Skip to main content

Vysiro is the agentless attack-surface monitor built for the AI era. Type your domain to detect, fix, and prove your security posture in under 60 seconds. Every scan runs 162 deterministic checks across 29 scoring categories - DMARC, SPF, DKIM, SSL/TLS, DNSSEC, MTA-STS, TLS-RPT, BIMI, CAA, DANE, security headers, IP reputation, threat intelligence, MCP and AI agent readiness - and returns a 0-1000 TrustScore with grade, per-finding evidence, copy-paste DNS fixes, and signed proof packs for SOC 2, PCI DSS, NIS2, CISA, NIST, GDPR, and EU AI Act compliance. Push one-click fixes via the Cloudflare API. Free forever tier. Paid plans from $29/month. REST API and MCP server for developers and AI agents.

External Attack-Surface Monitor
Detect · Fix · Prove

Can hackers fake your email, break your site, or fool your customers?Find out - with the exact fix for every gap - in 60 seconds.

vysiro.com/scan - model v1.7

Accepts: example.com · www.example.com · https://example.com

Watch a live scan:

Map your open DMARC, DNS, email, and AI-agent (MCP) exposure, get a 0-1000 TrustScore with the exact copy-paste fix for every gap, and a signed compliance pack for your auditor.

No signup. No agent to install. No tech skills needed - every risk explained in plain English, with the exact fix handed to you.

Vysiro scans your public, external attack surface - DNS, email authentication, TLS, and AI-agent (MCP) exposure - from the outside in. It never touches your internal network, endpoints, or source code.

Free forever tierAI-guided fixesResults in secondsREST API + MCPPlain-English results
example.com · sampleGrade A
803/1000

You’re in good shape - one quick fix away from great.

Email safety92%
Website safety78%
DNS safety100%
Top fix · MTA-STS+18 pts

Your emails can be read while traveling between mail servers - paste this record to close it:

_mta-sts.example.com TXT
"v=STSv1; id=2026"
Deterministic & signed — same input, same score, auditor-ready
See the scoring methodology

Under the hood: 162 security checks29 scoring categories9 compliance frameworks29 free tools

We translate. You act.

Other scanners hand you jargon. Vysiro tells you what it means.

Every finding below is a real Vysiro check - the right column is the exact wording the product uses. Prefer the raw detail? One toggle flips the whole product to Technical.

DMARC p=none

Anyone can send email pretending to be you

TLSA record missing (DANE)

Attackers could impersonate your mail server

DNSSEC not enabled

Hackers could redirect your visitors to a fake site

MTA-STS policy absent

Your emails can be read while traveling between mail servers

IP listed on DNSBL

Your emails are more likely to land in spam

Covers the core job of 15+ point tools

One scan replaces your entire tool stack

DMARC dashboards, SSL Labs, MxToolbox, dnstwist, MCP checkers - point tools you remember to run quarterly when you're lucky. Vysiro folds them into a single 60-second scan with a 0-1000 score and a copy-paste fix.

DMARC report parsing + policy monitoring

Typical point tools

EasyDMARC, Dmarcian

In Vysiro

Reads your DMARC record, scores policy strength, parses aggregate XML reports inline.

DMARC category (T-class), DMARC RUA tool

DNS records + blacklist lookup

Typical point tools

MxToolbox

In Vysiro

Full DNS resolution across 5 DoH resolvers, RBL cross-check on every MX host.

DNS + IP Reputation categories

TLS / SSL grade

Typical point tools

SSL Labs

In Vysiro

Cipher + protocol grading on every scan, no separate report to run.

SSL/TLS category

Security headers grade

Typical point tools

SecurityHeaders.com

In Vysiro

CSP, HSTS, X-Frame-Options, Referrer-Policy scored in the same call.

Security Headers category

SPF record validation + flattening

Typical point tools

autospf

In Vysiro

Lookup count, mechanism order, recommended flattening surfaced as a Fix It issue.

