Free · Defensive · No account

Shield.
Free security audit for your stack.

Paste a URL, wallet address, contract address, email address, package.json, or MCP server endpoint and get a security report in about 10 seconds. Every scanner works from public data only, and no account is required.


Run a scan

Pick what you want to audit. All scans are defensive — public data only. We do not touch your credentials, keys, or private infra.
URL scan checks: security headers (HSTS, CSP, X-Frame-Options), TLS certificate validity and expiry, exposed files (/.git/config, .env, .DS_Store, phpinfo), and a subdomain inventory built from Certificate Transparency logs.
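The header and exposed-file checks above reduce to two pure functions, shown here as an added example (this is not the page's or Shield's own code). The response headers and bodies are constructed inline; the HSTS max-age threshold of 180 days is this example's choice, not a value the page states. The point worth noticing is that a 200 status alone does not prove a file is exposed: many sites answer 200 with a catch-all HTML page, so each probe also requires a body marker the real file would contain.

```python
import re

# 180 days; this threshold is the example's choice, not the page's.
HSTS_MIN_AGE = 15_552_000

# Response headers the page lists, mapped to finding codes. Header names are
# compared case-insensitively because HTTP header names are.
HEADER_CHECKS = {
    "strict-transport-security": "hsts-missing",
    "content-security-policy": "csp-missing",
    "x-frame-options": "xfo-missing",
}

# Body markers that make a 200 meaningful. Without them a catch-all
# "200 OK" HTML page would be reported as an exposed file.
EXPOSED_MARKERS = {
    "/.git/config": re.compile(rb"^\s*\[core\]", re.M),            # git config section header
    "/.env": re.compile(rb"^[A-Za-z_][A-Za-z0-9_]*=", re.M),        # a KEY=value line
    "/.DS_Store": re.compile(rb"^\x00\x00\x00\x01Bud1"),            # .DS_Store magic bytes
    "/phpinfo.php": re.compile(rb"PHP Version"),                     # phpinfo() page title text
}


def audit_headers(headers: dict) -> list:
    """Return finding codes for missing or weak security headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, code in HEADER_CHECKS.items():
        if name in lower:
            continue
        # CSP frame-ancestors supersedes X-Frame-Options in current browsers,
        # so its absence is not a finding when frame-ancestors is set.
        if code == "xfo-missing" and "frame-ancestors" in lower.get("content-security-policy", ""):
            continue
        findings.append(code)
    hsts = lower.get("strict-transport-security", "")
    max_age = re.search(r"max-age\s*=\s*(\d+)", hsts)
    if hsts and (not max_age or int(max_age.group(1)) < HSTS_MIN_AGE):
        findings.append("hsts-short-max-age")
    return findings


def classify_probe(path: str, status: int, body: bytes):
    """Return the path if the response looks like the real file, else None."""
    marker = EXPOSED_MARKERS.get(path)
    if marker is None or status != 200:
        return None
    return path if marker.search(body) else None


if __name__ == "__main__":
    # Constructed responses standing in for a live target.
    print(audit_headers({"Content-Security-Policy": "default-src 'self'"}))
    print(classify_probe("/.git/config", 200, b"[core]\n\trepositoryformatversion = 0\n"))
    print(classify_probe("/.env", 200, b"<html><title>Not found</title></html>"))
```

In a live scanner the same two functions sit behind plain GET requests to the target; only the response parsing is shown here so the example runs offline.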
Wallet scan checks: cross-reference against the Sniper blacklist, active token approvals granted to unverified contracts, interaction history with known phishing contracts, and sweeper-bot activity patterns. Public on-chain data only.
Contract scan checks: static analysis of explorer-verified source (selfdestruct, tx.origin, delegatecall with user-controlled data, unprotected proxy upgrade, reentrancy patterns), Sniper attestor flags, and known rug-pull signatures. Rate-limited to 5 scans per minute.
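A first-pass version of the source checks listed above, as an added example rather than Shield's analyzer: a comment-aware pattern scan for selfdestruct, tx.origin, delegatecall, and upgrade functions with no access-control modifier. The Solidity contract is constructed for the example. The heuristics are deliberately simple and produce triage signals, not confirmed bugs; an upgrade function protected by an in-body require(msg.sender == owner) would still be flagged, and real analysis needs the AST and data flow (for instance with Slither).

```python
import re

# Heuristic patterns applied to comment-stripped source, one line at a time.
PATTERNS = {
    "selfdestruct": re.compile(r"\b(?:selfdestruct|suicide)\s*\("),
    "tx.origin": re.compile(r"\btx\.origin\b"),
    "delegatecall": re.compile(r"\.delegatecall\s*[\({]"),
}

# Function names that typically swap a proxy's implementation. The header is
# reported as unprotected when it carries nothing beyond visibility and
# mutability keywords; modifiers such as onlyOwner or onlyRole(...) count
# as protection. Body-level require() checks are not seen by this heuristic.
UPGRADE_FN = re.compile(r"\bfunction\s+(upgradeTo\w*|setImplementation)\s*\([^)]*\)\s*([^{;]*)")
BUILTIN_MODIFIERS = {"public", "external", "internal", "private", "payable",
                     "virtual", "override", "view", "pure"}


def strip_comments(src: str) -> str:
    """Remove // and /* */ comments while preserving line numbering."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def scan_source(src: str) -> list:
    """Return sorted (line_number, finding) tuples for the heuristics above."""
    code = strip_comments(src)
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    for m in UPGRADE_FN.finditer(code):
        header = re.sub(r"returns\s*\([^)]*\)", "", m.group(2))
        custom = [t for t in re.findall(r"[A-Za-z_]\w*", header) if t not in BUILTIN_MODIFIERS]
        if not custom:
            lineno = code.count("\n", 0, m.start()) + 1
            findings.append((lineno, "unprotected-upgrade"))
    return sorted(findings)


# Constructed contract exercising every heuristic, including a comment that
# mentions tx.origin and must not be reported.
SAMPLE_SOURCE = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract ConstructedProxy {
    address public implementation;
    address public owner;

    // tx.origin in a comment must not be reported
    function upgradeTo(address impl) external {
        implementation = impl;
    }

    function destroy() external {
        require(tx.origin == owner);
        selfdestruct(payable(owner));
    }

    fallback() external payable {
        (bool ok, ) = implementation.delegatecall(msg.data);
        require(ok);
    }
}
"""

if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```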
Email scan checks: public breach databases queried by k-anonymity hash prefix, so only a short prefix of the hash leaves the server and the full email address or hash is never sent to a third party. Without a server-side HIBP_API_KEY the report gives a breach count only; with one configured it also lists the breaches.
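The hash-prefix lookup the email scan relies on, written out as an added example (not Shield's code) with both the client and a constructed stand-in for the remote database so it runs offline. The prefix length and algorithm follow the published HIBP Pwned Passwords range API (first 5 hex characters of SHA-1); the page states its email check applies the same principle, and both are parameters here. The server records what it receives so the privacy property is visible: it only ever sees five characters of the hash.

```python
import hashlib

# HIBP's Pwned Passwords range API sends the first 5 hex characters of the
# SHA-1 hash. Both values are parameters so the same client works for any
# prefix-based breach lookup.
PREFIX_LEN = 5
HASH_ALGO = "sha1"


def hash_hex(value: str, algo: str = HASH_ALGO) -> str:
    """Uppercase hex digest of the value. Callers normalize (e.g. lowercase an email) first."""
    return hashlib.new(algo, value.strip().encode("utf-8")).hexdigest().upper()


def split_prefix(digest: str, prefix_len: int = PREFIX_LEN):
    return digest[:prefix_len], digest[prefix_len:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return the count for suffix (0 if absent)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def k_anon_lookup(value: str, fetch_range, algo: str = HASH_ALGO) -> int:
    """Hash locally, send only the prefix, match the suffix locally."""
    prefix, suffix = split_prefix(hash_hex(value, algo))
    return count_in_range(suffix, fetch_range(prefix))


class ConstructedRangeServer:
    """Stand-in for the remote breach database (constructed, not a real dataset)."""

    def __init__(self, corpus: dict, algo: str = HASH_ALGO):
        self.index = {hash_hex(v, algo): n for v, n in corpus.items()}
        self.requests = []  # every prefix the server was asked for

    def fetch_range(self, prefix: str) -> str:
        self.requests.append(prefix)
        lines = [f"{h[len(prefix):]}:{n}" for h, n in self.index.items() if h.startswith(prefix)]
        return "\r\n".join(lines)


if __name__ == "__main__":
    server = ConstructedRangeServer({"password": 9_000_000, "correct horse battery staple": 1})
    print(k_anon_lookup("password", server.fetch_range))
    print(server.requests)  # the server only ever saw 5-character prefixes
```

Against the real HIBP range endpoint the fetch_range callable would be an HTTPS GET of https://api.pwnedpasswords.com/range/{prefix}; sending the Add-Padding: true header makes every response a similar size so its length does not hint at how populated the bucket is.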
Dependency (package.json) scan checks: every declared dependency cross-referenced against OSV.dev, the free public vulnerability database. Reports per-package CVE IDs and severity, and highlights CVE-2026-39313 for mcp-framework. Manifests up to 256KB.
MCP server scan checks: the mcp-framework version banner against CVE-2026-39313 (critical if the version is <= 0.2.21), a maxMessageSize enforcement probe (a gentle 1KB body), presence of well-known endpoints, the STDIO interface header, and the Anthropic MCP SDK arbitrary-command-execution pattern.
The probe is gentle: HEAD and GET requests to safe endpoints only. We do not send malicious payloads.
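The dependency check and the mcp-framework version check share one piece of logic, numeric version comparison, so both are shown in a single added example (not Shield's code). It turns a package.json into an OSV.dev querybatch request body, reads a response, and compares a version banner against the page's stated threshold. The manifest, the OSV response and its vulnerability IDs are constructed; the banner format (any text containing a semver) is an assumption, since the page does not say where the banner comes from. Two caveats a practitioner wants are built in: a manifest declares version ranges such as "^4.17.20", not resolved versions, so results for those entries are flagged as inexact (the lockfile is the authoritative source), and versions are compared as integer tuples, because as strings "0.10.0" sorts below "0.2.21".

```python
import json
import re
from typing import Optional, Tuple

MAX_MANIFEST_BYTES = 256 * 1024           # size cap stated on the page
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"
MCP_LAST_AFFECTED = "0.2.21"              # threshold stated on the page for CVE-2026-39313

SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Specs that yield a concrete lower-bound version. Anything else (||, hyphen
# ranges, dist-tags like "latest", git URLs, "*") is reported as unresolvable.
SIMPLE_SPEC = re.compile(r"^\s*(\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """First semver in the text as an int tuple, so comparison is numeric."""
    m = SEMVER.search(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def declared_dependencies(manifest_text: str) -> list:
    """(name, version-or-None, exact) for every declared dependency."""
    if len(manifest_text.encode("utf-8")) > MAX_MANIFEST_BYTES:
        raise ValueError("manifest exceeds 256KB limit")
    manifest = json.loads(manifest_text)
    deps = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (manifest.get(section) or {}).items():
            m = SIMPLE_SPEC.match(spec)
            if not m:
                deps.append((name, None, False))
                continue
            op, version = m.groups()
            # "^x.y.z" and "~x.y.z" are ranges: x.y.z is only the lower bound.
            deps.append((name, version, op in (None, "=")))
    return deps


def osv_batch_query(deps: list) -> dict:
    """Request body for POST {OSV_QUERYBATCH_URL}; unresolvable specs are skipped."""
    return {"queries": [{"package": {"name": name, "ecosystem": "npm"}, "version": version}
                        for name, version, _ in deps if version]}


def summarize_osv(deps: list, response: dict) -> dict:
    """Join results (returned in query order) back to package names."""
    queried = [d for d in deps if d[1]]
    report = {}
    for (name, version, exact), result in zip(queried, response.get("results", [])):
        ids = [v["id"] for v in (result.get("vulns") or [])]
        if ids:
            report[name] = {"version": version, "exact": exact, "vulns": ids}
    return report


def mcp_framework_affected(banner: str, last_affected: str = MCP_LAST_AFFECTED) -> Optional[bool]:
    """True if the banner's version is <= last_affected, None if no version is found."""
    v = parse_version(banner)
    return None if v is None else v <= parse_version(last_affected)


# Constructed inputs: a manifest and an OSV querybatch response with made-up IDs.
SAMPLE_MANIFEST = json.dumps({
    "name": "constructed-sample",
    "dependencies": {"mcp-framework": "0.2.21", "lodash": "^4.17.20", "left-pad": "latest"},
})
SAMPLE_OSV_RESPONSE = {"results": [
    {"vulns": [{"id": "OSV-EXAMPLE-0001", "modified": "2026-01-01T00:00:00Z"}]},
    {},
]}

if __name__ == "__main__":
    deps = declared_dependencies(SAMPLE_MANIFEST)
    print(json.dumps(osv_batch_query(deps)))
    print(summarize_osv(deps, SAMPLE_OSV_RESPONSE))
    print(mcp_framework_affected("mcp-framework/0.2.21"), mcp_framework_affected("0.10.0"))
```

The querybatch endpoint returns only vulnerability IDs and modification times; severity comes from a follow-up GET of /v1/vulns/{id} per ID. In the MCP case the banner text would be whatever the HEAD or GET of the well-known endpoints returns, which is why parse_version accepts any string.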
Get notified on re-scan
We'll re-scan this target every 6 hours and email you if anything changes. Your email is hashed (SHA-256) before storage.

Because the internet needs it

Every app ships with at least one stale dep, one missing header, one forgotten .env. A free scan removes the excuse.

Because attestation doesn't help if you're already owned

Signed modules are great. They are also useless if your host is serving its /.git/ directory to the world, since the repository, and any .env ever committed to it, can be reconstructed from that. Check both layers.

Because real intel builds trust

We are the same team that runs Sniper. Sniper watches bad actors. Shield helps good actors. Same data lake, opposite direction.

FAQ

What does "defensive only" mean?

Shield never exploits, never attempts unauthorized access, never harvests credentials. Every check uses public data (DNS, Certificate Transparency, CVE databases, block explorer data, public breach databases). User-initiated only — you paste your own target.

What about privacy?

We hash emails with SHA-256 before storing them. Hashing keeps addresses out of plain view in storage, though it is not anonymization: email addresses are low-entropy, so a hash can be matched by hashing candidate addresses. For breach lookups we use HIBP's k-anonymity range API, so only a short prefix of the hash leaves this server. Scan reports are kept for 30 days and then purged. No account, no tracking pixels.

Responsible disclosure?

If you opt in with an email, we will only notify you privately about new critical findings on your own target. We do not publish vulnerabilities about third parties.

Will there be a paid tier?

Maybe, for continuous monitoring with SMTP alerts, longer retention, and SLA support. The core scan will always be free.

Is the MCP scan safe to run on a live server?

Yes. The probe sends a 1KB benign JSON body and a HEAD request to well-known endpoints (/.well-known/mcp, /version, /). No payloads, no fuzzing, no brute-force.