Free · No account · Results in 15 seconds

Your website is doing things you don't know about.

Decloak scans 7 attack surfaces simultaneously - JavaScript CVEs, hidden trackers, third-party data flows, security headers - and delivers a scored, graded report in under 15 seconds.

7 scan layers · CVE database · AI summary · Free - no card required

What Decloak finds

Seven attack surfaces. One scan.

Most tools check one thing. Decloak checks everything - then correlates findings across layers to surface risks that single-purpose scanners miss.

Critical · Layer 4 · JavaScript

Stripe API key exposed in production bundle

sk_live_4xK9mRpQ2...

High · Layer 4 · CVE

jQuery 1.12.4 - CVE-2019-11358 (XSS)

/assets/vendor.js · loaded on 3 pages

High · Layer 5 · Tag Manager

GTM firing to 3 unrecognised domains

cdn-analytics-2847.io · reg. 6 weeks ago

Medium · Layer 1 · HTTP

Content-Security-Policy header missing

No CSP policy found across 12 pages

Medium · Layer 2 · HTML

Hidden 1×1 tracking pixel - doubleclick.net

<img width="1" height="1" style="display:none">

Info · Layer 4 · Source

Source map exposed - /dist/app.js.map

Original source code reconstructable

How it works

Three steps. Fifteen seconds.

01

Paste any URL

No account, no setup, no browser extension. Just a URL. Free tier results in under 15 seconds.

02

AI scans 7 attack surfaces

HTTP headers, HTML, live network traffic, JavaScript CVEs, tag managers, third-party supply chain, and behavioural analysis - simultaneously.

03

Get your scored report

A graded A–F report with an AI-written executive summary. Shareable by link. Readable by anyone.

Paid tier

It doesn't scan.
It investigates.

The free tier scans one page. The paid tier deploys an AI security agent that reads each finding and decides what to look at next - following threads, fetching scripts, checking domains - until it has complete site coverage.

  • Reads findings and decides what to investigate next
  • Fetches and scans every identified JavaScript file
  • Checks domains against threat intelligence databases
  • Reconstructs source code from exposed source maps
  • Produces per-finding remediation guidance
  • Shows its reasoning at every step

agent · investigation log · live

00:01  status   Starting investigation of example.com
00:04  page     Layer 1–7 scan complete · 4 findings
00:06  agent    Exposed source map detected at /dist/app.js.map
00:08  fetch    Fetching source map · 1,847 source files found
00:11  finding  Hardcoded API key in src/utils/analytics.ts
00:13  agent    GTM container GTM-X4K9P2 detected - fetching
00:16  page     14 active tags · 3 firing to unknown domains
00:19  finding  cdn-analytics-2847.io · registered 6 weeks ago
00:22  done     Investigation complete · 12 findings · 2 critical

For compliance teams

Replace your compliance scanner.

Teams using AppCheck, Qualys, or Tenable for monthly SOC2 and ISO 27001 evidence pay thousands per year for reports that still need a pentester to interpret. Decloak delivers the same scheduled scan cadence, maps findings to compliance controls, and produces PDF evidence packages - at a fraction of the cost.

Scheduled recurring scans

Automated daily, weekly, or monthly cadence keeps your SOC2 and ISO 27001 evidence current without manual effort.

PDF evidence packages

Timestamped, audit-ready PDFs with scan attestation blocks your auditors can accept.

ISO 27001 / SOC2 mapping

Findings automatically tagged to ISO 27001 Annex A controls and SOC2 Trust Services Criteria.

Scan history and comparison

Compare each scan against the last - show auditors exactly which findings have been resolved.

Remediation tracking

Mark findings as Open, In Progress, Resolved, or Accepted Risk. Auditors need to see action was taken.

Multi-domain dashboard

One view across all your domains - current grade, last scan date, and open critical findings.

Pricing

Start free. Scale when you need to.

Free for individual page checks. Paid plans unlock full AI agent investigations, scheduled scans, and compliance reporting - at a fraction of enterprise scanner costs.

Free

£0
  • 1-page scan per submission
  • All 7 scan layers
  • AI executive summary
  • Scan history in your account
  • Re-scan and delete anytime
  • Shareable public link

Starter

Popular
£29 / month
  • Full AI agent investigation
  • Up to 50 pages per scan
  • Per-finding remediation guidance
  • PDF evidence export
  • Scheduled recurring scans
  • Scan comparison reports
  • Email alerts for new criticals

Pro

£79 / month
  • Everything in Starter
  • Up to 200 pages per scan
  • ISO 27001 / SOC2 control mapping
  • Remediation tracking
  • Team access and finding assignment
  • Slack and webhook notifications
  • API and CI/CD access
  • Audit evidence packages