Free tier · live · 1 scan / 10 min

We watch the perimeter so leaks don't sneak past.

Leakwarden checks your public-facing websites for the things developers accidentally ship: exposed .git/config, plaintext .env files, hardcoded API keys baked into JS bundles, and the dozen other classes of misconfiguration that researchers find in their sleep.

We'd rather you find them first.

Free tier runs 9 surface checks. If you provide an email we'll send a one-time link to the report — never used for marketing. By submitting you confirm you are authorized to scan this domain — see AUP.

Surface checks

The free tier scans for the highest-impact leaks: .git, .env, server-status, exposed configs, hardcoded keys.

Deep one-shot

Subdomain enumeration, the full Nuclei exposures/ + misconfiguration/ template set, JS-bundle key scan, branded HTML report. Pay-as-you-go.

Continuous watch

We subscribe to certificate-transparency logs. Every fresh cert issued for your domain triggers a re-scan within minutes — and you only hear from us when something new shows up.

Working principles

  • Scanning is legal. Abuse is not — we throttle, honor robots.txt, and refuse regulated targets without authorization.
  • Disclosure is free. Monitoring is paid. We will never make payment a condition of telling you about a leak we found.
  • Findings are sensitive data — encrypted at rest, never emailed in full, free-tier results auto-purged after seven days.