Free tool · by Secure Purple

Meet Cactus.
The free scanner that shows you what attackers see.

Enter a domain. In minutes, Cactus maps your external attack surface, checks for common web exposures, and hands you a high-level security overview you can act on. No signup. No credit card. No obligation.

Free forever · Scan in ~2 minutes · No login required
What Cactus gives you

A high-level security snapshot. In minutes.

Cactus is built by our offensive security team for people who want a fast, honest read on where their web assets stand — without running their own scanner stack.

Attack surface discovery

Subdomain enumeration, DNS records, live hosts, exposed services and stale assets — all mapped from a single root domain.

TLS & certificate health

Expiry, chain issues, weak ciphers, self-signed leaf certs and misconfigured SANs across every live host it finds.

Security headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — graded and explained.

Email auth posture

SPF, DKIM and DMARC records: is your domain spoofable? Cactus tells you, in plain English, with a copy-pasteable fix.
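The spoofability verdict described above, worked as an added example that is not Cactus's own code: it grades an SPF record and a DMARC record the way a receiver would treat them, and returns a remediation snippet. The record strings, the `example.com` names and the `rua` mailbox are constructed placeholders; in practice they would be the TXT records fetched for the root domain and its `_dmarc` subdomain.

```python
"""Added example (not Cactus code): grade SPF and DMARC TXT records for spoofability.

Records are passed in as strings (None = no record), so this runs offline. The
example.com values in the fixes are placeholders, not real infrastructure.
"""
from typing import Optional, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Return the qualifier (+, -, ~, ?) on the 'all' mechanism, or None if absent."""
    if spf is None or not spf.lower().startswith("v=spf1"):
        return None
    for token in spf.split():
        if token.lower().lstrip("+-~?") == "all":
            return token[0] if token[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return None


def grade_spf(spf: Optional[str]) -> Tuple[str, str]:
    """Return (severity, reason) for an SPF record."""
    if spf is None or not spf.lower().startswith("v=spf1"):
        return "high", "no SPF record: receivers get no sender policy at all"
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        return "medium", "no 'all' mechanism: unlisted senders get a neutral result"
    if qualifier == "+":
        return "high", "'+all' authorises every sender on the internet"
    if qualifier == "?":
        return "medium", "'?all' is neutral; receivers treat it like no policy"
    if qualifier == "~":
        return "low", "'~all' softfail: relies on DMARC to actually enforce"
    return "info", "'-all' hardfail: unlisted senders are rejected"


def grade_dmarc(dmarc: Optional[str]) -> Tuple[str, str]:
    """Return (severity, reason) for a DMARC record."""
    if dmarc is None or not dmarc.lower().startswith("v=dmarc1"):
        return "high", "no DMARC record: SPF/DKIM results are never enforced"
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "none")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "medium", "p=none only monitors; spoofed mail is still delivered"
    if pct < 100:
        return "low", f"p={policy} applies to only {pct}% of failing mail"
    return "info", f"p={policy} enforced on all mail"


def email_auth_report(spf: Optional[str], dmarc: Optional[str]) -> dict:
    """Combine both grades into a verdict plus copy-pasteable fixes (placeholder values)."""
    spf_sev, spf_why = grade_spf(spf)
    dm_sev, dm_why = grade_dmarc(dmarc)
    # A domain is spoofable when DMARC does not enforce, or when SPF lets
    # anyone pass (+all), which also satisfies DMARC's SPF alignment check.
    spoofable = SEVERITY_RANK[dm_sev] >= SEVERITY_RANK["medium"] or spf_all_qualifier(spf) == "+"
    fixes = []
    if SEVERITY_RANK[spf_sev] >= SEVERITY_RANK["medium"]:
        fixes.append('example.com. TXT "v=spf1 include:<your-mail-provider> -all"')
    if SEVERITY_RANK[dm_sev] >= SEVERITY_RANK["medium"]:
        fixes.append('_dmarc.example.com. TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"')
    return {
        "spf": {"severity": spf_sev, "reason": spf_why},
        "dmarc": {"severity": dm_sev, "reason": dm_why},
        "spoofable": spoofable,
        "fixes": fixes,
    }


if __name__ == "__main__":
    # Constructed sample: softfail SPF and no DMARC, a common "monitoring only" state.
    print(email_auth_report("v=spf1 include:_spf.example.net ~all", None))
```

The DMARC grade is what decides the verdict: SPF `~all` or even `-all` without an enforcing DMARC policy still lets a forged `From:` header through, because SPF alone only evaluates the envelope sender.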

Tech fingerprint & known CVEs

Identify web stacks (nginx, Apache, Express, WordPress, Cloudflare, etc.) and flag known, publicly-disclosed CVEs against detected versions.

Shareable report

Get a clean, link-shareable report with severity-ranked findings — take it to your engineering team, your board, or your pentester.

Coverage

What Cactus actually checks

No black boxes. Here's the checklist Cactus runs against your domain on every scan.

  • Subdomain enumeration: passive sources (crt.sh, DNS, certificate transparency, common wordlists).
  • DNS record audit: A, AAAA, CNAME, MX, TXT, NS, plus wildcard and dangling-CNAME detection.
  • TLS / SSL health: expiry, chain trust, weak ciphers, TLS 1.0/1.1 fallback, HSTS preload status.
  • HTTP security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • Email auth (SPF / DKIM / DMARC): is your domain spoofable for phishing? Cactus tells you, with a remediation snippet.
  • Exposed admin / auth endpoints: /admin, /wp-admin, /phpmyadmin, basic-auth over HTTP, unprotected .git and .env.
  • Tech fingerprinting + CVEs: detect stacks and flag publicly known CVEs against identified versions.
  • Cookie & CORS hygiene: missing HttpOnly / Secure / SameSite, over-permissive CORS, wildcard origins.
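The header, cookie and CORS checks in the list above, worked as an added example that is not Cactus's own code. It grades a captured set of response headers and returns severity-ranked findings with a fix for each; the two responses at the bottom are constructed samples (one weak, one hardened), and the severity assignments and HSTS threshold are this example's own choices.

```python
"""Added example (not Cactus code): grade HTTP security headers, Set-Cookie flags
and CORS settings from a captured response. Runs offline on constructed headers."""
import re
from typing import Dict, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, a common minimum (this example's threshold)

# Header -> (severity when missing, suggested fix)
REQUIRED_HEADERS = {
    "strict-transport-security": ("medium", "Strict-Transport-Security: max-age=31536000; includeSubDomains"),
    "content-security-policy": ("medium", "start with Content-Security-Policy-Report-Only: default-src 'self'"),
    "x-content-type-options": ("low", "X-Content-Type-Options: nosniff"),
    "x-frame-options": ("low", "X-Frame-Options: DENY (or CSP frame-ancestors)"),
    "referrer-policy": ("low", "Referrer-Policy: strict-origin-when-cross-origin"),
    "permissions-policy": ("info", "Permissions-Policy: camera=(), microphone=(), geolocation=()"),
}


def grade_headers(headers: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return findings sorted by severity; headers is a list so Set-Cookie can repeat."""
    findings: List[Dict[str, str]] = []
    present: Dict[str, str] = {}
    cookies: List[str] = []

    def add(check: str, sev: str, detail: str, fix: str) -> None:
        findings.append({"check": check, "severity": sev, "detail": detail, "fix": fix})

    for name, value in headers:
        key = name.strip().lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            present.setdefault(key, value.strip())  # first occurrence wins

    # Presence checks
    for key, (sev, fix) in REQUIRED_HEADERS.items():
        if key not in present:
            add(key, sev, "header missing", fix)

    # Quality checks on headers that are present
    hsts = present.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts, re.I)
    if match and int(match.group(1)) < MIN_HSTS_MAX_AGE:
        add("strict-transport-security", "low", f"max-age {match.group(1)} is short",
            REQUIRED_HEADERS["strict-transport-security"][1])
    csp = present.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        add("content-security-policy", "medium", "CSP allows unsafe-inline/unsafe-eval",
            "move inline scripts to files or use nonces/hashes")
    xfo = present.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        add("x-frame-options", "low", f"unrecognised value {xfo!r}", "X-Frame-Options: DENY")

    # CORS
    origin = present.get("access-control-allow-origin", "")
    if origin == "*":
        add("cors", "low", "wildcard Access-Control-Allow-Origin",
            "restrict to the specific origins that need cross-origin access")
    elif origin.lower() == "null":
        add("cors", "medium", "'null' origin is allowed (sandboxed iframes, file:// pages)",
            "never allow the null origin")

    # Cookie flags
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        cname = attrs[0].split("=", 1)[0]
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append("samesite")
        if missing:
            add(f"set-cookie:{cname}", "medium", "missing " + ", ".join(missing),
                f"Set-Cookie: {cname}=...; Secure; HttpOnly; SameSite=Lax")

    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


# Constructed sample responses, not captured from any real host.
WEAK_RESPONSE = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Frame-Options", "ALLOWALL"),
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for finding in grade_headers(WEAK_RESPONSE):
        print(f"[{finding['severity']:6}] {finding['check']}: {finding['detail']} -> {finding['fix']}")
```

Against the weak sample this reports nine findings (three missing headers, a short HSTS max-age, an `unsafe-inline` CSP, a bad X-Frame-Options value, a wildcard CORS origin and two cookies with missing flags); the hardened sample produces none. Presence and quality are deliberately separate checks, because a header that is present but weak (`max-age=86400`, `'unsafe-inline'`) is easy to miss when a scanner only ticks boxes.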
How it works

Three steps. About two minutes.

Cactus is browser-based. Nothing to install, nothing to configure.

Enter a domain

Type your root domain. Cactus handles the rest — subdomains, DNS, certs, headers, email auth, exposed endpoints.

Cactus scans

Purely passive + low-noise active checks. No brute-force, no exploit payloads. Safe to run on production.

Get your report

A shareable, severity-ranked summary. Hand it to your engineers, your board, or come talk to us for a deeper pentest.

FAQ

Questions people ask before they scan.

Short answers. If yours isn't here, email ask@securepurple.com.

Is Cactus really free?

Yes. Cactus is genuinely free — no signup, no credit card, no "free trial". We built it as a community tool to help defenders and founders get a fast read on their external posture.

Is it safe to run on production?

Yes. Cactus is mostly passive (DNS, certificate transparency, public fingerprinting) plus a small amount of low-noise active checks (HEAD / GET on a handful of endpoints). It does not fuzz, brute-force or send exploit payloads.

Can I scan a domain I don't own?

Cactus only performs checks that any authorised visitor to a public site can already do (DNS lookups, certificate inspection, header reads). We still ask you to scan only assets you own or have permission to assess — it's the right thing to do.

Does it replace a pentest?

No, and we'll say so openly. Cactus gives you a high-level snapshot of your external posture. A real pentest digs into authentication, authorisation, business logic and chained exploitation. If Cactus surfaces enough to worry you, talk to us.

Do you keep my scan data?

Scan results are retained only for the duration needed to render and share your report. No scan data is sold, shared, or used for marketing. See our privacy policy for specifics.

See your attack surface in two minutes.

Free, hosted, and ready when you are. Enter your domain and let Cactus do the rest.
