About
Built by a security engineer, for teams without one.
Scorifya builds two security tools: a public hardening scorecard that gives any URL a 0–100 score across TLS, headers, cookies, DNS/email, and infrastructure visibility, and Scorifya Controls, a self-hosted SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022 compliance tool with automated checks, manual control tracking, and cryptographic attestation timestamps. Both are built for teams that need real security tooling without enterprise pricing or a dedicated security headcount.
Built by practitioners
Scorifya is built by security and systems engineers with production experience designing and operating enterprise security controls, running compliance programs, and preparing the audit evidence that goes with them. The tools come from that work, not from reading framework documentation.
The check library and control framework were developed in consultation with security engineers, systems engineers, and cloud specialists whose backgrounds span PCI DSS and FedRAMP compliance audits, cloud architecture and operations across AWS, Microsoft Azure, and Google Cloud, and vendor security assessments across enterprise environments. That depth of real-world experience determines what the tools check, what gets flagged as critical, and what the remediation guidance actually says.
Scorifya is operated as Scorifya LLC, a registered company. The products are actively maintained, licensed, and supported, not an abandoned side project.
The scanner came from a recurring frustration: every "is my site secure" tool was either header-only, TLS-only, or paywalled behind an enterprise gate. Controls came from watching seed-stage teams attempt SOC 2 compliance in spreadsheets because Vanta and Drata cost $10,000–$15,000 a year before they had product-market fit. Both tools exist because the gap was real and the existing options weren't sized for the teams that needed them most.
The products
Scorifya Scanner
A free, no-signup 0–100 security hardening score for any public URL. Covers TLS and HTTPS configuration, security headers, session cookie flags, passive DNS and email authentication, and infrastructure visibility signals. Methodology is fully published. Not a penetration test, exploit scan, or compliance certification. It scores what visitors and browsers can already see.
Scorifya Controls
A self-hosted SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022 compliance tool with 54 automated checks across AWS, GitHub, GCP, and Azure, 36 manual controls with evidence file uploads, and RFC 3161 cryptographic timestamps on every attestation, issued by DigiCert and independently verifiable by your CPA firm without trusting Scorifya. Three tiers from $99/mo, monthly or annual, no per-seat pricing, your data stays on your infrastructure.
What we believe
Security tooling should be transparent. We publish how scoring works, what checks run, what the weights are, and what the tools do not do, so you can verify results instead of trusting a black box. The methodology for the scanner is public. The check library for Controls maps every automated check to a specific AICPA Trust Services Criterion.
Security tooling should be self-hostable when it touches sensitive infrastructure. Controls runs on your own server. Your AWS credentials, GitHub tokens, attestation records, and evidence files never leave your environment.
Security tooling should give you findings you can act on. A score without a fix path is a vanity metric. Every failing check in the scanner includes plain-language context and a remediation direction. Every automated check in Controls links to the specific TSC criterion so you know what gap you're closing.
Transparency
- How Scorifya works: scanner category weights, penalties, and scope.
- How Scorifya compares: deep TLS graders, browser-focused posture tools, and header-only checkers.
- Controls help guide: real-world questions about SOC 2 readiness, automated checks, auditor trust, and evidence.
- security.txt (RFC 9116) for coordinated disclosure.
Follow along
Follow Scorifya on LinkedIn or Reddit for updates and new tool announcements.
Contact
Questions about the scanner, Controls licensing, or anything else? Use the contact page.