Free Public Network Security Scan

Free tool

Passive scan of your public domain for open ports, subdomain takeover risk, and DNS posture (DNSSEC, CAA, wildcards). Safe to run against production.

  • Open ports
  • Subdomain takeover
  • DNS security
No credit card requiredProduction-safe (100% passive)No setup or code required
Trusted by 3,500+ security & engineering teams
Oracle logoShopify logoGoDaddy logoChubb logoToshiba logoMAPFRE logoBelfius logoGBG logoWEKA logoShift Technology logo

What you get for free

18 core security checks via this tool, passive scans, step-by-step remediation, security score on every result.

What Essential adds at $39/mo

+17 advanced checks, continuous monitoring, daily security score history, email alerts, GitHub SAST, board-ready PDFs, SOC 2 / ISO 27001 / PCI reports.

What this scan checks

  • Open ports exposure on common services
  • Subdomain takeover risk patterns
  • DNS security posture (DNSSEC/CAA/wildcards)

Why network exposure matters

Unnecessary open services and stale DNS records expand your attack surface. Tightening exposure at the edge and cleaning up DNS reduce both opportunistic and targeted attack paths.

How Barrion verifies this

Barrion enumerates your public attack surface from the outside in. We start by resolving your apex domain and discovered subdomains, then probe a curated set of common TCP ports to map exposed services without sending intrusive payloads or credential-guessing traffic.

For subdomain takeover, we follow every CNAME chain and compare the final target against a fingerprint set of third-party services (S3, Azure, GitHub Pages, Heroku, and others) that return takeover-indicative responses when the backing resource is gone. A subdomain only flags when the DNS still points somewhere but the upstream provider reports the resource as unclaimed.

DNS posture is checked by querying authoritative nameservers directly: we verify DNSSEC chain-of-trust, look for CAA records to restrict certificate issuance, and flag wildcard records or dangling delegations that broaden the attack surface. All checks are passive and safe to run against production.

How to reduce exposure

  • Close unused ports at the firewall or load balancer
  • Restrict admin panels by IP/VPN and enforce MFA
  • Remove orphaned CNAMEs, and add CAA restricting certificate issuance

Tool-specific questions

Is the scan intrusive?

No. We use lightweight checks on common ports and public DNS.

Why are open ports risky?

Open ports can expose services to the internet, increasing the chance of exploitation, brute force, or data exposure. Close unused ports and restrict access to reduce risk.

What is subdomain takeover?

It occurs when a DNS record (like a CNAME) points to a resource that no longer exists. Attackers can claim the resource and serve content under your subdomain. Remove stale records to prevent this.

Do I need DNSSEC and CAA?

DNSSEC helps prevent tampering with DNS responses. CAA restricts which certificate authorities can issue certs for your domain. Both improve domain integrity and reduce mis‑issuance.
Why Barrion

Built for the engineers who already have enough to fix.

Speed

Real-time results

Instant analysis with a detailed report. You see findings as the scan runs, not after.
Coverage

Comprehensive checks

35+ checks per scan covering TLS, headers, CORS, cookies, DNS, email auth, and more, in a single pass.
Action

Step-by-step fixes

Every finding ships with the exact remediation step for your framework. Hand it to the engineer who owns the surface.
Other tools

More free checks, for the rest of your surface.

Complete Security Scan

Complete website security analysis with comprehensive vulnerability detection

Pre-Pentest Security Scan

Passive scan that catches the misconfigurations a pentester finds first. Use it before a manual engagement to clear the easy issues.

Security Compliance Checker

Check compliance with PCI DSS, HIPAA, SOC 2, ISO 27001, and GDPR. Get compliance readiness reports.

WAF Checker

Detect Web Application Firewall presence through passive header analysis. Identify WAF/CDN providers.

Security Headers Test

Check your website's HTTP security headers configuration

TLS/SSL Security Checker

Validate your SSL/TLS configuration and certificate setup
Browse all security tools →
FAQ

Frequently asked.

What is Barrion and how does it enhance website security?
Barrion is a security testing and monitoring platform for engineering teams, covering three products: passive DAST that continuously watches your live web apps and APIs, SAST via GitHub that scans your codebase for secrets, insecure patterns and vulnerable dependencies, and AI pentesting that runs active, agent-driven attacks with proof-of-exploit. Findings come with step-by-step fixes you can ship immediately.
How safe is Barrion to use for security testing?
Every default Barrion scan is 100% passive and read-only. We never submit forms, brute-force endpoints or interact with state-changing routes, so it's safe to run against production.
What types of security issues does Barrion identify?
Barrion is a security testing and monitoring platform, so coverage spans three surfaces. Passive DAST flags misconfigurations across TLS/HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF/DKIM/DMARC), network exposure and common web hygiene issues. SAST via GitHub finds secrets in code, insecure patterns and vulnerable dependencies. AI pentesting adds exploitable findings like SQL injection, XSS and broken access control with proof-of-exploit.
What specific security checks does Barrion perform?
Barrion checks TLS/HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues, then prioritises them by severity with clear remediation.
What is Barrion's smart crawling?
Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.
How often does Barrion perform security scans?
Manual scans on demand. Continuous monitoring runs automatically on Essential (weekly+) and Business (daily), and alerts you the moment a new issue appears.
Is Barrion suitable for security testing of all business sizes?
Yes. Barrion is a security testing and monitoring platform, with passive DAST, SAST via GitHub and AI pentesting available to solo developers, startups, scale-ups and enterprise security teams alike, without adding headcount.
How does Barrion handle data security and privacy during security testing?
Scans are passive and read-only by default, and we never store or expose sensitive data from your application. Pentests are rate-limited and non-destructive, designed to confirm exploitability without altering data or affecting availability.
What if I'm not satisfied with Barrion's security testing service?
Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.
How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?
Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.

Anything else? Email contact@barrion.io.

Run a full report on your site.

Free first scan covers every check, no signup needed. Sign up to save the report and turn on continuous monitoring.

Get free reportSee pricing