A free, browser-based external cyber posture check built for Australian and New Zealand small business. Point it at any domain you operate and, in under a minute, it surfaces what the open internet already knows: your DNS hygiene, whether your email can be spoofed, how your TLS and web headers look, where your brand is being squatted, and which subdomains you might have forgotten about. No install. No sign-up. Nothing leaves your browser except the public lookups themselves.
Enter any domain you own or want to check. We normalise the input, so https://www.example.com.au/contact and example.com.au both resolve to the same assessment.
There is a lot of snake oil in this space. Here is exactly what this tool does and does not do, so you can judge the report for yourself.
01
DNS and email authentication
Live DoH queries for A, AAAA, MX, NS, TXT, CAA, DNSKEY. We parse SPF, DMARC, DKIM (probing common selectors), BIMI, DNSSEC. You get plain-English findings on whether someone can spoof your email or hijack your domain. This is exactly the posture the ACSC Essential Eight and the NZ Privacy Commissioner expect you to keep tidy.
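The SPF and DMARC part of that check, as an added example rather than this tool's own code. The function names and the status labels are hypothetical, and the records in `SAMPLE` are constructed; the TXT strings are assumed to have been fetched already.

```javascript
// Added example. Inputs are TXT strings already fetched for the apex and for
// _dmarc.<domain>. SAMPLE holds constructed records.
const SAMPLE = {
  apex: ['v=spf1 include:_spf.example.net ~all'],
  dmarc: ['v=DMARC1; p=none; rua=mailto:dmarc@example.com.au'],
};

function parseTags(record) {
  // DMARC records are "tag=value" pairs separated by semicolons.
  const tags = {};
  for (const part of record.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function assessSpf(txt) {
  const spf = txt.filter(r => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return { status: 'missing' };
  if (spf.length > 1) return { status: 'invalid' }; // two records: permerror
  const terms = spf[0].trim().split(/\s+/).slice(1);
  const all = terms.find(t => /^[+\-~?]?all$/i.test(t));
  if (!all) {
    // Without "all" the result comes from a redirect target, or is neutral.
    return { status: terms.some(t => /^redirect=/i.test(t)) ? 'redirect' : 'weak' };
  }
  const qualifier = /^[+\-~?]/.test(all) ? all[0] : '+';
  return { status: { '-': 'strict', '~': 'soft', '?': 'weak', '+': 'open' }[qualifier] };
}

function assessDmarc(txt) {
  const rec = txt.filter(r => /^v=DMARC1\s*(;|$)/.test(r));
  if (rec.length !== 1) return { status: rec.length ? 'invalid' : 'missing' };
  const tags = parseTags(rec[0]);
  const policy = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(policy)) return { status: 'invalid' };
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  // Only quarantine/reject applied to all mail counts as enforcement.
  const enforced = policy !== 'none' && pct === 100;
  return { status: enforced ? 'enforced' : 'monitor-only', policy, pct };
}

function spoofingExposure(apexTxt, dmarcTxt) {
  // SPF checks the envelope sender only, so the visible From address is
  // protected once DMARC is enforced, not before.
  const dmarc = assessDmarc(dmarcTxt).status;
  return { spf: assessSpf(apexTxt).status, dmarc, spoofable: dmarc !== 'enforced' };
}
```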
02
Certificate transparency and TLS
We read the public CT logs via crt.sh to reconstruct every certificate ever issued for your domain. That tells us your subdomain sprawl, issuer diversity, wildcard risk, and whether a forgotten dev box is still out there.
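How certificate rows turn into a subdomain inventory, as an added example rather than this tool's own code. `summariseCt` and its output shape are hypothetical; the rows are constructed and use the `issuer_name`, `name_value` and `not_after` fields of crt.sh's JSON output, with timestamps assumed to be UTC without a zone suffix.

```javascript
// Added example. SAMPLE_ROWS is constructed; issuers are made-up names.
const SAMPLE_ROWS = [
  { issuer_name: 'C=AU, O=Constructed CA One, CN=C1',
    name_value: 'example.com.au\nwww.example.com.au', not_after: '2025-06-01T00:00:00' },
  { issuer_name: 'C=AU, O=Constructed CA One, CN=C1',
    name_value: 'dev.example.com.au', not_after: '2023-01-10T00:00:00' },
  { issuer_name: 'C=AU, O=Constructed CA Two, CN=C2',
    name_value: '*.example.com.au', not_after: '2025-09-01T00:00:00' },
  { issuer_name: 'C=AU, O=Constructed CA One, CN=C1',
    name_value: 'www.example.com.au', not_after: '2022-01-01T00:00:00' },
  { issuer_name: 'C=AU, O=Constructed CA Three, CN=C3',
    name_value: 'notexample.com.au', not_after: '2025-09-01T00:00:00' },
];

function summariseCt(rows, domain, now = new Date()) {
  const apex = domain.toLowerCase();
  const latest = new Map(); // hostname -> latest expiry seen across all certs
  const issuers = new Set();
  const wildcards = new Set();
  for (const row of rows) {
    const org = /(?:^|,\s*)O=("[^"]+"|[^,]+)/.exec(row.issuer_name || '');
    const expiry = new Date(row.not_after + 'Z');
    let inScope = false;
    // name_value carries one certificate name per line.
    for (const raw of String(row.name_value || '').split('\n')) {
      const name = raw.trim().toLowerCase();
      // Suffix match on a label boundary, so notexample.com.au is dropped.
      if (name !== apex && !name.endsWith('.' + apex)) continue;
      inScope = true;
      if (name.startsWith('*.')) { wildcards.add(name); continue; }
      if (!latest.has(name) || latest.get(name) < expiry) latest.set(name, expiry);
    }
    if (inScope && org) issuers.add(org[1].replace(/"/g, '').trim());
  }
  const live = [];
  const expiredOnly = [];
  for (const [name, expiry] of latest) (expiry > now ? live : expiredOnly).push(name);
  return {
    live: live.sort(),               // a certificate is still valid
    expiredOnly: expiredOnly.sort(), // every certificate has lapsed
    wildcards: [...wildcards].sort(),
    issuers: [...issuers].sort(),
  };
}
```

Names under `live` that are missing from the asset register are the ones to chase first; `expiredOnly` names still need a DNS check before they are written off.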
03
HTTP security headers
Via the Mozilla HTTP Observatory API we grade your site on CSP, HSTS, cookies, referrer policy, X-Frame-Options, subresource integrity, and the rest of the modern list. You get the grade and the exact remediation, not just a score.
04
Brand and typosquat risk
We generate common lookalikes of your domain (homoglyph, TLD swap, character insertion, deletion, double-letter) and resolve each one. Anything that exists gets flagged. That is where phishing kits get hosted before they come for your staff.
05
What we do not do
No port scanning, no credential testing, no exploit probing, no WAF bypass, no authenticated crawling. This is passive external recon only. A pure static web tool cannot honestly do more than that, so we do not pretend to.
06
Want a real red team?
This free tool answers "is my external posture sane?" For anything deeper (internal reviews, phishing simulations, Microsoft 365 hardening, Essential Eight uplift, Privacy Act readiness) talk to us. Small-business prices. No big-firm margins.
The legal floor has moved. If you hold customer data, take card payments, or run email in your business name, the posture this tool checks is the same posture regulators, insurers, and auditors look at first.
AU
Privacy Act 1988 & the NDB scheme
The Privacy Act amendments passed in late 2024 raised maximum penalties for serious breaches to the greater of $50 million, three times the benefit obtained, or 30 percent of adjusted turnover. The old small-business exemption (under $3 million turnover) is on its way out. Notifiable Data Breaches are mandatory, to the OAIC and to affected individuals.
AU
Cyber Security Act 2024
Royal assent November 2024. Mandatory ransomware payment reporting, minimum standards for smart devices, protected information-sharing with the National Cyber Security Coordinator, and a Cyber Incident Review Board. It changes how incidents are reported, by whom, and in what window.
AU
ACSC Essential Eight
Still the practical baseline regulators and insurers measure you against. Application control, patching, MFA, admin privilege management, macro settings, application hardening, backups, and OS patching. Maturity Level 1 is the floor for demonstrating "reasonable steps" under the amended Privacy Act.
NZ
Privacy Act 2020
Mandatory notification of any breach causing, or likely to cause, serious harm. Notify the Privacy Commissioner and affected individuals as soon as practicable. Failure to notify is a criminal offence carrying a fine up to NZ$10,000. IPP 3A (indirect collection transparency) applies from 1 May 2026.
NZ
NZISM, CERT NZ guidance
The NZ Information Security Manual is the public-sector bar, but it is also the reference private-sector auditors reach for. CERT NZ's Critical Controls give small business a practical, plain-English checklist. Most of what this tool checks maps directly onto both.
Both
How we work with it
We are not a law firm. We are a senior tech practice that has sat through enough audits, cyber insurance renewals, and incident post-mortems to know what "reasonable steps" actually looks like on the ground. If you want the regulatory read alongside the technical one, bring the situation.
Legal note. Only run this tool against domains you own or have written permission to test. Even though every check is passive and uses already-public data, some jurisdictions treat unauthorised security testing broadly. By using this page you confirm you have the right to assess the domain entered. Company31 provides this tool as-is, with no warranty. Results are a starting point for a conversation, not a substitute for a qualified security review, a penetration test, or legal advice under the Privacy Act (AU) or Privacy Act 2020 (NZ).