Welcome.

Probe hits your deployed app from the outside, with no credentials — the way an attacker would walk in cold. Paste your live URL; we look at everything reachable on the public internet.

• CVE checks — every dependency in your last lockfile snapshot, scanned against public CVE/GHSA feeds.
• Dependency confusion — checks if any of your private package names also exist on public npm (the lookalike attack vector).
• Secret leaks — JavaScript bundles served from your live URL, your connected GitHub repo, and full commit history (when GitHub is connected). Looks for AWS / Stripe / Anthropic / OpenAI / GitHub keys.
• Web surface basics — missing security headers, open admin paths, CORS misconfig, open redirects, reflected XSS.
• Subdomain enum (passive) — forgotten staging / preview deploys leaking via cert transparency.