Security Intelligence

Find the Bugs
Before Hackers Do

CloviScan detects code vulnerabilities, exposed files, server weaknesses, and security headers — and tells you exactly how to fix them. Lite: from $9/mo for 3 scans per month.

No sign-up required · results in ~60 seconds

View dashboard

One platform for your whole attack surface — site security, repository security, SEO, performance and accessibility. Point-solution code scanners only see your source. CloviScan also scans your full git history for secrets that were committed and later removed but are still recoverable.

4 layers site, code, server, fix
8 categories SSL, headers, DNS, code & more
~60 sec per full scan
$9/mo Lite, lowest tier
example.com
SSL Certificate — Valid, expires 2026-09-14 PASS
Missing HSTS Header — browsers not forced to HTTPS MEDIUM
Hardcoded API key found in /config.js — line 23 CRITICAL
phpMyAdmin exposed at /phpmyadmin HIGH
jQuery 2.1.4 — 12 known CVEs in this version MEDIUM
Security Score
3 critical issues need immediate attention
73 /100
C
Grade
See a Real Report

What You Get in 60 Seconds

Below is an actual scan report of a public test site — every finding is real, nothing is mocked up.

Sample scan of testphp.vulnweb.com — Acunetix's official intentionally-vulnerable public test site.

← YOUR SECURITY SCORE
40
Grade F — At Risk
TLS invalid · 6 security headers missing · Score derived from real probe results.
← AI-RANKED FIXES
AI Security Verdict & Next Steps
  1. Renew/fix TLS certificate — invalid cert breaks encryption and browser trust.
  2. Add HSTS header — prevents SSL-stripping MITM on first load.
  3. Set Content-Security-Policy — blocks injected script execution.
AI Recommended Fix · KB
← REAL FINDINGS (from this scan)
Critical TLS certificate could not be validated CWE-298 · A02
High Strict-Transport-Security header not set CWE-319 · A05
Medium Content-Security-Policy header not set CWE-1021 · A05
+5 more findings in the full report
← ONE-CLICK EDGE FIX (Pro)
🔒 Edge Autofix & Continuous Monitoring — coming soon / beta
Pro tier will offer one-click header injection via Cloudflare Workers + weekly re-scan alerts. Currently in development.
See Full Sample Report → Open raw sample
Free vs Pro

What Free Gets You — and What Pro Unlocks

Free Scan
  • Full TLS & certificate audit
  • 6 security header checks
  • Exposure probe (9 paths)
  • Reputation & blocklist
  • Security score + grade
  • AI verdict & top-3 priorities
  • Shareable report link
No account needed · unlimited free scans
PRO
Pro & Agency
  • Everything in Free
  • Full PDF report export
  • AI fix citations & code snippets
  • Port & CVE fingerprint scan
  • DMARC/SPF/DKIM grading
  • Edge autofix (Cloudflare headers) coming soon
  • Continuous monitoring & alerts coming soon
Start Free — Upgrade Anytime
4-Layer Intelligence

From Surface to Source Code

Other scanners check what's visible. CloviScan goes four layers deep — analysing your external footprint, your actual source code, your server configuration, and then showing you exactly how to fix everything it finds.

Layer 1

External Website Audit

Your site's public-facing security profile, examined from the outside — exactly as a security researcher or attacker would see it. No access credentials required.

  • SSL/TLS certificate validity, grade, and cipher strength
  • Security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • DNS health: SPF, DKIM, DMARC, open resolvers
  • Exposed admin files: .env, wp-config.php, .git/config
  • Google Safe Browsing check + IP reputation score
"We check what the internet can already see about you — before someone malicious does."
Website Audit — example.com
SSL Certificate A+ Grade
Content-Security-Policy Missing
HSTS Enabled Pass
.env file exposed Critical
DNS — no DMARC Medium
Safe Browsing Clean
Layer 2 — What's Leaking

Exposed Source & Config Files

Your site may be leaking configuration files, credentials, and source code over public HTTP — without you knowing. CloviScan probes the paths attackers check first and surfaces anything that shouldn't be public.

