Security Assessment

Find out what your website is exposing.

A white-hat, evidence-backed security review of your site: HTTPS, security headers, exposed files, vulnerable libraries, and email spoofing posture — graded A–F, explained in plain English, and re-verified after the fixes.

Small-business sites are the easy targets.

Attackers automate. They do not care how small the business is — they care that nobody is watching.

Nobody has ever checked

Most small-business sites launch, change hands a few times, and never get a single security review.

Old libraries, known holes

JavaScript libraries age into publicly documented vulnerabilities while the site keeps running on them.

Files left in the open

Backup archives, config files, and version-control folders sitting on public URLs — findable by anyone who looks.

Trust is the real cost

A browser warning, a defaced page, or a leaked customer list does more damage to a small business than the fix would have cost.

Six checks, every one evidenced.

Every finding comes with the proof attached — the header, the screenshot, the CVE reference — so you never have to take our word for it.

01

HTTPS & TLS configuration

Certificate health, protocol versions, and whether every path actually forces a secure connection.

02

Security headers

The browser-level protections — content security policy, frame, sniffing, and transport rules — graded against current best practice.

03

Exposed files & paths

Passive checks for backups, config files, version-control folders, and admin paths that should never be public.

04

Vulnerable JavaScript libraries

Every script on the site checked against the public vulnerability databases, with the CVE references to prove it.

05

DNS & email security

SPF, DKIM, and DMARC posture — whether someone can send email that looks like it came from your business.

06

Graded report & fix order

A letter grade, the evidence behind every finding, and a prioritized fix list in plain English — not a scanner dump.

White-hat, consented, and re-verified.

Passive assessment with written authorization — we observe what is public, we never attack your systems.

01

Scope and consent

We confirm the domains in scope and get written authorization. Everything we do is white-hat and passive — we assess what is publicly observable, we never attack your systems.

02

The assessment runs

Our own security engine reviews the site and captures evidence for every finding — screenshots, headers, and references, archived so answers do not depend on re-scanning.

03

You get the graded report

A letter grade, what each finding means for the business, and the fix order — written for an owner, with the technical detail attached for whoever does the work.

04

Fixes get re-verified

After remediation, we re-run the assessment and issue the before/after receipt. The grade improving is the deliverable, not our word.

Standard in our builds. Standalone when it counts.

We do not sell fear. If the free audit’s security grade comes back clean, we will tell you that instead.

Built into every build

Every Website System ships with this posture as standard — headers, HTTPS, and dependency checks are part of the build, not an upsell.

Standalone when you need it

Sold on its own when there is a real reason: an incident, an insurance or compliance questionnaire, a client requirement, or a site you just inherited.

Scoped, not metered

A fixed quote before work begins, based on the size of the site and what is in scope. No subscriptions, no surprise line items.

Security assessment questions

Most questions are about what this is, what it is not, and when it is worth paying for.

Is this a penetration test?
No, and we say that plainly. A penetration test actively attacks systems to prove exploitability. This is a passive, white-hat assessment: we evaluate what is publicly observable — configuration, headers, exposed files, vulnerable libraries, DNS and email posture — with written authorization and without ever attacking your systems. For most small businesses it finds the problems that actually matter, at a fraction of pentest cost.
What do I get?
A graded report (A–F) with the evidence behind every finding — screenshots, headers, and CVE references — a plain-English explanation of what each finding means for the business, and a prioritized fix order. After fixes, a re-run and a before/after receipt.
How much does it cost?
It is scoped and quoted before work begins, based on the size of the site and what is in scope. If we build or care for your site, this posture is already included — the standalone assessment exists for sites we did not build.
Will this break or slow down my website?
No. The assessment is passive and read-only — it observes the site the way a browser does. Nothing is modified, stressed, or attacked.
When is this worth doing?
After a security scare, when an insurer or a large client sends a security questionnaire, when you inherit a site from a previous developer, or when the free audit’s security grade comes back poor and you want the full picture with evidence.
Who actually runs the assessment?
We do, on our own security engine — the same tooling we use to hold our own builds to a standard. Findings are verified by a person before they reach your report; you never get a raw scanner dump.

Not sure your site has a security problem?

Start with the free Website + System Audit — it includes a security grade. If the grade says you need the full assessment, you will know exactly why.