Security

See what's exposed before it ships.

Real browser-grade TLS, certificate, header, DNS, and tech-stack analysis — turned into an A–F grade with prioritized, remediable findings and tracked over time.

Illustrative product preview

Latest endpoint scan

https://api.example.com

Example grade

B

82 / 100

  • Content-Security-Policy is missingHigh
  • Deprecated TLS 1.1 is acceptedMedium
  • Certificate chain verifiedPassed

Fixed example scan · 12 Jul 2026 · 09:40 UTC

What you get

Browser-grade TLS analysis

Real uTLS ClientHello fingerprinting enumerates supported TLS versions and ciphers with forward-secrecy and strength ratings — not a header sniff.

Certificate chain & OCSP

Full leaf-to-root chain extraction with validity windows, key strength, signature algorithms, SANs, and OCSP stapling detection.

Header & protocol coverage

HSTS, CSP, X-Frame-Options and more — plus HTTP/2 & HTTP/3 support and HSTS preload eligibility.

DNS & endpoint posture

DNSSEC, SPF, DMARC and CAA, plus WAF/CDN detection, insecure-cookie flags, and security.txt disclosure.

Tech-stack CVE / EOL

Fingerprints frameworks and versions, then matches them against an embedded CVE and end-of-life advisory database.

One scan, five phases

Every category is independently scored and weighted into a single A to F grade, so you know exactly where to spend the next hour.

  1. 01

    Passive TLS & headers

    Negotiated TLS version, certificate, and the seven critical security headers, captured in a single request.

  2. 02

    Active uTLS enumeration

    Browser-grade ClientHello fingerprinting enumerates supported versions and ciphers with forward-secrecy and strength ratings.

  3. 03

    Certificate chain & protocol

    Full leaf-to-root chain, OCSP stapling, HTTP/2 & HTTP/3 support, and HSTS preload eligibility.

  4. 04

    DNS posture

    DNSSEC, SPF, DMARC, and CAA, validated with a DNSSEC-aware resolver.

  5. 05

    Endpoint & tech CVE

    WAF/CDN detection, insecure cookies, security.txt, and tech-stack matched against a CVE / end-of-life database.

Illustrative product preview

Latest endpoint scan

https://api.example.com

Example grade

B

82 / 100

  • Content-Security-Policy is missingHigh
  • Deprecated TLS 1.1 is acceptedMedium
  • Certificate chain verifiedPassed

Fixed example scan · 12 Jul 2026 · 09:40 UTC

Illustrative product preview

Deprecated transport detected

https://api.example.com

Security conditionActive
Observed evidence
TLS 1.1 accepted
Alert condition
Deprecated TLS enabled
Service
Example API
Delivery
Email and webhook

Fixed example alert; current scan evidence drives the rule.

Track posture, alert on current risk

Telesis records each endpoint’s grade on every scan. Alert rules evaluate the current scan for a configured share of categories below 70, deprecated TLS, weak ciphers, invalid certificate chains, and missing security headers.

Routes to Slack, email, and webhooks.

Why teams pick it

  • Real uTLS browser fingerprinting, not a header sniff
  • A+–F grade with prioritized findings, remediation, and reference links
  • DNS posture — DNSSEC / SPF / DMARC / CAA — in a single scan
  • Security posture history with configurable current-state alerts

Ready to try Security Scanning?

Real browser-grade TLS, certificate, header, DNS, and tech-stack analysis — turned into an A–F grade with prioritized, remediable findings and tracked over time.