
ABOUT
What is UNPWNED?
UNPWNED is a passive, AI-aware web security scanner. It runs 700+ automated checks against websites and GitHub repositories in under two minutes, returns plain-English findings with severity ratings, and includes copy-paste AI fix prompts on Pro reports. It is built for indie hackers, vibe coders, SaaS founders, and small teams who need fast, accessible security feedback before launch - not a $50,000 pentest, not an enterprise scanner with a sales call. Free to start, Pro from $9/month.
What is UNPWNED?
UNPWNED is a passive web security scanner that runs 700+ automated checks against a website or GitHub repository in under two minutes. It identifies misconfigurations, leaked secrets, weak HTTP headers, SSL/TLS issues, DNS and email auth gaps, exposed config files, BaaS rule problems on Supabase and Firebase, and dependency vulnerabilities. Reports return plain-English findings, and Pro reports include copy-paste fix prompts that developers paste into AI coding agents like Cursor, Claude, ChatGPT, or Copilot.
Who is UNPWNED for?
UNPWNED is built for solo developers, indie hackers, and small teams shipping fast - especially developers who build with AI coding tools (Cursor, Lovable, Bolt, Replit, v0, Base44, Windsurf). It is also useful for SaaS founders running a pre-launch security check, agencies validating client work before handover, and Supabase or Firebase users who need to confirm their RLS rules and storage policies are tight.
What does UNPWNED scan?
UNPWNED scans live websites by domain and GitHub repositories connected through GitHub OAuth. The standard scan covers SSL/TLS configuration, HTTP security headers, exposed secrets and API keys, exposed config files (.env, credentials.json, SSH keys), Supabase and Firebase misconfigurations, API route security and CORS policies, DNSSEC and email authentication (SPF, DKIM, DMARC), open ports, subdomain enumeration, dependency vulnerabilities, privacy and consent mechanisms, threat intelligence correlation, and source-code-level secrets in connected GitHub repos. Deep Scan adds active probing on verified domains, including CVE fingerprinting, error disclosure analysis, form security testing, and open redirect detection.
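To make concrete what one of the passive checks listed above actually does, here is an added example (not UNPWNED's own code; the check names, severity labels, thresholds and the sample header sets are this example's assumptions, not the scanner's scoring). It reviews a captured HTTP response header set the way the header and CORS checks above would: a missing or short-lived HSTS header, a CSP whose script-src allows 'unsafe-inline' with no nonce or hash, a missing nosniff, a CORS policy that reflects the scanner's own Origin with credentials, and a version number leaking in the Server header.

```python
"""Passive HTTP security-header review of the kind listed above.

Added example, not UNPWNED's own code. The header dictionaries are
constructed for illustration; the check names, severities and thresholds
are this example's assumptions, not the scanner's published scoring.
"""
from __future__ import annotations

from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; a widely used minimum for a meaningful HSTS max-age
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str  # "high", "medium" or "low" (assumed scale)
    detail: str


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS header value, or 0 if absent or unparseable."""
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                return int(token[len("max-age="):])
            except ValueError:
                return 0
    return 0


def check_headers(headers: dict[str, str],
                  probe_origin: str = "https://attacker.example") -> list[Finding]:
    """Evaluate one response's headers. probe_origin is the Origin header the
    scanner sent with its request, so reflected-origin CORS can be detected."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[Finding] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(Finding("hsts", "medium", "Strict-Transport-Security header missing"))
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append(Finding("hsts", "low", f"HSTS max-age {hsts_max_age(hsts)} is below one year"))

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding("csp", "medium", "Content-Security-Policy header missing"))
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly
        script_src = policy.get("script-src", policy.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE) for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append(Finding("csp", "medium",
                "script-src allows 'unsafe-inline' with no nonce or hash, so injected inline scripts still run"))
        if any(s in ("*", "https:", "http:") for s in script_src):
            findings.append(Finding("csp", "low", "script-src permits scripts from any host"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(Finding("content-type-options", "low", "X-Content-Type-Options: nosniff missing"))

    acao = h.get("access-control-allow-origin")
    with_creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == probe_origin and with_creds:
        findings.append(Finding("cors", "high",
            "arbitrary Origin reflected with Allow-Credentials: true; any site can read authenticated responses"))
    elif acao == "*" and with_creds:
        findings.append(Finding("cors", "medium",
            "wildcard origin with credentials; browsers reject the combination, but no origin allowlist exists"))

    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(Finding("info-disclosure", "low", f"Server header discloses a version: {server}"))

    return findings


# Constructed sample: a weak but typical header set from a fresh deploy.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Server": "nginx/1.18.0",
}

# Constructed sample: the same site after the fixes.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx",
}

if __name__ == "__main__":
    for f in check_headers(WEAK_HEADERS):
        print(f"[{f.severity:6}] {f.check}: {f.detail}")
    print("hardened set findings:", check_headers(HARDENED_HEADERS))
```

Two design points worth noting. The CORS check needs to know which Origin the scanner sent, because the dangerous pattern is a server that echoes any Origin back together with Allow-Credentials: true; a literal `*` with credentials is a misconfiguration browsers refuse to honour, so it is rated lower. And a CSP is only as strong as its script-src: 'unsafe-inline' without a nonce or hash leaves the policy unable to block the injected inline script it was meant to stop, which is why presence of the header alone is not enough to pass.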
What makes UNPWNED different from other scanners?
Three things. First, Pro reports include fix prompts tailored to the developer's AI coding tool - UNPWNED closes the gap between "you have a CSP problem" and "here is the exact policy to paste into your Next.js middleware". Second, it is purpose-built for code generated by AI tools, which has a distinct vulnerability profile compared to hand-written code: Supabase service_role keys shipped to the client, tables without RLS, hardcoded credentials in client bundles, and wide-open CORS. Third, the pricing model fits indie developers - Pro starts at $9/month rather than $500+/month enterprise pricing.
Is UNPWNED a penetration test replacement?
No. UNPWNED is a passive automated scanner, not a human-led penetration test. A real pentest involves manual exploit chaining, threat modeling, and creative attacks that automated tools cannot replicate. UNPWNED is best used as a pre-pentest baseline: it catches the obvious 80% in two minutes, so a human pentester (when you eventually hire one) can spend their time on the harder, higher-value issues. UNPWNED also does not replace runtime protection like a WAF, firewall, or DDoS mitigation.
Is UNPWNED safe to run on my domain?
Yes. The standard scan is read-only: it makes only the kind of unauthenticated requests any visitor's browser would make, does not submit forms or change state, and touches only what is already publicly reachable. Deep Scan, which performs active probing, is gated behind domain ownership verification and runs only on domains you have explicitly verified (via a DNS TXT record, a file uploaded to the site, or a meta tag).
When should you use UNPWNED?
Run UNPWNED before every public launch, after every meaningful deploy, and on a recurring monthly schedule once you are live. Pro plans include scheduled monitoring with alerts on new findings or newly disclosed CVEs affecting your dependencies. The ideal moment for a first scan is the day before launch, when there is still time to fix what comes back.
REAL TELEMETRY
See the data behind the scanner
74% of scanned sites have no rate limiting. 72% have no CSP. Real telemetry, updated continuously.
METHODOLOGY
How the scanner actually works
Step-by-step breakdown of what each scanner does and how findings are scored.
Try it on your domain
Free scan, no signup required. 700+ checks in under 2 minutes.