Full transparency

How SecuriSky Scans Work

Every finding includes a confidence level and methodology explanation. No black boxes — you know exactly what was checked and how.

Scan Process

1. HTTP Fetch

We request your deployed URL exactly as a visitor would — no source code access, no repo access, no credentials.

2. Parallel Analysis

27+ scanner modules run simultaneously against the response: HTML, headers, JS bundles, API endpoints, routes.

3. AI Classification

Product DNA analysis classifies your product's maturity, audience, and business model using an LLM (with a regex fallback).

4. Scoring

Findings are weighted across 6 categories into a composite score (0-100) with a letter grade (A-F).

5. Remediation

AI generates context-specific fix prompts and code snippets ready for Cursor, Lovable, or ChatGPT.

Scanner Modules by Category

Security

Weight: 30%

API Key Leak Detection

Scans JS bundles for 30+ token patterns (Stripe, OpenAI, AWS, Supabase, Firebase, GitHub). Matches against known prefix formats.

FPR: < 2% for CONFIRMED, ~5% for POSSIBLE
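As an added illustration of the prefix-based matching and the CONFIRMED/POSSIBLE split described above (example code written for this page, not SecuriSky's own scanner), the following Python scans a constructed bundle excerpt for a handful of documented token prefixes. The prefixes are the providers' published formats; the body lengths, the MIN_BODY cutoff and the sample bundle are assumptions made here, and the AWS value is the example key from AWS's own documentation. It reports a redacted form only, which is what a pre-deploy check on your own bundle should do.

```python
"""Scan a JS bundle for leaked API tokens and label each hit with a confidence."""
import re
from dataclasses import dataclass

# Provider -> (prefix regex, body charset, expected body length).
# Prefixes are the publicly documented formats; the lengths are assumptions
# for this example, and this is a small subset of the 30+ patterns described.
TOKEN_SPECS = {
    "stripe_secret":  ("sk_(?:live|test)_", "[A-Za-z0-9]", 24),
    "aws_access_key": ("AKIA", "[0-9A-Z]", 16),
    "github_pat":     ("ghp_", "[A-Za-z0-9]", 36),
    "openai_key":     ("sk-", "[A-Za-z0-9]", 48),
    "google_api_key": ("AIza", r"[0-9A-Za-z_\-]", 35),
}
MIN_BODY = 8  # assumed cutoff: shorter bodies are mostly CSS classes/placeholders

# A token must not be glued to other identifier characters on either side.
_LEFT = r"(?<![A-Za-z0-9_\-])"
_RIGHT = r"(?![A-Za-z0-9_\-])"

_COMPILED = {
    name: re.compile(f"{_LEFT}({prefix})({charset}{{{MIN_BODY},}}){_RIGHT}")
    for name, (prefix, charset, _) in TOKEN_SPECS.items()
}


@dataclass(frozen=True)
class Finding:
    provider: str
    confidence: str  # "CONFIRMED" (full documented shape) or "POSSIBLE" (prefix only)
    line: int
    redacted: str    # prefix plus four characters; the full secret is never reported


def scan_bundle(source: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in _COMPILED.items():
            expected = TOKEN_SPECS[name][2]
            for m in rx.finditer(line):
                prefix, body = m.group(1), m.group(2)
                # Exact documented length is direct evidence; any other length
                # is only a prefix-shaped signal and gets the weaker label.
                conf = "CONFIRMED" if len(body) == expected else "POSSIBLE"
                findings.append(Finding(name, conf, lineno, f"{prefix}{body[:4]}..."))
    return findings


# Constructed minified-bundle excerpt. Every token is fake; the AWS value is
# the example access key from AWS's documentation.
SAMPLE_BUNDLE = "\n".join([
    "const stripe=Stripe('sk_live_" + "A" * 24 + "');",      # CONFIRMED
    "const aws={accessKeyId:'AKIAIOSFODNN7EXAMPLE'};",        # CONFIRMED
    "const key='sk_test_REPLACEME';",                         # POSSIBLE: placeholder-length body
    ".sk-spinner{animation:spin 1s linear infinite}",         # not flagged: body below MIN_BODY
    "fetch('/api/chat',{headers:{Authorization:'Bearer '+token}})",
])

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.provider} [{f.confidence}] {f.redacted}")
```

The `sk-spinner` line shows why the minimum body length matters: without it, every CSS spinner class would surface as a POSSIBLE OpenAI key, which is exactly the kind of indirect signal that puts POSSIBLE findings at a higher false-positive rate than CONFIRMED ones.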

Supabase RLS Audit

Tests Row Level Security status via REST API probing. Checks for service_role key exposure and public table access.

FPR: < 1%

Firebase Security

Tests Realtime Database public read, Firestore unauthenticated list, Storage public access.

FPR: < 1%

Security Headers

Audits 13 headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Detects leaky headers (Server, X-Powered-By).

FPR: 0% — header presence is binary

Sensitive Route Scanner

Probes 30+ paths: .env, /admin, /wp-admin, /debug, /phpinfo, /_next/static/env.js, /api/*/config.

FPR: ~3% — some custom routes return 200 for all paths

AI Endpoint Scanner

Discovers AI endpoints (/api/chat, /api/completions) and tests prompt injection with 3+ payloads.

FPR: ~8% — some endpoints have legitimate 200 responses

CORS Misconfiguration

Tests for reflect-credentials, reflect-origin, wildcard, null-origin CORS patterns.

FPR: < 1%

TLS/SSL Audit

Checks for missing TLS, weak cipher suites, expired certificates, HSTS strength.

FPR: 0%

Git Exposure

Probes for exposed .git directories and source control leaks.

FPR: 0%

Dependency Exposure

Checks for exposed package.json, requirements.txt, Gemfile with version information.

FPR: < 1%

Rate Limit Probe

Tests if API endpoints enforce rate limiting under rapid request sequences.

FPR: ~10% — WAFs may interfere

CSP Deep Analysis

Analyzes Content Security Policy for unsafe-inline, unsafe-eval, overly permissive domains.

FPR: 0% — policy analysis is deterministic
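The header audit above, the CSP deep analysis, and the HSTS strength check from the TLS/SSL module can all be reproduced offline against a captured response. The following is an added example, not SecuriSky's code: it encodes only the six headers and two leaky headers the page names (not the full 13), a small CSP directive parser, and an HSTS check that assumes a one-year minimum max-age, and runs them over constructed weak and hardened header sets.

```python
"""Offline audit of one response's security headers, CSP and HSTS."""
from dataclasses import dataclass, field

# Only the six headers the page names are encoded here (it audits 13 in total).
REQUIRED_HEADERS = [
    "content-security-policy", "strict-transport-security", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
]
LEAKY_HEADERS = ["server", "x-powered-by"]  # disclose stack details
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


@dataclass
class HeaderReport:
    missing: list[str] = field(default_factory=list)
    leaky: dict[str, str] = field(default_factory=dict)
    csp_issues: list[str] = field(default_factory=list)
    hsts_issues: list[str] = field(default_factory=list)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split 'directive src src; directive ...' into directive -> sources."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def analyze_csp(value: str) -> list[str]:
    policy = parse_csp(value)
    issues = []
    if "default-src" not in policy:
        issues.append("no default-src fallback")
    for directive in ("default-src", "script-src"):
        for src in policy.get(directive, []):
            s = src.lower()
            if s in ("'unsafe-inline'", "'unsafe-eval'"):
                issues.append(f"{directive} allows {src}")
            elif s in ("*", "http:", "https:", "data:"):
                issues.append(f"{directive} allows overly permissive source {src}")
            elif "*" in s:
                issues.append(f"{directive} allows wildcard host {src}")
    default_srcs = [x.lower() for x in policy.get("default-src", [])]
    if "object-src" not in policy and "'none'" not in default_srcs:
        issues.append("object-src not restricted (plugin content can load)")
    return issues


def analyze_hsts(value: str) -> list[str]:
    issues = []
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                issues.append("max-age is not an integer")
    if max_age < ONE_YEAR:
        issues.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        issues.append("includeSubDomains missing")
    return issues


def audit_headers(headers: dict[str, str]) -> HeaderReport:
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    report = HeaderReport()
    report.missing = [n for n in REQUIRED_HEADERS if n not in h]
    report.leaky = {n: h[n] for n in LEAKY_HEADERS if n in h}
    if "content-security-policy" in h:
        report.csp_issues = analyze_csp(h["content-security-policy"])
    if "strict-transport-security" in h:
        report.hsts_issues = analyze_hsts(h["strict-transport-security"])
    return report


# Constructed header sets: a typical weak deployment and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Next.js",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://*.example-cdn.net; img-src *",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs))
```

Presence checks like these are deterministic, which is why the page can quote a 0% false-positive rate for them; the judgement calls live in the CSP source analysis, where a wildcard CDN host may be intentional and is reported for review rather than treated as proof of a problem.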

Accessibility

Weight: 16%

WCAG 2.1 AA Check

Checks alt text, form labels, lang attribute, color contrast indicators, focus management, keyboard trap detection.

FPR: ~5% — contrast estimation from CSS is approximate

Conversion

Weight: 15%

CRO Signal Scanner

Evaluates value propositions, social proof, trust signals, urgency elements, CTA quality.

FPR: ~15% — subjective elements vary

Onboarding Friction

Detects signup/login friction, multi-step forms, paywall placement issues.

FPR: ~10%

Pricing Clarity

Analyzes pricing page structure, comparison tables, value proposition clarity.

FPR: ~12%

Performance

Weight: 15%

Performance Scanner

Measures page size, unoptimized images, render-blocking scripts, compression, font loading.

FPR: ~3%

UX

Weight: 12%

UX Friction Scanner

Evaluates CTA visibility, navigation complexity, form UX, mobile responsiveness, empty states, error messages.

FPR: ~12%

Design Originality

Detects template/boilerplate usage by comparing CSS patterns against common Shadcn/Tailwind defaults.

FPR: ~8%

Tech Currency

Identifies deprecated frameworks, old React patterns, jQuery, IE-specific code.

FPR: ~5%

SEO

Weight: 12%

SEO Foundation

Audits meta tags, Open Graph, structured data, heading hierarchy, readability (Flesch score), canonical tags.

FPR: 0% — tag presence is binary

Scoring Algorithm

Composite Score (0-100)

Each finding deducts points from its category. Categories are weighted and summed into a composite score.

  • Security: 30%
  • Accessibility: 16%
  • Conversion: 15%
  • Performance: 15%
  • UX: 12%
  • SEO: 12%

Security Gates

  • 1+ critical security finding → score capped at 59 (D grade max)
  • 3+ critical findings → score capped at 35 (F grade)
  • Security category < 60 → composite capped at 64 (C grade max)
  • Security category < 75 → composite capped at 79 (B grade max)

Severity Levels

  • Critical: -20 pts per finding (max -60). Immediate exploitation risk. Data breach, API key exposure, RLS disabled with public data.
  • High: -10 pts per finding (max -30). Significant risk. Missing critical headers, CORS misconfiguration, exposed admin routes.
  • Medium: -5 pts per finding (max -15). Moderate risk or significant UX/conversion issue. Weak CSP, no rate limiting, poor CTA.
  • Low: -2 pts per finding (max -8). Minor issues. Informational security findings, minor SEO gaps, small UX improvements.
  • Info: 0 pts. Observations only. Stack detection, product DNA classification, no score impact.
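Worked example of the scoring algorithm, severity deductions and security gates described in this section (added here; not SecuriSky's implementation). It assumes that each severity's maximum deduction applies per category, that a category score is 100 minus its deductions, and a D/F boundary at 40 that the page does not state; the findings are constructed to show how a single critical finding drags an otherwise strong scan down to a D.

```python
"""Composite score, security gates and letter grade for a set of findings."""
from collections import Counter
from dataclasses import dataclass

# Category weights from the page (sum to 1.0).
WEIGHTS = {
    "security": 0.30, "accessibility": 0.16, "conversion": 0.15,
    "performance": 0.15, "ux": 0.12, "seo": 0.12,
}
# Severity -> (points deducted per finding, most that severity can deduct).
# Assumption: the cap applies per severity within one category.
SEVERITY = {
    "critical": (20, 60), "high": (10, 30), "medium": (5, 15),
    "low": (2, 8), "info": (0, 0),
}


@dataclass(frozen=True)
class Finding:
    category: str
    severity: str


def category_score(findings: list[Finding], category: str) -> int:
    """Start at 100 and deduct per finding, honouring each severity's cap."""
    counts = Counter(f.severity for f in findings if f.category == category)
    deduction = sum(min(n * SEVERITY[sev][0], SEVERITY[sev][1])
                    for sev, n in counts.items())
    return max(0, 100 - deduction)


def composite_score(findings: list[Finding]) -> int:
    """Weighted sum of category scores, then the security gates as hard caps."""
    cats = {c: category_score(findings, c) for c in WEIGHTS}
    raw = sum(WEIGHTS[c] * cats[c] for c in WEIGHTS)
    criticals = sum(1 for f in findings
                    if f.category == "security" and f.severity == "critical")
    caps = [100]
    if criticals >= 1:
        caps.append(59)  # at best a D
    if criticals >= 3:
        caps.append(35)  # F
    if cats["security"] < 60:
        caps.append(64)  # at best a C
    if cats["security"] < 75:
        caps.append(79)  # at best a B
    return min(round(raw), *caps)


def letter_grade(score: int) -> str:
    """Bands implied by the gates (79 = B max, 64 = C max, 59 = D max).
    The page does not state the D/F boundary; 40 is an assumption here."""
    for floor, grade in ((80, "A"), (65, "B"), (60, "C"), (40, "D")):
        if score >= floor:
            return grade
    return "F"


# Constructed findings: one critical and two high in security, plus minor
# issues elsewhere. The weighted sum is 87, but the gates cap it at 59.
SAMPLE = [
    Finding("security", "critical"), Finding("security", "high"),
    Finding("security", "high"), Finding("performance", "medium"),
    Finding("seo", "low"), Finding("seo", "low"), Finding("seo", "low"),
    Finding("accessibility", "info"),
]

if __name__ == "__main__":
    for label, fs in (("as scanned", SAMPLE), ("critical fixed", SAMPLE[1:])):
        s = composite_score(fs)
        print(f"{label}: security={category_score(fs, 'security')} "
              f"composite={s} grade={letter_grade(s)}")
```

Removing the one critical finding lifts the security category from 60 to 80, which clears both the critical-count gate and the under-75 gate, and the composite goes from 59 (D) to 93 (A). That is the mechanism behind the page's "fastest wins" framing: the gates make the handful of critical public-surface findings worth more than every cosmetic fix combined.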

Confidence Levels

Every finding includes a confidence rating that tells you how certain the detection is.

CONFIRMED

Direct evidence captured from live response. False positive rate: ~0%.

Example: Actual API key prefix found in JS bundle

POSSIBLE

Indirect signal detected. False positive rate: ~5%.

Example: Pattern match suggests RLS may be disabled

UNVERIFIED

Weak signal. Manual verification recommended. False positive rate: ~15%.

Example: Admin route returned 200 but content unclear

What SecuriSky Does NOT Check

SecuriSky is a black-box external scanner. It analyzes your deployed app the same way an attacker or visitor would. This means the following are out of scope:

  • Source code analysis — we never access your repository or codebase
  • Database internals — we cannot check your database schema, queries, or stored data
  • Authentication logic — we test the login page surface but cannot audit auth logic (JWT validation, session management, etc.)
  • Server-side business logic — payment processing, data transformations, background jobs
  • Infrastructure configuration — Docker setup, cloud IAM policies, network ACLs
  • Dependency vulnerability scanning — we don't run npm audit or Snyk-style CVE checks
  • Penetration testing — we do not attempt exploitation beyond passive probing

Recommendation

Use SecuriSky alongside manual penetration testing, dependency scanning (Snyk/npm audit), and code review. SecuriSky covers the public-facing surface — the fastest wins — while deeper audits cover the rest.

Financial Impact Estimates

Each finding includes an estimated financial impact. Here is how we calculate it:

Security Findings

Scaled estimates based on IBM Cost of a Data Breach Report 2024 (global avg $4.88M), Verizon DBIR 2024, and Ponemon Institute 2024 SMB data ($108K–$1.4M for small SaaS). Actual range for SaaS under $5M ARR: typically $50K–$500K.

UX / SEO / Performance / Conversion Findings

Estimated monthly revenue loss based on SaaS conversion and retention benchmarks (Baremetrics, ChartMogul 2024). Calculated by applying industry-average impact rates for the issue type against a median SaaS MRR of $10K–$50K.

These are estimates, not guarantees. Actual financial impact depends on your traffic, revenue, and specific business context.
