MyDomainRisk checks public security signals and authenticity indicators for domains, links and online services, helping teams spot exposed infrastructure, suspicious sites and brand-abuse risk before trust is misplaced.
I want to…
Check the security posture of any domain — 50+ external checks
No password. No credit card. Just your email to receive results.
One sign-in, both apps — Free, Pro or MSP covers security and authenticity. No second subscription.
Hosted on security-certified infrastructure providers.
acmecorp.com
Security posture: critical
/ 100
CRITICAL FINDINGS
Domain can be impersonated to send phishing email — no DMARC enforcement
Critical3 employee credentials found in stealer logs — active breach risk
CriticalSubdomain hijacking vulnerability — attacker can host content on affected domain
HighTLS certificate expires in 6 days — site will show browser security warnings
High2 lookalike domains actively resolving — phishing infrastructure detected
HighNo password · No credit card · Just your email
50+
Security checks
< 60s
Scan time
Clear
Risk rating
40+
Intel sources
Surface Compliance
Every scan includes advisory compliance cards alongside the main risk rating — externally visible evidence only, not a certification audit.
UK & EU — Article 32 technical advisory. ⓘ What's checked?
Advisory only. A passing score does not constitute GDPR compliance — organisational measures, DPAs, and data retention policies are out of scope.
PCI DSS 4.0 Surface + CCPA/CPRA advisory review. ⓘ What's checked?
PCI DSS 4.0 Surface
US Privacy — CCPA / CPRA
Advisory only. Not a PCI DSS certification or a legal CCPA compliance assessment — formal audits, cardholder-data-environment scoping, and organisational controls remain out of scope.
Sample Open Source Intel Providers
A comprehensive scan covering all the externally observable security signals that matter — with no special access or agent required.
Included free
Detects employee credentials harvested by malware.
Plain-English narratives of how detected weaknesses could be exploited.
Verifies email authentication records to prevent spoofing.
One-click remediation guidance for every finding.
Finds dangling DNS records attackers could claim.
Spots lookalike domains used for brand phishing.
Detects publicly accessible cloud storage buckets.
Validates certificates, ciphers, and encryption strength.
Checks that your web server sends all major browser security headers.
Checks the externally verifiable technical measures required under GDPR Article 32.
Advisory technical checks for the US market.
We name the corporate appliance instead of saying 'TLS error'.
Flags compromised credentials from known breach databases.
Export a shareable report for leadership or auditors.
Automated weekly or monthly scans on Pro; daily schedules on MSP.
No installation. No agents. No access keys.
No password, no credit card. We send you a secure sign-in link — click it and you're in.
MyDomainRisk performs 50+ non-intrusive security checks — TLS, headers, DNS, network infrastructure, threat intelligence, breaches, exposure — in under a minute.
Review the risk rating, prioritised findings and supporting evidence in the dashboard. Pro users can download a PDF report to share with leadership or auditors.
External DNS intelligence
Every scan builds a visual map of the domain's public DNS infrastructure — nameservers, mail servers, IP addresses, PTR records, and CT log subdomains — using only publicly available data.
Network Topology
DNS map for acmecorp.com — A, NS, MX, PTR and CT log subdomains only
Non-intrusive. Built exclusively from public DNS records, certificate transparency logs, and reverse-DNS lookups. All information shown is already accessible to anyone on the public internet.
Example findings
Every finding comes with a plain-English explanation of the risk and a specific action to fix it.
What this means
There is no DMARC record published for this domain. This means any attacker can send email that appears to come from the domain — staff, customers, and partners will see the brand in the From address with no way to distinguish it from a genuine message.
How to fix it
Publish a DMARC TXT record at _dmarc.yourdomain.com starting with p=quarantine to begin collecting reports. Once all legitimate senders are confirmed in SPF and DKIM, upgrade to p=reject to block spoofed email entirely.
What this means
Three sets of employee credentials associated with this domain have been identified in infostealer malware logs. These are active, real-world exposures — the affected accounts may already be accessible to threat actors.
How to fix it
Immediately reset passwords for affected accounts and revoke any active sessions. Enable MFA on all accounts if not already enforced. Notify affected employees and review access logs for signs of unauthorised access in the preceding 90 days.
What this means
A subdomain has a dangling CNAME record pointing to a cloud service (e.g. GitHub Pages, Heroku, Netlify) where the target resource no longer exists. An attacker can claim that resource and host arbitrary content — phishing pages, malware, or credential-harvesting forms — under the affected domain.
