AI QA Monkey
AI Security Intelligence
Enterprise-grade recon engine

Free Security Scan

Check your website security score for free in 60 seconds. No registration required to run the initial scan.

One-time Report (primary)

Unlock a full executive PDF with prioritized findings and recommended fixes for just $29.

Continuous Monitoring (optional)

From $7.99/month — automated daily or weekly re-scans with email alerts. Self-serve, cancel anytime. Free for 30 days with any report. See plans.

Secure Access

Your report links are protected using tokens and ownership checks. Use My Reports to access and re-download.

Raw Data Export (JSON / CSV)

Download your scan results as JSON or CSV. Hand the raw data to your IT team, import it into ticketing systems, or feed it directly to AI tools for automated fixes.

Developer-Friendly Output

Paste the JSON output into Cursor, ChatGPT, or any AI coding assistant and get instant fix suggestions for every finding — no manual interpretation needed.

One-Click Copy Fix

Every vulnerability includes "Copy Fix" and "AI Fix Prompt" buttons. Copy remediation steps or a full AI prompt to your clipboard in one click.

Interactive Security Dashboard

Severity charts, category radar, score trend sparklines, real-time scan step indicators, and a visual attack surface map — all built in.

Advanced Threat Detection

CORS misconfigurations, exposed API endpoints, subdomain takeover risks, cloud storage leaks, and HTTP/2 protocol analysis — all checked automatically.

Share Results

One-click sharing to X (Twitter), LinkedIn, or copy a direct link. Show clients and stakeholders your security posture with built-in social proof.

Kill Chain Visualization

See how an attacker would chain your vulnerabilities — exposed assets, file leaks, and compliance gaps mapped in a single attacker-perspective view.

Secure Report Access

Reports are protected with unique access tokens and ownership verification. Only you can access your scan data — no unauthorized access, ever.

Monthly Monitoring — automated daily or weekly re-scans, email alerts, and score tracking.
Self-serve from $7.99/month. Cancel anytime — free for 30 days with any paid report.
See monitoring plans

About Our Free Security Scan

What does the free security scan check?
Our free scan checks for common, high-impact security issues including:
  • SSL/TLS configuration and certificate validity
  • Security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy, COOP, CORP)
  • Exposed sensitive files (like .env, .git)
  • Open ports that could be exploited
  • WordPress vulnerabilities and user enumeration
  • CORS misconfiguration and API endpoint discovery
  • Subdomain takeover risk detection
  • Cloud storage exposure (AWS S3, Azure Blob, Google Cloud)
  • HTTP/2 protocol support and modern transport security
  • DKIM, SPF, and DMARC email authentication validation
  • Technology fingerprinting (server, CMS, frameworks, CDN, WAF)
  • IP blacklist and reputation monitoring
  • Basic GDPR compliance indicators
The scan runs 100+ checks, is completely free, and takes about 60 seconds to complete.
Is the free scan safe to use? Will it harm my website?
Yes, our scan is completely safe. It only performs passive reconnaissance and non-intrusive checks against publicly accessible endpoints. We don't attempt any exploits, we don't try to break into your site, and we don't perform any actions that could impact your website's performance or availability.
Do I need to register to run a free scan?
No registration is required to run the initial scan. You only need to provide an email address if you want to receive the results or unlock the full report.
What's a "security score" and how is it calculated?
Your security score is a number from 0-100 that represents your website's overall security posture. Scores of 80+ are considered "Verified Secure." The score is calculated based on multiple factors including SSL implementation, security headers, exposed sensitive files, open ports, and other security best practices. Each factor is weighted according to its potential impact on your site's security.

