Tools / Cyber Check

See your business the way an attacker does.

A free external posture check. Point it at any domain you operate. Under a minute, nothing installed, nothing behind a login.

Run a scan How it works

Step one

Enter a domain.

Any domain you own or want to check. The tool normalises the input, so example.com.au and a full URL resolve to the same assessment.

. Overall posture

Running assessment.

Querying public sources. Findings stream in as they land. Nothing leaves your browser except the public lookups themselves.

0Critical

0High

0Medium

0Low

0Info

Optional, free

Prove you own the domain, unlock the deep scan.

The report above is the external view: everything an outsider can see without touching anything they shouldn't. If you are the owner, add a single DNS TXT record and it unlocks a much deeper assessment. Wider DKIM selector coverage, historical certificate timeline, full HTTP Observatory breakdown, extended typosquat sweep, and a printable report you can hand to your board, your insurer, or your auditor.

Add this TXT record

In your DNS provider (GoDaddy, Cloudflare, Route53, etc.), add a new TXT record:

Host / Name: _c31-verify
Type: TXT
Value: .
TTL: 300 (or default)

The token is generated in your browser and tied to the domain you entered. It is not sent anywhere. Nothing about your domain becomes public. This TXT proves, to me and to you, that you can edit authoritative DNS.

Wait for propagation

DNS changes usually take 1 to 10 minutes with a low TTL. Some providers are slower. Once it is live, come back here and press verify.

Verify

The tool queries public DNS for _c31-verify.example.com. If the token is found, the deep scan kicks off automatically.

How this works

What gets checked, honestly.

Exactly what the tool does, and what it does not, so you can judge the report for yourself.

DNS and email

SPF, DMARC, DKIM, DNSSEC, CAA. Whether someone can spoof your email or hijack your domain.

Certificates and TLS

Every certificate ever issued for your domain, from the public CT logs. Subdomain sprawl and forgotten boxes surface here.

Web headers

CSP, HSTS, cookies and the rest, graded by Mozilla Observatory. You get the grade and the exact fix.

Brand and typosquats

Lookalikes of your domain, resolved and flagged. That is where phishing kits live before they come for your staff.

What it does not do

No port scanning, no credentials, no exploits. Passive external recon only, and honest about it.

Want a real red team?

For internal reviews, phishing simulations, Microsoft 365 hardening or Essential Eight uplift, talk to us. Small business prices. Book a conversation

Why this matters

Small business is not exempt any more.

The legal floor moved in both Australia and New Zealand. These findings map straight onto the posture regulators, insurers and auditors look at first.

Talk it through

Legal note. Only run this tool against domains you own or have written permission to test. Even though every check is passive and uses already public data, some jurisdictions treat unauthorised security testing broadly. By using this page you confirm you have the right to assess the domain entered. Company31 provides this tool as is, with no warranty. Results are a starting point for a conversation, not a substitute for a qualified security review, a penetration test, or legal advice under the Privacy Act (AU) or Privacy Act 2020 (NZ).