  • Exposed .env files containing API keys, DB passwords, and secrets
  • Accessible .git/config and .git/HEAD (full source code extraction risk)
  • wp-config.php, config.php, /backup.zip common leaks
  • Publicly accessible admin panels and phpMyAdmin instances
  • Directory listing enabled (exposes file tree)
  • Malware & SEO spam detection via Sucuri SiteCheck enrichment
  • CVE-matched component fingerprinting (CMS, plugins, libraries)
"Attackers check these paths in the first 30 seconds. We check them first."
/app/routes/users.js 2 issues
44router.get('/user/:id', async (req, res) => {
45 const id = req.params.id;
46 const result = await
47 db.query(`SELECT * FROM users
WHERE id=${req.params.id}`);
SQL Injection Risk on line 47 — string interpolation in query allows attacker to inject arbitrary SQL. Severity: Critical.
📋 Fix: db.query('SELECT * FROM users WHERE id = ?', [req.params.id])
89const API_KEY = "sk-live-4xZ8...";
Hardcoded API key on line 89 — credential exposed in source file, likely in version control. Severity: Critical.
📋 Fix: Move to environment variable: process.env.API_KEY
Layer 3 — Your Attack Surface

Network Surface & Port Audit

Every open port is a potential entry point. CloviScan probes 14 common ports from an external vantage point — exactly as an attacker scans a target — flagging anything that shouldn't be internet-facing.

  • Port scan: 14 common attack surfaces (80, 443, 22, 21, 3306, 5432, 6379, 27017, 8080...)
  • Exposed database ports: MySQL (3306), PostgreSQL (5432), MongoDB (27017), Redis (6379)
  • Admin panels on non-standard ports (8080, 8443, 8888)
  • FTP/SFTP exposure (21, 22) and banner fingerprinting
  • TLS version probing: detects legacy TLS 1.0/1.1 that should be disabled
  • Forward secrecy check: ensures cipher suites protect past sessions
  • IP blacklist check: Spamhaus, SpamCop, Barracuda blocklists
"14 ports probed, external vantage — exactly what an attacker's first scan reveals."
Server Audit — 192.168.1.100
SSH root login enabled Critical
SSH key-only auth Good
Port 3306 open (MySQL) High
PHP 7.4 — EOL Jan 2023 Medium
Fail2ban active Good
phpMyAdmin publicly exposed Critical
Layer 4 — Where Others Stop

AI-Powered Autofix

Finding problems is the easy part. CloviScan goes further — every issue comes with a plain-English explanation, copy-paste code fix, and step-by-step server instructions so your team can resolve it today, not next sprint.

  • Plain-English explanation of every vulnerability found
  • Copy-paste code fix for all code-level issues
  • Step-by-step remediation for server and config issues
  • Auto-apply option for safe, low-risk fixes with one click
  • Priority scoring so you fix critical issues first
  • Re-scan confirmation after each fix is applied
"Not just a scanner — a security engineer in your browser."
Issue #1 — Critical SQL Injection

String interpolation in your database query lets an attacker pass SQL commands instead of an ID. This can expose your entire database with a single request.

SUGGESTED FIX — Copy & Paste
db.query(
  'SELECT * FROM users WHERE id = ?',
  [req.params.id]
);
Why It Matters

A Bug Today is a Breach Tomorrow

Every major breach starts as a small, overlooked code issue. Here's how a hardcoded API key becomes a catastrophic security event — and how CloviScan breaks the chain.

1

The Hidden Bug

A developer hardcodes an API key directly in a config file. It looks harmless. The test suite passes. The code ships to production.

const key = "sk-live-4xZ8mN...";
2

The Crawler Finds It

An automated bot scans GitHub repositories and public websites for exposed secrets around the clock. Within hours of your deploy, your API key is being actively tested on the dark web.

Credential detected — 14h ago
3

The Breach

Attackers use your exposed key to spin up compute instances, exfiltrate your customer database, or send thousands of spam messages — all billed to your account.

Unexpected charge: $14,870 — AWS

CloviScan catches this at Step 1 — before the crawler ever runs.

Scan Your Code Now
By the Numbers

One Scan, Whole-Site Coverage

Every scan runs the full check library across your site, code, and server — and returns a graded report in under a minute.

