Vysiro is the agentless attack-surface monitor built for the AI era. Type your domain to detect, fix, and prove your security posture in under 60 seconds. Every scan runs 162 deterministic checks across 29 scoring categories - DMARC, SPF, DKIM, SSL/TLS, DNSSEC, MTA-STS, TLS-RPT, BIMI, CAA, DANE, security headers, IP reputation, threat intelligence, MCP and AI agent readiness - and returns a 0-1000 TrustScore with grade, per-finding evidence, copy-paste DNS fixes, and signed proof packs for SOC 2, PCI DSS, NIS2, CISA, NIST, GDPR, and EU AI Act compliance. Push one-click fixes via the Cloudflare API. Free forever tier. Paid plans from $29/month. REST API and MCP server for developers and AI agents.
Can hackers fake your email, break your site, or fool your customers?Find out - with the exact fix for every gap - in 60 seconds.
Accepts: example.com · www.example.com · https://example.com
Map your open DMARC, DNS, email, and AI-agent (MCP) exposure, get a 0-1000 TrustScore with the exact copy-paste fix for every gap, and a signed compliance pack for your auditor.
No signup. No agent to install. No tech skills needed - every risk explained in plain English, with the exact fix handed to you.
Vysiro scans your public, external attack surface - DNS, email authentication, TLS, and AI-agent (MCP) exposure - from the outside in. It never touches your internal network, endpoints, or source code.
You’re in good shape - one quick fix away from great.
Your emails can be read while traveling between mail servers - paste this record to close it:
_mta-sts.example.com TXT
"v=STSv1; id=2026"Under the hood: 162 security checks29 scoring categories9 compliance frameworks29 free tools
Other scanners hand you jargon. Vysiro tells you what it means.
Every finding below is a real Vysiro check - the right column is the exact wording the product uses. Prefer the raw detail? One toggle flips the whole product to Technical.
DMARC p=noneAnyone can send email pretending to be you
TLSA record missing (DANE)Attackers could impersonate your mail server
DNSSEC not enabledHackers could redirect your visitors to a fake site
MTA-STS policy absentYour emails can be read while traveling between mail servers
IP listed on DNSBLYour emails are more likely to land in spam
One scan replaces your entire tool stack
DMARC dashboards, SSL Labs, MxToolbox, dnstwist, MCP checkers - point tools you remember to run quarterly when you're lucky. Vysiro folds them into a single 60-second scan with a 0-1000 score and a copy-paste fix.
DMARC report parsing + policy monitoring
Typical point tools
EasyDMARC, Dmarcian
In Vysiro
Reads your DMARC record, scores policy strength, parses aggregate XML reports inline.
DMARC category (T-class), DMARC RUA tool
DNS records + blacklist lookup
Typical point tools
MxToolbox
In Vysiro
Full DNS resolution across 5 DoH resolvers, RBL cross-check on every MX host.
DNS + IP Reputation categories
TLS / SSL grade
Typical point tools
SSL Labs
In Vysiro
Cipher + protocol grading on every scan, no separate report to run.
SSL/TLS category
Security headers grade
Typical point tools
SecurityHeaders.com
In Vysiro
CSP, HSTS, X-Frame-Options, Referrer-Policy scored in the same call.
Security Headers category
SPF record validation + flattening
Typical point tools
autospf
In Vysiro
Lookup count, mechanism order, recommended flattening surfaced as a Fix It issue.
SPF category + SPF Flattener tool
DNSSEC verification
Typical point tools
Verisign DNSSEC Debugger
In Vysiro
DNSSEC chain validated end-to-end on each scan.
DNSSEC category
BIMI record + VMC readiness
Typical point tools
BIMI Group inspector
In Vysiro
BIMI presence, logo URL, VMC link checked alongside DMARC enforcement.
BIMI category
MTA-STS + TLS-RPT compliance
Typical point tools
Hardenize, aykira
In Vysiro
Policy file fetched, version parsed, TLS-RPT endpoint validated.