Reports & PDF Downloads

What's included in the full security report?
The full security report ($29) includes:
  • Comprehensive executive summary
  • Detailed vulnerability findings with severity ratings
  • Step-by-step remediation instructions with one-click "Copy Fix" and "AI Fix Prompt" buttons
  • Interactive security dashboard with severity charts, category radar, and score trend sparklines
  • Visual attack surface map showing ports, files, subdomains, WAF, and SSL status
  • Advanced checks: CORS, API discovery, subdomain takeover, cloud storage exposure
  • Attack surface analysis and compliance mapping (OWASP, ISO 27001, PCI DSS, GDPR, SOC 2)
  • Kill chain visualization — see how an attacker would chain your vulnerabilities
  • One-click share results to X (Twitter), LinkedIn, or copy a direct link
  • Secure report access with unique tokens — only you can view your data
  • Technical evidence and recommendations
  • Downloadable PDF format for sharing with stakeholders
How do I get the one-time PDF report?
After your scan completes, click the "Get Full Security Report" button. After purchase, you'll receive an email with a secure link to download your PDF. You can also access and re-download your reports anytime from the My Reports section.
I paid, but I don't see my PDF. What should I do?
First, check your email for the download link. Then, open My Reports and verify your email address is correct. If the report still doesn't appear, contact Support and include your email address and scan ID (if available).
Can I share my security report with my team or clients?
Yes! The PDF report is designed to be shared with stakeholders. It's formatted professionally with an executive summary for management and technical details for your development team. Many agencies use our reports to demonstrate security value to their clients.

Monthly Monitoring & Advanced Services

What does continuous monitoring include and what does it cost?
Continuous monitoring re-scans your site automatically — on the schedule you choose — and emails you the moment your security score drops or a new critical issue appears. It includes:
  • Automated daily or weekly re-scans
  • Email alerts on score drops and new critical findings
  • Security score & vulnerability trend history
  • Always tested against our newest checks — we add new detections continuously
It's free for 30 days with any paid report, or ongoing on a monitoring plan: Monitor ($7.99/mo, 1 domain, monitoring only), Pro ($29/mo, 1 domain + up to 30 report downloads/month), and Agency ($79/mo, up to 10 domains). All plans are self-serve and cancellable anytime. See plans.
What's the difference between one-time vs monthly?
One-time report ($29): A full security snapshot with copy-paste fixes and a downloadable PDF — a single payment per domain, no subscription. Best for fixing issues now or meeting a specific compliance requirement.

Monitoring plans (from $7.99/month): Ongoing, automated re-scans and alerts so new problems are caught as they emerge. Optional and cancellable anytime. Pro ($29/mo) also includes up to 30 report downloads a month; Agency ($79/mo) covers up to 10 domains. Ideal for business-critical sites and agencies.
How do I sign up for monitoring, and can I cancel?
It's fully self-serve — no waiting and no manual setup. Pick a plan on our Plans & Pricing page and check out; after payment you add the domain you want watched and choose daily or weekly scans. You can cancel anytime from your Gumroad account or by emailing support@aiqamonkey.com — there's no lock-in. When you cancel, monitoring stays active until the end of your paid period, then stops.
Is AI QA Monkey a subscription? Do I have to pay monthly?
No subscription is required. You can scan for free and buy the full report as a one-time $29 payment per domain — no recurring charge. Monthly monitoring plans (from $7.99/month) are entirely optional, for people who want ongoing automated re-scans and alerts. Start or cancel anytime; there is no lock-in.
Can I scan or monitor multiple domains?
Yes. The free scan and the one-time report work per domain — scan as many as you like. For ongoing coverage, the Agency plan ($79/month) monitors up to 10 domains with daily or weekly scans and up to 30 report downloads per domain each month — ideal for agencies and teams. Need more than 10 domains? Email support@aiqamonkey.com and we'll help.

Privacy & Security

Do you store passwords or private credentials?
No. Our scans only check publicly accessible endpoints. We never ask for or store your hosting login, admin passwords, or private keys. Your security is our priority.
How do you protect my scan data and reports?
All scan data and reports are encrypted both in transit and at rest. Access to your reports requires authentication and is protected by secure tokens. We follow industry best practices for data protection and regularly audit our security measures.
Can I delete my data from your systems?
Yes. You can request deletion of your scan data and reports at any time by contacting our support team. We comply with data protection regulations including GDPR.

Data Export & Integration

Can I export the raw scan data for my IT team?
Yes! Every report can be downloaded in three formats from My Reports:
  • PDF — Executive-ready report for stakeholders and management
  • JSON — Machine-readable output with full vulnerability details, scores, and metadata
  • CSV — Spreadsheet-friendly format for tracking, filtering, and importing into ticketing systems (Jira, Linear, etc.)
The JSON and CSV exports contain the same raw findings data used to generate the PDF, so nothing is lost.
Can I use the JSON output with AI tools like Cursor or ChatGPT to fix issues?
Absolutely — this is one of the most powerful ways to use your report. Download the JSON file and paste it directly into any AI coding assistant (Cursor, Windsurf, ChatGPT, Claude, Copilot, etc.). The structured format lets the AI understand each vulnerability, its severity, and the affected component, so it can generate precise code fixes, configuration changes, or server hardening commands. Many of our users go from scan to fix in minutes using this workflow.
What's included in the JSON export?
The JSON export includes:
  • Scan ID, domain, and overall security score
  • Scan timestamp and payment date
  • Full vulnerability/findings array with severity, category, description, and evidence
  • Remediation recommendations per finding
It's the same data that powers the PDF — just in a format your tools and scripts can consume directly.

New Features

What are the "Copy Fix" and "AI Fix" buttons?
Every vulnerability in your scan report now includes two action buttons:
  • Copy Fix — Copies the remediation instructions to your clipboard so you can paste them directly into your server config, code editor, or ticketing system.
  • AI Fix Prompt — Copies a pre-built prompt with full context (severity, issue, description, and remediation) that you can paste into ChatGPT, Claude, Cursor, or any AI coding assistant to get instant, precise code fixes.
What is the Interactive Security Dashboard?
After each scan, you'll see a visual dashboard with three interactive charts:
  • Severity Distribution — A color-coded bar showing the breakdown of Critical, High, Medium, Low, and Info findings.
  • Category Radar — An SVG radar chart showing your scores across six security categories: Application, Infrastructure, Transport, Email, Compliance, and Reputation.
  • Score Trend — A sparkline showing how your security score has changed over multiple scans, so you can track improvement over time.
During the scan, animated step indicators show real-time progress through each phase (DNS, SSL, Headers, Ports, Files, Tech, Analysis, Score).
What is the Visual Attack Surface Map?
The Attack Surface Map is an interactive network graph that visualizes your domain's full external exposure at a glance. Your domain sits at the center, with connected nodes showing:
  • Open ports (highlighted in red)
  • Exposed sensitive files (highlighted in red)
  • Discovered subdomains
  • WAF protection status
  • SSL certificate validity
  • Detected CMS/technology
This gives security teams and stakeholders an immediate visual understanding of the attack surface without reading through tables of data.
What are CORS, API discovery, and subdomain takeover checks?
These are advanced security checks we recently added:
  • CORS Misconfiguration — Detects if your server allows any domain to make cross-origin requests (wildcard *), especially dangerous when combined with credentials.
  • API Endpoint Discovery — Probes for publicly accessible API routes like /swagger.json, /graphql, /api/v1/, and OpenAPI documentation that should be restricted.
  • Subdomain Takeover — Identifies dangling CNAME records pointing to unclaimed cloud services (AWS, Azure, Heroku, Netlify, etc.) that attackers can hijack to serve malicious content on your subdomain.
  • Cloud Storage Exposure — Scans your page source for references to AWS S3 buckets, Azure Blob containers, and Google Cloud Storage that may be misconfigured.

Help & Support

How can I get help fixing security issues?
We offer several options:
  • The full PDF report includes step-by-step remediation instructions
  • Visit Improve Your Ranking to see our remediation packages
  • For custom assistance, contact Support
How do I contact support?
You can reach our support team by visiting our Support page and filling out the contact form. We typically respond within 24 business hours.
Do you offer refunds?
One-time report: if you applied the recommended fixes and your security score did not improve, contact our support team within 30 days for a full refund. Once the report materials have been delivered and downloaded, refunds are not available if no fix attempt was made.

Monitoring plans: subscription fees are non-refundable and not prorated, but you can cancel anytime to stop future renewals — your plan stays active until the end of the current paid period.