Every tool in one place.

SPF, DKIM, DMARC, MX, MTA-STS, TLS-RPT, BIMI, and DNSSEC across three resolvers in about 15 seconds. PDF report on request.

Pick the services you send from; we assemble the TXT record and count DNS lookups so you don't blow the RFC-7208 10-lookup limit.

Resolve an existing SPF record's whole include/redirect tree and count the real number of DNS lookups — the one that breaks mail past 10.

Build a v=DMARC1 record with the right policy and reporting address, plus a guided rollout from p=none to full enforcement.

Paste your DMARC TXT record for per-tag grading and plain-English fixes. No DNS lookup — bring your own record.

Paste a daily aggregate (rua=) XML report for a per-source breakdown, alignment rate, and a verdict on moving to quarantine or reject. Runs in your browser.

Paste your DKIM TXT record for tag-by-tag grading, a key-size estimate, and revocation detection. No DNS lookup required.

Paste a suspicious email's raw headers to trace every hop, read the SPF/DKIM/DMARC verdicts, and surface spoofing tells. Nothing uploaded.

Resolve your BIMI DNS record, fetch the SVG, and flag Gmail-blocking issues: size, content-type, missing VMC, DMARC enforcement.

Ingest aggregate reports from your rua= mailbox: per-source alignment, untrusted-sender flags, and a guided path from p=none to p=reject.

Pick your MX hosts and a mode (enforce / testing / none). Emits the hosted policy file plus the DNS TXT record.

Subscribe to daily TLS/MTA-STS/DANE failure reports. Build a fresh TXT record, or paste one for tag-by-tag grading.

Daily (Starter) or 6-hour (Pro) rescans with field-level drift detection. Email, Slack, and webhook alerts the moment anything changes.

Real TLS handshake — chain trust, expiry, negotiated version, public-key strength, and signature algorithm.

Walks an https page for http:// sub-resources, distinguishing active (blocked) from passive (warned) mixed content.

Grades CSP, HSTS, frame protection, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy with weighted scoring and a fix list.

Pick your CSP directives, frame policy, referrer-policy, and Permissions-Policy. Emits a ready-to-paste header block for your CDN or proxy.

Paste a Content-Security-Policy header; we grade every directive — wildcards, 'unsafe-inline', missing frame-ancestors, and the rest.

Paste your Access-Control-* headers. Catches wildcard + credentials, Allow-Origin: null, and comma-separated origin lists.

Paste your Strict-Transport-Security header; we grade it against Chrome's preload-list requirements (max-age, includeSubDomains, preload).

Per-cookie grading of Secure, HttpOnly, and SameSite — the three flags that decide whether XSS can steal sessions.

Paste a single Set-Cookie line. Decomposes name/value/attributes and grades against best practice (Secure, HttpOnly, SameSite, __Host-, Partitioned).

Probes redirect-shaped query parameters with an attacker-controlled destination. Fails are endpoints with no allowlist.

Decomposes a URL into scheme, host, path, query, and fragment, flagging IDN homograph attacks, suspicious ports, and mismatched encoding.

One-shot recon: NS/MX/A/AAAA/TXT/CAA on the apex, subdomain discovery via Certificate Transparency, owning ASN per IP, rendered as a node-link map.

Pick the CAs you trust; emits the DNS CAA records to publish so unauthorized CAs can't issue certs for your domain.

Generate a valid /.well-known/security.txt (RFC 9116). Warns on http://, expired, or 2+ year-out Expires fields.

Decode header + payload, flag the alg: none exploit, show expiry status, and list claim sets. Signatures aren't verified — that needs the secret.

MD5, SHA-1, SHA-256, SHA-384, SHA-512. Paste text or upload a file; copy any digest with one click.

Encode arbitrary bytes to base64 or base64url and decode the other way — handy for inspecting auth headers and CSP nonces.

Percent-encode or decode in three flavors — encodeURI, encodeURIComponent, and form-urlencoded (+ for space).

Escape the five OWASP-mandated characters (or every non-ASCII). Decode named, decimal, and hex references; detects double-encoding.

Generate v4 UUIDs in bulk; inspect a UUID's variant + version. Useful when correlating logs across services.

Entropy + time-to-crack against three attacker baselines, 100% client-side. Flags repeated chars, year suffixes, and a top-100 breach corpus.

Convert between Unix epoch (s/ms), ISO-8601, RFC 3339, and human-readable. Always UTC to avoid timezone confusion.

Paste a 5-field cron expression for a plain-English explanation and the next 6 UTC fire times. Catches the dom/dow OR-semantics gotcha.

Compute network/broadcast, usable range, mask, and host count for any IPv4 CIDR. Handy when carving subnets for new VPCs.

Expand ::-compressed addresses, get the RFC 5952 canonical form, classify scope, and derive the reverse-DNS PTR.

Pretty-print, minify, or validate any JSON. Surfaces parse errors with line + column. Stays entirely client-side.

Live regex match preview against multi-line input, highlighting matches + groups. JavaScript regex flavor.

Compare two texts line-by-line, side-by-side or unified, with +/- stats. Useful for diffing CSP headers, JSON, or config files.

Pick your level — L1 (17 FAR practices), L2 (110 NIST 800-171 controls), or L3 (24 NIST 800-172). Self-assessment, evidence library, SSP markdown, and POA&M CSV per level.

Score against the AICPA Common Criteria plus opt-in Availability and Confidentiality. Capture evidence, export a readiness report and gap CSV.

Self-assess the six CSF functions across 106 subcategories — the framework cyber insurers ask about. Tier statement, profile markdown, and gap CSV.

Upload a customer's security questionnaire as CSV; we auto-match every question we've seen before from your saved answer library. Stop rewriting answers.

A single posture score with week-over-week deltas, plus a unified findings board (Kanban, SLA aging, bulk actions) across every connected system.

M365, Google Workspace, GitHub, Cloudflare, AWS, Snyk, KnowBe4, UniFi, Meraki, and Kisi — synced on a schedule into findings and auto-evidence.

A policy template library, risk register, access reviews, offboarding playbooks, and an incident register — the governance an auditor asks to see.

Auto-discover vendors from your OAuth grants, track each one's risk and review cadence, and get alerted on vendor breaches and stale grants.

Run phishing simulations with a difficulty-tiered lure library and customizable sender domains, plus training and report-phish positive-outcome paths.

Auto-fill the underwriter's 12-item control checklist from the facts your integrations already gathered, then export a signed attestation PDF.

Publish a Vanta-style trust page that shows prospects your security posture, certifications, and sub-processors — without sending the questionnaire back and forth.

The CISA Known Exploited Vulnerabilities catalog, filtered and ranked for the products an SMB actually runs, with ransomware-linked and due-soon flags.

The ransomware, phishing, and BEC trends hitting small businesses — every figure traced to the FBI IC3 report and CISA #StopRansomware advisories.

Upcoming CMMC, PCI DSS, FTC Safeguards, and US state-privacy deadlines, each traced to its primary source and re-bucketed by how soon it's due.

A plain-English gallery of the tells that give away a phishing email — sender tricks, urgency, dodgy links, fake logins, and payment fraud. Every example is synthetic.

Ten plain-English questions across email, identity, backups, and training. Two minutes, a score, and prioritized next steps. Runs entirely in your browser.

A rotating library of concrete, plain-English security steps for SMBs — one a day, no acronym soup, no fear-mongering.

Plain-English definitions of the security and compliance terms that show up in audits, questionnaires, and insurance forms — each with its own indexable page.