Frequently asked questions

How HatTest works, what it checks, and how pricing and ownership verification fit together.

What does HatTest do?

It scans your website — or the API / database backend behind your app — for things an attacker can already reach from the outside: leaked privileged keys and publicly-readable backend data. You get a free severity scoreboard; the full findings sit behind a one-time payment and proof you own the site.

Is the scan safe? Will it affect my site?

Yes. The scan is read-only reconnaissance: we fetch what your site already serves to anonymous visitors, and the only requests we send are the unauthenticated read requests any visitor's browser could send. We never run code on your site, never log in, and never write, change or delete data.

What exactly do you check for?

Two things today: (1) leaked privileged keys, such as a Supabase service_role key or another secret API key shipped in the JavaScript your site sends to the browser. Because service_role bypasses Row Level Security, exposing it hands an attacker read and write access to your whole database. (2) Publicly-readable backend data: tables that answer an anonymous request with data they shouldn't. We classify keys by role, so public, client-safe keys (for example the Supabase anon key) are never flagged. Deeper authenticated RLS-efficacy testing is in active development.
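To make the "classify keys by role" point concrete, here is an added example of the first check, written for this page and not HatTest's own scanner code. Supabase's JWT-format keys carry a `role` claim (`anon` or `service_role`) that can be read without the signing secret, so a scanner can tell a client-safe key from a privileged one without ever verifying or using the key. The sample bundle, the project ref and the tokens in it are constructed (unsigned, no real project), and the `sb_publishable_`/`sb_secret_` prefixes for Supabase's newer non-JWT keys are taken from Supabase's documentation at the time of writing and should be confirmed against current docs. The `redact` helper shows the kind of evidence a report can carry without reproducing the live secret.

```python
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# JWT-shaped strings: "eyJ" is the base64url encoding of '{"', which every JSON header starts with.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*")
# Supabase's newer non-JWT keys. Prefixes assumed from Supabase's docs at the time of writing;
# confirm against current documentation before relying on them.
PREFIXED_RE = re.compile(r"sb_(?:publishable|secret)_[A-Za-z0-9_-]{10,}")


@dataclass
class Finding:
    kind: str       # "jwt" or "prefixed"
    role: str       # "anon", "service_role", "publishable", "secret" or "unknown"
    flagged: bool   # True only for privileged (server-side) keys
    evidence: str   # redacted form safe to put in a report


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Optional[dict]:
    """Return the payload claims of a JWT without verifying the signature.

    We do not hold the project's JWT secret, so verification is impossible here;
    the role claim is still enough to tell anon from service_role."""
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    return claims if isinstance(claims, dict) else None


def redact(secret: str, keep: int = 6) -> str:
    """Keep just enough of the key to prove which one was found, never the whole value."""
    return f"{secret[:keep]}...[{len(secret) - 2 * keep} more chars]...{secret[-keep:]}"


def classify_jwt(token: str) -> Finding:
    claims = jwt_claims(token)
    if claims is None or claims.get("iss") != "supabase":
        # Some other JWT (e.g. a session token); not a Supabase API key, so not flagged here.
        return Finding("jwt", "unknown", False, redact(token))
    role = str(claims.get("role", "unknown"))
    return Finding("jwt", role, role == "service_role", redact(token))


def classify_prefixed(key: str) -> Finding:
    role = "secret" if key.startswith("sb_secret_") else "publishable"
    return Finding("prefixed", role, role == "secret", redact(key))


def scan_bundle(js: str) -> list[Finding]:
    """Find every Supabase-style key in a JS bundle and classify it by role."""
    findings = [classify_jwt(m.group(0)) for m in JWT_RE.finditer(js)]
    findings += [classify_prefixed(m.group(0)) for m in PREFIXED_RE.finditer(js)]
    return findings


# --- constructed sample input: no real project, unsigned tokens -----------------

def _fake_supabase_jwt(role: str) -> str:
    """Build an unsigned, JWT-shaped key with Supabase-style claims for the sample bundle."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "supabase", "ref": "abcdefghijklmnopqrst", "role": role,
               "iat": 1700000000, "exp": 2000000000}
    return f"{enc(header)}.{enc(payload)}.{'x' * 43}"


SAMPLE_BUNDLE = "\n".join([
    'const url = "https://abcdefghijklmnopqrst.supabase.co";',
    f'const supabase = createClient(url, "{_fake_supabase_jwt("anon")}");',
    '// someone "fixed" an RLS error by using the admin key in the browser:',
    f'const admin = createClient(url, "{_fake_supabase_jwt("service_role")}");',
    f'const pk = "sb_publishable_{"A" * 24}";',
])

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(("FLAG " if f.flagged else "ok   ") + f"{f.kind}/{f.role}: {f.evidence}")
```

Run against the constructed bundle, the anon key and the publishable key come back unflagged and only the service_role key is reported, with the evidence string never containing the full token. The decode is deliberately unverified: the scanner has no business holding or using the key, and the role claim is all the classification needs.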

Why is the scoreboard free but the details cost money?

The free scoreboard shows how many issues and how serious — but no exploitable detail. Revealing the actual findings for a site to anyone who pays would make us a vulnerability-lookup service for attackers. So the details are released only after you prove you own the domain. You pay for the report; ownership is what makes it safe to show.

How much does it cost?

$100, one-time, per report. The scoreboard is free on any URL.

Why do I have to verify domain ownership?

So we only ever hand exploitable details to the site's actual owner — not to someone targeting you. You prove ownership with a meta tag on your homepage or a DNS TXT record (your choice).
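As an added illustration of the two verification methods described above (example code written for this page, not HatTest's own implementation), the check below accepts either a meta tag on the homepage or a DNS TXT record carrying a per-report token. The tag name `hattest-verification` and the `hattest-verification=` TXT prefix are hypothetical; the page does not state the real ones. Two details matter for a verifier like this: the token must be compared in constant time, and a meta tag is only accepted inside `<head>`, because a tag that a stranger can plant in user-generated content in the page body proves nothing about who controls the site. The HTML and TXT records fed in are constructed sample inputs; a real deployment would fetch the homepage over HTTPS for exactly the domain being verified and query TXT records through its own resolver.

```python
import hmac
import secrets
from html.parser import HTMLParser
from typing import Iterable, Optional

# Hypothetical names for this example; the page does not give HatTest's real tag name
# or TXT record format.
META_NAME = "hattest-verification"
TXT_PREFIX = "hattest-verification="


def issue_token() -> str:
    """A fresh, unguessable token, issued per (domain, report) and stored server-side."""
    return secrets.token_urlsafe(32)


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison; encode first, since compare_digest rejects non-ASCII str.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class _HeadMetaCollector(HTMLParser):
    """Collect <meta name=META_NAME> values, but only from <head>.

    Anything in <body> may be user-generated content (comments, profiles), so a tag
    there is not evidence of control over the site."""

    def __init__(self) -> None:
        super().__init__()
        self.values: list[str] = []
        self._in_head = True   # treat the document as <head> until <body> or </head>

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        elif tag == "meta" and self._in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == META_NAME and a.get("content"):
                self.values.append(a["content"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def verify_meta(homepage_html: str, token: str) -> bool:
    p = _HeadMetaCollector()
    p.feed(homepage_html)
    return any(_equal(v, token) for v in p.values)


def verify_txt(records: Iterable[str], token: str) -> bool:
    """records: the TXT strings returned for the domain; unrelated records (SPF etc.) are ignored."""
    return any(_equal(r[len(TXT_PREFIX):].strip(), token)
               for r in records if r.startswith(TXT_PREFIX))


def verify_ownership(token: str, homepage_html: Optional[str] = None,
                     txt_records: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return "meta" or "dns" for the method that passed, or None if neither did."""
    if homepage_html is not None and verify_meta(homepage_html, token):
        return "meta"
    if txt_records is not None and verify_txt(txt_records, token):
        return "dns"
    return None


if __name__ == "__main__":
    # Constructed inputs standing in for a fetched homepage and a TXT lookup.
    tok = issue_token()
    good = f'<html><head><meta name="{META_NAME}" content="{tok}"></head><body></body></html>'
    injected = (f'<html><head></head><body><p>user comment</p>'
                f'<meta name="{META_NAME}" content="{tok}"></body></html>')
    print(verify_ownership(tok, homepage_html=good))        # meta
    print(verify_ownership(tok, homepage_html=injected))    # None
    print(verify_ownership(tok, txt_records=["v=spf1 -all", TXT_PREFIX + tok]))  # dns
```

The token is bound to one report and one domain, so a record left in place after verification cannot be reused to claim a different site; expiring the token after a short window is a reasonable extra precaution.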

When am I actually charged?

Your card is authorized when you pay, but only charged after ownership is verified. If you can't verify the domain, the authorization is released and you're not charged — so we never bill for a report we can't deliver.

Can I scan a site I don't own?

You can run the free scoreboard on any URL. But the full report — the actual findings and evidence — requires proving you own that domain.

What's in the full report?

Every finding with its evidence and a plain-English explanation of the risk. Evidence is redacted to prove the finding without exposing the live secret.

Do you store my scan or its findings?

Findings metadata and encrypted evidence are kept only to serve your report, and are automatically deleted after 30 days.

Is this a full penetration test?

No. It's automated, read-only security recon focused on a few high-impact exposures. It's a fast, cheap first look that complements, but doesn't replace, a human-led penetration test. We never claim a site is “secure.”

Still have a question? Contact us or email support@hattest.ai.