Free · No account · Results in 15 seconds
Decloak scans 7 attack surfaces simultaneously - JavaScript CVEs, hidden trackers, third-party data flows, security headers - and delivers a scored, graded report in under 15 seconds.
Security Score
Fair - attention needed
example.com
just now
Stripe API key exposed in /dist/main.js
sk_live_4xK9mR...
jQuery 1.12.4 - CVE-2019-11358
Known XSS vulnerability - 3 pages affected
GTM firing 3 tags to unknown domains
cdn-analytics-2847.io · reg. 6 weeks ago
AI Summary
Critical credential exposure detected in production JS bundle. A recently-registered domain is loading third-party scripts that may have been compromised...
What Decloak finds
Most tools check one thing. Decloak checks everything - then correlates findings across layers to surface risks that single-purpose scanners miss.
Stripe API key exposed in production bundle
sk_live_4xK9mRpQ2...
jQuery 1.12.4 - CVE-2019-11358 (XSS)
/assets/vendor.js · loaded on 3 pages
GTM firing to 3 unrecognised domains
cdn-analytics-2847.io · reg. 6 weeks ago
Content-Security-Policy header missing
No CSP policy found across 12 pages
Hidden 1×1 tracking pixel - doubleclick.net
<img width="1" height="1" style="display:none">
Source map exposed - /dist/app.js.map
Original source code reconstructable
How it works
No account, no setup, no browser extension. Just a URL. Free tier results in under 15 seconds.
HTTP headers, HTML, live network traffic, JavaScript CVEs, tag managers, third-party supply chain, and behavioural analysis - simultaneously.
A graded A–F report with an AI-written executive summary. Shareable by link. Readable by anyone.
Paid tier
The free tier scans one page. The paid tier deploys an AI security agent that reads each finding and decides what to look at next - following threads, fetching scripts, checking domains - until it has complete site coverage.
For compliance teams
Teams using AppCheck, Qualys, or Tenable for monthly SOC2 and ISO 27001 evidence pay thousands per year for reports that still need a pentester to interpret. Decloak delivers the same scheduled scan cadence, maps findings to compliance controls, and produces PDF evidence packages - at a fraction of the cost.
Automated daily, weekly, or monthly cadence keeps your SOC2 and ISO 27001 evidence current without manual effort.
Timestamped, audit-ready PDFs with scan attestation blocks your auditors can accept.
Findings automatically tagged to ISO 27001 Annex A controls and SOC2 Trust Services Criteria.
Compare each scan against the last - show auditors exactly which findings have been resolved.
Mark findings as Open, In Progress, Resolved, or Accepted Risk. Auditors need to see action was taken.
One view across all your domains - current grade, last scan date, and open critical findings.
Pricing
Free for individual page checks. Paid plans unlock full AI agent investigations, scheduled scans, and compliance reporting - at a fraction of enterprise scanner costs.