You paste a domain. Ten seconds later you get a single grade — A through F — covering 11 security checks.
No signup. No API key. Just a URL.
Try it right now → contrastcyber.com
Why I Built This
Every security scanner I found fell into one of three buckets:
- Enterprise SaaS with a sales call
- A CLI tool that dumps 200 lines of raw output
- Free but limited to SSL-only
I wanted something that gives a single, opinionated score — like a credit score for your server's security posture. Something a developer can run in 10 seconds and immediately know where they stand.
So I wrote one from scratch. In C.
The Scanner: 2,300 Lines of C
The core scanner is a single C binary. No frameworks, no runtime dependencies beyond libcurl, openssl, libresolv, and cJSON.
It runs 11 checks and scores them out of 100:
| Module | Points | What It Checks |
|---|---|---|
| Security Headers | 25 | CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| SSL/TLS | 20 | Protocol version, cipher strength, certificate validity |
| DNS Security | 15 | SPF, DKIM, DMARC |
| HTTPS Redirect | 8 | HTTP → HTTPS automatic redirect |
| Info Disclosure | 5 | Server header, X-Powered-By exposure |
| Cookie Security | 5 | Secure, HttpOnly, SameSite flags |
| DNSSEC | 5 | DNS response signature verification |
| HTTP Methods | 5 | Dangerous methods (TRACE, DELETE, PUT) |
| CORS | 5 | Cross-origin misconfiguration |
| HTML Analysis | 5 | Mixed content, inline scripts, SRI, form security |
| CSP Analysis | 2 | Deep Content Security Policy inspection |
The output is a single JSON object:
```
$ ./contrastscan example.com
{
  "domain": "example.com",
  "total_score": 85,
  "max_score": 100,
  "grade": "B",
  "headers": { "score": 20, "max": 25 },
  "ssl": { "score": 20, "max": 20 },
  "dns": { "score": 15, "max": 15 },
  ...
}
```
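To make the module table concrete, here is how two of the header-based modules (Security Headers, 25 points, and Cookie Security, 5 points) could be implemented in C. This is example code written for this write-up, not the contrastscan source: the page only gives the module totals, so the 6/6/4/3/3/3 split across the six headers and the 2/2/1 split across the Secure/HttpOnly/SameSite flags are assumptions, and the two HTTP responses scored at the bottom are constructed, not captured from any site.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Header weights: the page gives only the 25-point module total, so this
 * per-header split is an assumption made for the example. */
struct header_check { const char *name; int points; };
static const struct header_check HEADER_CHECKS[] = {
    {"Content-Security-Policy",   6},
    {"Strict-Transport-Security", 6},
    {"X-Frame-Options",           4},
    {"X-Content-Type-Options",    3},
    {"Referrer-Policy",           3},
    {"Permissions-Policy",        3},
};

/* Yield successive lines of a raw HTTP header block; NULL when exhausted. */
static const char *next_line(const char **cursor, size_t *len) {
    const char *line = *cursor;
    if (line == NULL || *line == '\0') return NULL;
    const char *eol = strpbrk(line, "\r\n");
    *len = eol ? (size_t)(eol - line) : strlen(line);
    const char *nxt = line + *len;
    while (*nxt == '\r' || *nxt == '\n') nxt++;
    *cursor = nxt;
    return line;
}

/* If the line is "Name: value" (name compared case-insensitively, as HTTP
 * requires), return a pointer to the value; otherwise NULL. */
static const char *match_header(const char *line, size_t len, const char *name) {
    size_t nlen = strlen(name);
    if (len <= nlen || strncasecmp(line, name, nlen) != 0 || line[nlen] != ':') return NULL;
    const char *v = line + nlen + 1;
    while (v < line + len && (*v == ' ' || *v == '\t')) v++;
    return v;
}

/* True if a Set-Cookie value carries the named attribute (Secure, HttpOnly,
 * SameSite=...). Attributes are matched as whole tokens after the first ';',
 * so a cookie whose name merely contains "secure" does not count. */
static int cookie_has_attr(const char *v, size_t len, const char *attr) {
    size_t alen = strlen(attr);
    const char *end = v + len;
    const char *p = memchr(v, ';', len);            /* skip the name=value pair */
    while (p != NULL && p < end) {
        p++;
        while (p < end && *p == ' ') p++;
        const char *q = p;
        while (q < end && *q != ';' && *q != '=' && *q != ' ') q++;
        if ((size_t)(q - p) == alen && strncasecmp(p, attr, alen) == 0) return 1;
        p = memchr(q, ';', (size_t)(end - q));
    }
    return 0;
}

/* Security Headers module: award points for each recommended header present. */
int score_headers(const char *raw) {
    int score = 0;
    for (size_t i = 0; i < sizeof HEADER_CHECKS / sizeof HEADER_CHECKS[0]; i++) {
        const char *cur = raw, *line;
        size_t len;
        while ((line = next_line(&cur, &len)) != NULL) {
            if (match_header(line, len, HEADER_CHECKS[i].name) != NULL) {
                score += HEADER_CHECKS[i].points;
                break;                               /* count each header once */
            }
        }
    }
    return score;
}

/* Cookie Security module: a flag only scores if every cookie carries it.
 * The 2/2/1 split of the 5 points is an assumption, not the project's. */
int score_cookies(const char *raw) {
    int cookies = 0, secure = 1, httponly = 1, samesite = 1;
    const char *cur = raw, *line;
    size_t len;
    while ((line = next_line(&cur, &len)) != NULL) {
        const char *v = match_header(line, len, "Set-Cookie");
        if (v == NULL) continue;
        size_t vlen = (size_t)(line + len - v);
        cookies++;
        if (!cookie_has_attr(v, vlen, "Secure"))   secure = 0;
        if (!cookie_has_attr(v, vlen, "HttpOnly")) httponly = 0;
        if (!cookie_has_attr(v, vlen, "SameSite")) samesite = 0;
    }
    if (cookies == 0) return 5;                      /* no cookies, nothing to get wrong */
    return 2 * secure + 2 * httponly + samesite;
}

/* Constructed sample responses for the demo (not captured from a real site). */
static const char GOOD_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n\r\n";
static const char WEAK_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n\r\n";

int main(void) {
    printf("good: headers %d/25, cookies %d/5\n", score_headers(GOOD_RESPONSE), score_cookies(GOOD_RESPONSE));
    printf("weak: headers %d/25, cookies %d/5\n", score_headers(WEAK_RESPONSE), score_cookies(WEAK_RESPONSE));
    return 0;
}
```

Two details matter for a scorer like this: header names are matched case-insensitively (the weak response spells `x-frame-options` in lower case and still gets its points), and the cookie module takes the weakest cookie rather than the best one, so a single session cookie without `HttpOnly` drops the flag for the whole site.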
Why C?
Speed and control. The scanner does raw TCP handshakes for SSL checks, direct DNS queries via libresolv, and HTTP header parsing with libcurl. A full scan completes in under 3 seconds. No garbage collector, no startup time, no 400MB node_modules.
```c
#include <curl/curl.h>
#include <openssl/ssl.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <cjson/cJSON.h>
// That's it. Five libraries. 2,300 lines. 11 modules.
```
The Web App
The C scanner is wrapped in a Python FastAPI backend that handles:
- Domain validation & sanitization
- Rate limiting (60 scans/hour per IP)
- SQLite scan storage
- HTML report rendering
- SVG grade badges for README files
- Async passive reconnaissance (WHOIS, tech stack, WAF detection, subdomains)
The frontend is pure HTML/CSS/JS — no React, no build step. When you submit a scan, you get an animated progress overlay showing each module completing in real-time, then the full result page.
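The first item on that list, domain validation, is the step that decides what ever reaches the scanner's argv. The page's backend does this in Python; as an added example (written for this page, not the project's code) here is the same check in C to match the scanner: a strict RFC 1123 hostname validator plus a normalizer that strips the scheme, path and port people tend to paste, so the binary only ever sees a bare lower-case hostname and never anything a shell could interpret. The sample inputs in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
#include <ctype.h>

/* Syntactic hostname check (RFC 1123 labels): each label 1..63 chars of
 * letters, digits and hyphens, no leading or trailing hyphen, whole name at
 * most 253 chars, at least two labels. Anything else (schemes, paths, ports,
 * whitespace, shell metacharacters) is rejected. Returns 1 if valid, else 0. */
int valid_domain(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    int labels = 0;
    size_t label_len = 0;
    for (size_t i = 0; i <= n; i++) {
        char c = s[i];
        if (c == '.' || c == '\0') {
            if (label_len == 0 || label_len > 63) return 0;   /* empty or oversize label */
            if (s[i - 1] == '-') return 0;                      /* label ends with a hyphen */
            labels++;
            label_len = 0;
            continue;
        }
        if (!isalnum((unsigned char)c) && c != '-') return 0;
        if (label_len == 0 && c == '-') return 0;               /* label starts with a hyphen */
        label_len++;
    }
    return labels >= 2;                                         /* "example.com", not "localhost" */
}

/* Reduce whatever the user pasted to a bare lower-case hostname: skip leading
 * blanks and an http(s):// scheme, cut at the first '/', '?', '#', ':' or
 * whitespace, drop one trailing dot, lower-case the rest. Returns 1 only if
 * the result passes valid_domain(); only then should `out` be used. */
int normalize_domain(const char *in, char *out, size_t outlen) {
    const char *p = in;
    while (*p == ' ' || *p == '\t') p++;
    if (strncasecmp(p, "https://", 8) == 0) p += 8;
    else if (strncasecmp(p, "http://", 7) == 0) p += 7;
    size_t len = strcspn(p, "/?#: \t\r\n");
    if (len > 0 && p[len - 1] == '.') len--;
    if (len == 0 || len >= outlen) return 0;
    for (size_t i = 0; i < len; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[len] = '\0';
    return valid_domain(out);
}

/* Convenience check: does `in` normalize to exactly `expected`? */
int normalizes_to(const char *in, const char *expected) {
    char buf[256];
    return normalize_domain(in, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed inputs covering the cases the validator must accept or reject. */
    const char *samples[] = { "HTTPS://Example.COM/path?x=1", "example.com.", "  example.com:8443",
                              "-bad.example.com", "example", "user@example.com", "example.com;x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256];
        int ok = normalize_domain(samples[i], buf, sizeof buf);
        printf("%-32s -> %s\n", samples[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

The validated string should then be passed to the scanner as one element of an argv array (`execv`/`subprocess` with a list), never interpolated into a shell command line; the whitelist above is what makes that argument boring, and the argv boundary is what makes the whitelist unnecessary to get perfect.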
API Access
Every scan is also available as JSON:
```bash
curl "https://contrastcyber.com/api/scan?domain=example.com"
```
Or download a plain text report:
```bash
curl "https://contrastcyber.com/api/report?domain=example.com" -o report.txt
```
Going Deeper: ContrastAPI
After building the scanner, I wanted more. CVE intelligence. Code analysis. Domain reconnaissance at scale.
So I built ContrastAPI — a full security intelligence API with 13 endpoints:
CVE Intelligence
```bash
# Search CVEs by keyword
curl "https://api.contrastcyber.com/v1/cve/search?q=apache&limit=5"

# Get EPSS score (exploitation probability)
curl "https://api.contrastcyber.com/v1/cve/CVE-2024-3094/epss"

# Check if it's in CISA KEV (Known Exploited Vulnerabilities)
curl "https://api.contrastcyber.com/v1/cve/CVE-2024-3094/kev"
```
Domain Recon
```bash
# Full domain intelligence
curl "https://api.contrastcyber.com/v1/domain/example.com"
```
Returns DNS records, WHOIS data, SSL certificate details, subdomains, WAF detection, and technology stack — all in one call.
Code Security
```bash
# Check code for secrets, injection, misconfigurations
curl -X POST "https://api.contrastcyber.com/v1/code/check" \
  -H "Content-Type: application/json" \
  -d '{"code": "password = \"admin123\"", "language": "python"}'
```
MCP Support (for AI Agents)
ContrastAPI is also an MCP server. If you use Claude, Cursor, or any MCP-compatible AI tool:
```json
{
  "mcpServers": {
    "contrastapi": {
      "url": "https://mcp.contrastcyber.com/mcp"
    }
  }
}
```
Your AI agent gets 19 security tools — CVE lookup, domain recon, code scanning — without writing any integration code.
Numbers
- 2,287 lines of C (scanner)
- 905 tests across both projects
- 340K+ CVEs indexed with EPSS scores
- 1,500+ CISA KEV entries
- 11 security checks, 100-point scoring
- < 3 seconds per scan
- $0 cost to use
Stack
| Layer | Tech |
|---|---|
| Scanner | C (gcc, libcurl, openssl, libresolv, cJSON) |
| Web Backend | Python, FastAPI, SQLite |
| API Platform | Python, FastAPI, SQLite, MCP SDK |
| Frontend | Vanilla HTML/CSS/JS |
| Server | Hetzner VPS, nginx, systemd, Let's Encrypt |
| Security | fail2ban, Suricata IDS, ipset, AIDE |
No Docker. No Kubernetes. No cloud functions. One VPS, two systemd services, done.
What I Learned
1. C is underrated for web tooling. Everyone reaches for Python or Go. But when you need to do raw TLS handshakes and DNS queries, C gives you direct access to the system libraries that are already there. No wrappers, no abstractions.
2. A single score changes behavior. When I show someone a wall of security headers, they glaze over. When I show them "Grade: D", they immediately want to fix it. Opinionated scoring works.
3. Ship the smallest thing that's useful. The first version had 3 checks. Now it has 11. But the first version was already useful — SSL + headers + DNS covers 60% of what matters.
4. MCP is a distribution channel. Adding MCP support to ContrastAPI took a day. Now any AI agent can use it as a security toolkit. That's distribution I didn't have to build.
Try It
- Scan a domain: contrastcyber.com
- API docs: contrastcyber.com/api
- Full API platform: api.contrastcyber.com
- Source code: github.com/UPinar/contrastscan
No signup, no API key, no paywall. Scan something and tell me what you think.
I'm a solo developer building security tools. If you have feedback or feature requests, drop a comment or reach out at contact@contrastcyber.com.