MyDomainRisk
Full domain scan
Non-intrusive external scanning

PCI DSS 4.0 Surface Check — find the gaps your auditor will find.

MyDomainRisk runs an external PCI DSS 4.0 surface scan of your domain in under 60 seconds — HTTPS enforcement, TLS 1.2+ only, HSTS, CVEs, Heartbleed, exposed database ports, public cloud buckets, SMTP STARTTLS, open relay, and security.txt. Advisory only — a free pre-audit gap analysis, not a certification.

No password. No credit card. Just your email to receive results.

Built on SOC 2 Type II and ISO 27001 certified infrastructure.

acmecorp.com

Security posture: critical

34

/ 100

TLS / Certificate
18/30
Security headers
9/30
DNS / Email
7/20
Internet exposure
10/20

CRITICAL FINDINGS

!

Your domain can be impersonated to send phishing email — no DMARC enforcement

Critical
!

3 employee credentials found in stealer logs — active breach risk

Critical
!

Subdomain hijacking vulnerability — attacker can host content on your domain

High
!

TLS certificate expires in 6 days — site will show browser security warnings

High
!

2 lookalike domains actively resolving — phishing infrastructure detected

High
Scan my domain free — 60 seconds →

No password · No credit card · Just your email

40+

Security checks

< 60s

Scan time

0–100

Base score

40+

Intel sources

Surface Compliance

Every scan includes advisory compliance cards alongside the main security score — externally visible signals only, not a certification audit.

GDPR Technical BaselineFree + Pro

UK & EU — 5-check Article 32 advisory, scored 0–20. ⓘ What's checked?

  • HTTPS redirect enforcedArt. 32(1)(a)Free
  • Privacy policy accessibleArt. 13 / 14Free
  • Cookie consent mechanismePrivacy / Art. 7Free
  • No mixed contentArt. 32(1)(a)Pro
  • Vulnerability disclosure policyArt. 32(1)(d)Pro
  • Third-party tracker enumerationArt. 28 / Art. 13Pro

Advisory only. A passing score does not constitute GDPR compliance — organisational measures, DPAs, and data retention policies are out of scope.

US ComplianceFree + Pro

PCI DSS 4.0 Surface (0–24) + CCPA/CPRA (0–20). ⓘ What's checked?

PCI DSS 4.0 Surface (0–24)

  • HTTPS enforced (+3)
  • TLS 1.2+ only — no 1.0 / 1.1 offered (+3)
  • Certificate valid and not expired (+2)
  • HSTS present (+2)
  • No critical / high CVEs (+3)
  • No Heartbleed (+2)
  • No exposed database ports — MySQL / PostgreSQL / MongoDB / Redis / MSSQL / CouchDB (+2 graduated)
  • No public cloud buckets (+2)
  • Mail STARTTLS offered (+1)
  • Not an open mail relay (+2)
  • security.txt disclosure policy (+1)

US Privacy — CCPA / CPRA (0–20)

  • HTTPS enforced (+4)
  • Privacy policy present (+4)
  • 'Do Not Sell or Share' opt-out mechanism (+5)
  • Cookie consent / CMP (+4)
  • Global Privacy Control at /.well-known/gpc.json (+3)

Advisory only. Not a PCI DSS certification or a legal CCPA compliance assessment — formal audits, cardholder-data-environment scoping, and organisational controls remain out of scope.

Sample Open Source Intel Providers

Google Safe BrowsingHave I Been PwnedHudsonRockShodanOpenPhish

Everything your domain security needs

A comprehensive scan covering all the externally observable security signals that matter — with no special access or agent required.

Included free

Free

Infostealer Exposure

Detects employee credentials harvested by malware.

Free

Attack Scenarios

Plain-English narratives of how your weaknesses could be exploited.

Free

DNS Security

Verifies email authentication records to prevent spoofing.

Free

Fix It with Claude

One-click remediation guidance for every finding.

Free

Subdomain Takeover Detection

Finds dangling DNS records attackers could claim.

Free

Domain Exposure

Spots lookalike domains used for phishing against your brand.

Free

Cloud Storage Exposure

Detects publicly accessible cloud storage buckets.

Free

TLS & SSL Analysis

Validates certificates, ciphers, and encryption strength.

Free

Security Headers

Checks that your web server sends all major browser security headers.

Free

GDPR Technical Baseline

Checks the externally verifiable technical measures required under GDPR Article 32.

Free

US Compliance — PCI DSS + CCPA

Two standalone advisory scores for the US market.

Pro features
Pro

Data Breach Detection

Flags compromised credentials from known breach databases.

Pro

PDF Security Reports

Export a shareable report for leadership or auditors.

Pro

Scheduled Monitoring

Automated weekly or monthly scans with email alerts on changes.

Up and running in three steps

No installation. No agents. No access keys.

1

Enter your email

No password, no credit card. We send you a secure sign-in link — click it and you're in.

