Passive security posture scanner

See your domain the way the internet already does.

One scan checks email spoofing protection, TLS, security headers, exposed files, client-side JavaScript, and your entire public attack surface, then grades it and hands you a prioritized fix list. Nothing is touched but public data.

Scan options
  • Free
  • No signup
  • Passive & read-only

Authorized use only, scan domains you own or are explicitly permitted to test.

What one scan looks at

A full posture check across the surfaces attackers enumerate first, no agent to install, nothing to configure.

Email spoofing

DMARC, SPF, DKIM, plus MTA-STS and TLS-RPT transport security. Can a stranger send mail as you?

Headers & TLS

CSP, HSTS, clickjacking, cookie flags, CORS, certificate validity, TLS versions, HTTP/2 & HTTP/3.

Attack surface

Subdomains from CT logs, live-host resolution, issuance timeline, and subdomain-takeover fingerprints.

Client-side code

Leaked keys, known-vulnerable libraries, downloadable source maps, and DOM-XSS / eval sinks.

Legacy & history

Wayback-archived endpoints re-probed live, robots.txt path mining, and forgotten files that never got removed.

Brand & impersonation

Registered lookalike domains, mail-capable typosquats, and exposed .env/.git leaks.

How it works

Three steps. No account, nothing to install, and nothing touched but public data.

1

Start a scan

Enter a domain and hit Scan. It only reads public data (pages, headers, DNS records, and JavaScript), so it's safe to run against a live site and needs no setup.

2

Review the report

Findings stream in live as each check resolves. When it finishes you get a letter grade, A+ to F, with every result grouped by section so you can see exactly what's exposed.

3

Fix, worst first

The prioritized fix kit spells out what to change and how, most severe issues first. Apply the recommendations, then re-scan to confirm your grade climbs.

Frequently asked questions

What a free, passive scan is and what it isn't.

Is Vitreo really free?

Yes, free to use, no account, and no signup. Every scan returns a full graded report; nothing is paywalled.

What does “passive” mean? Is it safe to run against my site?

It only sends the same kind of requests a browser, a DNS lookup, or a certificate-transparency search already makes: it reads public pages, headers, DNS records, and JavaScript. It never sends exploit payloads, submits forms, brute-forces logins, or tries to break anything, so it won't disrupt or take down the target.

Do I need permission to scan a domain?

Scan domains you own or are explicitly authorized to test. Everything here is passive and uses public data, but you're still responsible for having authorization. Treat it like any other security testing.

What does one scan actually check?

Email spoofing protection (DMARC, SPF, DKIM, MTA-STS), TLS and protocol support, security headers, exposed files, and your client-side JavaScript for leaked keys, known-vulnerable libraries, downloadable source maps, and DOM-XSS sinks. It also maps your attack surface from certificate-transparency logs, checks for subdomain takeover, dead links, forgotten endpoints in the Wayback Machine, and lookalike domains. See what one scan looks at for the full list.

Is this a penetration test?

No. A penetration test actively exploits weaknesses to prove impact; this is a passive posture check that maps what's exposed and grades your configuration. It's a fast first look and a good ongoing hygiene check, but it complements a real pentest rather than replacing it. A clean grade here doesn't mean you have no vulnerabilities. Vitreo is a free product from Vullify, a vulnerability management platform; for continuous tracking and remediation of vulnerabilities across your assets, that's where Vullify comes in.

How is the grade calculated?

Each check is a finding (pass, warning, or fail) weighted by severity, from a starting score of 100 down to a letter grade (A+ to F). The report groups everything into sections and hands you a prioritized fix kit, worst first, so you know what to address before anything else.

Are my scan results private?

There's no account and no tracking. "Recent scans" is scoped to your browser: a random token is saved in your browser's local storage and only your own scans show up in that list, so other visitors can't browse what you've scanned. Anyone with a scan's link (its UUID) can still open that one report, so only share it if you mean to. Reports are deleted automatically 72 hours after a scan finishes; download the JSON if you want to keep one. Clearing your browser storage forgets the token, so your past scans drop off the list.

Can I scan an IP address or an internal host?

Public domains only. IP addresses and internal or reserved names (localhost, *.internal, or anything that resolves to a private address) are rejected, which keeps the scanner from being pointed at internal networks it can't see.

Is there a limit on how many scans I can run?

Yes. Scans are rate-limited per IP address to keep the service fair for everyone, with a per-minute limit and a daily cap. If you hit one, you'll get a clear message telling you when you can try again. The exact limits for this instance are shown on the API reference.

There's an API for that

The scanner is a REST API first, this page is just one client of it. Start a scan, stream progress over Server-Sent Events, and pull the graded report. No browser required.

  • Job-based HTTP API with live SSE progress
  • One request in, a full graded report out
  • Public by default
Read the API docs