🛡️ Exposed

Enter any domain for an instant security exposure report. Checks data breaches, attack surface, email authentication, security headers, threat intelligence, and exposed files — all from public sources, no signup required.

What is Exposed?

Exposed is a free, instant domain security scanner that combines 15+ public intelligence sources into a single comprehensive exposure report. Think of it as a free alternative to commercial security rating platforms like SecurityScorecard, BitSight, or UpGuard — but with immediate results and zero signup.

What Does It Check?

Data Breach Exposure
Searches the Have I Been Pwned database of 900+ breaches to find if the domain has been involved in any data breaches. Shows total accounts exposed, breach dates, and what data types were compromised (passwords, emails, credit cards, etc.).
Attack Surface Mapping
Discovers subdomains via HackerTarget and Certificate Transparency logs, then checks each resolved IP against Shodan InternetDB for open ports, known CVEs, and running services. Identifies infrastructure sprawl that increases exposure.
Email Authentication
Validates SPF, DKIM, and DMARC records to assess email spoofing resilience. Checks DNSSEC validation and CAA certificate authority restrictions. Poor email authentication allows attackers to send convincing phishing emails as your domain.
Security Headers
Analyzes HTTP response headers including HSTS (forces HTTPS on return visits), Content-Security-Policy (XSS protection), X-Frame-Options (clickjacking), X-Content-Type-Options (MIME sniffing), and Referrer-Policy. Missing headers leave visitors without these browser-enforced protections.
Threat Intelligence
Cross-references the domain and its IPs against AlienVault OTX pulse database and abuse.ch feeds (Feodo botnet C2, URLhaus malware distribution). Reveals if any infrastructure has been flagged as malicious.
Exposed Files
Searches the Wayback Machine for historically archived sensitive paths like .env files, .git directories, wp-admin panels, database dumps, and configuration files. Even if removed, their existence in archives suggests past exposure.
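
To make the Email Authentication check above concrete, here is an added example (not Exposed's own code) that grades SPF and DMARC TXT records for spoofing resilience. The function names, the pass/warn/fail statuses, and the sample records are assumptions made for illustration; DKIM is left out because its key is published under a selector that cannot be derived from the domain alone.

```python
# Added example. Records in SAMPLES are constructed; no DNS lookups are made.
RANK = {"pass": 0, "warn": 1, "fail": 2}
def check_spf(txt):
    """Grade the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return "fail", ("no SPF record" if not spf else
                        "multiple SPF records (permerror, RFC 7208)")
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:  # RFC 7208: default result is neutral unless redirect= applies
        return "warn", "no 'all' term: result is neutral or set by redirect="
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {"-": ("pass", "-all: unlisted senders hard-fail"),
            "~": ("warn", "~all: unlisted senders only soft-fail"),
            "?": ("warn", "?all: unlisted senders get neutral"),
            "+": ("fail", "+all: every host is authorised")}[qualifier]

def check_dmarc(txt):
    """Grade the DMARC policy from the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(recs) != 1:
        return "fail", ("no DMARC record" if not recs else
                        "multiple DMARC records (ignored, RFC 7489)")
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in
            (part.partition("=") for part in recs[0].split(";"))}
    policy, pct = tags.get("p"), tags.get("pct", "100")
    if policy == "none":
        return "warn", "p=none: monitoring only, spoofed mail still delivered"
    if policy not in ("quarantine", "reject"):
        return "fail", "missing or invalid p= tag"
    if pct.isdigit() and int(pct) < 100:
        return "warn", f"p={policy} applied to only {pct}% of failing mail"
    return "pass", f"p={policy} enforced"

def assess(spf_txt, dmarc_txt):
    """Return both findings plus the worse of the two as the overall status."""
    spf, dmarc = check_spf(spf_txt), check_dmarc(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc,
            "overall": max(spf[0], dmarc[0], key=RANK.get)}

SAMPLES = {  # constructed: domain -> (apex TXT records, _dmarc TXT records)
    "strict.example": (["v=spf1 include:_spf.strict.example -all"],
                       ["v=DMARC1; p=reject; rua=mailto:d@strict.example"]),
    "monitor.example": (["v=spf1 ip4:192.0.2.10 ~all"], ["v=DMARC1; p=none"]),
    "open.example": (["v=spf1 +all"], []),
}
for name, records in SAMPLES.items():
    print(name, assess(*records))
```

To run it against a real domain, pass in the TXT records returned for the domain itself and for its _dmarc label.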

How Is the Security Grade Calculated?

The overall A through F grade is a weighted composite of six category scores. Breach exposure and attack surface carry the highest weight because they represent confirmed or high-probability compromise vectors. Email authentication and security headers are weighted moderately as preventive controls. Threat intelligence and exposed files contribute to the final score as indicators of ongoing or historical risk.

The 10 Best Data Breach Checkers in 2026, Ranked

The best free data breach checkers in 2026 are Have I Been Pwned and Mozilla Monitor for everyday email checks, with DeHashed and Intelligence X for deeper investigative searches and Hudson Rock for infostealer-malware exposure. The ranked list below notes what each covers and what is genuinely free. Use these only to check your own data (or data you are authorised to investigate) — using leaked credentials to access someone else's account is illegal.

  1. Have I Been Pwned — the gold standard, built by security researcher Troy Hunt. Enter an email or phone number and it lists the known breaches your data appeared in; its Pwned Passwords feature checks individual passwords. Try our HIBP breach catalog and password check. Cost: Free.
  2. Mozilla Monitor — from the makers of Firefox. Scans your email against known breaches and monitors up to five addresses for free, with a paid Plus tier that automatically removes your data from 190+ broker sites. Best for set-and-forget consumer monitoring. Cost: Freemium.
  3. DeHashed — the largest and fastest searchable breach engine: query by email, username, IP, phone, name, or address, with wildcards. Powerful but built for investigators, not casual users. Cost: Freemium.
  4. Intelligence X — searches breaches, leaks, pastes, and darknet sources that mainstream checkers miss. Best for deep and darknet exposure. Cost: Freemium.
  5. Google Password Checkup — built into Chrome and Google accounts, it flags reused and compromised saved passwords automatically. The easiest option if you already store passwords with Google. Cost: Free.
  6. HPI Identity Leak Checker — run by Germany's Hasso Plattner Institute, it emails a detailed report of where your address appears across leaks. A trusted, independent academic option. Cost: Free.
  7. LeakCheck.io — searches by email, username, password, or domain, with clear results. A solid middle ground between consumer checkers and investigator tools. Cost: Freemium.
  8. Hudson Rock — its free tools check whether your email or domain appears in infostealer-malware logs, an exposure that breach-database checkers like HIBP do not cover. Best for catching stolen-credential infections. Cost: Free tools (paid platform).
  9. Snusbase — fast, researcher-grade lookup by email, username, IP, or hash. Popular in security teams. Cost: Paid.
  10. BreachDirectory — a quick free check of an email or username against breach datasets, with partial previews. A handy second opinion. Cost: Free.

For individuals, start with Have I Been Pwned and Mozilla Monitor, then check Hudson Rock for infostealer exposure; change passwords and enable two-factor authentication on anything flagged. For a whole domain or business, run our Exposed scanner above, and pivot to our email lookup to map exposed addresses.

Is My Email on the Dark Web? How to Check for Free

You cannot (and should not) browse the dark web to look for your own email — but you can check for free whether your address has turned up in the breach dumps, combolists, and stealer logs that circulate there. "On the dark web" almost always means your email appeared in leaked data being traded on forums and markets, not that someone is actively targeting you.

How to check, for free:

  1. Have I Been Pwned — tells you which breaches your address appears in and what data was exposed.
  2. Mozilla Monitor — scans your address and monitors it for free, alerting you to new exposures.
  3. The Exposed scanner above — checks your email or domain against breach sources in one place.
  4. Hudson Rock — its free tools check whether your address appears in infostealer-malware logs, a dark-web exposure ordinary breach checks miss.

If your email turns up, the fix is straightforward: change the password anywhere you reused it, turn on two-factor authentication, and consider ongoing monitoring. See our ranked breach checkers for the full list. These tools tell you that you are exposed so you can secure your accounts — they never hand out the leaked password itself.

How to Check Your Digital Footprint (Free)

To check your digital footprint, investigate yourself the way an analyst would: search your name, email, usernames, and phone across search engines, breach checkers, people-search sites, and reverse-image tools. This free self-audit shows exactly what is exposed so you can decide what to remove.

  1. Search engines. Google your full name in quotes with a city or employer, then repeat for your usernames and phone number. Note every page that surfaces real details.
  2. Breach exposure. Run your email through the Exposed scanner above and Have I Been Pwned to see which breaches you appear in.
  3. People-search sites. Check TruePeopleSearch and similar for your listed address, relatives, and phone (see our people-search list).
  4. Usernames and images. Run your handles through a username search, and reverse-image your profile photos to see where else they appear.
  5. Act on it. Once you know what is out there, follow our removal guide to opt out and lock down what you found.

🛡️ Exposed — Frequently Asked Questions

How do I check my digital footprint for free?

Search your name in quotes plus a city, run your email through Have I Been Pwned and the Exposed scanner, check people-search sites like TruePeopleSearch, run your usernames through a username search, and reverse-image your profile photos. Together these show what a stranger can find about you for free.

How do I check if my email is on the dark web?

Use free tools that check breach and leak data rather than browsing the dark web yourself: Have I Been Pwned and Mozilla Monitor show which breaches your address appears in, and Hudson Rock checks infostealer-malware logs. If you appear, change reused passwords and enable two-factor authentication.

What does it mean if my email is on the dark web?

It usually means your address showed up in a data breach, combolist, or stealer log being traded on dark-web forums — not that you are being personally targeted. The risk is credential stuffing and phishing, so secure any account where you reused the exposed password.

What is the best free data breach checker?

Have I Been Pwned is the gold standard — free, trusted, and able to check an email or phone number plus individual passwords. Mozilla Monitor adds free ongoing monitoring for up to five addresses, while DeHashed and Intelligence X go deeper for investigators.

How can I check if my information was leaked online?

Enter your email at Have I Been Pwned and Mozilla Monitor for a fast first pass, then run a deeper search with DeHashed or Intelligence X. To catch stolen credentials from malware infections, check Hudson Rock. Change passwords and enable two-factor authentication on anything that appears in a breach.

How do I check a domain for data breaches?

This scanner checks a domain against breach databases and probes for misconfigurations and leaked data — the same exposure an attacker would find — so you can fix it first. Free and in-browser.

What does the Exposed scanner check?

Exposed performs six categories of security checks: data breach exposure via HIBP, attack surface mapping (subdomains, open ports, CVEs), email authentication (SPF, DKIM, DMARC, DNSSEC), HTTP security headers (HSTS, CSP, X-Frame-Options, etc.), threat intelligence (OTX, Feodo, URLhaus), and exposed sensitive files via the Wayback Machine. Each category is graded and combined into an overall A through F security score.

Is this a free alternative to SecurityScorecard or BitSight?

Yes. Exposed provides similar domain security visibility using entirely free, no-auth public APIs. While commercial platforms like SecurityScorecard and BitSight offer deeper enterprise features, Exposed gives instant results without signup, contracts, or per-scan fees.

Does scanning a domain alert the target?

No. Exposed only queries public databases and passive intelligence sources. It does not actively probe the target's servers, send packets, or interact with the domain directly except for DNS lookups. All data comes from pre-indexed sources like Shodan, HIBP, and certificate transparency logs.