Your first security report is free

Know exactly where your website stands, on demand.

Run a 15-check security scan on your domain and get a clear, AI-authored PDF — executive summary, prioritized fixes, and a remediation roadmap you can act on. Independently verifiable, in minutes.

No credit card to start · upgrade only when you need active testing

  • 15 security checks
  • 3 scan tiers
  • ~1 min to first result
  • 100% verifiable PDF

  • Ownership-gated: We never scan a domain until you prove control of it.
  • In-house engine: Our own scanner — not a reseller of third-party tools.
  • Tamper-evident: Every report carries a public reference & SHA-256.
  • EU company: Talivio Technology OÜ, Tallinn, Estonia.

How it works

From domain to defensible report in four steps

Ownership first, scan second. Every report is tied to a verified asset and signed for verification.

  • 01 Add your domain: Register the asset you want assessed.
  • 02 Verify ownership: Prove control via DNS TXT, an HTML file/meta tag, or WHOIS email.
  • 03 Run the scan: Our engine runs the modules your package allows — passive to full active.
  • 04 Get your report: AI writes the narrative; download a verifiable PDF.

What we check

15 modules across three depths

Each tier unlocks deeper modules. Active and deep modules run only against verified-owned domains.

Passive (Insight)

  • DNS records
  • Email security (SPF/DMARC)
  • WHOIS / RDAP
  • SSL/TLS certificate
  • HTTP security headers
  • Technology fingerprint
  • Subdomains (CT logs)

Light active (Assess)

  • Exposed files (.git/.env/backups)
  • Directory listing
  • security.txt policy
  • TLS configuration
  • Cookie security flags

Deep active (Audit)

  • Port scanning
  • Known-CVE matching (NVD)
  • Vulnerability probes
  • HTTP method / TRACE checks
  • Compliance mapping

Plus: optional deep internal agents

On a domain you have verified, install a lightweight agent (server, PHP, WordPress or JS) to surface internal findings the external scan cannot see — config, versions, permissions — feeding an even deeper report.

Why TCSR

A report your board, lawyer, or auditor can act on

Most tools dump raw findings. TCSR turns them into a decision-ready document.

AI-authored narrative

Findings become a clear executive summary, risk view, and prioritized roadmap — in your language.

Compliance-aware

Every finding is mapped to KVKK, GDPR and ISO 27001 controls.

Independently verifiable

Each PDF has a public reference and SHA-256 — recipients confirm authenticity on our site.

Continuous monitoring

Opt in to daily re-scans and get alerted the moment something changes.

Standards & frameworks

Aligned with the standards the world already trusts

Our testing methodology and every report are built to align with the recognised global security standards — so the document speaks the language your auditor, board and customers expect. Alignment is not certification: TCSR is not an accredited audit.

Testing methodology

  • NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
  • OWASP Top 10: Top 10 Web Application Security Risks (2021)
  • OWASP WSTG: Web Security Testing Guide
  • PTES: Penetration Testing Execution Standard

TCSR is automated — it covers the automatable technical-testing subset of these guides. Manual penetration testing and business-logic review are out of scope.

Control & governance frameworks

Data-protection law

  • GDPR: EU General Data Protection Regulation — Art. 32 Security of processing
  • KVKK: Türkiye Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu) — Art. 12 Data security

NIST 800-115 · OWASP Top 10 · OWASP WSTG · PTES · ISO/IEC 27001 · NIST CSF 2.0 · CIS Controls · PCI DSS v4.0 · SOC 2 · GDPR · KVKK

Logos and standard names are referenced to indicate methodological alignment only and do not imply certification, accreditation, endorsement, or affiliation.

Trust, but verify

Reports anyone can authenticate

Every TCSR report carries a unique reference and a SHA-256 fingerprint. Recipients paste the reference at our public verification page and upload the PDF — the hash is checked entirely in their browser. No tampering goes unnoticed.

Security Report TCSR-2026-0620-AB12 · Verified

  • Domain: example.com
  • Tier: Audit · full active
  • Grade: B
  • SHA-256: 9f2c…a7b40 ✓ matches

And a trust badge for your footer

After each assessment, embed a self-updating security-grade badge that links to a public status page — visitors can verify it themselves.

TCSR Security A

Packages

Scan depth that matches your need

Start free with a passive Insight report, then go monthly or yearly when you need active testing. Cancel anytime.

Insight

Passive OSINT

€49 /month
  • DNS, WHOIS & SSL/TLS analysis
  • Email security (SPF/DMARC)
  • HTTP header & tech fingerprint
  • Subdomain discovery (CT logs)
  • AI-authored PDF report

Assess (Most popular)

Passive + light active

€149 /month
  • Everything in Insight
  • Security header deep analysis
  • Exposed file checks (.git/.env)
  • TLS configuration testing
  • security.txt & directory listing

Audit

Full active

€399 /month
  • Everything in Assess
  • Port scanning
  • Known-CVE matching
  • Vulnerability probing
  • Compliance mapping (KVKK/GDPR/ISO)

Compare plans in detail →

FAQ

Questions, answered

No — and that's the point. TCSR only scans domains after you prove ownership (DNS, file, meta tag, or WHOIS). Active and deep modules run exclusively against verified assets, so you stay on the right side of the law.
Never. The verification page computes the SHA-256 hash entirely in your browser using the Web Crypto API. Your file is not transmitted to our servers.
A professional PDF: executive summary, prioritized findings grouped by severity, a security grade, a remediation roadmap, and compliance mapping (KVKK/GDPR/ISO 27001) — plus a public verification reference.
Passive scans return in about a minute; deep audit scans take a few minutes. Reports are generated right after and delivered as a downloadable PDF.
Yes. Once a domain is assessed you get a self-updating SVG trust badge for your footer that links to a public status page showing your current grade — without exposing detailed findings.
Enable continuous monitoring and TCSR re-assesses daily, alerts you on changes, and generates a fresh report. You can also schedule the internal agents (server, PHP, WordPress, JS) via cron.
Yes. Plans are monthly or yearly via Stripe and can be cancelled whenever you like from your billing portal.

Your first finding could be the one that matters.

Create a free account and see exactly where your domain stands — your first report costs nothing.