MTA-STS + TLS-RPT categories
Certificate Transparency log search
Typical point tools
crt.sh, Cert Spotter
In Vysiro
CT log tail on every scan; subdomain inventory surfaces orphan certs.
Certificate Lifecycle category + CT Log tool
Typosquatting / lookalike detection
Typical point tools
dnstwist
In Vysiro
Generates and resolves common permutations to flag live impersonators.
Brand Integrity category
IP reputation / blacklist scoring
Typical point tools
Spamhaus, Barracuda RBL
In Vysiro
Multi-RBL lookup with graduated scoring (1, 2-3, 4+ list hits).
IP Reputation category
Subdomain takeover scanning
Typical point tools
nuclei takeover templates
In Vysiro
8 dedicated takeover checks covering S3, Heroku, GitHub Pages, etc.
Subdomain Takeover block (TAKEOVER_001-008)
Expiry Guard: cert, chain, DNSSEC + VMC expiry monitoring
Typical point tools
TrackSSL, UptimeRobot SSL, StatusCake
In Vysiro
One daily monitor watches every silent-expiry failure mode: leaf certificate, intermediate CA chain, DNSSEC RRSIG signatures, and the BIMI VMC behind your verified logo. Alerts at 30 / 14 / 7 days before each notAfter, with an auto-renew-aware downgrade so ACME certs do not spam.
Certificate Lifecycle + DNSSEC + BIMI categories, via expiry-guard.ts + /api/cron/cert-expiry
Uptime / availability monitoring + downtime alerts
Typical point tools
UptimeRobot, StatusCake, Better Stack
In Vysiro
Periodic HTTPS check, status-change alerts via email / webhook. Edge availability and resolver health rolled into the same monitor.
Edge Hosting + DNS Resilience + /api/cron/uptime
WHOIS + domain-expiry monitoring + alerts
Typical point tools
WhoisJSON, whois.com, Uptime.com
In Vysiro
Daily RDAP / WHOIS check with 30 / 14 / 7 / 1 day expiry alerts. Catches the disaster nobody ever monitors until it happens.
Domain Hygiene category + /api/cron/whois-expiry
DNS change monitoring + drift alerts
Typical point tools
DNS Spy, Domain Monitor
In Vysiro
Scheduled re-scan diffs DNS records (A / MX / NS / TXT) and fires drift alerts. CT-log tail catches new cert issuance within ~60 seconds.
Scheduled re-scan + /api/cron/dns-drift
MCP / llms.txt exposure
Typical point tools
(none - greenfield)
In Vysiro
llms.txt audit + MCP endpoint discovery + auth-header probe ship today; deeper MCP coverage staged in the registry.
Agent Readiness category (live); MCP block (MCP_001-025) staged in the registry
Detect. Fix. Prove. In under 60 seconds.
The only platform that completes the full loop: scan 162 checks, push one-click fixes via Cloudflare, generate compliance evidence for SOC 2, PCI DSS, and NIS2.
Get your TrustScore
Comprehensive analysis across 29 categories, 162 checks
The only platform thatdetects, fixes, and proves
162 security checks across 29 categories. One TrustScore. One-click fixes. Compliance evidence for SOC 2, PCI DSS, and NIS2.
Scan in Under 60 Seconds
One scan checks 29 security categories across email, web, DNS, and compliance. No setup, no agents, no configuration.
See Every Weakness
TrustScore 0-1000 gives you one number to track. Drill into any category to see what is wrong, which RFC it violates, and how it compares to benchmarks.
One-Click Push Fix
Vysiro generates the exact DNS record for each issue. Copy-paste into Route 53 or Google Cloud DNS. Or connect Cloudflare and Push Fix deploys the record in one click.
How Vysiro compares to other tools
Email Security
DMARC, SPF, DKIM, BIMI - complete email authentication and anti-spoofing in one scan.
