
Scout — free domain & website security scanner

One external scan of any domain — email authentication, encryption, DNS, web headers, open ports, WordPress plugins and known CVEs, exposed files, blacklist reputation, and defacement monitoring — in plain English, with no install.

See your domain the way an attacker does

Most security problems on a website are visible from the outside long before anyone breaks in: a missing DMARC policy, a certificate about to expire, an admin panel left open, a WordPress plugin three years out of date, a backup file sitting in the web root. Scout finds those things the way an outside attacker or a search-engine crawler would — over the public internet, with nothing installed on the target.

Point it at any domain — your own, a prospect’s, or a client’s — and in seconds you get a plain-English report of what is exposed and how to fix it.
  • No agent, no plugin, no server login. Scout is a fully external scanner.
  • Two domains free forever, no credit card.
  • The same engine runs inside the Lavawall® platform with scheduled scans, multi-tenant dashboards, email reports, and trend history.
  • White-label it on your own MSP marketing site to capture leads.

What Scout checks

One scan covers the whole external attack surface — not just one slice of it. Each finding is scored and explained in language a business owner can act on, with the technical detail underneath for the people who want it.

Email authentication & deliverability

  • SPF, DKIM, and DMARC presence and policy — including DMARC enforcement mode (none / quarantine / reject) and SPF qualifier (-all vs ~all), explained in plain English.
  • Mail provider detection (Microsoft 365, Google Workspace, and others) inferred from MX and authentication records.
  • Exposed email addresses harvested from public pages — the addresses spammers scrape for targeted phishing — listed so you can see exactly what is leaking.

Encryption & transport

  • TLS version support (flags sites without TLS 1.3) and certificate validity, issuer, and auto-renewal status.
  • HTTPS redirect chain and HSTS, so a site that quietly serves HTTP is caught.

Domain & DNS hygiene

  • Registrar, creation/expiry dates, transfer lock, and WHOIS privacy.
  • DNSSEC and CAA records — the controls that stop DNS spoofing and unauthorized certificate issuance.
  • security.txt presence for responsible-disclosure contact.

Web security headers & configuration

  • Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and cookie flags (HttpOnly, SameSite).
  • WAF detection — identifies whether a web application firewall is in front of the site, and which one.
  • HTTP/2, compression, response time, and robots.txt posture.

Open ports & exposed services

  • Port scan with service and version identification.
  • Exposed admin panels — phpMyAdmin, Adminer, Mongo Express, and similar database front-ends that should never be Internet-facing.

CMS, plugins, libraries & known CVEs

  • WordPress core, plugin, and theme detection with versions — including premium plugins and versions surviving CDN rewriting.
  • Framework and JavaScript-library fingerprinting (jQuery, Bootstrap, and more) with version tracking.
  • Known-CVE matching against detected versions, drawing on an NVD-backed vulnerability database, so “outdated” becomes “this version has this known vulnerability.”
  • Abandoned- and stale-plugin detection — flags plugins removed from the directory or not updated in years.

WordPress exposure checks (only on WordPress sites)

These checks are gated to WordPress — they never run against a non-WordPress site, which keeps Scout quiet and avoids tripping firewalls without need.

  • User enumeration via the single REST endpoint — not noisy author-ID brute forcing — so you see which usernames an attacker could target.
  • Sensitive-file, backup, and config discovery: exposed .env, /.git/, wp-config.php backups, debug logs, and directory listing — with the probe batch stopping the moment a WAF block is detected.

Reputation & blacklist

  • Phishing/scam blocklist status via commercial-safe threat intelligence (PhishDestroy, with URLhaus and other feeds) — so you know if browsers and security products are already warning visitors away.

Content-change & defacement monitoring

  • Page-content fingerprinting that ignores dynamic tokens, so only real changes register.
  • New external script and outbound-link detection — the first sign of a card-skimmer, supply-chain compromise, or injected SEO-spam — with notifications when something changes.

Built for MSPs and lean IT teams

Scout is free for two domains, but it is also a first-class module of the Lavawall® platform. Inside Lavawall® the same engine adds:

  • Scheduled scans on a daemon, with trend history so you can show a client their posture improving over time.
  • Native email reports with an embedded issue-count chart and a trend graph, sent to the recipients you choose.
  • Multi-tenant dashboards — every client domain in one console.
  • White-label embedding — put Scout on your own marketing site to generate leads. See white-label Scout.

How Scout compares to WordPress & website scanners

Scout overlaps with the popular website scanners but covers a wider surface. WordPress-specific scanners go deeper on plugin vulnerability databases; malware scanners go deeper on payload signatures. Scout’s job is the whole external picture in one pass.

Capability | Lavawall® Scout | WPSec / WPScan | Sucuri SiteCheck
Works on any site (not just WordPress) | ✗ WordPress only
SPF / DKIM / DMARC email authentication | ✓ With policy & mode explained
TLS / certificate & DNSSEC / CAA | Partial (CMS/TLS surface)
Security headers & WAF detection | Partial
Open-port & exposed-admin-panel scan
WordPress plugin/theme version detection | ✓ Deepest plugin DB | Partial (out-of-date CMS)
Known-CVE matching on detected versions | ✓ NVD-backed | ✓ WPScan vuln DB (WP only)
WordPress user enumeration (quiet, gated)
Exposed file / backup / config discovery
Phishing/malware blacklist reputation | ✓ Commercial-safe feeds | ✓ Strength
Malware payload / SEO-spam signature detection | Partial (defacement & injected-script) | ✓ Strength
Content-change / defacement monitoring | ✓ With alerts | Partial
Exposed-email harvesting check
Scheduled scans, trend history & email reports | ✓ (paid) | ✓ (paid platform)
Multi-tenant MSP dashboard | ✓ Native | Limited | Limited
White-label embed on your own site
Free tier | ✓ Two domains free forever | ✓ Limited free | ✓ Free remote check

Read the detailed write-ups: Lavawall® vs WPSec · Lavawall® vs Sucuri SiteCheck · What is external attack surface management?

Quiet by design

A scanner that hammers a site is a scanner that gets blocked — and that annoys the client. Scout is built to be polite: WordPress probes only fire when the site is genuinely WordPress, file-discovery stops as soon as a firewall pushes back, and reputation and CVE lookups read from prepared data rather than blasting the target. You get the signal without the noise.


If you have any questions or want a walkthrough, reach us through chat, phone, or email on our contact page.