Blog
Updates on what we ship and how we think about public hardening checks, not penetration testing.
Run the scanner from the homepage; ship fixes faster with stack guides.
July 5, 2026
SOC 2 readiness checklist: steps before your first audit
A practical SOC 2 readiness checklist for startups. Learn what readiness means, scoping, policies, evidence collection, and when to engage an auditor.
Read moreJuly 2, 2026
Controls now maps every check to PCI DSS 4.0.1, not just SOC 2
Scorifya Controls now produces PCI DSS 4.0.1 evidence alongside SOC 2 in the same self-hosted deployment. One image, both frameworks, on every tier, with no per-framework add-on. Here is what shipped and who it is for.
Read moreJune 30, 2026
Introducing Scorifya Controls: Your Path to SOC 2 Readiness
Exciting news! Scorifya Controls is here to streamline your SOC 2 readiness with automated checks and easy attestation. Discover how it can help your business!
Read moreJune 27, 2026
How we built cryptographic timestamps into a SOC 2 compliance tool, and why auditors can trust them
Most compliance tools timestamp evidence server-side and ask you to take their word for it. Here is how RFC 3161 trusted timestamping moves that trust to DigiCert, and how your CPA can verify every attestation with a single OpenSSL command, no Scorifya account required.
Read moreJune 23, 2026
Introducing Scorifya's New DNS Checker: Practical Insights for Your Site
Discover Scorifya's new DNS feature that enhances security and performance. Learn how it works and why it’s essential for your website's health.
Read moreJune 22, 2026
Introducing Discord Webhook Integration for Scorifya
Send Scorifya's domain-monitoring alerts to a Discord channel: score changes, certificate expiry, email-auth drift, and attack-surface changes. Team-scoped, set up in minutes.
Read moreJune 21, 2026
How a web agency keeps every client site secure with Scorifya
A simple, repeatable workflow for agencies and freelancers: baseline every client site, monitor them for drift, get alerted in Slack or email, and show clients their score with a shareable scorecard.
Read moreJune 21, 2026
Security alerts in Slack and email, the moment a site you watch changes
Add the sites you manage to Scorifya and get a Slack message or email when a security score drops, a certificate is about to expire, or a new subdomain appears. Set it once, then stop manually re-checking.
Read moreJune 21, 2026
Plain-English scan summaries, plus a chat that answers questions about your results
Scorifya can turn a security scan into a readable summary and let you ask follow-up questions in plain language, so you do not need to be a security engineer to act on the results.
Read moreJune 17, 2026
Currently exploited — week of June 17, 2026
Newly catalogued exploited vulnerabilities affecting Widget Factory, Cisco, and others — per CISA's KEV feed this week.
Read moreJune 15, 2026
New in Scorifya: attack-surface mapping, supply-chain checks, and subdomain-takeover monitoring
Scorifya can now map every subdomain your domain has ever exposed, flag the hijackable ones, catch compromised third-party scripts, outdated libraries, and exposed source maps, check your domain reputation, and monitor watched domains for takeovers. Here is everything new and how to use it.
Read moreJune 10, 2026
Currently exploited — week of June 10, 2026
Newly catalogued exploited vulnerabilities affecting Google, Cisco, and others — per CISA's KEV feed this week.
Read moreJune 3, 2026
Currently exploited — week of June 3, 2026
Newly catalogued exploited vulnerabilities affecting Linux, Android, and others — per CISA's KEV feed this week.
Read moreJune 2, 2026
I scanned 20 famous SaaS landing pages for security. Here's the report card.
Stripe scored 98. GitLab scored 70. In between: GitHub, Figma, Notion, Linear, and 14 others. Here is what the public-facing hardening actually looks like across 20 dev-loved SaaS sites, and what almost every one of them is still missing.
Read moreJune 2, 2026
Scorifya is now a Chrome extension, instant security score on any site you visit
The Scorifya Chrome extension is live on the Chrome Web Store. Open the popup on any website and get a 0-100 security score with top findings in seconds, no tab-switching required.
Read moreMay 26, 2026
Publish your scan: shareable scorecard pages and embeddable badges by hostname
Turn any scan into a public, indexable scorecard at /scan/<hostname>, with a per-scan social card that bakes the score into the link preview and an SVG badge you can drop into a README, footer, or status page. Opt-in, easy to unpublish, and built so a single hostname has one canonical public URL.