2

We run the checks

MyDomainRisk performs 40+ non-intrusive security checks — TLS, headers, DNS, network infrastructure, threat intelligence, breaches, exposure — in under a minute.

3

Get your score & report

Review your full security score and findings in the dashboard. Pro users can download a PDF report to share with leadership or auditors.

External DNS intelligence

See your domain's network topology

Every scan builds a visual map of your domain's public DNS infrastructure — nameservers, mail servers, IP addresses, PTR records, and CT log subdomains — using only publicly available data.

Network Topology

DNS map for acmecorp.com — A, NS, MX, PTR and CT log subdomains only

Live feature

Non-intrusive. Built exclusively from public DNS records, certificate transparency logs, and reverse-DNS lookups. All information shown is already accessible to anyone on the public internet.

Root domain
IP / A record
Nameserver
Mail server (MX)
CT log subdomain
Dangling CNAME (hijackable)
Click to expand
acmecorp.comRoot domain104.26.10.45A recordCloudflare, Inc.ns1.cloudflare.comNS record · 162.159.0.31Cloudflare, Inc.ns2.cloudflare.comNS record · 162.159.1.31Cloudflare, Inc.smtp.office365.comMX record (pri 0)40.107.4.2Microsoft 365www.acmecorp.comCT log subdomain · Cloudflarestaging.acmecorp.com⚠ Dangling CNAME → Heroku
Nodes are draggable and zoomable in the app · Data sourced from public DNS queries only← scroll →

Example findings

Remediation actions for acmecorp.com

Every finding comes with a plain-English explanation of the risk and a specific action to fix it.

No DMARC enforcement — domain can be spoofed
Critical

What this means

There is no DMARC record published for this domain. This means any attacker can send email that appears to come from your domain — staff, customers, and partners will see your brand in the From address with no way to distinguish it from a genuine message.

How to fix it

Publish a DMARC TXT record at _dmarc.yourdomain.com starting with p=quarantine to begin collecting reports. Once all legitimate senders are confirmed in SPF and DKIM, upgrade to p=reject to block spoofed email entirely.

Employee credentials found in stealer logs
Critical

What this means

Three sets of employee credentials associated with this domain have been identified in infostealer malware logs. These are active, real-world exposures — the affected accounts may already be accessible to threat actors.

How to fix it

Immediately reset passwords for affected accounts and revoke any active sessions. Enable MFA on all accounts if not already enforced. Notify affected employees and review access logs for signs of unauthorised access in the preceding 90 days.

Subdomain hijacking vulnerability detected
High

What this means

A subdomain has a dangling CNAME record pointing to a cloud service (e.g. GitHub Pages, Heroku, Netlify) where the target resource no longer exists. An attacker can claim that resource and host arbitrary content — phishing pages, malware, or credential-harvesting forms — under your domain.

How to fix it

Remove the dangling CNAME record from your DNS immediately. If the subdomain is still needed, reclaim the corresponding resource in the cloud platform before re-publishing. Audit all subdomains regularly for stale records.

TLS certificate expires in 6 days
High

What this means

The TLS certificate for this domain expires in under a week. When it expires, all major browsers will display a full-page security warning to visitors, blocking access until the certificate is renewed. This affects both customer trust and any automated systems that validate certificates.

How to fix it

Renew the certificate immediately through your certificate authority or hosting provider. If using Let's Encrypt, check that the auto-renewal cron job or ACME client is running correctly — it should renew automatically at 30 days remaining.

Lookalike domains actively resolving
High

What this means

Two typosquatted domains closely resembling this domain are registered and actively resolving — meaning they are live and potentially serving content. These are commonly used to conduct phishing campaigns against your customers and employees.

How to fix it

Monitor the identified lookalike domains via threat intelligence feeds. Where feasible, register the most likely typosquat variants defensively. If a lookalike is hosting phishing content, report it to the registrar and relevant abuse contacts for takedown.

Every scan generates a full remediation plan like this — specific to your domain, ready to share with your team or auditors.

Not sure where to start?

Fix It with Claude

Every finding in your report has a Fix with Claude button. One click opens Claude.ai with your domain's details already filled in. Just hit send — Claude will tell you exactly what to change, in plain English, written for your setup.

Step-by-step guides

Every finding also links to a written guide with the exact DNS record or config value to add, instructions for the most common platforms, and how to verify the fix worked. No jargon.

GDPR Article 32

GDPR Technical Baseline

Every scan includes an advisory check of the externally verifiable technical measures required under GDPR Article 32 — at no extra cost.

What we check

  • HTTPS redirect enforcedArt. 32(1)(a)Free

    HTTP requests on port 80 redirect to HTTPS, ensuring encryption in transit from the first connection.

  • Privacy policy accessibleArt. 13 / 14Free

    A publicly accessible privacy policy exists at a standard path, meeting transparency obligations.

