Questionnaires are self-reported
A security questionnaire tells you what a supplier believes — or wants you to believe — about their own setup. It is filled in by hand, once, by someone under deadline pressure. Expired certificates, spoofable email, and forgotten exposed services don't show up in a Word document.
An external scan is the other half of due diligence: it reads the supplier's domain the way the rest of the internet does, and reports what is actually there on the day you check.
What a scan of their domain shows you
- Certificate health — whether their encryption is valid, current, and properly configured.
- Email authentication — whether their domain could be spoofed to send your finance team a convincing fake invoice.
- Exposed services — databases, admin panels, and cloud storage visible to anyone who looks.
- Web security basics — the headers and hygiene that separate a maintained site from a neglected one.
- Threat-intelligence signals — whether the domain or its infrastructure appears in phishing and abuse feeds.
- Lookalike domains — copycat registrations that could be used to impersonate them (and reach you).
No permission needed — and nothing touched
Every check is external and non-intrusive: nothing is installed, no credentials are used, and nothing touches the supplier's systems beyond what any visitor on the internet could already observe. That means you can run it during procurement without asking, the same way you'd look up their Companies House filing. Read exactly what we do and never do on our "How we scan" page.
The instant check on our homepage needs no account — paste the supplier's domain and read the result in about a minute.
From one-off check to procurement evidence
- Run the free scan on the supplier's domain before the contract is signed.
- Add the domain on the Free plan (5 domains, no card) so you keep a baseline and can see whether things improve or slip.
- On paid plans, export the PDF report for the procurement file, schedule rescans, and get alerts if a supplier's posture gets worse mid-contract.
On the other side of the table? If a client has asked about your security, see what buyers see when they scan you — and fix it before they look.