How to fix it
Remove the dangling CNAME record from your DNS immediately. If the subdomain is still needed, reclaim the corresponding resource in the cloud platform before re-publishing. Audit all subdomains regularly for stale records.
What this means
The TLS certificate for this domain expires in under a week. When it expires, all major browsers will display a full-page security warning to visitors, blocking access until the certificate is renewed. This affects both customer trust and any automated systems that validate certificates.
How to fix it
Renew the certificate immediately through your certificate authority or hosting provider. If using Let's Encrypt, check that the auto-renewal cron job or ACME client is running correctly — it should renew automatically at 30 days remaining.
What this means
Two typosquatted domains closely resembling this domain are registered and actively resolving — meaning they are live and potentially serving content. These are commonly used to conduct phishing campaigns against your customers and employees.
How to fix it
Monitor the identified lookalike domains via threat intelligence feeds. Where feasible, register the most likely typosquat variants defensively. If a lookalike is hosting phishing content, report it to the registrar and relevant abuse contacts for takedown.
Every scan generates a full remediation plan like this — specific to the domain under review, ready to share with your team or auditors.
Not sure where to start?
Every finding in your report has a Fix with Claude button. One click opens Claude.ai with the relevant domain details already filled in. Just hit send — Claude will tell you exactly what to change, in plain English, written for the detected setup.
Every finding also links to a written guide with the exact DNS record or config value to add, instructions for the most common platforms, and how to verify the fix worked. No jargon.
GDPR Article 32
Every scan includes an advisory check of the externally verifiable technical measures required under GDPR Article 32 — at no extra cost.
HTTP requests on port 80 redirect to HTTPS, ensuring encryption in transit from the first connection.
A publicly accessible privacy policy exists at a standard path, meeting transparency obligations.
A consent management platform is detected on the homepage for obtaining lawful consent for non-essential cookies.
The homepage does not load resources over unencrypted HTTP, which would undermine HTTPS protection.
A security.txt Policy field links to a disclosure programme, supporting the ability to test and evaluate security measures.
Identifies analytics and tracking scripts — each is a data processor requiring a DPA and disclosure in your privacy policy.
This check assesses externally verifiable technical measures only. A passing result does not mean your organisation is GDPR compliant.
Full GDPR compliance also requires organisational measures that no automated domain scan can assess, including:
Article 32 of GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure security appropriate to the risk — including encryption of personal data, ability to ensure ongoing confidentiality and integrity, and a process for testing and evaluating security measures.
MyDomainRisk checks the technical measures that are observable from outside your organisation — the publicly visible signals that a Data Protection Authority or auditor could independently verify. Think of it as the first layer of your Art. 32 evidence pack, not the whole picture.
Pricing
Start free. Upgrade when you need scheduled monitoring, more domains, or deeper analysis.
One account, both apps — one subscription. Free, Pro or MSP, a single MyDomainRisk sign-in unlocks both apps — the security app (harden the external configuration of any domain you want to assess) and the authenticity app (check whether a suspicious link or supplier domain is genuine). Same non-intrusive checks underneath, different lens depending on the question you're asking. One tier, one subscription, both tools.
For checking any domain
Free
No credit card required. Start scanning immediately.
For IT teams and consultants monitoring multiple domains
Pro
Everything you need to monitor a full domain portfolio.
50 security domains · 50 scans per day · 50 history per domain
Managing multiple separate customer estates?See MSP →
No lock-in. Cancel any time, or downgrade at the end of the period and keep Pro until the billing date.
For consultancies, MSPs and agencies managing many client estates
MSP
Everything in Pro, plus Portfolio clients, branded report bundles with report checks, delegated read-only portal access, a client audit trail, and per-client Priorities work queues and Alerts.
Need more than 250 security or 150 authenticity domains? support@mydomainrisk.com
No lock-in. Cancel any time, or downgrade to Pro / Free at period end.
Do I need a credit card to try it?
No. The Free plan requires only your email address — no payment details at any point.
Will this affect my website or cause any disruption?
No. Every check is a passive, external observation — we query publicly available data and DNS records only. Nothing is sent to your server and nothing is changed.
Can I cancel my Pro subscription at any time?
Yes. You can downgrade to Free or cancel immediately from your account page. No contracts, no minimum term.
What happens to my data after a scan?
Scan results are stored against your account in line with your plan limits. You can export or delete your data at any time. See our Privacy Policy for full details.
Free for up to 5 domains. No card required. Pro plans unlock bulk scanning, scheduled monitoring, and full breach reports.
Full domain scan — free, 60 seconds