A few weeks ago I shipped SecURL — a passive external security posture tool I'd been building on and off for longer than I care to admit. The pitch is simple: paste a URL, get a graded read of your site's full external security posture — headers, TLS, DNS/email trust, third-party surface, and passive intelligence signals, all ranked by what to fix first.
I wrote a short post about finally shipping it. But "I built a thing" isn't particularly useful to anyone. What's more useful is seeing the tool do something real.
So I ran it against 10 well-known public sites — UK government, public sector, major tech companies — and I'm publishing the raw results here. No editorialising, no cherry-picking. Just what the engine found.
The scan setup
All scans used quiet mode via the open-source npm package: