WAF detection
Find out which WAF or CDN sits in front of a hostname — and whether it's actually blocking. Detection is passive and works on any host. The block-mode test fires benign, attack-shaped canaries — so it only runs on domains you verify you own.
Deep inspection scan
The full audit: 40+ checks across headers, TLS, DNS, exposure and cloud posture, with an AI-written report and remediation plan.
Run a deep scan →Want this watched for you?Managed Defence
We run and tune these protections continuously across your WAF, CDN and cloud — and respond when something fires.
Book a defence review →Detectionreads a single normal response and fingerprints the edge from headers, cookies, server banners and challenge-page signatures — no attack traffic is sent, so it's safe to run against any host. We recognise Cloudflare, Akamai, Imperva, AWS, Azure, Google Cloud, F5 BIG-IP, Fastly/Signal Sciences, Sucuri, Barracuda and more.
The block-mode test proves whether those rules actually enforce. After you publish a DNS TXT record proving you control the domain, we send benign canaries that match the shape of SQLi, XSS, path traversal, command injection, Log4Shell and other classes, then report which your WAF blocks. The payloads do nothing harmful — they just trip correctly-configured rules. For a full edge, TLS and exposure audit, run the deep inspection scan.
$ ask an AI to summarise this page