SPF category + SPF Flattener tool

DNSSEC verification

Typical point tools

Verisign DNSSEC Debugger

In Vysiro

DNSSEC chain validated end-to-end on each scan.

DNSSEC category

BIMI record + VMC readiness

Typical point tools

BIMI Group inspector

In Vysiro

BIMI presence, logo URL, VMC link checked alongside DMARC enforcement.

BIMI category

MTA-STS + TLS-RPT compliance

Typical point tools

Hardenize, aykira

In Vysiro

Policy file fetched, version parsed, TLS-RPT endpoint validated.

MTA-STS + TLS-RPT categories

Certificate Transparency log search

Typical point tools

crt.sh, Cert Spotter

In Vysiro

CT log tail on every scan; subdomain inventory surfaces orphan certs.

Certificate Lifecycle category + CT Log tool

Typosquatting / lookalike detection

Typical point tools

dnstwist

In Vysiro

Generates and resolves common permutations to flag live impersonators.

Brand Integrity category

IP reputation / blacklist scoring

Typical point tools

Spamhaus, Barracuda RBL

In Vysiro

Multi-RBL lookup with graduated scoring (1, 2-3, 4+ list hits).

IP Reputation category

Subdomain takeover scanning

Typical point tools

nuclei takeover templates

In Vysiro

8 dedicated takeover checks covering S3, Heroku, GitHub Pages, etc.

Subdomain Takeover block (TAKEOVER_001-008)

Expiry Guard: cert, chain, DNSSEC + VMC expiry monitoring

Typical point tools

TrackSSL, UptimeRobot SSL, StatusCake

In Vysiro

One daily monitor watches every silent-expiry failure mode: leaf certificate, intermediate CA chain, DNSSEC RRSIG signatures, and the BIMI VMC behind your verified logo. Alerts at 30 / 14 / 7 days before each notAfter, with an auto-renew-aware downgrade so ACME certs do not spam.

Certificate Lifecycle + DNSSEC + BIMI categories, via expiry-guard.ts + /api/cron/cert-expiry

Uptime / availability monitoring + downtime alerts

Typical point tools

UptimeRobot, StatusCake, Better Stack

In Vysiro

Periodic HTTPS check, status-change alerts via email / webhook. Edge availability and resolver health rolled into the same monitor.

Edge Hosting + DNS Resilience + /api/cron/uptime

WHOIS + domain-expiry monitoring + alerts

Typical point tools

WhoisJSON, whois.com, Uptime.com

In Vysiro

Daily RDAP / WHOIS check with 30 / 14 / 7 / 1 day expiry alerts. Catches the disaster nobody ever monitors until it happens.

Domain Hygiene category + /api/cron/whois-expiry

DNS change monitoring + drift alerts

Typical point tools

DNS Spy, Domain Monitor

In Vysiro

Scheduled re-scan diffs DNS records (A / MX / NS / TXT) and fires drift alerts. CT-log tail catches new cert issuance within ~60 seconds.

Scheduled re-scan + /api/cron/dns-drift

MCP / llms.txt exposure

Typical point tools

(none - greenfield)

In Vysiro

llms.txt audit + MCP endpoint discovery + auth-header probe ship today; deeper MCP coverage staged in the registry.

Agent Readiness category (live); MCP block (MCP_001-025) staged in the registry

How It Works

Detect. Fix. Prove. In under 60 seconds.

The only platform that completes the full loop: scan 162 checks, push one-click fixes via Cloudflare, generate compliance evidence for SOC 2, PCI DSS, and NIS2.

1000
TrustScore

Get your TrustScore

Comprehensive analysis across 29 categories, 162 checks

• DMARC Security
• SPF Validation
• DKIM Signing
• SSL/TLS Config
• DNS Security
• MX Validation
• DNSSEC Status
• Header Analysis
Why Vysiro

The only platform thatdetects, fixes, and proves

162 security checks across 29 categories. One TrustScore. One-click fixes. Compliance evidence for SOC 2, PCI DSS, and NIS2.

