version leaks)
Email spoofing (SPF, DKIM, DMARC)
Accessibility (WCAG basics)
Findability (SEO basics)
Advanced SEO (Open Graph, heading structure)
Advanced pentest checks Added continuously
Live findings dashboard
Authenticated & business-logic testing
Free Freeno credit card Kicking the tyres: the essential checks, on demand.
Extra subdomains per subdomain · mo
Automatic scanning
Manual only
Manual scans
1× per 30 days
Security basics (TLS, HSTS, CSP)
Advanced security (clickjacking, referrer & permissions policy, version leaks)
Email spoofing (SPF, DKIM, DMARC)
Accessibility (WCAG basics)
Findability (SEO basics)
Advanced SEO (Open Graph, heading structure)
Advanced pentest checks
Live findings dashboard
Authenticated & business-logic testing
Radar Lite €49/domain · mo, excl. VAT Sites that want our full set of checks, once a month.
Extra subdomains per subdomain · mo
€14,99
Automatic scanning
Every month
Manual scans
Unlimited
Security basics (TLS, HSTS, CSP)
Advanced security (clickjacking, referrer & permissions policy, version leaks)
Email spoofing (SPF, DKIM, DMARC)
Accessibility (WCAG basics)
Findability (SEO basics)
Advanced SEO (Open Graph, heading structure)
Advanced pentest checks
Live findings dashboard
Authenticated & business-logic testing
Most chosen Radar €249/domain · mo, excl. VAT Teams who want the deepest, always-growing checks, scanned weekly.
Extra subdomains per subdomain · mo
€49,99
Automatic scanning
Every week
Manual scans
Unlimited
Security basics (TLS, HSTS, CSP)
Advanced security (clickjacking, referrer & permissions policy, version leaks)
Email spoofing (SPF, DKIM, DMARC)
Accessibility (WCAG basics)
Findability (SEO basics)
Advanced SEO (Open Graph, heading structure)
Advanced pentest checks
Added continuously
Live findings dashboard
Authenticated & business-logic testing
Custom Quotetailored Apps needing authenticated testing or a full pentest.
Extra subdomains per subdomain · mo
Tailored
Automatic scanning
On a set schedule
Manual scans
Security basics (TLS, HSTS, CSP)
Advanced security (clickjacking, referrer & permissions policy, version leaks)
Email spoofing (SPF, DKIM, DMARC)
Accessibility (WCAG basics)
Findability (SEO basics)
Advanced SEO (Open Graph, heading structure)
Advanced pentest checks
Live findings dashboard
Authenticated & business-logic testing

Radar Lite runs our full catalogue of checks each month; Radar runs the same set weekly and is where new, advanced pentest checks land as we build them.

Add a domain or subdomain, or move up a plan, whenever you like: the new coverage starts on your next scan and the new price applies from your next monthly charge, so you are never billed twice in one month. Cancel any month and scanning stops at the end of the paid period, with nothing charged after that.

Scanning an app you built fast?

Start with a free homepage scan, then turn on Radar for the advanced checks on your verified domains.

Create account Talk to us