Learn more →Domain Trust Score
A deterministic TrustScore 0-1000 across 29 categories - DNS, TLS, and infrastructure - with a copy-paste fix for every gap.
Learn more →Building AI agents? Vysiro also scores MCP-server exposure and machine-to-machine trust.
AI Agent SafetySee how attacks happen - and how Vysiro catches them
Real attack patterns. Real-time detection.
Attacker sends fake CEO email
No DMARC = email delivers
Employee sends $50K
Vysiro detects missing DMARC p=reject, SPF misalignment, no DKIM
Attacker sends fake CEO email
No DMARC = email delivers
Employee sends $50K
Vysiro detects missing DMARC p=reject, SPF misalignment, no DKIM
Attacker compromises DNS
Visitors redirected to fake site
Credentials stolen
Vysiro detects DNSSEC disabled, no CAA records, nameserver changes
Attacker compromises DNS
Visitors redirected to fake site
Credentials stolen
Vysiro detects DNSSEC disabled, no CAA records, nameserver changes
Attacker forces weak cipher
Intercepts encrypted traffic
Reads sensitive data
Vysiro detects weak TLS, missing HSTS, no security headers
Attacker forces weak cipher
Intercepts encrypted traffic
Reads sensitive data
Vysiro detects weak TLS, missing HSTS, no security headers
Attacker registers vysir0.com
Sends phishing emails
Victims click malicious links
Vysiro detects lookalike domains, checks BIMI verification
Attacker registers vysir0.com
Sends phishing emails
Victims click malicious links
Vysiro detects lookalike domains, checks BIMI verification
PCI DSS 4.0 deadline passes
No DMARC configured
Audit fails, fines issued
Vysiro maps compliance in real-time with deadline tracking
PCI DSS 4.0 deadline passes
No DMARC configured
Audit fails, fines issued
Vysiro maps compliance in real-time with deadline tracking
Attacker intercepts mail relay
No MTA-STS forces plaintext fallback
Sensitive emails read in transit
Vysiro detects missing MTA-STS, DANE records, and TLS reporting
Attacker intercepts mail relay
No MTA-STS forces plaintext fallback
Sensitive emails read in transit
Vysiro detects missing MTA-STS, DANE records, and TLS reporting
Attacker discovers unauthed /mcp endpoint
llms.txt leaks internal paths and tokens
AI agent exfiltrates data via tool calls
Vysiro detects shadow MCP servers, llms.txt leakage, missing AI crawler policy, weak MCP auth (NSA May 2026 guidance, Qualys QID 48288)
Attacker discovers unauthed /mcp endpoint
llms.txt leaks internal paths and tokens
AI agent exfiltrates data via tool calls
Vysiro detects shadow MCP servers, llms.txt leakage, missing AI crawler policy, weak MCP auth (NSA May 2026 guidance, Qualys QID 48288)
29 security categories. One score.
Click any category to explore
Everything you need to secure every domain
From scanning to fixing to proving compliance - all automated.
162 Security Checks
DMARC, SPF, DKIM, MTA-STS, DANE, BIMI, ARC, SSL/TLS, DNSSEC, CAA, TLS-RPT, security headers, IP reputation, AI agent surface, and more - all checked in under 60 seconds.
AI Swarm Intelligence
A multi-stage AI pipeline - detection, adversarial simulation, executive reporting, forensics - cross-validates findings and generates ready-to-use fixes.
AgentShield
Zero-Standing Privilege for AI agents. Time-limited, scope-restricted tokens with full audit trails.
Post-Quantum Ready
ML-DSA and ML-KEM readiness assessment for DKIM signing and TLS key exchange. Future-proof your domain security.
Compliance Mapping
Auto-map findings to SOC 2, PCI DSS, NIS2, CISA BOD, NIST, and GDPR. Generate audit-ready proof packs.
AI-Powered Remediation
AI generates provider-specific DNS records you can copy-paste into Cloudflare, Route 53, Google Cloud DNS, or DigitalOcean. Every fix is formally verified safe against your existing config - deterministic constraint checks, no LLM - before you apply it.
