beacon

Find out if your website has the same weaknesses that caused real data breaches at other businesses.

Tell us your industry and we'll adjust the scan for what matters most to your type of business.

43% of UK businesses experienced a cyber breach last year. Most didn't know until someone else told them.
Source: UK DSIT Cyber Breaches Survey, 2025

What the scan checks

Seven independent scanners, each checking a different layer of your website's security. The scan takes 3–6 seconds and doesn't install anything on your site.

Each layer is listed with what it checks and why it matters.

Encryption (TLS)
What it checks: Protocol version, certificate validity, HSTS enforcement, HTTP→HTTPS redirect
Why it matters: Without encryption, anyone on the same network can read what your visitors type — passwords, card numbers, personal details

Email authentication
What it checks: SPF, DKIM (18 selectors), DMARC policy, DNSSEC
Why it matters: Without these records, anyone can send emails that appear to come from your domain. This is how invoice fraud works — £150M+ lost across UK law firms since 2022

Exposed files
What it checks: 25 paths including .env, .git, database backups, admin panels, API documentation
Why it matters: Misconfigured servers sometimes expose files containing passwords, API keys, or full database dumps. Twitch lost 125GB of source code this way

Security headers
What it checks: CSP, X-Frame-Options, referrer policy, permissions policy, version disclosure
Why it matters: Headers tell browsers what scripts are allowed to run and what data can be shared. Without them, a single injected script can steal everything on the page

Third-party tracking
What it checks: 20+ known trackers, session recording tools (Hotjar, FullStory, Clarity), SRI validation
Why it matters: Session recording tools capture every mouse movement and form interaction. If clients enter passport numbers or financial details, those recordings exist on someone else's servers

Forms & uploads
What it checks: Google Forms, WhatsApp links, HTTP form actions, file upload security
Why it matters: Passport copies submitted through Google Forms are stored on Google's consumer infrastructure. WhatsApp provides no audit trail and no guaranteed deletion

Cookies
What it checks: HttpOnly, Secure, SameSite flags on session and tracking cookies
Why it matters: An insecure session cookie means an attacker can log in as your user — seeing their account, their documents, their data
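As an added illustration of the security-header and cookie layers (example code written for this page, not beacon's own scanner), the following runs passive checks of the kind described above over a constructed HTTP response. The severity labels, and the rule that a cookie whose name contains "sess" is treated as a session cookie, are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    layer: str
    severity: str  # assumed labels: critical / high / medium / low / info
    detail: str


# Constructed sample response: (header, value) pairs, not captured from a real site.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Server", "nginx/1.18.0"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "_ga=GA1.2.1; Path=/; Secure; SameSite=Lax"),
]


def parse_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value}), attribute names lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_response(headers):
    """Return Findings for the header and cookie layers of a single response (passive only)."""
    present = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    findings = []
    if "content-security-policy" not in present:
        findings.append(Finding("headers", "high", "No Content-Security-Policy"))
    if "strict-transport-security" not in present:
        findings.append(Finding("tls", "high", "No HSTS header"))
    if "referrer-policy" not in present:
        findings.append(Finding("headers", "low", "No Referrer-Policy"))
    server = present.get("server", "")
    if any(ch.isdigit() for ch in server):  # a digit in Server usually means a version string
        findings.append(Finding("headers", "low", f"Version disclosed: {server}"))
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_cookie(val)
        missing = [flag for flag in ("httponly", "secure", "samesite") if flag not in attrs]
        if missing:
            sev = "high" if "sess" in name.lower() else "low"  # assumed: session cookies weigh more
            findings.append(Finding("cookies", sev, f"Cookie {name} missing {', '.join(missing)}"))
    return findings
```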

How the grades work

Each finding has a severity level. The overall grade starts at 100 and deducts points based on what we find. Two hard rules override the score: any critical finding = automatic F, and two or more high findings cap the grade at D. A site with perfect headers but an exposed database backup is not a B.

Grade scale

A: Strong
No critical or high-severity issues. Better than most.

B: Reasonable
Solid foundation, some gaps. The issues found are what attackers check first.

C: Weak
Significant weaknesses. Every issue here has caused a real breach elsewhere.

D: Poor
Serious exposure. Multiple weaknesses being actively exploited across the internet.

F: Critical
At least one finding that has caused major breaches, fines, and business closures.

Severity weights

Critical: −40 points
Automatic F regardless of other findings

High: −20 points
Two or more = grade capped at D

Medium: −8 points
Weakens posture, makes other attacks easier

Low: −2 points
Minor issue, signals low security priority

Info: 0 points
Worth knowing, no action required

Industry context

If you select an industry, severity levels adjust. For example: no DMARC on an immigration agency is bumped from high to critical because that agency sends payment instructions and case updates by email. The same finding on a restaurant stays high.
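The scoring rules above, worked through as an added example (not beacon's code): the weights and the two hard rules come from this page, while the score-to-letter thresholds and the industry override table are assumptions, with the page's DMARC/immigration case as the one known entry.

```python
# Severity weights and hard rules are taken from the page; the letter thresholds
# and the industry override table below are assumptions made for this example.
WEIGHTS = {"critical": 40, "high": 20, "medium": 8, "low": 2, "info": 0}
ORDER = ["info", "low", "medium", "high", "critical"]
LETTERS = "FDCBA"  # worst to best, used when applying the D cap

# Assumed: (industry, finding id) -> severity the finding is raised to.
# The page states one instance: no DMARC on an immigration agency becomes critical.
INDUSTRY_OVERRIDES = {
    ("immigration", "no_dmarc"): "critical",
    ("law", "no_dmarc"): "critical",
}


def adjust_severity(industry, finding_id, severity):
    """Bump a finding's severity for the selected industry; never lowers it."""
    target = INDUSTRY_OVERRIDES.get((industry, finding_id))
    if target and ORDER.index(target) > ORDER.index(severity):
        return target
    return severity


def score_to_letter(score):
    """Assumed thresholds; the page does not publish its score-to-letter mapping."""
    for letter, floor in (("A", 90), ("B", 75), ("C", 60), ("D", 40)):
        if score >= floor:
            return letter
    return "F"


def grade(findings, industry=None):
    """findings: list of (finding_id, base_severity). Returns (score, letter)."""
    score = 100
    severities = []
    for finding_id, severity in findings:
        severity = adjust_severity(industry, finding_id, severity)
        severities.append(severity)
        score -= WEIGHTS[severity]
    score = max(score, 0)
    letter = score_to_letter(score)
    # Hard rules override the arithmetic: any critical is an automatic F,
    # and two or more highs cap the grade at D.
    if "critical" in severities:
        letter = "F"
    elif severities.count("high") >= 2 and LETTERS.index(letter) > LETTERS.index("D"):
        letter = "D"
    return score, letter
```

With these assumptions, a site with nothing wrong but an exposed database backup scores 60 yet grades F, matching the rule stated above.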

115 breach precedents, all sourced

Every finding in your report is matched to a real incident where the same weakness was exploited. Not hypothetical risk — documented breaches with named companies, regulatory fines, and cited sources.

DPP Law, Merseyside (2022)
Triggered by: No MFA on admin account
Source: ICO enforcement

32.4GB of client data on the dark web. 682 clients affected. £60,000 ICO fine.

"I'm now a prisoner in my own home again. In fear of my life. My family's also."

British Airways (2018)
Triggered by: No Content-Security-Policy
Source: ICO / The Register

429,000 payment cards stolen. £20 million ICO fine.

Orion S.A. (2024)
Triggered by: No email authentication (DMARC)
Source: TechCrunch / SEC filing

$60 million in fraudulent wire transfers.

Tuckers Solicitors, London (2020)
Triggered by: No MFA on remote access, unpatched systems
Source: ICO / Law Gazette

972,191 files encrypted. 60 court bundles — including rape and murder cases — posted on the dark web. £98,000 ICO fine.

Twitch (2021)
Triggered by: Exposed configuration files
Source: The Verge

125GB of source code, streamer payment data, and internal tools leaked.

115 total precedents. 21 vulnerability categories. 100% have source URLs.
Sources: ICO, FTC, FBI IC3, court filings, peer-reviewed research

What this scan does not do

Honesty about limitations is more useful than false confidence.

This is passive analysis. beacon does not attempt authentication bypass, payload injection, or any form of exploitation. A clean scan does not mean your site is secure — it means the publicly visible configuration has no obvious weaknesses.
Third-party detection works on the initial HTML only. Scripts loaded dynamically after page render (via Google Tag Manager, for example) are not detected.
DKIM selector enumeration checks 18 common selectors. Custom selectors used by some providers won’t be found.
Cookie analysis only covers cookies set on the initial page load. Session cookies that appear after login are not captured.
The breach precedent database is manually curated and will always be incomplete. It covers the most consequential incidents, not every case.

Questions

How the scan works, technically

When you enter a domain, beacon makes standard HTTP requests to the site — the same requests any browser makes. It connects over TLS to check the encryption configuration, reads the HTTP response headers, queries DNS records for email authentication, and requests a set of common file paths that are sometimes accidentally left public.

The scan sends a standard User-Agent header identifying itself. It does not execute JavaScript, does not submit forms, does not attempt login, and does not probe for injection vulnerabilities. Everything beacon checks is information your site already serves to every visitor.

Each finding is matched against a database of 115 documented breach incidents across 21 vulnerability categories. The matching is deterministic — a missing DMARC record always maps to the email spoofing category, which contains cases like the FBI IC3 report on $55 billion in business email compromise losses and the UK solicitor invoice fraud epidemic.

If you select an industry (immigration, law, accounting, healthcare), the scan adjusts severity levels and appends industry-specific risk context to findings. A missing DMARC record on a general business website is high severity. On an immigration agency — which sends payment instructions and handles passport data by email — it becomes critical.