Feature
170+ automated checks produce a score. The AI-powered analysis layer examines what those checks find, follows leads across discoveries, and produces the findings a human security analyst would write.
An automated scanner checks if a header exists. The deep assessment reads what is in your JavaScript, identifies what your tracking scripts do before consent loads, and determines whether your compliance claims match what is actually observable. The difference is context.
Your production JavaScript bundles are analysed for exposed API keys, hardcoded secrets, AI system prompts, internal URLs, and configuration that should not be in client-side code.
Found: sk-ant-api03-****** in app-main.js
Context: ...apiKey: "sk-ant-api03-kJ9xM2...", endpoint: "/v1/messages"...
If your source maps are publicly accessible, your entire application source code is readable: internal API routes, authentication logic, database queries, environment variable references. Every JavaScript file is checked for a corresponding .map file. If it returns valid content, the finding is CRITICAL.
Source map accessible: app.example.com/main.js.map
847 source files exposed (4.2MB). Includes: /src/api/auth.ts, /src/db/queries.ts
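An added example, in Python, of the source-map check described above; it is not the product's code. It resolves candidate .map URLs from the bundle's sourceMappingURL comment and the conventional sibling path, and raises CRITICAL only when a 200 response is a structurally valid v3 source map, so a CDN that answers every path with a 200 HTML page is not counted as exposure. The injected fetch callback, the sample site and the sensitive-path heuristic are constructed assumptions.

```python
import json
import re
from typing import Optional
from urllib.parse import urljoin

SOURCEMAP_COMMENT = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
SENSITIVE_PATH = re.compile(r"auth|/db/|quer|secret|config|\.env", re.I)  # heuristic, assumed

def candidate_map_urls(js_url: str, js_body: str) -> list:
    """Probe the sourceMappingURL comment (resolved against the bundle), then <bundle>.map."""
    urls = []
    m = SOURCEMAP_COMMENT.search(js_body)
    if m and not m.group(1).startswith("data:"):  # inline data: maps are a separate case
        urls.append(urljoin(js_url, m.group(1)))
    if js_url + ".map" not in urls:
        urls.append(js_url + ".map")
    return urls

def parse_source_map(body: bytes) -> Optional[dict]:
    """Accept only a valid v3 map, so a CDN soft-404 (200 + HTML) is not a false CRITICAL."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("version") != 3:
        return None
    if not isinstance(data.get("sources"), list) or not isinstance(data.get("mappings"), str):
        return None
    return data

def check_source_map(js_url: str, js_body: str, fetch) -> Optional[dict]:
    """fetch(url) -> (status, body_bytes) is injected so this runs offline; first real map wins."""
    for url in candidate_map_urls(js_url, js_body):
        status, body = fetch(url)
        smap = parse_source_map(body) if status == 200 else None
        if smap is None:
            continue
        return {"severity": "CRITICAL", "map_url": url, "files": len(smap["sources"]), "bytes": len(body),
                "sensitive_paths": [s for s in smap["sources"] if SENSITIVE_PATH.search(s)]}
    return None

# Constructed responses: a real map under maps/, and a soft-404 (200 + HTML) for vendor.js.map.
SAMPLE_MAP = json.dumps({"version": 3, "mappings": "AAAA;AACA",
                         "sources": ["src/api/auth.ts", "src/db/queries.ts", "src/ui/button.tsx"]}).encode()
SAMPLE_SITE = {"https://app.example.com/maps/main.js.map": (200, SAMPLE_MAP),
               "https://app.example.com/vendor.js.map": (200, b"<!doctype html><title>Not found</title>")}

def sample_fetch(url: str):
    return SAMPLE_SITE.get(url, (404, b""))
```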
Every network request is recorded from the moment your page starts loading. If tracking scripts, session recording tools, or analytics fire before the consent banner renders, the scan captures the evidence with timestamps and exact load order.
3 tracking services fire before consent:
0.4s: Google Analytics (script loaded)
0.6s: HotJar (session recording started)
1.1s: Segment (identify call sent)
2.3s: Cookie consent banner renders
Each scan is analysed individually. The AI layer follows leads, connecting discoveries across different checks. An exposed source map might reveal an internal API endpoint. That endpoint might respond without authentication. That combination is more significant than either finding alone.
Analysis chain:
Source map at /main.js.map exposes internal routes
↓ Found reference to /api/internal/admin in source
GET /api/internal/admin returns 200 without authentication
↓ Response includes user enumeration endpoint
Combined severity: CRITICAL (source code exposure + unauthenticated admin API)
Not a line in a spreadsheet. Every finding includes severity, evidence, compliance impact, and step-by-step remediation guidance specific to your stack.
Description
Source maps at app.example.com/main.js.map expose your complete application source code, including internal API routes, authentication logic, and environment variable references.
Evidence
https://app.example.com/main.js.map → 200 OK
Content: valid source map, 4.2MB, 847 source files
Compliance impact
Remediation
Block .map files at your CDN or web server.
CloudFront: Add a behavior for *.map returning 403
nginx: location ~* \.map$ { return 403; }
Vercel: Add { "source": "/(.*)\\.map", "destination": "/404" } to vercel.json rewrites
The free snapshot gives you the counts. A Monitor subscription gives you the full, AI-verified assessment, continuously.
Deep scans are part of the Monitor subscription.