Step 1

Scan in Under 60 Seconds

One scan checks 29 security categories across email, web, DNS, and compliance. No setup, no agents, no configuration.

Step 2

See Every Weakness

TrustScore 0-1000 gives you one number to track. Drill into any category to see what is wrong, which RFC it violates, and how it compares to benchmarks.

0/ 1000
Step 3

One-Click Push Fix

Vysiro generates the exact DNS record for each issue. Copy-paste into Route 53 or Google Cloud DNS. Or connect Cloudflare and Push Fix deploys the record in one click.

How Vysiro compares to other tools

Feature
Other Tools
Vysiro
Protocols scanned
1-3 (DMARC/SPF only)
11 DNS protocols in one scan (DMARC, SPF, DKIM, DNSSEC, DANE, MTA-STS, TLS-RPT, BIMI, CAA, MX, NS) plus SSL/TLS, security headers, IP rep, AI-agent surface
Time to results
30s to several minutes
Under 60 seconds for all 11 protocols
TrustScore (0-1000)
No unified scoring
Single score across all categories with grade A+ to F
Fix generation
Manual docs / copy from RFC
AI auto-fix with provider-specific records (Cloudflare, Route 53, Google DNS)
AI-guided fixes
Not available
AI generates ready-to-paste DNS records for Cloudflare, Route 53, Google DNS
Compliance mapping
None or single framework
9 frameworks (PCI DSS 4.0, NIS2, CISA BOD, NIST, SOC 2, GDPR, PDPA, Essential Eight, EU AI Act)
AI agent support
None
MCP server + REST API for agent integration
Subdomain scanning
Separate tool required
Built-in subdomain discovery + per-subdomain scoring
Typosquat detection
Not available
Lookalike domain detection with risk scoring
DMARC report parsing
Basic aggregate view
RFC 7489 parser with source IP analysis + alignment breakdown
Post-quantum readiness
Not tracked
PQC readiness checks (ML-KEM, ML-DSA, hybrid TLS)
Score history + alerts
Not available
Score trend chart + regression alerts on score drop
Multi-domain portfolio
$100+/mo add-on
Built-in portfolio dashboard with bulk scan + comparison
Embeddable trust badge
Not available
Live SVG badge with real-time score for your website
Free tier
7-14 day trial only
Free forever - unlimited scans, no credit card
Pricing (paid)
$5K+/yr enterprise contracts
Starter $29/mo, Growth $99/mo - self-serve
162+
Security Checks/Scan
29
Scoring Categories
8s
Avg Scan Time
9
Compliance Frameworks
Security Threats

See how attacks happen - and how Vysiro catches them

Real attack patterns. Real-time detection.

