AI white-hat pen test

See what an attacker can already read from your site

HatTest scans your website — or the API / database backend behind your app — for what an attacker can already reach. Paste a URL for a free severity scoreboard; unlock the full findings and evidence when you’re ready. No signup to scan.

Strictly passive · we never run code on your site · authorized-use only.

By scanning, you agree to our Terms and Privacy Policy.

Passive & anonymous · Evidence-backed · Never claims “secure” · Evidence deleted in 30 days

How it works

Start free and anonymous. Pay and verify only when you want the details.

1. Paste your URL
   Any website — or the REST / GraphQL / BaaS backend behind your mobile or SPA app.

2. See your scoreboard — free
   A strictly-passive recon pass returns a severity scoreboard: how many issues and how serious. Details stay hidden. No signup.

3. Pay, then verify
   One $100 payment for the report, then prove the domain is yours with a meta tag or DNS record. You’re only charged after ownership checks out.

4. Get the full report
   Every finding with its evidence and a plain-English explanation.

What we find

Deterministic checks with evidence on every confirmed finding. Trust over coverage — we classify by role and sensitivity, so public-by-design things never cry wolf.

Critical
Leaked privileged keys

A Supabase service_role key (or any other secret API key) shipped to the browser hands an attacker your whole database: it bypasses Row Level Security, so every table becomes readable and writable. We classify keys by their role claim; the public anon key is client-safe by design and is never reported, so you don’t get false alarms.

High
Publicly readable backend data

Backend tables that answer an anonymous request with rows they shouldn’t return, typically because Row Level Security is disabled or an anon policy is broader than intended: the classic Supabase / PostgREST exposure behind many app breaches.

Deeper authenticated RLS-efficacy testing is in active development.
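As an added illustration (not HatTest’s own scanner), here is what the two checks above look like in practice: classify every JWT-shaped key found in a JavaScript bundle by its `role` claim, then probe a PostgREST table with nothing but the anon key and interpret the answer. The bundle, the table names and the HTTP responses are constructed; the base URL `example.supabase.co` and the `constructed_fetch` stand-in for a real HTTP client are assumptions so the script runs offline.

```python
# Added example, not HatTest's code. Two checks from the findings list above:
# (1) classify Supabase keys in a JS bundle by the JWT "role" claim,
# (2) probe a PostgREST table as an anonymous client and read the result.
# All sample input below (bundle, tables, responses) is constructed.
import base64
import json
import re
from typing import Callable, Dict, Tuple

# Supabase keys are JWTs: "anon" is public and client-safe; "service_role"
# bypasses Row Level Security entirely and must never reach a browser.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")
PRIVILEGED_ROLES = {"service_role"}
PUBLIC_ROLES = {"anon"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature; only the claims matter here."""
    try:
        _header, payload, _sig = token.split(".")
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return {}


def classify_keys(js_source: str) -> Dict[str, str]:
    """Map each JWT-shaped string in a bundle to: critical / public / unknown."""
    result = {}
    for token in set(JWT_RE.findall(js_source)):
        role = jwt_claims(token).get("role")
        if role in PRIVILEGED_ROLES:
            result[token] = "critical"   # server-only key shipped to the client
        elif role in PUBLIC_ROLES:
            result[token] = "public"     # public-by-design, not a finding
        else:
            result[token] = "unknown"    # some other JWT; needs a human look
    return result


# fetch(url, headers) -> (status, body). Injected so the probe is testable offline.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


def probe_table(base_url: str, anon_key: str, table: str, fetch: Fetcher) -> str:
    """Request one row of `table` with only the anon key.
    'exposed' : 200 with rows  -> RLS off, or an anon policy that allows reads
    'no_rows' : 200 with []    -> RLS filtered everything (or the table is empty)
    'denied'  : 401 / 403
    'error'   : anything else (missing table, non-JSON body, ...)"""
    url = f"{base_url}/rest/v1/{table}?select=*&limit=1"
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}
    status, body = fetch(url, headers)
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "error"
    try:
        rows = json.loads(body)
    except json.JSONDecodeError:
        return "error"
    return "exposed" if isinstance(rows, list) and rows else "no_rows"


# ---- constructed sample input: not real keys, not a real project ----
def make_unsigned_token(role: str) -> str:
    """Build a JWT-shaped string carrying `role`, with a dummy signature segment."""
    def seg(obj) -> str:  # base64url without padding, as real JWTs use
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f'{seg({"alg": "HS256", "typ": "JWT"})}.{seg({"iss": "supabase", "role": role})}.dummysignature'


SAMPLE_BUNDLE = (
    'const SUPABASE_URL = "https://example.supabase.co";\n'
    f'const SUPABASE_ANON_KEY = "{make_unsigned_token("anon")}";\n'
    f'const ADMIN_KEY = "{make_unsigned_token("service_role")}"; // should never ship\n'
)


def constructed_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in HTTP client returning canned PostgREST-style answers."""
    if "apikey" not in headers:
        return 401, '{"message":"No API key found in request"}'
    if "/rest/v1/profiles?" in url:
        return 200, '[{"id":1,"email":"alice@example.com"}]'  # RLS off: data leaks
    if "/rest/v1/orders?" in url:
        return 200, "[]"                                      # RLS on, no anon policy
    return 404, '{"code":"42P01","message":"relation does not exist"}'


if __name__ == "__main__":
    for token, severity in classify_keys(SAMPLE_BUNDLE).items():
        print(severity, jwt_claims(token).get("role"))
    anon = make_unsigned_token("anon")
    for table in ("profiles", "orders", "missing"):
        print(table, probe_table("https://example.supabase.co", anon, table, constructed_fetch))
```

Two caveats a practitioner should keep in mind. The role classification decodes the JWT payload without verifying it, which is fine for triage but means a forged token can claim any role. And a 200 with an empty array cannot tell an RLS policy that filtered every row apart from a table that is simply empty, which is why the probe reports `no_rows` rather than pretending to a verdict.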

What we’re built to scan

HatTest is sharpest on apps that reach a database or API straight from the browser or a mobile client — the setups where one backend misconfiguration leaks in public. It runs on any website; the depth just depends on the stack.

Best fit
  • Apps on a backend-as-a-service — Supabase, Firebase, PocketBase, Appwrite, AWS AppSync, Nhost
  • Single-page apps (React, Vue, Angular, Svelte) calling a public REST or GraphQL API
  • Mobile or desktop app backends — paste the API base directly, no web page needed
Also covered
  • WordPress & CMS sites — known-CVE version and plugin checks
  • Any site — leaked keys in JS, exposed files (.env, .git), and open S3 / GCS / Azure buckets
  • Static & JAMstack front ends built against a hosted backend

Sites fully behind a login wall or an aggressive bot-wall may come back as an honest “scan incomplete” — we never guess a verdict we couldn’t measure.

Evidence, not guesses.

Every confirmed finding shows the exact artifact an attacker would see.

Built to not cry wolf.

Public-by-design keys and endpoints are never flagged — only real, privileged exposure.

Black-box. Nothing to install.

No repo, no agent, no access. We never run your code — or anyone’s.

Pricing

The severity scoreboard is free on any URL. Pay once, per report, only when you want the findings.

Free scan
$0
  • Strictly-passive recon on any URL
  • Full severity scoreboard (issue counts)
  • No signup, anonymous
Scan your site

Find your leaks before someone else does.
