Everything your website security team would check — automated, monitored, and explained.
WebHound combines passive security scanning, website change monitoring, grouped findings, professional reports, and WADE-powered anomaly detection in one dashboard.
12 capabilities, one dashboard
Each engine runs independently and reports findings with full context — no black boxes.
Passive Website Scanning
Safe, read-only analysis of your website's public surface. No credentials, no changes, no risk.
Crawls linked pages and resources and inspects response headers without executing JS or making authenticated requests.
Security Headers & CSP
Checks every response header that browsers use to protect users from XSS, clickjacking, and data leaks.
Validates CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options.
TLS & DNS Security
Confirms your site uses strong encryption and your email domain is protected against spoofing attacks.
Certificate validity, cipher strength, HSTS preload, SPF, DKIM, DMARC, and DNSSEC presence.
Cookie Security
Audits every cookie your site sets and flags any missing protections that could expose user sessions.
Checks Secure, HttpOnly, and SameSite attributes. Flags cookies visible to JavaScript that shouldn't be.
JavaScript Risk Analysis
Detects risky JavaScript patterns in inline scripts and loaded files without executing untrusted code.
Scans for eval(), obfuscated code, document.write, credential exposure, and dangerous DOM APIs.
Third-Party Domain Monitoring
Maps every external source your website contacts — scripts, fonts, images, iframes, and API calls.
Categorizes by type (CDN, Analytics, Tracking, Payments) and flags unrecognized domains for review.
Sensitive Path Discovery
Checks whether common sensitive paths are publicly accessible — a frequent oversight on live sites.
Probes for admin panels, .env files, backup archives, debug endpoints, phpinfo(), and similar.
Secret Pattern Detection
Scans page source and loaded scripts for credential patterns that should never be publicly visible.
Detects API keys, tokens, AWS credentials, private keys, and common secret formats in HTML and JS.
Grouped Findings
Findings are organized by engine category, severity, and fix priority — not a flat wall of alerts.
Expandable rows show affected URLs, description, confidence score, and remediation per finding.
Engine Diagnostics
Transparent reporting on exactly which scan engines ran, what they checked, and what they found.
Per-engine timing, finding counts, and status so you always know the full scope of each scan.
Professional Reports
Export complete scan results in industry-standard formats, ready for developers, auditors, or clients.
SARIF (GitHub/Azure DevOps), CSV (spreadsheet/ticketing), and Markdown (wiki/PR-ready).
WADE Behavioral Monitoring
Detects meaningful website changes between scans — new scripts, domains, forms, and structural shifts.
Baseline fingerprinting with anomaly scoring. Separates CDN drift and minor changes from real signals.
Built for safe, responsible monitoring
WebHound is designed to be safe to run on any live site, as often as you need.
Passive scanning only
Every analysis is read-only. We fetch publicly available content — exactly as a browser would.
No exploitation
We don't probe for exploitable vulnerabilities, brute-force credentials, or attempt injection attacks.
Authorized targets only
You confirm you own or are authorized to scan every website before adding it to your account.
No destructive testing
No fuzzing, no load testing, no rate-limit probing. Safe to run continuously against live production.
Baseline-safe comparison
WADE's change detection compares scan metadata — it never re-executes or modifies anything.
Start monitoring before attackers notice what changed.
Free scans. No installation. Passive, authorized monitoring from day one.