Tripline · External attack surface scanning
01 / external security scan

See what attackers see.
Fix it before they find it.

Tripline scans your SaaS from the outside — front end and back end, across your main site and its app, API, and admin subdomains — then ranks every exposure by severity with the exact steps to close it.

Scan my site — free →

Free scan · no login · no agent · results in ~90 seconds

7 · check categories
~90s · time to a full report
30+ · built-in fix guides
0 · credentials we store
02 / the problem

While you ship, they scan.

Attackers don't pick targets by size — they pick by exposure, automatically. The moment your app is public, it's being probed. The numbers are not on your side.

28.65M

Live secrets — API keys, database passwords, tokens — were leaked into public code in 2025 alone, up 34% in a year. One exposed .env is all it takes.

GitGuardian · State of Secrets Sprawl 2026

Growth in one year of attacks exploiting internet-facing edge and VPN devices (3% → 22% of exploited breaches). Anything you expose is being hit.

Verizon DBIR 2025
32 days

The median time companies take to patch a known flaw — while vulnerability-based breaches rose 34%. Your exposure window is weeks; an attacker needs minutes.

Verizon DBIR 2025
88%

Of small-business breaches involve ransomware — more than double the 39% rate at large companies. Being small makes you a better target, not a safer one.

Verizon DBIR 2025
$4.44M

Average cost of a single data breach — $10.22M in the US. A startup rarely survives even a fraction of that, plus the lost trust on launch day.

IBM · Cost of a Data Breach 2025
70%

Of leaked secrets are never rotated and stay live for years. The key you exposed months ago may still be opening every door right now.

GitGuardian · State of Secrets Sprawl
+ Legal

And then it stops being just your problem. If an attacker reaches your Stripe or Supabase, exposed payment and customer data triggers mandatory breach-notification laws and regulator scrutiny — under GDPR alone, fines reach €20M or 4% of global revenue. A leak becomes a legal and compliance event, not just a technical one.

You can't fix what you can't see.

Show me what's exposed →
03 / what we check

Front end and back end, every host.

Every check is passive and external — Tripline never logs in, runs exploits, or touches your data. It scans your main site and its app, API, and admin subdomains together, reading only what any visitor can already see.

01 / SSL · TLS

Certificate & transport

Expired or weak certificates, deprecated TLS 1.0/1.1, missing HSTS, downgrade risk.

02 / Headers

Security headers

Missing CSP, clickjacking protection and nosniff, plus dangerously permissive CORS.

03 / Secrets

Exposed files & keys

Public .env, .git, backups, source maps, and live API keys leaked in your bundle.

04 / Backend · API

Backend & API surface

Exposed Swagger/OpenAPI docs, GraphQL playgrounds, Spring actuator, debug pages, and directory listings.

05 / Email

Domain & mail auth

SPF, DKIM and DMARC gaps that let anyone send phishing mail as your domain.

06 / Services

Exposed surface

Forgotten staging sites, open admin panels, and database UIs reachable from the internet.

07 / Stack

Stack & dependencies

Outdated frameworks, CMS versions and front-end libraries with known vulnerabilities.

— / output

Every host graded

Main site and each subdomain graded, all findings ranked by severity with a plain-language fix guide. PDF ready.

04 / how we operate

Safe by design. Honest by default.

The scan is built to be safe to run on a live product and straight with you about what it finds.

Passive & external

We read only what's public. No login, no exploit, no attack on your site.

Secrets redacted

If we find a leaked key, its value is redacted and never stored in plaintext.

No fake findings

We report only what we actually detect, ranked honestly by severity.

Built for founders

One focused tool: external security scanning a non-expert can actually act on.

05 / what you get

Every finding comes with the fix.

This is a real example of one finding from a Tripline report — what it is, why it matters, and the exact steps to close it.

01 · HIGH · Exposed Secrets & Files · high confidence

Exposed .env file containing a live Stripe secret key

A .env environment file is publicly downloadable at /.env and contains a live secret key.

Why it matters

These files routinely hold live database passwords, API keys, and secret tokens. Anyone who downloads it can take over connected services.

How to fix it
  1. Remove the file from the web root immediately.
  2. Treat every secret it contained as compromised and rotate all of them now.
  3. Block dotfiles at the server: deny access to any path starting with a dot.
  4. Ensure .env is in .gitignore and never deployed to the public directory.
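An added example, not Tripline's own code: the passive check behind this finding reduced to its core logic. It tells a real .env body apart from a soft-404 HTML page, flags variables that carry credentials, and redacts their values before they reach a report (the redaction promise in section 04). The regexes, the severity rule and the sample bodies are my own constructions, not Tripline's.

```python
import re

ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
SECRET_NAME = re.compile(r'SECRET|KEY|TOKEN|PASS|PWD|PRIVATE', re.I)  # names that usually hold credentials
URL_CREDS = re.compile(r'://([^:/@\s]+):([^@\s]+)@')  # user:password@ inside a connection URL

def parse_env(body):
    """Parse .env text into {name: value}; blank lines and # comments never match ENV_LINE."""
    env = {}
    for line in body.splitlines():
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]  # strip matching quotes
        env[name] = value
    return env

def looks_like_env(body, min_vars=2):
    """Reject soft-404s: many hosts answer 200 with an HTML page for any path."""
    if '<html' in body.lower() or '<!doctype' in body.lower():
        return False
    return len(parse_env(body)) >= min_vars

def redact(value, keep=4):
    """Keep a short prefix so the owner can recognise the key; mask the rest."""
    return value[:keep] + '*' * max(len(value) - keep, 0)

def assess_env_body(body):
    """Finding for a fetched /.env body: severity, secret-bearing names, redacted values."""
    if not looks_like_env(body):
        return None
    shown, secrets = {}, []
    for name, value in parse_env(body).items():
        if SECRET_NAME.search(name):
            secrets.append(name)
            shown[name] = redact(value)
        else:  # mask the password part of any embedded connection URL
            shown[name] = URL_CREDS.sub(lambda m: '://' + m.group(1) + ':****@', value)
            if shown[name] != value:
                secrets.append(name)
    return {'severity': 'HIGH' if secrets else 'MEDIUM', 'secrets': secrets, 'variables': shown}
# Constructed sample bodies (placeholder values, not real credentials).
SAMPLE_ENV = """# app config
APP_ENV=production
export STRIPE_SECRET_KEY="sk_live_PLACEHOLDER0000"
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
"""
SOFT_404 = "<!DOCTYPE html><html><body>Page not found</body></html>"
```

The finding the page shows corresponds to `assess_env_body(SAMPLE_ENV)` returning severity HIGH with the Stripe key masked; the same body served as an HTML error page yields no finding at all.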
06 / how it works

From URL to fix list in four steps.

01

Paste your URL

One field. No account, no install, no credentials.

02

We scan from outside

Seven check categories run in parallel against what's publicly visible.

03

Get a graded report

Findings ranked by severity, each with what it is and why it matters.

04

Fix with the guide

Step-by-step remediation for non-experts. Hand it to a dev or do it yourself.

07 / pricing

Simple. Priced per scan.

Every plan returns the same full report: all findings, all seven categories, and the complete fix guide. No per-seat pricing, no contracts.

One-time
Single Scan
$99 / scan
One full external scan and fix guide. Perfect right before or after a launch.
  • 1 full external scan
  • All findings, all 7 categories
  • Step-by-step fix guide per finding
  • Branded PDF report
  • 30-day access via secure link
Get a single scan
Subscription
Daily Monitoring
$699 / mo
Re-scanned every day
Automatic daily re-scan with an alert the moment a new exposure appears.
  • Automated scan every day
  • Email alert on any new exposure
  • Always-current full report
  • Fix guidance on every finding
  • Cancel anytime
Start monitoring

Prices in USD. Daily Monitoring billed monthly. Many domains to cover? See the FAQ.

08 / questions

Answered plainly.

Yes. Every check is passive and external. Tripline only reads what any visitor can already see — response headers, TLS configuration, public DNS records, and publicly reachable files. It never logs in, runs exploits, brute-forces, or attacks your site.

No. You paste a URL. There's no agent, no OAuth, and no credentials. That's the whole point: zero setup, results in about 90 seconds.

A graded report listing every finding by severity, with a plain-language explanation of what it is, why it matters, and exact steps to fix it. Download it as a PDF and hand it to a developer or work through it yourself.

All three deliver the same full report and fix guide. Single Scan is one scan. The Scan Pack gives you four to use whenever you ship — handy for re-scanning after fixes. Daily Monitoring re-scans automatically every day and alerts you the moment something new is exposed.

No. Discovered secret values are redacted in the report and never stored in plaintext. We show you enough to confirm the exposure and tell you to rotate the key — we don't keep the key.

Yes. The Scan Pack covers any mix of domains you own, and Daily Monitoring can be added per domain. For a portfolio of sites, reach out and we'll set you up.

You just shipped.
See what you left open.

Run your first scan now and get a prioritized fix list before anyone else finds the gaps.

Scan my site →