Free security tools for any domain
Run a single check without spinning up the full pipeline. Same engines as the paid product — DNS, TLS, headers, email, ports, subdomains — exposed individually. No signup. No install.
- [Email Security]
DKIM, SPF & DMARC Checker
Validate your domain's email security in seconds. We check SPF mechanism strictness, DKIM record existence, DMARC policy and alignment — RFC-compliant via checkdmarc. No signup.
- [HTTP Security]
Security Headers Checker
See exactly which security headers your site sends — and which it's missing. Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Permissions-Policy, COOP/COEP/CORP — all in one check.
- [TLS / Certificate]
SSL/TLS Certificate Checker
Check certificate validity, protocol versions, cipher suites, and known TLS vulnerabilities (BEAST, POODLE, ROBOT, Heartbleed). Powered by testssl.sh.
- [Domain Info]
WHOIS Lookup
RDAP-powered domain lookup: registrar, registration date, expiry, and name servers. Works for all gTLDs and most ccTLDs.
- [DNS]
DNS Records Lookup
Resolve all DNS record types for a domain in one shot — including DNSSEC chain status. Useful for debugging propagation, SPF/DMARC TXT records, and CNAME chains.
- [Network]
Online Port Scanner
Check which ports are open and reachable on your domain from the public internet. We probe the most security-relevant ports and flag exposed databases, caches, and remote-admin services — the ones that should never face the open web.
- [HTTP Security]
CORS Misconfiguration Checker
Test whether your site's Cross-Origin Resource Sharing (CORS) policy can be abused. We send crafted Origin headers and inspect the Access-Control-Allow-Origin / Allow-Credentials response to catch the misconfigurations that let any website read your authenticated API responses.
- [Recon]
Subdomain Finder
Discover the subdomains of any domain from public Certificate Transparency logs. Every TLS certificate ever issued is logged publicly, so this surfaces the hosts — including forgotten dev, staging, and admin subdomains — that make up your real attack surface.
Why standalone tools
A full SteelSuit scan checks every category in parallel and takes about 30 seconds. Sometimes you just want one answer: is my DMARC record correct, is my certificate about to expire, which headers am I shipping. These tools run a single step from our pipeline — same parsers, same severity grading — in seconds.
Anonymous use gets you a handful of checks a day; a free account raises the cap, and a paid plan lifts it far higher and unlocks the full scan pipeline, continuous monitoring, and the REST API. Every tool here is also available via the API at POST /api/v1/integrations/tools/<slug> for CI pipelines and security automations.