DMARCSPFDKIM

Attacker sends fake CEO email

No DMARC = email delivers

Employee sends $50K

Vysiro Detects & Alerts
Detection Active

Vysiro detects missing DMARC p=reject, SPF misalignment, no DKIM

DNSSECCAADNS Health

Attacker compromises DNS

Visitors redirected to fake site

Credentials stolen

Vysiro Detects & Alerts
Detection Active

Vysiro detects DNSSEC disabled, no CAA records, nameserver changes

SSL/TLSHeadersPQC

Attacker forces weak cipher

Intercepts encrypted traffic

Reads sensitive data

Vysiro Detects & Alerts
Detection Active

Vysiro detects weak TLS, missing HSTS, no security headers

Domain GraphBIMIMonitoring

Attacker registers vysir0.com

Sends phishing emails

Victims click malicious links

Vysiro Detects & Alerts
Detection Active

Vysiro detects lookalike domains, checks BIMI verification

ComplianceProof Packs

PCI DSS 4.0 deadline passes

No DMARC configured

Audit fails, fines issued

Vysiro Detects & Alerts
Detection Active

Vysiro maps compliance in real-time with deadline tracking

MTA-STSDANETLS-RPT

Attacker intercepts mail relay

No MTA-STS forces plaintext fallback

Sensitive emails read in transit

Vysiro Detects & Alerts
Detection Active

Vysiro detects missing MTA-STS, DANE records, and TLS reporting

MCP Detectionllms.txtAI Crawler Policy

Attacker discovers unauthed /mcp endpoint

llms.txt leaks internal paths and tokens

AI agent exfiltrates data via tool calls

Vysiro Detects & Alerts
Detection Active

Vysiro detects shadow MCP servers, llms.txt leakage, missing AI crawler policy, weak MCP auth (NSA May 2026 guidance, Qualys QID 48288)

Scan coverage

29 security categories. One score.

Click any category to explore

1000TrustScoreA+
Mail Security6 checks
Web Security4 checks
Domain Security4 checks
Agent Security2 checks
Platform

Everything you need to secure every domain

From scanning to fixing to proving compliance - all automated.

162 Security Checks

DMARC, SPF, DKIM, MTA-STS, DANE, BIMI, ARC, SSL/TLS, DNSSEC, CAA, TLS-RPT, security headers, IP reputation, AI agent surface, and more - all checked in under 60 seconds.

AI Swarm Intelligence

A multi-stage AI pipeline - detection, adversarial simulation, executive reporting, forensics - cross-validates findings and generates ready-to-use fixes.

AgentShield

Zero-Standing Privilege for AI agents. Time-limited, scope-restricted tokens with full audit trails.

Post-Quantum Ready

ML-DSA and ML-KEM readiness assessment for DKIM signing and TLS key exchange. Future-proof your domain security.

Compliance Mapping

Auto-map findings to SOC 2, PCI DSS, NIS2, CISA BOD, NIST, and GDPR. Generate audit-ready proof packs.

AI-Powered Remediation

AI generates provider-specific DNS records you can copy-paste into Cloudflare, Route 53, Google Cloud DNS, or DigitalOcean. Every fix is formally verified safe against your existing config - deterministic constraint checks, no LLM - before you apply it.

Built for security-conscious teams

Run by one scan or one thousand

1,000+

Domains per workspace

162

Security Checks per Scan

11

Protocols Analyzed

29

Scoring Categories

Real use cases

How Teams Use Vysiro

Portfolio Dashboard

MSP managing 50+ client domains

Portfolio-wide TrustScore monitoring with one dashboard. Spot misconfigurations across all clients in seconds, not hours.

Compliance Proof Packs

Startup preparing for SOC 2 audit

Compliance mapping across 9 frameworks with exportable proof packs. Auditors get SHA-256 verified evidence.

AI Auto-Fix Engine

IT team hardening email security

Guided DMARC rollout from p=none to p=reject with AI-generated DNS records. Copy-paste into any provider.

Founding 500: First 500 users get Growth with unlimited fixes for 30 days.Claim your spot
Pricing

Simple, transparent pricing

Free scans forever. Fixes included in every plan. Scale as you grow.

MonthlyAnnual Save 20%

Free

$0/mo

3 AI fixes/mo

  • 1 domain
  • Unlimited scans
  • 162 security checks (29 categories)
  • DMARC, SPF, DKIM, SSL, DNSSEC analysis
  • Full TrustScore breakdown (0-1000)
  • AI Chat - 25 questions/mo
  • 3 AI fixes/mo with preview
  • Shareable scan report
  • 100 API calls/mo
  • 30-day history
Get Started Free

Starter

$29/mo

15 AI fixes/mo

  • 5 domains (CT-log alerts on)
  • Everything in Free, plus:
  • One-click Push Fix via Cloudflare
  • Daily monitoring + CT-log change detection
  • Expiry Guard: cert, chain, DNSSEC + VMC expiry alerts
  • Email + webhook alerts
  • AI Chat - 100 questions/mo
  • 15 AI fixes/mo
  • 17 correlation rules
  • Subdomain takeover detection
  • Compliance summary (9 frameworks)
  • PQC readiness score
  • 5,000 API calls/mo
  • 30-day history
Start for $29/mo