  • Cookie consent mechanismePrivacy / Art. 7Free

    A consent management platform is detected on the homepage for obtaining lawful consent for non-essential cookies.

  • No mixed contentArt. 32(1)(a)Pro

    The homepage does not load resources over unencrypted HTTP, which would undermine HTTPS protection.

  • Vulnerability disclosure policyArt. 32(1)(d)Pro

    A security.txt Policy field links to a disclosure programme, supporting the ability to test and evaluate security measures.

  • Third-party tracker enumerationArt. 28 / Art. 13Pro

    Identifies analytics and tracking scripts — each is a data processor requiring a DPA and disclosure in your privacy policy.

Important scope statement

This check assesses externally verifiable technical measures only. A passing result does not mean your organisation is GDPR compliant.

Full GDPR compliance also requires organisational measures that no automated domain scan can assess, including:

  • Data processing agreements with all processors
  • Lawful basis documented for each processing activity
  • Records of processing activities (Art. 30)
  • Data subject rights procedures (Art. 15–22)
  • International transfer safeguards (Art. 46)
  • Staff training and access controls
  • Data breach response procedures (Art. 33)
  • Data Protection Impact Assessments where required

Where this fits in GDPR

Article 32 of GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure security appropriate to the risk — including encryption of personal data, ability to ensure ongoing confidentiality and integrity, and a process for testing and evaluating security measures.

MyDomainRisk checks the technical measures that are observable from outside your organisation — the publicly visible signals that a Data Protection Authority or auditor could independently verify. Think of it as the first layer of your Art. 32 evidence pack, not the whole picture.

Pricing

Simple, transparent pricing

Start free. Upgrade when you need scheduled monitoring, more domains, or deeper analysis.

One account, both apps — no upgrade, no extra cost. Free or Pro, a single MyDomainRisk sign-in unlocks both apps — the security app (harden the configuration of domains you own or manage) and the authenticity app (check whether a suspicious link or supplier domain is genuine). Same non-intrusive checks underneath, different lens depending on the question you're asking. One tier, one subscription, both tools.

For checking your own domain

Free

£0/month

No credit card required. Start scanning immediately.

Full domain scan — free, 60 seconds
  • 3 domains · 5 scans/day (shared with the authenticity checks) · last 5 scans per domain
  • Security score with full breakdown — TLS, headers, DNS, exposure and more
  • DNS & email security — detect if your domain can be spoofed (SPF, DMARC, DKIM)
  • Subdomain takeover detection
  • Lookalike domain detection — spot phishing infrastructure targeting your brand
  • Attack Scenarios — plain-English risk narratives from your scan findings
  • Cloud storage exposure — public S3, GCS, and Azure Blob buckets
  • Infostealer exposure — employee and user credential counts from malware logs
  • GDPR Technical Baseline — UK + EU advisory score on every scan
  • US Compliance advisory — PCI DSS Surface + CCPA/CPRA scores on every scan
  • Fix with Claude — one-click remediation guidance for every finding
Most popular

For IT teams, consultants and MSPs monitoring multiple domains

Pro

£19/month

Everything you need to monitor your full domain portfolio.

Upgrade to Pro
  • Everything in Free
  • 100 domains · 100 scans/day (shared with the authenticity checks) · 1,000 scan history
  • Automated weekly/monthly monitoring with email alerts when your posture changes
  • Data breach detection — Have I Been Pwned cross-reference on every scan
  • Infostealer full detail — infection records, internal URLs mapped by attackers, IP check
  • Track your security posture over time with scan-to-scan comparison
  • Bulk scan up to 30 domains in one run — ideal for client portfolios
  • PDF security report ready to share with leadership or auditors
  • IP reputation and page threat analysis
  • US Compliance drill-down — per-signal PCI DSS Surface table (TLS versions, exposed DB port list) + full CCPA detail (Do-Not-Sell link, GPC endpoint)
  • GDPR Technical Baseline — full Pro analysis (mixed content, tracker enumeration, disclosure policy, scored n/20 with Article mapping)

100 domains · 100 scans/day (shared with authenticity checks) · 1,000 scan history records

Frequently asked questions

Do I need a credit card to try it?

No. The Free plan requires only your email address — no payment details at any point.

Will this affect my website or cause any disruption?

No. Every check is a passive, external observation — we query publicly available data and DNS records only. Nothing is sent to your server and nothing is changed.

Can I cancel my Pro subscription at any time?

Yes. You can downgrade to Free or cancel immediately from your account page. No contracts, no minimum term.

What happens to my data after a scan?

Scan results are stored against your account in line with your plan limits. You can export or delete your data at any time. See our Privacy Policy for full details.

Ready to check your domain?

Free for up to 3 domains. No card required. Pro plans unlock bulk scanning, scheduled monitoring, and full breach reports.

Full domain scan — free, 60 seconds