Now scanning with GPT-4o

Know your site's attack surface

Ten security scans run in parallel. AI turns raw findings into a graded report with prioritized, copy-pasteable fixes. Takes seconds, costs pennies.

Free to start · No credit card required

krakenprobe.com/dashboard

example.com: Grade B, 76/100 (AI analyzed)

Good TLS configuration and cookie security. Missing Content-Security-Policy and DMARC records are the main areas to address.

Scan time: 1.2s · AI: $0.002

Top Priorities

#1 Add Content-Security-Policy (+12 pts)

No CSP header detected. This leaves the site vulnerable to XSS and data injection attacks.

Fix available for Nginx, Apache, Cloudflare, Express. Nginx:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data:;" always;

#2 Set DMARC policy to reject (+8 pts)

DMARC is set to 'none' — emails can be spoofed without any action taken.

#3 Add Subresource Integrity hashes (+5 pts)

TLS/SSL: A
Security Headers: D
DNS Security: C
Cookies: A

Ten scanners, one report

Everything checked in parallel

TLS/SSL Analysis

Certificate validity, protocol versions, cipher strength, key size, and chain verification.

Security Headers

HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and information disclosure.

Vulnerable Libraries

Detects outdated JavaScript libraries and cross-references known CVEs automatically.

DNS Security

SPF, DKIM, DMARC, CAA records — complete email authentication and DNS hardening audit.

Cookie Security

Secure, HttpOnly, SameSite flags with extra scrutiny on session and authentication cookies.

CORS Misconfiguration

Tests for wildcard origins, origin reflection, null origin, subdomain trust, and prefix bypass.

Mixed Content

Detects HTTP resources loaded on HTTPS pages — scripts, styles, images, iframes, and forms.

Subresource Integrity

Checks external scripts and stylesheets for integrity hashes. Without SRI, a compromised CDN can serve tampered files to your visitors.

Technology Detection

Identifies your CMS, framework, server, CDN, WAF, and third-party services from headers and HTML.

Exposure Scanning

Checks for exposed .env, .git, server-status, phpinfo, backups, and other sensitive files or paths.

Why it matters

Your attack surface is bigger than you think

Every website exposes an attack surface — the collection of entry points that an attacker can probe, test, and exploit. This includes your TLS configuration, HTTP response headers, DNS records, cookies, third-party scripts, and CORS policies. Most site owners only think about their application code, but the infrastructure around it is often where attackers find the easiest wins.

Without a Content-Security-Policy header, the browser places no restrictions on injected scripts, so they run with the page's full privileges. Misconfigured CORS lets malicious sites read your API responses. Outdated JavaScript libraries ship known vulnerabilities directly to your visitors. These aren't theoretical risks; they're the issues behind real breaches documented by OWASP and security researchers every week.

The problem is that checking all of this manually takes hours. You need to inspect TLS certificates, read raw HTTP headers, query DNS records, audit every cookie flag, test CORS with crafted requests, and cross-reference library versions against CVE databases. KrakenProbe does all of this in parallel, in seconds, and uses AI to turn the raw findings into a prioritised action plan you can actually follow.

Knowing your site's attack surface is the first step to reducing it. You can't fix what you can't see.

Three steps

How KrakenProbe works

1. Enter a URL

Type any public website address. KrakenProbe runs ten security scanners in parallel — TLS, headers, DNS, cookies, CORS, libraries, mixed content, subresource integrity, technology detection, and exposure scanning. The entire scan completes in under two seconds.

2. AI analyses results

Raw scan data is sent to GPT-4o for analysis. The AI grades your site A through F, identifies the top priorities, estimates the score impact of each fix, and generates platform-specific remediation code for your server.

3. Fix and rescan

Each finding comes with copy-pasteable configuration for your platform — whether that's Nginx, Netlify, Cloudflare, or Vercel. Implement the fixes, hit rescan, and watch your grade improve. You can also export a PDF report to share with your team.

Pricing

Pay-per-scan. That's it.

No subscriptions, no tiers. Each scan costs roughly what the AI analysis costs — about a penny with GPT-4o-mini.

GPT-4o-mini: ~$0.001 per scan. Fast, cheap, very capable. Best for most scans.

GPT-4o: ~$0.03 per scan. Deeper analysis, better CSP insights, richer remediation.

No AI: Free, always. Raw scan results only. No AI summary or prioritization.

See what attackers see

Sign in with Google or GitHub and run your first security scan in under 30 seconds.