0+
security checks
A+
top SSL grade detected
<0s
average full scan
0k+
sites scanned
73 /100
Scan report — example.com
C 5 findings · 1 critical · scanned in 47s
SSL/TLS certificate valid — strong ciphers A+
Safe Browsing & reputation — clean PASS
Missing HSTS header — HTTPS not enforced MEDIUM
No DMARC record — domain spoofable MEDIUM
.env file exposed — credentials readable CRITICAL
Try It Now

Get a Security Snapshot

Enter any website to see a sample of what CloviScan finds. No account required.

Your security snapshot will appear here
Scanning
SSL: Valid through 2025-09-14 — Grade A
Headers: Missing Content-Security-Policy header
Critical: /.env file responding 200 OK — database credentials exposed
Overall Security Grade
3 issues found · 1 critical requires immediate attention
Score
48/100
D
+5 more findings (incl. 2 high-severity) & AI fixes
Email me the full report
See every finding plus copy-paste AI remediation steps. Lite: from $9/mo.
Double opt-in — we send a confirmation link. No spam, unsubscribe anytime.
Full report sent — check your inbox to confirm (double opt-in)
We emailed the complete scan with every finding and AI-suggested fixes. Confirm your email to view it, or open the full report now.
Open full report
Run a full scan on your own site
Ecosystem

Security Embedded Across Your Stack

CloviScan feeds its findings into the tools you already use — so security stays on the radar everywhere, not just in a quarterly audit report.

CloviSEO
Security score surfaces inside your SEO audit — HTTPS and headers affect rankings
CloviAble
Security findings appear alongside accessibility issues in the unified site audit
CloviFlow
Auto-alerts and remediation workflows trigger on new critical findings
aaPanel
Server hardening audit pulls live data from your panel — no manual SSH needed
Debug Agent
Code autofix agent applies suggested patches from scan results automatically
Pricing

Start at $9/mo, Scale as You Grow

No credit card required to start. All plans include AI-powered remediation advice — not just a list of problems.

Lite
For individuals and hobbyists
$9/mo
Annual $90 — lowest tier
  • 3 scans per month
  • Website audit (SSL, headers, DNS)
  • Google Safe Browsing check
  • 7-day history
  • Plain-English findings
  • Code analysis
  • Server audit
  • PDF reports
  • Email alerts
Get Lite
Most Popular
Pro
For developers and small teams
$19
per month, billed monthly
  • 50 scans per month
  • Full website audit
  • Code security analysis
  • Server hardening audit
  • AI autofix suggestions
  • PDF reports
  • 90-day history
  • Email alerts on new findings
  • API access
  • White-label reports
Start Pro Trial
Agency
For agencies and larger teams
$49
per month, billed monthly
  • 500 scans per month
  • All Pro features
  • REST API access
  • White-label reports
  • Multi-seat team access
  • Webhook integration
  • Slack alerts
  • Priority support
  • Custom scan schedules
Start Agency Trial
Comparison

How CloviScan Compares

Honest, feature-by-feature — no asterisks. Code-first scanners go deep but assume a developer audience and enterprise budget. Basic free checkers test one thing and stop. CloviScan covers the whole site in plain English.

Capability CloviScan Typical code-first scanners Basic free checkers
🔥 Dynamic detonation (runtime malware in isolated browser)
🔥 DNS/Email deep audit (SPF, DMARC, DKIM, DNSSEC, CAA)
🔥 Sucuri malware enrichment (free, every scan)
🔥 Security + SEO + Performance + A11y (one scan)
SSL/TLS certificate + cipher audit
Security headers (7 headers incl. COOP) 4-5 only Basic
Port surface scan (14 ports)
CVE fingerprinting
Google Safe Browsing check Some
Clean PDF report (CloviPrint) Basic PDF
Plain-English findings + AI fixes Jargon-heavy
Starting price Free scan · Paid from $19/mo $69–$249/mo Free (limited)
One Ecosystem

Pairs With the Rest of Your Site Toolkit

Security is one layer of site health. CloviScan shares findings with sibling tools for performance, accessibility, SEO, and automation — one login, one dashboard.

CloviAble — A11y CloviSEO — SEO CloviCharts — Perf CloviLegal — Legal CloviPDF — Reports
Get Started Today

Start Scanning from $19/mo

No credit card. No installation. Paste your domain and get a full security report in under 60 seconds.

Scan My Site See Sample Report

Lite from $19/mo · No installation · Results in 60 seconds