AI white-hat pen test
See what an attacker can already read from your site
HatTest scans your website — or the API / database backend behind your app — for what an attacker can already reach. Paste a URL for a free severity scoreboard; unlock the full findings and evidence when you’re ready. No signup to scan.
How it works
Start free and anonymous. Pay and verify only when you want the details.
Paste your URL
Any website — or the REST / GraphQL / BaaS backend behind your mobile or SPA app.
See your scoreboard — free
A strictly-passive recon pass returns a severity scoreboard: how many issues and how serious. Details stay hidden. No signup.
Pay, then verify
One $100 payment for the report, then prove the domain is yours with a meta tag or DNS record. You’re only charged after ownership checks out.
Get the full report
Every finding with its evidence and a plain-English explanation.
What we find
Deterministic checks with evidence on every confirmed finding. Trust over coverage — we classify by role and sensitivity, so public-by-design things never cry wolf.
A Supabase service_role or secret API key shipped to the browser hands an attacker your whole database. We classify keys by role — public, client-safe keys aren’t findings, so you don’t get false alarms.
Backend tables that answer an anonymous request with data they shouldn’t — the classic Supabase / PostgREST exposure behind many app breaches.
Deeper authenticated RLS-efficacy testing is in active development.
Every confirmed finding shows the exact artifact an attacker would see.
Public-by-design keys and endpoints are never flagged — only real, privileged exposure.
No repo, no agent, no access. We never run your code — or anyone’s.
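As an added illustration of the role-based key classification described above (example code, not HatTest's own): legacy Supabase API keys are JWTs whose payload carries a role claim, anon for the client-safe key and service_role for the key that bypasses row-level security, so a scanner can tell the two apart without ever using the key. The sample keys and the JavaScript bundle below are constructed and unsigned, and the sb_publishable_ / sb_secret_ prefix check for the newer key format is an assumption.

```python
import base64
import json
import re

# Legacy Supabase keys are JWTs whose payload carries "role": "anon"
# (public, client-safe) or "role": "service_role" (bypasses RLS).
# Newer keys use a prefix instead (assumption: sb_publishable_ / sb_secret_).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify_supabase_key(key: str) -> str:
    """Return 'public', 'privileged' or 'unknown' for a candidate key.
    The signature is NOT verified: only the role claim is read."""
    if key.startswith("sb_publishable_"):
        return "public"
    if key.startswith("sb_secret_"):
        return "privileged"
    parts = key.split(".")
    if len(parts) != 3:
        return "unknown"
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "unknown"
    if not isinstance(payload, dict) or payload.get("iss") != "supabase":
        return "unknown"
    role = payload.get("role")
    if role == "anon":
        return "public"
    if role == "service_role":
        return "privileged"
    return "unknown"

def find_privileged_keys(bundle: str) -> list:
    """Scan shipped JavaScript for JWT-shaped tokens; report only privileged ones."""
    return [k for k in JWT_RE.findall(bundle) if classify_supabase_key(k) == "privileged"]

def _make_key(role: str) -> str:
    # Constructed sample key with a dummy signature, for demonstration only
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "HS256", "typ": "JWT"}),
                     seg({"iss": "supabase", "ref": "example", "role": role}), "sig"])

# Constructed browser bundle: one client-safe key and one that should never ship
SAMPLE_BUNDLE = ('const db = createClient(url, "' + _make_key("anon") + '");\n'
                 'const admin = createClient(url, "' + _make_key("service_role") + '");\n')
```

Only the second key is reported; the anon key in the same bundle is public by design and produces no finding.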
Pricing
The severity scoreboard is free on any URL. Pay once, per report, only when you want the findings.
Free scoreboard:
- Strictly-passive recon on any URL
- Full severity scoreboard (issue counts)
- No signup, anonymous
Full report ($100, per report):
- Every finding with full evidence
- Plain-English explanation of each
- Owner-verified before reveal