Authorized defensive analysis only

See external exposure clearly before it becomes a problem.

Vivi Analyzer runs ten passive checks against a domain or IPv4 — DNS, TLS, headers, ports, mail auth, WHOIS — and returns a single snapshot with a transparent risk score. No accounts, no agents, no active exploitation.

DNS · Ports · HTTPS · HSTS · CSP · SPF · DMARC · DKIM · DNSSEC · HTTP/3 · WHOIS · crt.sh

/dashboard · scan result
example.com
standard · 1.4s · 93.184.216.34
Risk score: 38/100 (Medium)
Duration: 1.4s · Findings: 4 · Open ports: 3
High: MySQL port exposed (3306). Database port publicly reachable — should be restricted immediately.
Port grid: 21 · 22 · 25 · 53 · 80 · 110 · 143 · 443 · 465 · 587 · 993 · 995 · 1433 · 2375 · 3000 · 3306 · 3389 · 5432 · 6379 · 8080 · 8443 · 27017 · 5900 · 9200
Legend: open · filtered · closed

Capabilities

What each scan actually checks

Ten analyzers run in parallel and merge into one result object. Everything is observable from the public internet — no authenticated probes, no body downloads.

  • DNS Intelligence: A · AAAA · MX · NS · TXT · CNAME records via dns/promises. [dns/promises]
  • Port Visibility: ~20 common TCP ports probed — open, closed, filtered. [passive]
  • HTTP Fingerprint: Status code, server header, six standard security headers. [HEAD only]
  • TLS Certificate: Subject, issuer, validity window, expiry, self-signed flag. [X.509]
  • CDN / WAF Detection: Heuristic match on response headers and nameserver patterns. [heuristic]
  • DDoS Posture: DNSSEC AD flag, HTTP/3 alt-svc, anycast hints, CDN tier. [alt-svc]
  • Public Exposure: robots.txt sensitive paths · security.txt · sitemap · humans. [RFC 9116]
  • Email Security: SPF policy + 10-lookup limit · DMARC · DKIM probe · MTA-STS. [SPF/DMARC]
  • Security Header Grade: Mozilla-Observatory-style A+ through F weighted rubric. [A+ → F]
  • Registration & WHOIS: Registrar, domain age, expiry, transfer-lock, abuse contact. [RDAP]

Scan depths

Three modes, one snapshot

Pick based on how much of the surface you need today. All modes finish in under a minute.

  • Quick (~5s): Fastest sanity check — resolves records and hits the root endpoint. Checks: DNS · HTTP
  • Standard (~15s, recommended): Full passive sweep — ports, certificate, exposure files, mail auth, WHOIS. Checks: DNS · Ports · SSL · Exposure · Email · WHOIS
  • Deep (~30s): Standard plus passive subdomain discovery via certificate transparency. Checks: Standard · Subdomains · crt.sh

Transparency

A risk score you can audit

The 0–100 score is computed from observable findings — not a black-box model. Every +18, +8, or −8 on a result page is traceable back to the table below.

Findings and score deltas render inline with each result, so you can sanity-check the weighting and swap the table for your own rubric if the defaults don't fit.

Score bands: 0 – 25 Low · 26 – 60 Medium · 61 – 100 High

Condition                      Impact
FTP (21) exposed               +18
MySQL / PostgreSQL exposed     +20
RDP (3389) exposed             +20
Redis (6379) exposed           +22
No HTTPS                       +20
Missing HSTS                   +8
SSL certificate expired        +15
DNSSEC disabled                +5
SPF missing (with MX)          +6
DMARC missing                  +7
Domain expired                 +20
CDN with strong DDoS tier      −8

Historical diff

Every re-scan compares against the previous

Score delta: −12 · New findings: +0 · Resolved: 3 · Ports opened / closed: +0/−2

Each scan of the same target is compared against the previous one, stored locally in your browser. No server-side history.

Safety & data handling

Defensive by design, not by marketing

  • Authorized targets only. Use against systems you own or have explicit written permission to assess.
  • Pre-flight IP filter. Rejects private, loopback, link-local, and CGNAT ranges before any probe can fire.
  • 10 requests per minute per IP. Best-effort sliding window on a cold-start serverless runtime.
  • No bodies downloaded. Headers only; response bodies are never fetched or persisted.
  • No server-side history. The last 10 scans live in your browser's localStorage and nowhere else.
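
The pre-flight IP filter from the list above, sketched in JavaScript as an added example (not Vivi Analyzer's own code). Function names are hypothetical, and the input is assumed to be the IPv4 addresses the target has already resolved to; the filter fails closed on non-canonical forms such as 127.1 that slip past naive prefix checks.

```javascript
// Added example, not Vivi Analyzer's code; names are hypothetical. Ranges are those the page lists.
const BLOCKED_RANGES = [
  { cidr: '10.0.0.0/8', label: 'private' },
  { cidr: '172.16.0.0/12', label: 'private' },
  { cidr: '192.168.0.0/16', label: 'private' },
  { cidr: '127.0.0.0/8', label: 'loopback' },
  { cidr: '169.254.0.0/16', label: 'link-local' },
  { cidr: '100.64.0.0/10', label: 'cgnat' },
];

// Strict dotted-quad parser: four decimal octets, no leading zeros. Returns an
// unsigned 32-bit number, or null for "127.1", "0177.0.0.1", "2130706433", etc.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (const octet of m.slice(1)) {
    if (octet.length > 1 && octet.startsWith('0')) return null;
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n; // arithmetic, not <<, to stay unsigned
  }
  return value;
}

// Returns the label of the blocked range containing `ip`, or null if allowed.
function blockedRange(ip) {
  for (const { cidr, label } of BLOCKED_RANGES) {
    const [base, bits] = cidr.split('/');
    const size = 2 ** (32 - Number(bits));
    const start = parseIPv4(base);
    if (ip >= start && ip < start + size) return label;
  }
  return null;
}

// Vet every address a target resolves to; one bad record rejects the target.
// The caller should then probe the vetted addresses rather than re-resolve.
function preflight(addresses) {
  if (addresses.length === 0) return { ok: false, reason: 'no addresses' };
  for (const addr of addresses) {
    const ip = parseIPv4(addr);
    if (ip === null) return { ok: false, reason: `unparsable: ${addr}` };
    const label = blockedRange(ip);
    if (label) return { ok: false, reason: `${label}: ${addr}` };
  }
  return { ok: true, reason: null };
}
```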

Open the dashboard

No sign-up. No configuration. Works on any domain you're authorized to analyze.
