Pricing
Simple pricing for fast triage and deeper remediation.
Free for public-surface checks. One-time $49 when you need live key validation, CVE audit, source-map reconstruction, and a report you can hand to someone else.
Free URL Scan
Fast public-surface triage before a launch, demo, or customer share.
- Public bundle and page inspection
- Secret exposure check
- Direct AI call check
- Abuse risk signal
- Instant JSON report
Deep Scan
For founders who are about to launch, take payments, connect Supabase, or put an AI endpoint in front of real users.
- Expanded URL review: checks public deployment signals, loaded bundles, source maps, and exposed endpoints together.
- Hardcoded secret detection: finds API keys and tokens sitting in source files, configs, and client-facing code.
- Supabase RLS review: looks for common RLS/auth mistakes that can expose user data or app tables.
- AI spend-risk check: flags direct browser-side AI calls and unguarded AI routes that can be abused.
- Debug + internal route sweep: looks for exposed debug, test, admin, or diagnostic endpoints that should not be public.
- Logging exposure check: catches secrets written to console output, client logs, or obvious logging paths.
- Prioritized fix list: separates urgent leaks from lower-risk cleanup so you know what to fix first.
- Evidence included: every finding points to the file, URL, route, or pattern that triggered it where possible.
- Scope statement: report says what was checked and what was not checked, so there is no fake certainty.
Feature comparison
What you get for $49 that you don't get free.
| Feature | Free | Deep Scan ($49) |
|---|---|---|
| Public bundle inspection | ||
| Common secret pattern detection | ||
| Plain-English findings | ||
Live API key validation (is the leaked key active right now?)Finds API keys and tokens sitting in source files, configs, and client-facing code. | ||
Auth-bypass probing on detected endpointsFlags direct browser-side AI calls and unguarded AI routes that can be abused. | ||
Dependency CVE audit (OSV.dev)Checks public deployment signals, loaded bundles, source maps, and exposed endpoints together. | ||
Source-map reconstruction & re-scanLooks for exposed debug, test, admin, or diagnostic endpoints that should not be public. | ||
Downloadable Markdown reportEvery finding points to the file, URL, route, or pattern that triggered it where possible. | ||
Shareable read-only report linkReport says what was checked and what was not checked, so there is no fake certainty. | ||
One free re-scan within 30 daysSeparates urgent leaks from lower-risk cleanup so you know what to fix first. | ||
Email summary + monitor upsellCatches secrets written to console output, client logs, or obvious logging paths. |
Free
$0
- Public bundle inspection
- Common secret pattern detection
- Plain-English findings
- Live API key validation (is the leaked key active right now?)
- Auth-bypass probing on detected endpoints
- Dependency CVE audit (OSV.dev)
- Source-map reconstruction & re-scan
- Downloadable Markdown report
- Shareable read-only report link
- One free re-scan within 30 days
- Email summary + monitor upsell
Deep Scan
$49
- Public bundle inspection
- Common secret pattern detection
- Plain-English findings
Live API key validation (is the leaked key active right now?)
Finds API keys and tokens sitting in source files, configs, and client-facing code.
Auth-bypass probing on detected endpoints
Flags direct browser-side AI calls and unguarded AI routes that can be abused.
Dependency CVE audit (OSV.dev)
Checks public deployment signals, loaded bundles, source maps, and exposed endpoints together.
Source-map reconstruction & re-scan
Looks for exposed debug, test, admin, or diagnostic endpoints that should not be public.
Downloadable Markdown report
Every finding points to the file, URL, route, or pattern that triggered it where possible.
Shareable read-only report link
Report says what was checked and what was not checked, so there is no fake certainty.
One free re-scan within 30 days
Separates urgent leaks from lower-risk cleanup so you know what to fix first.
Email summary + monitor upsell
Catches secrets written to console output, client logs, or obvious logging paths.
Free is for triage. Deep Scan is for evidence you can act on (or hand to someone else).
FAQ
Common questions.
- Is the free URL Scan actually free?
- Yes. The free URL Scan checks your public app surface — bundles, inline targets, and exposed patterns — at no cost. No login, no card, no wallet connection required. Automated abuse or scanning systems you do not own can still be blocked under the terms.
- What is the Deep Scan and how does it cost $49?
- Deep Scan adds live API key validation, auth-bypass probing, dependency CVE audit (OSV.dev), and source-map reconstruction on top of the free scan. Payment is one-time, $49 per scan, accepted in SOL or USDC on Solana. There is no subscription.
- What does "Live API key validation" mean?
- Deep Scan detects secret patterns in your bundle and then actively probes OpenAI, Anthropic, and Stripe to confirm whether each leaked key is currently active. A working leaked key is auto-upgraded to critical severity — because the risk is real right now, not theoretical.
- Will the Free URL Scan ever go away?
- No. The free public-surface check is designed to stay free for normal builder use. If any limit is introduced, this page will state it plainly before it affects normal scans.
- What payment methods do you accept?
- SOL and USDC on the Solana network. The checkout flow starts after a free scan and lets you upgrade in-context. No card capture required.