MSP Partner

Custom

Custom - for MSPs & agencies

Unlimited fixes

  • Manage your clients' domains
  • Everything in Growth, plus:
  • Up to 50 client perimeters
  • Multi-tenant client management
  • White-label reports + branded PDFs
  • Per-client TrustScore + exports
  • Partner margin / wholesale pricing
  • Dedicated partner manager
  • Unlimited fixes + API calls
Become a Partner
Coming soon

Enterprise

Custom

Custom - for large orgs

Unlimited fixes

  • Secure your own org at scale
  • Everything in Growth, plus:
  • Volume internal domains
  • Custom SLA + security review
  • Security questionnaire support
  • Procurement, MSA & DPA support
  • Dedicated CSM + priority engineering
  • SSO/SAML + SIEM export (on the roadmap)
  • Unlimited fixes + API calls
Join the waitlist

Fixes included in every plan - you only pay for what works. Every fix is formally verified safe against your existing config before execution.

Free scanner SOC 2 (In Progress) 99.9% uptime

What you replace with $29/mo

Vysiro covers the full Detect → Fix → Prove loop in one scan. Each tool below does only one piece - and none touch the AI-agent surface.

To match Vysiro, you’d juggle…CoversMonthlyAuto-fixUnified scoreAI / MCP
PowerDMARC / EasyDMARCEmail auth only$8-72×××
MxToolbox monitoringDNS / email diagnostics~$129×××
SSL Labs + SecurityHeadersTLS + headersFree (manual)×××
Attaxion / entry EASMAsset discovery~$129×××
MCP / AI-agent exposureAI-agent surfaceCan’t buy it---
Vysiro StarterAll of the above · 162 checks$29✓ 0-1000

Cyber insurance: an 800+ TrustScore plus your exportable, SHA-256-signed compliance proof pack gives you documented evidence of your security posture to bring to a premium negotiation.

Competitor pricing is indicative - public list prices as of July 2026; see each vendor’s site. MCP / AI-agent exposure has no direct commercial equivalent today. Vysiro Starter is $29/mo (billed annually, $348/yr).

FAQ

Frequently Asked Questions

Everything you need to know about Vysiro

A Domain Trust Score is a 0-1000 numerical rating that measures a domain's security across 29 categories including DMARC, SPF, DKIM, SSL/TLS, DNSSEC, MTA-STS, BIMI, CAA, IP reputation, threat intelligence, and more. Higher scores indicate stronger security. Vysiro generates this score in seconds by scanning 162 security checks.

Use Vysiro's free DMARC checker at vysiro.com/tools/dmarc-checker. Enter your domain and get instant analysis of your DMARC policy, reporting configuration, and alignment settings. No signup required.

Yes. The portfolio dashboard lets MSPs manage multiple client domains, generate white-label reports, and embed trust badges on client sites.

We recommend weekly scans. Paid plans include automated scheduled scans (daily on Starter, priority monitoring on Growth) with alerts for any score drops.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) prevents email spoofing by telling mail servers how to handle unauthenticated messages. Without DMARC, attackers can send emails that appear to come from your domain, enabling phishing and business email compromise.

A typical Vysiro scan completes in under 60 seconds. It queries multiple DNS resolvers in parallel using DNS-over-HTTPS, checks SSL/TLS certificates, security headers, and runs 162 checks across 11 protocols simultaneously.

Stop Monitoring.
Start Fixing.

Scan in under 60 seconds. See what single-purpose tools miss. One-click Push Fix on Cloudflare. From $29/mo.

60 sec results
SOC 2 (In Progress)
API-first
PQC ready