Methodology v1.1 · Benchmarked against 2,170 scans

How we grade your website.

Full transparency on how your A-F security grade is calculated. No black box, no hidden weights. Everything on this page is how the real scanner works.

THE FORMULA

score = 100
  - (Critical × 25)
  - (High     × 8)
  - (Medium   × 3)
  - (Low      × 1)
  + bonuses (max +5)

HARD CAPS (applied last, no bonus can bypass):
  Critical found      → F
  Cloaking/Ghost page → F
  Any scan            → max 99
  (100/100 never awarded. No scanner can prove it.)

DEEP SCAN PERK:
  Pro public reports that pass Green Light can activate UNPWNED VERIFIED.
  Verified-domain deep scans can activate UNPWNED DEEP VERIFIED.

7 Scoring Categories

Every finding maps to one of seven categories. Weights reflect real-world impact on your security posture, not theoretical severity.

Secrets & Credentials (20%)
Exposed API keys, database credentials, .env files, source maps.

Security Headers (18%)
CSP, HSTS, X-Frame-Options, X-Content-Type-Options.

SSL/TLS Configuration (17%)
Certificate validity, cipher suites, TLS version, mixed content.

Authentication & Access (17%)
Exposed admin panels, open API endpoints, weak authentication.

DNS & Email Security (11%)
SPF, DKIM, DMARC, DNSSEC (where the hosting platform supports it).

Database Exposure (11%)
Supabase/Firebase RLS issues, open S3 buckets, exposed APIs.

Dependencies & CVEs (6%)
Known vulnerabilities in JS libraries (via NVD/OSV).

Grade Scale

A+: 95-99, at least 2 bonuses, no high/critical findings
Excellent. You went beyond the basics.

A: 88-94
Strong. No critical issues, hygiene mostly clean.

B: 78-87
Good. A few minor gaps to address.

C: 65-77
Acceptable. Several issues worth fixing.

D: 50-64
Weak. Multiple meaningful issues.

F: below 50, or any critical finding / cloaking
Failing. Critical risks present.

Bonuses: What Earns A+

A+ is not automatic. You need a score of 95+, at least 2 of these bonuses, and zero high or critical findings. Each bonus gives +1 (max +5). We only count bonuses you can actually control on your stack.

HSTS Header
Forces browsers to HTTPS.
Strict CSP
Content Security Policy with strict-dynamic or nonce.
MFA Enforced
Multi-factor authentication on admin access.
Subresource Integrity
SRI attributes on external scripts.
Rate Limiting
Detected on API endpoints or forms.
WAF Detected
Cloudflare, Vercel Firewall, Sucuri, or similar.
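
The formula, hard caps, grade scale and A+ bonus rule above, combined into one grader. This is an added illustration, not the scanner's own code; the names (ScanResult, grade) are mine, the floor of 0 on the score is my assumption (the page states no floor), and a 95+ score that misses the A+ conditions falling to A is my reading of the scale.

```python
from dataclasses import dataclass, field

# Severity weights and caps as stated in Methodology v1.1.
WEIGHTS = {"critical": 25, "high": 8, "medium": 3, "low": 1}
MAX_BONUS = 5
MAX_SCORE = 99  # 100/100 is never awarded

# Minimum score per grade; A+ additionally needs 2+ bonuses and no high/critical.
THRESHOLDS = [("A+", 95), ("A", 88), ("B", 78), ("C", 65), ("D", 50)]


@dataclass
class ScanResult:
    critical: int = 0
    high: int = 0
    medium: int = 0
    low: int = 0
    bonuses: list = field(default_factory=list)  # e.g. ["HSTS Header", "Strict CSP"]
    cloaking: bool = False  # cloaking or ghost page detected


def raw_score(r: ScanResult) -> int:
    """100 minus weighted findings, plus at most MAX_BONUS, then the 99 cap.
    The cap runs after bonuses (caps are applied last). Floor of 0 is an assumption."""
    penalty = (r.critical * WEIGHTS["critical"] + r.high * WEIGHTS["high"]
               + r.medium * WEIGHTS["medium"] + r.low * WEIGHTS["low"])
    bonus = min(len(r.bonuses), MAX_BONUS)  # each bonus is +1, max +5
    return max(0, min(MAX_SCORE, 100 - penalty + bonus))


def grade(r: ScanResult) -> tuple:
    """Return (letter, score). Hard caps run last: any critical or cloaking is an F
    regardless of the numeric score, so no bonus can bypass it."""
    score = raw_score(r)
    if r.critical > 0 or r.cloaking:
        return "F", score
    for letter, floor in THRESHOLDS:
        if score < floor:
            continue
        if letter == "A+" and (len(r.bonuses) < 2 or r.high > 0):
            continue  # assumption: fails the A+ conditions, so evaluate as A
        return letter, score
    return "F", score


if __name__ == "__main__":
    # Constructed sample: two low findings, three bonuses -> 101 capped to 99, A+.
    print(grade(ScanResult(low=2, bonuses=["HSTS Header", "Strict CSP", "Subresource Integrity"])))
    # One critical: numeric score 75, but the hard cap makes it an F.
    print(grade(ScanResult(critical=1)))
```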

Infrastructure-Aware Scoring

Your security doesn't have to be visible to be real. If your site is behind Cloudflare, Vercel Firewall, or a similar WAF, the scanner may be blocked. That's a good sign.

Blocked = Security Working. When a WAF returns 403 or a challenge, we credit it as active protection (+bonus), not a missing feature.
Platform Detection. If we detect Vercel, Wix, or Squarespace hosting (which don't support DNSSEC), we mark DNSSEC as N/A, not missing.
No Platform Punishment. If a security control requires infrastructure you don't control, it won't drag down your grade.

Surface Scan vs. Verified Deep Scan

Surface Scan (Default · Free)

Highest possible grade: A+ (up to 99)

External-only observations. We see what an attacker would see without touching your infrastructure.

700+ checks · 2 minutes

Deep Scan (Pro · Verified)

Highest possible grade: A+ (up to 99), Deep Verified

Requires domain ownership verification. Same score range as the surface scan, but a Pro public report that passes Green Light can activate the UNPWNED DEEP VERIFIED badge. Unlocks cloaking detection, ghost page sampling, deep CORS, and HTTP method fuzzing. Higher risk of finding issues, but a high score here is more prestigious.

All surface checks + deep inspection

There is no such thing as 100% security. Any scanner that claims otherwise is lying. 100/100 is never awarded. Verified deep scans carry more weight because they probe deeper.

Data Sources

Live Observations (90%)

  • HTTP response analysis
  • DNS queries
  • SSL handshake inspection
  • Content & secret regex
  • Sitemap cloaking analysis

External Databases (10%)

  • NVD / CVE Database
  • OSV (Google Open-Source Vulns)
  • Known malware signatures

What We Don't Score

Some things matter but aren't security per se. We show them separately. They never drag down your grade.

Privacy Policy presence. This is legal compliance, not security. Tracked under Compliance Checks.
Cookie consent banners. GDPR/CCPA compliance, not attack surface.
SEO quality. Not our scope.

Version History

v1.1
May 2026. Developer-friendly rebalance
Severity weights softened (high 10→8, medium 5→3, low 2→1) so common hygiene gaps don't tank typical small-SaaS sites. Critical raised 20→25 and hard caps now run last (no bonus can bypass an F). Grade thresholds lowered to match the new distribution. A+ requires 2+ bonuses and no high/critical findings.
v1.0
April 2026. Initial public methodology
7-category weighted system, A-F grading, infrastructure-aware scoring, surface/deep split.

See your grade

Scan any website in under 2 minutes. No credit card required.