Read moreMay 16, 2026
CVE pages, second pass: keyword search, AI interpretation, and broader NVD coverage
The Latest CVE notices page and per-CVE detail pages got a substantial rebuild this week: keyword and ID search across the full NVD catalog, a new Newest tab for fresh disclosures regardless of severity, plain-English plus technical AI summaries on every detail page, and faster load times via deferred rendering. Awareness coverage now extends well past the curated CISA KEV slice.
Read moreMay 8, 2026
Scorifya is now on the iOS App Store
Scorifya for iOS pairs with the web product so you can run a public hardening scan from your phone, browse the latest CISA KEV CVEs on the go, and manage your watch list without opening a laptop. Free to download, free to scan; Pro unlocks higher limits via Apple in-app purchase.
Read moreMay 5, 2026
When to run another scan (deploys, DNS, or a new app)
A short playbook for coming back to Scorifya after the kinds of changes that usually move TLS, headers, or mail DNS,so your score matches what visitors actually see.
Read moreApril 29, 2026
Wave 3 progress: watched domains live; email digest and Sign in with Apple coming next
Watched domains are live for signed-in users, Free can watch one, Pro supports many more (fair-use cap), with automatic weekly re-scans. The weekly KEV digest and Sign in with Apple are next on the roadmap.
Read moreApril 28, 2026
Wave 2 shipped: per-CVE pages, per-check guides, stack guides, and RSS
We turned the existing scan vocabulary into real, indexable pages: every KEV CVE has a /cve/[id] page, every finding id with hand-tuned guidance has a /checks/[id] page, and four stack guides under /guides reuse the same content blocks.
Read moreApril 27, 2026
Wave 1 shipped: free Pro trial, shareable scan permalinks, and embeddable score badges
Pro now starts with a 7-day free trial (no card required). Every scan can become a public, indexable permalink at /r/[token] with a dynamic OG image, plus an SVG score badge you can paste anywhere.
Read moreApril 27, 2026
Share permalink lifetimes now scale by plan
Anonymous scan permalinks now persist for 1 day, signed-in free accounts for 5 days, and Pro for 30 days. Same indexable /r/[token] page, same SVG badge, just lifetime tuned to how the share is most likely to be used.
Read moreApril 26, 2026
New page: Latest CVE notices (CISA Known Exploited Vulnerabilities feed)
Scorifya now publishes a Latest CVE notices page sourced from CISA’s Known Exploited Vulnerabilities catalog feed, with the latest 50 notices, built-in search, and vendor advisory links where available.
Read moreApril 26, 2026
Fix Priority Engine: rank remediation by impact, severity, and effort
Scorifya now surfaces a Top Fixes First list that ranks findings by potential score impact, then severity, then likely effort, with a projected score estimate and confidence note.
Read moreApril 22, 2026
Deeper TLS snapshots, robots.txt, and more passive DNS signals in every scan
What we added: bounded TLS 1.2/1.3 handshake views and curated cipher probes, robots.txt hygiene, CAA plus MTA-STS and TLS-RPT when MX exists, BIMI on the apex label, and richer security.txt fields,still passive, still explained on the methodology page.
Read moreApril 13, 2026
TLS versions, certificate expiry, and HTTPS redirects in one browser-style check
Why teams bundle TLS hygiene with headers and DNS when they want a release-week score,not a raw certificate dump or a disconnected header list.
Read moreApril 12, 2026
DMARC, SPF, and what a public scan can infer about email posture
How passive DNS fits a website hardening score: what we read from TXT and MX without sending mail, and why p=none versus reject still shows up in your scorecard context.
Read moreApril 11, 2026
How to check if your site sends an HSTS header (and what “preload” means)
A practical mental model for Strict-Transport-Security: what scanners can observe on first request, how preload lists differ from a one-line header, and where Scorifya surfaces copy-ready fixes.
Read moreApril 10, 2026
Smarter hardening checks: fix what matters first
Scorifya now surfaces the most impactful issues first, with clearer severity labels and copy-ready config examples,still a public hardening check, not a penetration test.
Read more
Get a weekly digest
New KEV CVE notices and (later) score changes on the domains you watch. One email a week, easy unsubscribe. We don't share or sell your address.
By subscribing you confirm you can receive transactional security updates from Scorifya at this email.