FAQ

Frequently asked questions

What SecureMonk does, how the score works, and what we do with your data.

Is SecureMonk free to use?
Yes. You can scan any public website, ask security questions, and read the daily news brief without an account. There are no scan limits on the free tier and no card required.
What does the scanner check?
Three things on every scan. Your TLS configuration (cipher suites, protocols, certificate, HSTS preload status), your HTTP security headers (CSP, HSTS, X-Frame-Options and others), and an optional vulnerability scan that fingerprints detected software and looks up known CVEs.
How is the security score calculated?
The score is TLS out of 50 plus headers out of 50. It is capped at 64 if a critical issue is present (missing CSP, missing HSTS, untrusted certificate, or no modern TLS). The math is transparent and every penalty that affected your score is shown alongside the result.
Is my scan data private?
No account is required and scans are not linked to individuals. The scanned hostname and resulting score are stored so we can show daily and historical statistics. Full scan results are retained temporarily for diagnostics. The privacy policy has the full details.
Can I scan any website?
Only systems you own or have received explicit written authorization to test. Public bug bounty programs and security demo sites that invite testing count as authorization. Scanning systems without permission may violate computer misuse laws in your jurisdiction even for passive checks like ours. The scanner refuses requests to private IP ranges (RFC1918, loopback, link-local, cloud metadata endpoints) as a safety measure on our side, but that is not a license to scan anything else.
What is Ask Monk?
An AI security advisor built into the site. You can ask about a specific finding from your scan, general questions about web security, or get help understanding a CVE. Defensive scope only. Ask Monk will not produce exploit code or attack guidance.