Public-only security audit
Find the security gaps in your business before someone else does.
We scan everything your domain exposes to the public internet, then hand you a ranked, plain-English fix list. No agent, no install.
100+ passive checks on what your domain exposes to the internet. Ranked, plain-English fixes. No agent, no install.
100% passive & public-only — no install, no credentials, and nothing that slows your site down. You authorise the scan of your own domain at checkout.
ILLUSTRATIVE SCAN · FICTIONAL STORE · YOUR REPORT COVERS 100+ CHECKS
SAMPLE OUTPUT · FICTIONAL STORE · YOU AUTHORISE YOUR OWN SCAN AT CHECKOUT
100+
Checks per audit
3–6 min
Typical scan time
20+
Tools combined
$149
One-time price
POWERED BY THE TOOLS PROFESSIONALS USE
01Why this exists
Most teams don't know what's publicly broken about them.
Attackers don't write exploits first—they read what your domain freely broadcasts. Misconfigured email records, expiring certificates, and forgotten subdomains are all easily found. No hacking required, just looking.
Exarlo does that looking for you. We provide a comprehensive, plain-English report so you can fix issues before they cost you customers or your inbox reputation.
What attackers see
We replicate a real reconnaissance pass—public DNS, certificates, headers, services, breach databases. If they can read it, we read it first.
What's actually broken
We turn raw findings into a ranked list of fixes by impact. No 200-page PDFs full of noise—just the things that actually matter, in priority order.
How to fix it
Each finding ships with the exact records, headers or configuration changes to apply, written for your IT team or service provider.
02What's in the audit
Everything we check for you, in one audit.
We combine 20+ industry-standard scanners and analyzers into a single report. Every check below is run on every audit — no tiers, no upsells.
Email authentication
We verify DMARC, SPF, DKIM and MX records. Prevent attackers from sending phishing emails as your brand.
- →DMARC policy + p=none detection
- →SPF correctness + permissiveness (+all)
- →DKIM selector discovery
- →MX & mail-server posture
- →MTA-STS / TLS-RPT transport security
TLS, certificates & transport
Check HTTPS end-to-end: validity, expiry, protocols and ciphers. Weak TLS quietly erodes trust with browsers.
- →Certificate validity & expiry alerts
- →TLS 1.0 / 1.1 deprecation check
- →Deep cipher & protocol analysis (testssl)
- →HTTPS enforcement (HTTP→HTTPS)
- →CAA certificate-authority control
Headers, cookies & CORS
Essential headers, cookie flags and cross-origin policy to protect visitors from clickjacking, XSS and data leaks.
- →Strict-Transport-Security, CSP
- →X-Frame-Options, X-Content-Type-Options
- →Referrer-Policy, Permissions-Policy
- →Cookie flags (Secure / HttpOnly / SameSite)
- →CORS misconfiguration check
Public services & ports
Map open ports, exposed services, and tech stack. We flag unauthenticated or deprecated endpoints.
- →Port discovery (TCP scan)
- →Service & version fingerprinting
- →Subdomain enumeration
- →Tech stack identification
- →WAF / edge-protection detection
Vulnerability & exposure sweep
Targeted scanning against exposed services for known CVEs, web-server misconfigurations and leaked files.
- →CVE matching on detected services
- →Web-server misconfiguration scan (Nikto)
- →Sensitive file exposure (.env, .git, backups)
- →Path traversal & directory exposure
- →Default-credential checks
Breached credentials & brand
Check domain emails against breach databases, and monitor for typosquatting brand impersonation.
- →Breach database lookups
- →Plain-text credential exposure
- →Typosquat domain detection
- →Brand impersonation signals
Plus — the actual deliverable
- A 0–100 risk score and a clear executive summary.
- Findings ranked by impact with simple business explanations.
- Copy-paste fixes (records, headers, patches) for your IT team.
- A downloadable PDF to share with auditors or customers.
- A free 90-day re-scan link to verify your fixes.
03Why you can trust this
No black box, no fine print, no install.
We’re a new, focused tool — so instead of asking you to take our word for it, we show our work. Every check is passive and public-only, every finding maps to a recognised standard, and the whole engine list is published on our methodology page.
What we always do
- Test only your public, external footprint
- Rate-limit and identify ourselves in the user-agent
- Map findings to OWASP, CVE/NVD and compliance frameworks
- Write every issue in plain English plus a copy-paste fix
What we never do
- Install an agent or ask for your credentials
- Run intrusive exploits or brute-force anything
- Generate meaningful load on your site
- Touch a domain you haven’t purchased an audit for
Your risk is covered
- Report in your inbox within 48 hours — or a full refund
- Free 90-day re-scan to confirm your fixes worked
- Payments secured by Stripe — your card details never touch our servers
- One-time $149. No subscription, no auto-renewal
04What you’ll receive
See exactly what a finding looks like.
