Is your vendor CRA & NIS2 ready?
Enter any company's website. We probe its public security signals (security.txt, CSAF, MTA-STS, TLS, DMARC, HSTS, disclosure pages), fetch the actual policy text, and grade the substance with AI against the EU Cyber Resilience Act and NIS2 Directive.
Free forever. We pay the AI bill. No signup, no credit card, no marketing list — we just email the report to you when it's ready.
We email the report to this address when the scan finishes — you can close the tab and come back. No marketing list, nothing shared with third parties (privacy). Public scans only · re-scan every 48h · 5 scans per IP per hour.
What we check
- RFC 9116 security.txt — presence, contact/policy fields, and Expires validity
- CSAF advisory feed at /.well-known/csaf/provider-metadata.json (CRA Article 13)
- HTTP security headers and HSTS strength (max-age, includeSubDomains, preload)
- TLS certificate validity and HTTP → HTTPS redirect at the apex
- Mail authentication: SPF, DMARC, MTA-STS (RFC 8461) and TLS-RPT (RFC 8460)
- Trust-center, disclosure, advisories, SBOM, imprint and privacy pages on the public site
- AI scoring of the homepage and 1–2 compliance-related sub-pages against CRA & NIS2 criteria
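
The security.txt check from the list above, as an added example (not this service's code): a minimal RFC 9116 evaluation of the Contact and Policy fields and of Expires validity. The function name, finding codes and sample file are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample file for illustration; example.com is a placeholder.
SAMPLE = """\
# constructed sample
Contact: mailto:security@example.com
Policy: https://example.com/disclosure-policy
Expires: 2024-03-01T00:00:00Z
"""

def check_security_txt(text, now=None):
    """Return finding codes for a security.txt body; an empty list means clean."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines, comments, PGP armor lines
        name, value = line.split(":", 1)
        # Field names are case-insensitive, so normalise before grouping.
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    findings = []
    if not any(fields.get("contact", [])):
        findings.append("contact-missing")   # Contact is required by RFC 9116
    if not any(fields.get("policy", [])):
        findings.append("policy-missing")    # Policy is optional in the RFC
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("expires-count")     # required, and at most once
        return findings
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return findings + ["expires-format"]
    if when.tzinfo is None:
        findings.append("expires-format")    # RFC 3339 needs a UTC offset
    elif when <= now:
        findings.append("expires-past")      # file must be treated as stale
    elif when - now > timedelta(days=366):
        findings.append("expires-far")       # RFC recommends under a year ahead
    return findings

if __name__ == "__main__":
    print(check_security_txt(SAMPLE))
```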