AUTONOMOUS SECURITY SCANNER · v4.0

Find vulnerabilities in your Singapore website before attackers do.

Point Cybersecai at your domain and get a detailed PDF report in minutes — every finding explained in plain English, with copy-paste fixes your team can actually ship.

No signup, no email — just results · Web-layer report on-screen in ~30s · Read-only · non-intrusive
4m 12s avg. scan time
312+ checks per scan
11 scan layers · from web to breach intel
0 false-positive complaints*
— 01 / WHAT WE SCAN

Nine layers, one verdict.

Free scans cover the web layer — enough to know if your site is leaking the basics. The paid scan adds seven deeper layers: browser-level interception, email security, network reconnaissance, threat-surface analysis, a full Nuclei sweep, and live IOC threat intelligence.

Most scanners check one slice of your stack. Cybersecai correlates findings across your web app, browser behaviour, network surface, and global threat feeds — so a flagged IP ties to the open port that exposes it.

Included free
WEB APP LAYER

What everyone can see.

The basics that should already be in place — and frequently aren't. Free, unlimited, on every domain you bring us.

  • SSL cert + security headers
  • Exposed paths, CORS, open redirect
SERVER VULNERABILITY CHECK

What a hacker would find knocking on every door.

Scans for thousands of known-dangerous files accidentally left on your server — old config files, backup archives, default passwords, test pages. Like a security guard checking every window and door in your building.

  • Outdated server software with known flaws
  • Default passwords and admin pages
  • Dangerous test files left behind
  • Server misconfigurations that leak info
HIDDEN ENTRY POINTS

What else is connected to your domain that you forgot about.

Maps all subdomains connected to your main website — old staging sites, test environments, admin portals, back-end services. Attackers scan for these first. We tell you what is exposed before they find it.

  • Forgotten staging and test environments
  • Admin portals accessible from the internet
  • Old subdomains still pointing to live services
  • Tech-stack fingerprinting on every host
API BACK-END CHECK

Are your app back-end doors properly locked?

Tests the invisible data pipes your mobile app and website use behind the scenes. Checks if they leak user data without proper keys, reveal too much when they error, or accept unlimited requests from anyone.

  • Unprotected data endpoints leaking user info
  • API error messages revealing internal details
  • Missing rate limits (anyone can hammer your server)
  • Old API versions still running without security
NETWORK LAYER

The surface attackers see.

Ports, services, banners, certificates — mapped, fingerprinted, and matched against the CVE database.

  • Port scan across 17 common ports
  • Service fingerprinting + banner grab
  • CVE lookup for detected services
THREAT LAYER

What you forgot to lock.

Admin doors left ajar, login pages quietly defaced, third-party scripts you stopped pinning two years ago.

  • Admin panel + directory exposure
  • Login page defacement detection
  • Subresource integrity (supply-chain risk)
NUCLEI SCANNER

The pentester's toolkit.

Hundreds of community-maintained CVE and misconfiguration templates — the same scanner professional pentesters reach for.

  • Hundreds of CVE + misconfig templates
  • Same tool professional pentesters use
  • PDF report · AI-written fixes
  • Overall grade A–F · emailed instantly
BROWSER LAYER

What runs inside the page.

Playwright headless browser intercepts every request — catching risks that static header checks miss entirely.

  • Mixed content detection (HTTP on HTTPS)
  • Auth header leakage to third-party origins
  • Clickjacking posture check
  • Cookie flags · CSRF field audit
IOC THREAT INTEL

Global reputation, in real time.

Three live threat-intelligence feeds cross-check your IP against known malicious actors, malware campaigns, and abuse reports.

  • AbuseIPDB — IP abuse confidence score
  • OTX AlienVault — malware pulse count
  • URLhaus — active malware URL index
EMAIL SECURITY

Is your email spoofable?

Checks SPF, DMARC, and MX records to see if attackers can forge emails from your domain — a top phishing vector.

  • SPF record — prevents email spoofing
  • DMARC policy — blocks forged emails
  • STARTTLS encryption — protects email in transit
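The SPF and DMARC checks above, as an added example that is not Cybersecai's own code: given the TXT record strings a domain publishes, it decides whether forged mail from that domain would pass or be rejected. It takes the records as input so it runs offline; the sample records and domain names are constructed, and a real check would fetch them with a DNS resolver first.

```python
"""Assess SPF/DMARC posture from published TXT records (added example)."""

import re


def parse_spf(txt: str) -> dict:
    """Return whether an SPF record exists and which 'all' qualifier it ends with.

    Qualifiers: '-' fail, '~' softfail, '?' neutral, '+' pass (the default).
    A record with no 'all' mechanism is reported as None (effectively neutral).
    """
    if not txt.lower().startswith("v=spf1"):
        return {"present": False, "all": None}
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    qualifier = (m.group(1) or "+") if m else None
    return {"present": True, "all": qualifier}


def parse_dmarc(txt: str) -> dict:
    """Return the DMARC policy (p=) and enforcement percentage (pct=, default 100)."""
    if not txt.lower().startswith("v=dmarc1"):
        return {"present": False, "policy": None, "pct": None}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return {"present": True, "policy": tags.get("p", "").lower() or None, "pct": pct}


def assess_spoofability(spf_txt, dmarc_txt) -> list:
    """Return a list of findings; an empty list means the domain is not trivially spoofable."""
    findings = []
    spf = parse_spf(spf_txt or "")
    dmarc = parse_dmarc(dmarc_txt or "")

    if not spf["present"]:
        findings.append("HIGH: no SPF record; any server can send as this domain")
    elif spf["all"] in (None, "+", "?"):
        findings.append("HIGH: SPF does not fail unknown senders; spoofed mail passes SPF")
    elif spf["all"] == "~":
        findings.append("MEDIUM: SPF softfail (~all); receivers may still deliver forged mail")

    if not dmarc["present"]:
        findings.append("HIGH: no DMARC record; SPF/DKIM failures are not enforced")
    elif dmarc["policy"] == "none":
        findings.append("MEDIUM: DMARC p=none is monitor-only; forged mail is still delivered")
    elif dmarc["pct"] < 100:
        findings.append(f"LOW: DMARC pct={dmarc['pct']} enforces on only a sample of mail")
    return findings


# Constructed sample records (not any real domain's DNS).
SAMPLE_RECORDS = {
    "hardened.example": (
        "v=spf1 include:_spf.example.net -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    ),
    "monitor.example": ("v=spf1 mx ~all", "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "bare.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        print(domain, assess_spoofability(spf_txt, dmarc_txt) or ["OK"])
```

The hardened sample produces no findings, the monitor-only sample produces two mediums (softfail plus p=none), and the bare sample two highs. STARTTLS, the third bullet, is a property of the mail server's SMTP session rather than of DNS, so it is outside this example.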
PASSWORD & BREACH CHECK

Your credentials — leaked or safe?

Cross-references emails against known data breaches via Have I Been Pwned, and evaluates password strength against NIST standards.

  • Breach database lookup — Have I Been Pwned
  • Password strength scoring — NIST SP 800-63B
  • Common pattern detection — dictionary checks
— 02 / HOW IT WORKS

Three steps. About four minutes.

No agents to install. No code to instrument. Just a domain — Cybersecai handles discovery, scanning, prioritization, and the write-up.

i. Point us at your domain.

Drop in a URL or upload a list. We discover subdomains, origins, and APIs — including the staging environment your team forgot about.

ii. Cybersecai runs the scan.

An autonomous agent runs 550+ checks across nine layers: your web app, browser behaviour, network surface, server vulnerabilities, hidden subdomains, forgotten admin panels, API back-end doors, threat intelligence feeds, and a comprehensive CVE scanner. Findings are deduped, ranked, and tied to real-world exploitability — not just severity scores.

iii. Get a fix-it PDF report.

Every issue comes with a plain-English explanation, the exact request that triggered it, a step-by-step fix, and a verification check you can re-run.

— 03 / THE REPORT

Built to be actionable, not impressive.

Most security reports are designed to scare a CTO into a meeting. Ours is designed for the engineer who has to fix the issue at 11pm on a Tuesday.

  • Plain-English explanations · Every finding answers: what's actually wrong, what's the worst case, and why does it matter. No jargon walls.
  • Step-by-step fixes · Copy-paste config, code diffs, and rollout notes — written for your stack (we infer it from your responses).
  • Real-world prioritization · We rank by exploitability, not severity. A medium that's reachable beats a critical that lives behind your VPN.
  • Verification checks · Re-run any single finding to confirm a fix landed. Diff-against-last-scan tells you what regressed week-over-week.
  • Auditor-ready · SOC 2 / ISO 27001 mapping baked in. Your auditor gets a section that speaks their language; your team gets the rest.
Vulnerability Report
acme.io · scan #a91f · 2026-05-09 14:03 UTC
Risk grade: D+ · 4 Critical · 3 High · 5 Medium · 1 Low

Critical · Blind SQL injection · /api/v2/search
The q parameter is concatenated into a raw SQL query. An attacker can read any row in the users table — including hashed passwords and session tokens.
FIX → switch to parameterized queries; sample diff in §4.1

Critical · Leaked production AWS key · pastebin/qK9h
An AKIA… key with s3:* permissions was posted publicly 6 days ago. Status: still active.
FIX → rotate via IAM, audit CloudTrail back to 2026-05-03

High · Subdomain takeover · staging-old.acme.io
CNAME points to a deprovisioned Heroku app. An attacker can claim the app name and host content on your domain.
FIX → remove the CNAME or re-claim the Heroku app

Medium · Missing CSP · all origins
No Content-Security-Policy header is set. Any reflected-XSS vector becomes execution.
FIX → ship the report-only policy in §5.2 for one week, then enforce
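The first finding in the sample report, as an added example that is not the report's own §4.1 diff or Cybersecai's code: the string-built query that makes the search endpoint injectable, the parameterized version that fixes it, and a verification check of the kind the report says you can re-run. It runs against an in-memory SQLite table with constructed rows; the `search_*` function names and the table layout are assumptions.

```python
"""Vulnerable vs parameterized search, with a re-runnable verification check (added example)."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "carol", "hash-c")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    # BAD: q is concatenated into the SQL text, so a quote character in q
    # changes the structure of the statement instead of being treated as data.
    sql = "SELECT name FROM users WHERE name = '" + q + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, q: str) -> list:
    # FIX: the SQL text is a constant and q is bound as a parameter; the driver
    # passes it as a value, so it can never alter what the statement does.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (q,))]


# The tautology input from the textbook case: a closing quote followed by an
# always-true condition. Used here only to verify that the fix neutralizes it.
TAUTOLOGY = "x' OR '1'='1"


def verify_fix(search, conn: sqlite3.Connection) -> bool:
    """Verification check: the search must match names exactly and nothing else.

    Returns True when a normal lookup still works and the tautology input
    matches no row (i.e. it is compared as a literal string).
    """
    return search(conn, "bob") == ["bob"] and search(conn, TAUTOLOGY) == []


if __name__ == "__main__":
    db = make_db()
    print("vulnerable :", search_vulnerable(db, TAUTOLOGY))    # every name in the table
    print("parameterized:", search_parameterized(db, TAUTOLOGY))  # []
    print("fix verified:", verify_fix(search_parameterized, db))  # True
```

The verification function is deliberately written against the search callable rather than the SQL text, so it can be re-run unchanged after a refactor; it fails for the vulnerable version and passes for the parameterized one, which is the "confirm a fix landed" check the report section describes.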
— 04 / PRICING

Three ways to scan.

Start free — unlimited web-layer scans, forever. Pay $5 once for all nine layers with a detailed PDF report. Or $39 a year to scan your domain automatically every month.

Free
$0
Get a pulse on your website. Forever.
  • Unlimited scans
  • Web app layer only
  • SSL cert + security headers
  • Exposed paths, CORS, open redirect
  • Results on-screen, no email needed
One-time scan
$5
The full pentest, once.
  • Everything in Free
  • + Browser check · clickjacking, mixed content, cookie leaks
  • + Network check · open ports, weak encryption, DNS holes
  • + Server scan · outdated software, default passwords, dangerous files
  • + Hidden entry points · forgotten subdomains, staging sites, admin portals
  • + API back-end check · data leaks, missing rate limits, old unsecured versions
  • + Threat intel · your IP checked against global abuse databases
  • 550+ checks · PDF report · plain-English fixes
— Best value
Annual
$39/year
Stay scanned. Stay ahead.
  • Everything in one-time scan
  • Unlimited scans all year
  • Scan history — track your grade over time
  • Scheduled monthly auto-scan
  • Email alert if your grade drops
  • Priority scan queue
— 05 / FAQ

Questions, answered.

Q · 01
Is the scan safe to run on production?

Yes. Cybersecai is read-only and rate-limited by default — we won't post forms, brute-force inputs, or trigger destructive actions. If you'd like a deeper, authenticated scan, you can opt in and we'll run it against staging.

Q · 02
How is this different from a traditional pentest?

Pentests are deep, manual, and quarterly. Cybersecai is broad, automated, and continuous — designed to catch the 80% of issues that show up between pentests. Most teams use both.

Q · 03
Do you store my data?

Reports and scan history are stored in your account, encrypted at rest. We never train models on your scan data. You can wipe everything in one click.

Q · 04
What stack do you support?

The scanner is stack-agnostic — we test the surface, not the source. The fix-it section auto-tunes its examples for the language and framework we detect (Node, Rails, Django, Go, Java, .NET, PHP, etc.).

Q · 05
Do I need to prove ownership of a domain I'm scanning?

For free web-layer scans, no — they're read-only and non-intrusive. For paid scans (network + threat layers) and recurring scanning, yes — DNS TXT or HTTP file verification. We won't run aggressive checks on a domain you don't control.

Your next breach is already in progress somewhere.

Free, unlimited web-layer scans. Upgrade once you want full nine-layer coverage with PDF report.

— 06 / FROM THE STUDIO

Built by HomeAuto. Shipped from Singapore.

Cybersecai is one of eight products from HomeAuto, a Singapore technology studio. Same engineering team, same opinionated craft.

+ four more on homeauto.sg — smart home, WiFi planner, StayHub, AreYouOK