Every issue lands twice — once in plain business language so you can decide how much it matters, and once as an exact, copy-paste fix for whoever runs your stack. Below is a slice of a report, rendered exactly the way you’ll see it.
SAMPLE REPORT · meridian-coffee.com
Executive summary
20+ engines · 26 findings · scanned in 4m 12s
EMAIL AUTHENTICATION · DNS
With no DMARC policy, anyone can send email that passes as meridian-coffee.com. Phishing in your name reaches customer inboxes and quietly erodes your sender reputation with the major mailbox providers.
FIX → _dmarc.meridian-coffee.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@meridian-coffee.com"
SECURITY HEADERS · HTTPS
A first-time visitor's request can be silently downgraded to plain HTTP and read or altered on shared Wi-Fi or a hostile network — the textbook foothold for a man-in-the-middle.
FIX → Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
TLS CONFIGURATION · PROTOCOL ENUMERATION
Deprecated protocols are breakable and fail PCI and SOC 2 controls outright. Practically no modern client needs them, so leaving them enabled is all downside.
FIX → Disable TLS 1.0/1.1 at the web server or CDN; require TLS 1.2+ (1.3 preferred).
Showing the 3 highest-impact findings from a redacted sample for a fictional store. Your report covers every finding on your own domain, ranked by impact, with the full technical detail in the PDF.
The sample is the exact PDF you receive — for a fictional store, with findings redacted.
05How it works
From your domain to a prioritised fix list, delivered to your inbox.
01
Enter your domain
No agents, no config. Just enter your domain and email.
02
We run the audit
Passive parallel scans against your public footprint. We don't touch your internal systems.
03
We score and rank
Findings are scored and ranked by impact with copy-paste fixes.
04
You get the report
Get the report in your browser and as a PDF. Hand it straight to your IT team.
06Pricing
One price. One report. No subscription.
Traditional security reviews cost thousands and take weeks. We do the same public-facing checks for $149, with the scan running in minutes.
TRADITIONAL PENTEST
$3k–$15k
2–4 weeks, scoping calls, NDAs
EXARLO AUDIT
$149
Scan in minutes, report within 48h
And a clean result isn’t a wasted $149 — it’s a dated, shareable proof you can hand to customers, partners or a vendor-security questionnaire.
$149
one-time, USD
The complete Exarlo audit. Every check, every finding, every fix. Includes a downloadable PDF and a free 90-day re-scan.
- All 100+ checks across email, TLS, headers, cookies, services, exposed files, web-server config, vulnerabilities and breach intel
- Findings ranked by impact, with copy-paste fixes for each
- Plain-English executive summary + technical appendix
- Downloadable PDF, emailed automatically
- Free 90-day re-scan to confirm remediation
Secure checkout · one-time payment · no subscription
48-hour delivery guarantee.If your report doesn’t land within 48 hours of payment, email us your order ID and we refund the full $149.
07Common questions
Honest answers, no fine print.
No. Every check is run against your public footprint — DNS records, certificates served on the public internet, HTTP responses on standard ports, public breach databases. You don't install an agent, share credentials, or change DNS records. Your domain is all we need.
Yes, it's legal, and you authorise it implicitly when you purchase the audit for your own domain. Everything we do is passive reconnaissance against publicly accessible services — the same techniques used by every well-known security search engine. We never run intrusive exploits, never brute-force, never touch private endpoints.
It shouldn't. We rate-limit ourselves to a polite cadence, identify ourselves in the user-agent, and avoid anything that would generate meaningful load. If your team monitors traffic and wants to whitelist us in advance, just reply to your order email — we'll send the IP ranges.
An executive summary, a risk score, every finding ranked by impact with a business-language explanation and a technical-language fix, plus a downloadable PDF. You can give the executive summary to a non-technical leader and the technical pages to your IT team — both audiences are covered.
One-time. There's no auto-renew, no monthly minimum, no upsell sequence. You pay $149, you get the report, you get a free re-scan within 90 days to verify your fixes. If you want another audit six months later, you pay $149 again. That's the whole pricing model.
Reply to the report email and a real human will get back to you. Most fixes are a one-line DNS record or a header configuration that your IT team or service provider will recognise immediately. For anything they're unsure about, we'll help.
Yes, in specific cases. If our engine fails to deliver your report within 48 hours of payment, or your domain is unreachable before the scan starts, email support@exarlo.xyz within 7 days with your order ID and we'll refund the full $149. A clean result is still a real result, so we don't refund simply because the audit found little to fix. Full details are on our Refund Policy page.
One scan. Every public gap.
Ready to see what’s public about you?
Enter your domain. The scan runs in minutes, and your clear, ranked, fixable report — the things real attackers would find first — is emailed to you, guaranteed within 48 hours.