SiteSecurityScore vs Intruder

Intruder is a paid, cloud based continuous vulnerability scanner for networks, web apps, and cloud infrastructure. It requires an account and a subscription. SiteSecurityScore is the fastest way to grade and fix your security posture at the configuration layer attackers probe first, covering HTTP security headers, deep CSP analysis, TLS, DNS records, cookies, CORS, and security.txt. It is free and instant, with no account and no setup, and it returns a letter grade with copy and paste fixes in seconds plus free continuous daily monitoring with email alerts. This page compares the two so you can decide what fits your needs.

Infrastructure scanning and the config layer are two different jobs

Intruder is a paid, cloud based continuous vulnerability scanner. It runs checks across external and internal networks, web applications, and connected cloud accounts, and adds attack surface management and emerging threat scans. It is built for teams that want a managed, paid service covering their infrastructure, and it requires an account and a subscription.

The web configuration layer is a different question, and it is the layer attackers probe first. A site can sit on patched infrastructure and still ship without a Content Security Policy, serve cookies missing the Secure or HttpOnly flag, run with a weak Permissions-Policy, or lack DNS email authentication. SiteSecurityScore gives you everything you need for that layer in one free scan, graded with copy and paste fixes in seconds. It is the fastest way for a developer to verify and fix posture before a deploy, with free continuous daily monitoring so you catch every change after you ship. This is the essential layer you should not skip.

Intruder vs SiteSecurityScore: side by side feature comparison

Web Configuration Layer

Feature | SiteSecurityScore | Intruder
HTTP security header analysis | Partial
Deep CSP policy breakdown
HSTS configuration check | Partial
Cookie security attributes
CORS header analysis
security.txt validation
Letter grade scoring

TLS & DNS

Feature | SiteSecurityScore | Intruder
TLS/SSL configuration check
Certificate validity and expiry
DNS records (SPF, DKIM, DMARC) | Partial
CAA record check
Mixed content detection

Access & Workflow

Feature | SiteSecurityScore | Intruder
Free with no account for basic scans
Instant in browser results
Continuous monitoring with alerts
Daily configuration drift monitoring | Partial
PDF report generation
REST API for automation
Browser extension (authenticated pages)
MCP connector for AI coding tools
Free header generator tools

Audience Fit

Feature | SiteSecurityScore | Intruder
Geared to developers and engineers
Aimed at small and mid market sites
Suited to enterprise security teams

Infrastructure Vulnerability Scanning

Feature | SiteSecurityScore | Intruder
External network scanning
Internal network scanning
Web app vulnerability detection (DAST)
Cloud misconfiguration checks
Attack surface management
Emerging threat scans

What Intruder covers, and what the config layer covers

Intruder scans infrastructure for known vulnerabilities. SiteSecurityScore owns the web configuration layer that sits on top of that infrastructure, the layer attackers probe first, and grades every part of it in one scan. Here is how the two divide the work.

Intruder: infrastructure scanning

External and internal network scanning, web app vulnerability detection, cloud misconfiguration checks, attack surface management, and emerging threat scans across your estate. This is paid infrastructure coverage that SiteSecurityScore does not perform.

SiteSecurityScore: security headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, and CORP, all in one scan. Every header is graded with a copy and paste fix so you close gaps in seconds before a deploy.

Deep CSP analysis

A full directive by directive breakdown of your Content Security Policy. It pinpoints unsafe-inline, overly broad wildcards, and missing directives that a network scanner reports only as a single line, then hands you the exact fix.

Cookie security audit

HttpOnly, Secure, SameSite, Path, Domain, and prefix checks for every cookie, so you can spot session hijacking and CSRF risks at a glance.

DNS and TLS checks

SPF, DKIM, DMARC, and CAA records alongside TLS configuration, certificate validity, and mixed content detection in the same instant scan.

CORS and security.txt

Reviews Access-Control-Allow-Origin and credential settings to flag permissive cross-origin rules, and verifies your security.txt disclosure file is present and correct.

Free continuous monitoring with email alerts

Continuous coverage of the basics should not require a paid platform. Intruder runs monitoring across infrastructure as a paid service. SiteSecurityScore watches the configuration layer of your site and tells you the moment something drifts, at no cost.

SiteSecurityScore runs automated daily scans of your HTTP security headers, Content Security Policy, TLS certificate, DNS records (SPF, DKIM, DMARC), and cookies in one pass, for free. When anything changes, you get an email alert right away. You can also wire up CSP violation and NEL reporting so real browser reports flow back to you. No manual re-testing required, and no paid plan needed.

