Free website security checks: what they cover and what they miss
“Free website security check” is one of the most-searched phrases in security, and also one of the most misunderstood. A free external scan is genuinely worth running — but only if you know precisely what it can and cannot tell you. Over-trust it and you will feel safe for the wrong reasons; dismiss it and you will ignore the cheapest risk reduction available to you.
What a free external check can see
External, non-intrusive checks read information that is already public and need no access to your systems:
- Whether your TLS certificate is valid, current, and correctly configured.
- Whether SPF, DKIM, and DMARC protect your email.
- Which HTTP security headers you send — and which you do not.
- Basic DNS hygiene and publicly visible subdomains.
- Publicly reachable services and, with deeper tooling, known vulnerabilities in the software those services advertise.
These are the issues an attacker finds first, precisely because they are visible to everyone. Closing them removes the easy opportunities, and the easy opportunities are most of the opportunities an attacker has.
Where the line falls
A non-intrusive external scan does not, and should not, do any of this:
- Log in, test passwords, or reach protected areas.
- Submit forms or change data.
- Exploit a vulnerability to prove it is real.
- See anything behind authentication or inside your network.
Those activities belong to a penetration test: an authorized, in-depth engagement where a tester actively probes your systems with permission. The free external check is the safe, lightweight first pass; the pen test is the deep, paid follow-up when you need assurance about a specific system. They answer different questions, and one is not a cheaper version of the other.
How to read the results
Treat the findings as a prioritized to-do list, not a grade. Fix the high-impact, low-effort items first — usually a missing DMARC policy, an expiring certificate, or absent security headers — and re-check after each change.
And be skeptical of any “free scan” that asks you to install software, demands broad access, or pressures you toward a paid product before it shows you anything. A legitimate external check needs nothing but your domain name.
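To make the two sections above concrete, here is an added example (not zmam.ai's code, and not fetched from any real domain) of what a non-intrusive external check does with the public data it can see, and how it turns the findings into the prioritized to-do list described above. The HTTP response headers, DNS TXT records and certificate expiry date are constructed sample values embedded inline, so the script runs offline; in a real check they would come from a plain HTTPS GET and DNS TXT lookups against the domain. DKIM is left out because verifying it needs the sender's selector name, which the domain alone does not reveal. The impact and effort scores are the example's own assumptions.

```python
"""Offline model of a non-intrusive external check (added example, not the page's own tool)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inputs. A real check would read these from the live domain.
SAMPLE_DOMAIN = "example.com"
SAMPLE_HEADERS = {  # response headers as a server might send them
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
}
SAMPLE_TXT = {  # DNS TXT records keyed by name; no _dmarc record published
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": [],
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2024, 6, 10, tzinfo=timezone.utc)  # certificate expiry


@dataclass
class Finding:
    area: str     # "tls", "email" or "headers"
    detail: str
    impact: int   # 1 (low) .. 3 (high); assumed scores, not a standard
    effort: int   # 1 (low) .. 3 (high) to fix

    @property
    def priority(self) -> int:
        # High impact and low effort sort first, matching the article's advice.
        return self.impact * 10 - self.effort


def _tags(record: str) -> dict:
    """Parse 'k=v' tokens from a DMARC or HSTS value (';' or space separated)."""
    out = {}
    for part in record.replace(";", " ").split():
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_certificate(not_after: datetime, now: datetime) -> list:
    """Expired or soon-to-expire certificate: high impact, low effort to renew."""
    days_left = (not_after - now).days
    if days_left < 0:
        return [Finding("tls", "certificate has expired", 3, 1)]
    if days_left < 14:
        return [Finding("tls", f"certificate expires in {days_left} days", 3, 1)]
    return []


def check_email_auth(domain: str, txt_records: dict) -> list:
    """SPF and DMARC from public TXT records; DKIM needs a selector, so it is skipped."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(Finding("email", "no SPF record", 3, 1))
    elif len(spf) > 1:
        findings.append(Finding("email", "multiple SPF records (receivers treat this as an error)", 3, 1))
    else:
        terms = spf[0].split()
        if "+all" in terms or "all" in terms:  # bare 'all' means '+all'
            findings.append(Finding("email", "SPF allows any sender (+all)", 3, 1))
        elif not any(t.endswith("all") for t in terms):
            findings.append(Finding("email", "SPF has no 'all' mechanism", 2, 1))
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(Finding("email", "no DMARC record", 3, 1))
    elif _tags(dmarc[0]).get("p", "none") == "none":
        findings.append(Finding("email", "DMARC policy is p=none (monitor only)", 2, 1))
    return findings


# Headers an external check expects, with assumed (impact, effort) scores.
EXPECTED_HEADERS = {
    "strict-transport-security": (3, 1),
    "content-security-policy": (2, 3),   # effective CSP takes real work
    "x-content-type-options": (1, 1),
    "x-frame-options": (2, 1),
    "referrer-policy": (1, 1),
}


def check_headers(headers: dict) -> list:
    """Report absent security headers and an HSTS max-age shorter than one year."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [Finding("headers", f"missing {name}", impact, effort)
                for name, (impact, effort) in EXPECTED_HEADERS.items() if name not in lower]
    hsts = _tags(lower.get("strict-transport-security", ""))
    max_age = hsts.get("max-age", "")
    if max_age.isdigit() and int(max_age) < 31536000:
        findings.append(Finding("headers", "HSTS max-age below one year", 2, 1))
    return findings


def prioritized_report(headers, domain, txt_records, not_after, now) -> list:
    """All findings, best fix-first order: high impact and low effort at the top."""
    findings = (check_certificate(not_after, now)
                + check_email_auth(domain, txt_records)
                + check_headers(headers))
    return sorted(findings, key=lambda f: -f.priority)


if __name__ == "__main__":
    for f in prioritized_report(SAMPLE_HEADERS, SAMPLE_DOMAIN, SAMPLE_TXT, SAMPLE_NOT_AFTER, SAMPLE_NOW):
        print(f"[{f.area}] {f.detail} (impact {f.impact}, effort {f.effort})")
```

Run against the constructed sample, the report puts the certificate that expires in nine days and the missing DMARC record at the top, the missing Content-Security-Policy next, and the two low-impact headers last; re-running after each fix is the "re-check after each change" loop from the section above. Nothing in the script authenticates, submits data or probes beyond what a browser or mail server would see, which is the boundary the page draws around a free external check.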
How zmam.ai helps
zmam.ai is a free external check built around exactly this boundary. You submit a domain and a work email, confirm the email, and receive a plain-language report of your public-configuration issues. It is non-intrusive by design — no login, no form submission, no exploitation — and sensitive findings are never published or emailed in the clear.