How secure is your domain from the outside? That question is harder to answer than it seems. Security insights are scattered across separate tools, technical reports and specialist sources. That takes time and makes it hard to quickly see where the real points of concern lie.
That is why we built ScanZeker.nl: a free security scanner that provides a complete picture of your domain's external security in around 30 seconds. Without an account, without cost and without storing scan results. Enter a domain name and you immediately receive a clear report with twelve security checks.
Two outputs, one scan
Each scan populates two complementary views that you can switch between with a single click. The security report shows the score per module with explanations in both plain and technical language, along with concrete recommendations. The risk map brings subdomains, services and risk paths together on an interactive canvas, so that you can see at a glance how your infrastructure looks from the outside.
The twelve security modules
ScanZeker carries out twelve independent scans on your domain. Each module focuses on a specific aspect of security and produces a score with concrete recommendations.
Website Headers (14% of the total score)
Security headers tell the browser how to handle the content of your website. ScanZeker checks Content-Security-Policy (including an effectiveness analysis for 'unsafe-inline', wildcard sources and known bypass domains), Strict-Transport-Security with max-age and preload, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy. The scan works in three layers: first a direct HTTP connection, then a real browser in case of a WAF block, and finally the Mozilla Observatory as a fallback.
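To make the header checks concrete, here is an added example in Python (it is not ScanZeker's code and does not reproduce its scoring). It evaluates one set of response headers for missing headers, 'unsafe-inline' and wildcard sources in the CSP, and HSTS max-age and preload. The headers are a constructed sample, the one-year HSTS threshold is an assumption, and the known-bypass-domain check is left out because it depends on a curated list the page does not publish.

```python
import re

# Constructed sample response headers for a hypothetical site (not a real scan).
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self' https://*.cdn.example.test; "
        "script-src 'self' 'unsafe-inline'"
    ),
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

# The six headers the module checks for; order determines report order.
EXPECTED_HEADERS = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
]

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a strong HSTS policy


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def is_wildcard_source(src):
    """True for '*' or a host wildcard such as *.cdn.test or https://*.cdn.test."""
    host = src.split("://", 1)[-1]
    return src == "*" or host.startswith("*.")


def csp_findings(value):
    """Effectiveness checks on the CSP: inline script and wildcard sources."""
    findings = []
    policy = parse_csp(value)
    # script-src falls back to default-src when it is not set explicitly
    script_src = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("csp: 'unsafe-inline' in script-src defeats inline-script protection")
    for directive, sources in policy.items():
        for src in sources:
            if is_wildcard_source(src):
                findings.append(f"csp: wildcard source {src} in {directive}")
    return findings


def hsts_findings(value):
    """Check max-age (at least one year) and the preload directive."""
    findings = []
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    max_age = int(match.group(1)) if match else 0
    if max_age < ONE_YEAR:
        findings.append(f"hsts: max-age {max_age} is below one year")
    if "preload" not in value.lower():
        findings.append("hsts: preload directive absent")
    return findings


def evaluate_headers(headers):
    """Return the list of findings for one set of response headers."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name in EXPECTED_HEADERS:
        if name.lower() not in present:
            findings.append(f"{name.lower()}: header missing")
    if "content-security-policy" in present:
        findings += csp_findings(present["content-security-policy"])
    if "strict-transport-security" in present:
        findings += hsts_findings(present["strict-transport-security"])
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options: value should be nosniff")
    return findings


if __name__ == "__main__":
    for finding in evaluate_headers(SAMPLE_HEADERS):
        print(finding)
```

On the sample above the checker reports six findings: two missing headers, the inline-script and wildcard CSP weaknesses, and the short, non-preloaded HSTS policy.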
SSL/TLS Deep Scan (18% of the total score)
The SSL/TLS module checks not only whether your certificate is valid, but assesses the entire encryption configuration. Protocol support (TLS 1.0 to 1.3), forward secrecy, OCSP stapling and known vulnerabilities such as Heartbleed, POODLE, BEAST and ROBOT are tested via the Qualys SSL Labs API. If SSL Labs is unreachable, ScanZeker performs its own TLS handshake as a fallback.
Email Security (12% of the total score)
Email spoofing is one of the most common attack methods in phishing. ScanZeker checks SPF (record presence and policy), DKIM (selectors and key strength) and DMARC (policy and reporting). In addition, MX records, MTA-STS and TLS-RPT are checked. For domains that do not send mail, a separate scoring model is applied.
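The SPF and DMARC part of this module can be illustrated with a small record parser. The block below is an added Python example, not ScanZeker's code: it takes TXT records as input (a constructed sample here, so it runs without DNS), derives the effective SPF result from the 'all' mechanism and the DMARC policy and reporting tags, and turns them into findings. DKIM and the no-mail scoring model are left out because selector discovery and MX lookups need live DNS.

```python
# Constructed TXT records for a hypothetical domain (not live DNS answers).
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

# Result produced by the 'all' mechanism for each SPF qualifier (RFC 7208).
SPF_RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt_records):
    """Presence and the effective policy of the 'all' mechanism."""
    records = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not records:
        return {"present": False}
    if len(records) > 1:
        # RFC 7208: more than one SPF record is a permanent error
        return {"present": True, "error": "multiple SPF records"}
    policy = "neutral"  # without an 'all' term the default result is neutral
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            policy = SPF_RESULT_FOR_QUALIFIER[qualifier]
    return {"present": True, "policy": policy}


def parse_dmarc(txt_records):
    """Policy, subdomain policy, percentage and aggregate reporting from DMARC."""
    records = [r for r in txt_records if r.replace(" ", "").upper().startswith("V=DMARC1")]
    if not records:
        return {"present": False}
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    return {
        "present": True,
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),  # sp defaults to p
        "reporting": "rua" in tags,
        "pct": int(tags.get("pct", "100")),
    }


def spoofing_findings(domain, txt):
    """Combine SPF and DMARC into the findings a report would show."""
    spf = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    findings = []
    if not spf["present"]:
        findings.append("spf: no record, any host may claim to send for this domain")
    elif "error" in spf:
        findings.append(f"spf: {spf['error']}")
    elif spf["policy"] in ("pass", "neutral"):
        findings.append(f"spf: 'all' term yields {spf['policy']}, forged senders are not rejected")
    elif spf["policy"] == "softfail":
        findings.append("spf: ~all softfail only; enforcement depends on DMARC")
    if not dmarc["present"]:
        findings.append("dmarc: no record, receivers cannot apply a policy")
    else:
        if dmarc["policy"] == "none":
            findings.append("dmarc: p=none monitors but does not block spoofed mail")
        if not dmarc["reporting"]:
            findings.append("dmarc: no rua address, so you receive no aggregate reports")
        if dmarc["pct"] < 100:
            findings.append(f"dmarc: policy applied to only {dmarc['pct']}% of mail")
    return findings


if __name__ == "__main__":
    for finding in spoofing_findings("example.test", SAMPLE_TXT):
        print(finding)
```

The sample domain has SPF and DMARC records but neither enforces anything: ~all is advisory and p=none only reports, which is the combination the report would flag as a spoofing risk.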
DNS Security (8% of the total score)
ScanZeker checks DNSSEC via multiple providers (Google and Cloudflare DNS over HTTPS), nameserver redundancy, SOA records, CAA records for restricting certificate issuance and RPKI route origin validation. DNSSEC prevents attackers from manipulating DNS responses, an attack that is hard to detect but can have major consequences.
Server Exposure (12% of the total score)
Via Shodan, open ports and services are identified, including control panel ports (cPanel, Plesk, Webmin) and management ports. Every port reported by Shodan is verified live via a TCP handshake. Known CVE vulnerabilities are enriched via the NVD database. Threat intelligence from AbuseIPDB and AlienVault OTX is used as a context amplifier: an elevated abuse score only counts once there is also an open service that can be concretely misused.
Technology Stack (5% of the total score)
ScanZeker identifies web servers, frameworks, CMS systems and WAF solutions via HTTP headers, HTML patterns and cookie fingerprinting. External scripts are inventoried per domain, with checks on Subresource Integrity (SRI) and supply chain risk via trust tiers. Server header information leakage and directory listing are also assessed.
Domain Security (2% of the total score)
Via WHOIS and RDAP, the domain age, registrar information, DNSSEC signing and privacy protection are checked.
Reputation Check (2% of the total score)
ScanZeker checks your domain and IP address against Google Safe Browsing, Spamhaus (ZEN and DBL), Barracuda, SURBL, URIBL, SpamCop and the Composite Blocking List. Only sources with a good reputation count; known noise sources are deliberately omitted to prevent false alarms.
Certificates (5% of the total score)
All SSL certificates that have ever been issued for your domain are checked via Certificate Transparency logs. Unexpected certificates can be a sign that someone else is trying to impersonate your organisation.
Subdomains and Infrastructure (8% of the total score)
Via three sources (Certificate Transparency, Certspotter and AlienVault OTX), subdomains are discovered. Each subdomain is checked for reachability, sensitive names (admin, staging, test) and subdomain takeover risk via dangling CNAMEs. In deep scan mode, TLS configuration, missing security headers, login page detection and Shodan host enrichment are also carried out per subdomain.
Data Breaches (10% of the total score)
Via Have I Been Pwned and HudsonRock Cavalier, it is checked whether email addresses from your domain appear in known data breaches or on computers that have been infected with password-stealing malware. A distinction is made between employees and users, because employee accounts weigh more heavily for organisational risk.
Cookies and Privacy (4% of the total score)
ScanZeker opens your site with a real browser and measures which cookies and tracking scripts are placed before a visitor has given consent. Checks are carried out on three levels: pre-consent compliance (are non-essential cookies placed before consent?), privacy profile (which tracking is active after consent?) and cookie hygiene (lifecycle, security flags, third-party domains).
Possible attack paths
ScanZeker does not only show individual findings. Signals from multiple modules are combined into possible threat scenarios. Leaked credentials combined with weak email authentication and a public login endpoint, for example, form an Account Takeover scenario. Missing SPF/DMARC in combination with no CSP header points to phishing and spoofing risk. An open database port with version detection and associated CVEs is flagged as a Server Exploitation scenario.
These attack paths are scenarios based on observable signals, not confirmed vulnerabilities. They are intended as a starting point for verification by a security professional.
How the score is calculated
The total score is a weighted average of all modules. Fundamental security measures weigh the heaviest: SSL/TLS (18%), Website Headers (14%), Email and Server Exposure (12% each), Data Breaches (10%), DNS and Subdomains (8% each), with the remaining modules weighing less. On top of the base score, a security impact correction is applied for findings that weigh more heavily than configuration alone, such as directly reachable databases or management ports. This correction can lower the score by up to 25 points.
The score also takes context into account. The same observation can have a different meaning depending on the environment. A management port on a hosting panel weighs differently than the same port on your own server. Threat intelligence signals only weigh heavily once there is also a technical foothold that can be exploited.
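The two paragraphs above describe a weighted average, a capped impact correction and context rules. The block below is an added Python example of that structure, not ScanZeker's scoring code: the module weights and the 25-point cap are taken from the text, while the per-finding penalty points, the halving for a management port on a hosting panel and the sample scores and findings are assumptions constructed for the example.

```python
# Module weights as stated in the methodology section; they sum to 100.
MODULE_WEIGHTS = {
    "ssl_tls": 18,
    "website_headers": 14,
    "email": 12,
    "server_exposure": 12,
    "data_breaches": 10,
    "dns": 8,
    "subdomains": 8,
    "technology_stack": 5,
    "certificates": 5,
    "cookies_privacy": 4,
    "domain": 2,
    "reputation": 2,
}
assert sum(MODULE_WEIGHTS.values()) == 100

MAX_IMPACT_CORRECTION = 25  # the page states the correction can lower the score by up to 25 points

# Penalty points per high-impact finding kind: assumed values for this example.
IMPACT_PENALTIES = {
    "exposed_database": 15,
    "exposed_management_port": 10,
    "elevated_abuse_score": 5,
}

# Constructed sample: per-module scores (0-100) for a hypothetical domain.
SAMPLE_SCORES = {module: 80 for module in MODULE_WEIGHTS}
SAMPLE_SCORES["email"] = 60
SAMPLE_SCORES["server_exposure"] = 40

# Constructed sample findings; context flags drive the rules below.
SAMPLE_FINDINGS = [
    {"kind": "exposed_database"},
    {"kind": "exposed_management_port", "on_hosting_panel": True},
    {"kind": "elevated_abuse_score", "open_service": False},
    {"kind": "exposed_database"},
]


def base_score(module_scores):
    """Weighted average of the per-module scores; every module must be present."""
    missing = set(MODULE_WEIGHTS) - set(module_scores)
    if missing:
        raise ValueError(f"missing module scores: {sorted(missing)}")
    return sum(module_scores[m] * w for m, w in MODULE_WEIGHTS.items()) / 100


def finding_penalty(finding):
    """Context-aware penalty for one finding."""
    kind = finding["kind"]
    points = IMPACT_PENALTIES.get(kind, 0)
    # A management port on a hosting panel weighs less than on your own server (assumed: half).
    if kind == "exposed_management_port" and finding.get("on_hosting_panel"):
        points //= 2
    # Threat intelligence only counts once there is also an open service to exploit.
    if kind == "elevated_abuse_score" and not finding.get("open_service"):
        points = 0
    return points


def impact_correction(findings):
    """Sum of penalties, capped so the correction never exceeds 25 points."""
    return min(sum(finding_penalty(f) for f in findings), MAX_IMPACT_CORRECTION)


def total_score(module_scores, findings):
    """Base score minus the capped correction, never below zero."""
    return max(0, round(base_score(module_scores) - impact_correction(findings)))


if __name__ == "__main__":
    print("base:", base_score(SAMPLE_SCORES))
    print("correction:", impact_correction(SAMPLE_FINDINGS))
    print("total:", total_score(SAMPLE_SCORES, SAMPLE_FINDINGS))
```

For the sample the base score is 72.8; the raw penalties add up to 35 (15 + 5 + 0 + 15) but the cap holds the correction at 25, giving a total of 48. The abuse-score finding contributes nothing because no open service accompanies it, which is the context rule the text describes.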
The full methodology and an account of the sources used are available at https://www.scanzeker.nl/methodologie
Privacy by design
ScanZeker collects no personal data. There are no cookies, no analytics, no accounts. Scan results are not stored. After closing the browser, the result is gone. This is a deliberate choice: we want organisations to be able to check their security without barriers and without concerns about privacy.
From scan to action
A scan is valuable, but the real value lies in the follow-up. ScanZeker provides concrete recommendations in plain language for each component. For each finding, it indicates whether it is something you can adjust yourself, something that runs via your hosting provider, or something that is part of your platform choice.
For organisations that want to go further, Secure Audit offers extensive security assessments, penetration tests and IT audits. A ScanZeker scan is a good starting point, but only covers the outside of your digital presence. Internal configuration, access management, policy and processes require a more in-depth assessment.
Try it yourself
Go to https://www.scanzeker.nl, enter your domain and see within 30 seconds how your domain scores. It is free, it is independent, and it gives you immediate insight into what could be improved.
About the author
Partner | IT Auditor