Subdomain risk scanner

Free external scan tool: Subdomain risk scanner. Start from your domain using the same public scan flow - no duplicate submission logic.

The problem

Run an external scan to see how this area shows up for your hostname on your current plan.

Why it matters

Automated checks scale better than one-off manual spot tests and help catch drift after deploys.

How to check

Submit your domain in the scan form above the fold; review only visible findings for your token/account.

How to fix

Interpret results as signals, then follow the linked fix guides for any issue families you need to address.

  1. Identify owners for the affected component (app, edge, DNS, or mail).
  2. Make a minimal change and validate in staging or a canary route.
  3. Deploy with monitoring and rollback readiness.
  4. Re-run ExposureGrid to confirm the external signal improved.

Run a scan to verify this fix on your domain

Use the same public scanner as the homepage — results honor your plan tier.

What ExposureGrid checks

ExposureGrid performs outside-in checks without requiring an origin agent.

Scan your domain

Run a private scan from the edge — same public flow as the homepage free scanner, with plan-appropriate coverage on the results side.

FAQ

Why does "Subdomain risk scanner" appear in ExposureGrid?

Scanners observe externally visible signals. A finding means our rules matched - validate severity and applicability in your environment.

Could this be a false positive?

Yes, depending on context and coverage limits. Especially for heuristic, partial, or pattern-based checks, corroborate with manual review.

What should I do after changing configuration?

Re-run a scan to confirm the external signal changed, then enable monitoring where your plan supports it.

ExposureGrid continuously monitors these issues and alerts you before they become exploitable.