Automated daily scans

Every monitored site is scanned once per day covering headers, CSP, TLS, DNS, and cookies.

Email alerts on changes

Get notified when a header is removed, a CSP policy changes, or a certificate nears expiration.

Free security header generator tools

Knowing which headers are missing is only half the job. You also need correct values. SiteSecurityScore includes a full set of free generator tools that produce copy and paste configurations for your web server, so you go from gap to fix in minutes.

Scan authenticated pages and automate from your workflow

Chrome Extension, API, and MCP connector

The SiteSecurityScore browser extension captures real response headers from your authenticated sessions, so you can scan admin panels, internal dashboards, and staging environments with one click. For automation, a REST API and an MCP connector for Claude Code and ChatGPT Codex let you run graded scans straight from your existing developer workflow, with no setup and no sales calls.

Run a free website security scan

Enter any URL and get a complete configuration layer audit covering HTTP headers, CSP, HSTS, TLS certificates, DNS records, and cookie security. No account required.

Frequently asked questions

Is SiteSecurityScore a replacement for Intruder?

They cover different parts of the problem. Intruder is a paid, cloud based continuous vulnerability scanner that checks network, web app, and cloud infrastructure for known vulnerabilities. SiteSecurityScore is the fastest way to grade and fix your security posture at the configuration layer attackers probe first, covering HTTP security headers, deep Content Security Policy analysis, TLS, DNS records, cookies, CORS, and security.txt. It is free, instant, and needs no account or setup. You get a letter grade with copy and paste fixes in seconds, plus free continuous daily monitoring with email alerts. For the configuration layer, SiteSecurityScore gives you everything you need in one scan, and it is the layer you should not skip. If you also need full infrastructure vulnerability scanning, that is what a paid platform like Intruder is for.

What does SiteSecurityScore check that a network vulnerability scanner like Intruder does not focus on?

SiteSecurityScore is purpose built for the web configuration layer that broad infrastructure scanners treat as a single line item, and it goes deep where it counts. That includes a directive by directive Content Security Policy breakdown, every HTTP security header (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP), cookie attributes (HttpOnly, Secure, SameSite), CORS configuration, security.txt validation, mixed content, DNS email authentication records (SPF, DKIM, DMARC), and CAA records. It hands you a clear letter grade with copy and paste fixes in seconds, so you can close every gap fast.

Is SiteSecurityScore free, and does Intruder require an account?

SiteSecurityScore is free and needs no account for basic scans. You enter a URL and get a graded result instantly, with no setup and no sales calls. Intruder is a paid platform that requires an account and a subscription to use. SiteSecurityScore paid plans add PDF reports, REST API access, and higher scan limits, while the core security scan and free continuous daily monitoring stay free for everyone.

Can SiteSecurityScore monitor my site continuously like Intruder does?

Yes, for the configuration layer, and it is completely free. SiteSecurityScore runs automated daily scans of your security headers, CSP, TLS certificate, DNS records, and cookies, then sends an email alert the moment something changes, such as a removed header, a CSP change, or a certificate nearing expiration. You get continuous protection for the configuration layer at no cost. Intruder also runs continuous monitoring, but across infrastructure and as a paid service.

Does SiteSecurityScore do network and cloud vulnerability scanning?

No, and that is by design. SiteSecurityScore is purpose built for the HTTP, TLS, DNS, cookie, and CSP layer, the configuration layer attackers probe first, and it owns that layer completely. If you also need external and internal network scanning, web app vulnerability detection, cloud security posture checks, and attack surface management, that is the job of a paid platform like Intruder. SiteSecurityScore is the free, instant, developer friendly scanner that grades and fixes your configuration layer in seconds, and it is the layer you should not skip.

How fast is SiteSecurityScore compared to a full vulnerability scan?

SiteSecurityScore returns a full configuration layer audit, graded and ready to fix, in seconds with no scheduling, no agents, and no onboarding. A platform like Intruder runs scheduled and continuous scans across infrastructure, which covers a different surface and is not an instant in browser check. SiteSecurityScore is the fastest way for a developer to grade and fix header, TLS, DNS, cookie, and CSP posture right before a deploy.

Can SiteSecurityScore scan pages behind a login?

Yes. SiteSecurityScore ships a Chrome browser extension that captures real HTTP response headers from your authenticated sessions, so you can scan admin panels, internal dashboards, and staging environments for header and cookie issues with one click. It also gives you a REST API and an MCP connector for Claude Code and ChatGPT Codex, so you can run graded scans straight from your existing workflow.