Run by one scan or one thousand
Domains per workspace
Security Checks per Scan
Protocols Analyzed
Scoring Categories
How Teams Use Vysiro
MSP managing 50+ client domains
Portfolio-wide TrustScore monitoring with one dashboard. Spot misconfigurations across all clients in seconds, not hours.
Startup preparing for SOC 2 audit
Compliance mapping across 9 frameworks with exportable proof packs. Auditors get SHA-256 verified evidence.
IT team hardening email security
Guided DMARC rollout from p=none to p=reject with AI-generated DNS records. Copy-paste into any provider.
Simple, transparent pricing
Free scans forever. Fixes included in every plan. Scale as you grow.
Free
3 AI fixes/mo
- 1 domain
- Unlimited scans
- 162 security checks (29 categories)
- DMARC, SPF, DKIM, SSL, DNSSEC analysis
- Full TrustScore breakdown (0-1000)
- AI Chat - 25 questions/mo
- 3 AI fixes/mo with preview
- Shareable scan report
- 100 API calls/mo
- 30-day history
Starter
15 AI fixes/mo
- 5 domains (CT-log alerts on)
- Everything in Free, plus:
- One-click Push Fix via Cloudflare
- Daily monitoring + CT-log change detection
- Expiry Guard: cert, chain, DNSSEC + VMC expiry alerts
- Email + webhook alerts
- AI Chat - 100 questions/mo
- 15 AI fixes/mo
- 17 correlation rules
- Subdomain takeover detection
- Compliance summary (9 frameworks)
- PQC readiness score
- 5,000 API calls/mo
- 30-day history
Growth
100 AI fixes/mo
Founding 500: Unlimited fixes for first 30 days
- 25 domains
- Everything in Starter, plus:
- Hourly posture & drift monitoring + KEV-weighted alerts
- AI Chat - Unlimited
- 100 AI fixes/mo
- Compliance evidence packs (PDF download)
- AgentShield API - 10K calls/mo
- Industry benchmarks
- Team collaboration (5 users)
- Unlimited history
MSP Partner
Custom - for MSPs & agencies
Unlimited fixes
- Manage your clients' domains
- Everything in Growth, plus:
- Up to 50 client perimeters
- Multi-tenant client management
- White-label reports + branded PDFs
- Per-client TrustScore + exports
- Partner margin / wholesale pricing
- Dedicated partner manager
- Unlimited fixes + API calls
Enterprise
Custom - for large orgs
Unlimited fixes
- Secure your own org at scale
- Everything in Growth, plus:
- Volume internal domains
- Custom SLA + security review
- Security questionnaire support
- Procurement, MSA & DPA support
- Dedicated CSM + priority engineering
- SSO/SAML + SIEM export (on the roadmap)
- Unlimited fixes + API calls
Fixes included in every plan - you only pay for what works. Every fix is formally verified safe against your existing config before execution.
What you replace with $29/mo
Vysiro covers the full Detect → Fix → Prove loop in one scan. Each tool below does only one piece - and none touch the AI-agent surface.
| To match Vysiro, you’d juggle… | Covers | Monthly | Auto-fix | Unified score | AI / MCP |
|---|---|---|---|---|---|
| PowerDMARC / EasyDMARC | Email auth only | $8-72 | × | × | × |
| MxToolbox monitoring | DNS / email diagnostics | ~$129 | × | × | × |
| SSL Labs + SecurityHeaders | TLS + headers | Free (manual) | × | × | × |
| Attaxion / entry EASM | Asset discovery | ~$129 | × | × | × |
| MCP / AI-agent exposure | AI-agent surface | Can’t buy it | - | - | - |
| Vysiro Starter | All of the above · 162 checks | $29 | ✓ | ✓ 0-1000 | ✓ |
Cyber insurance: an 800+ TrustScore plus your exportable, SHA-256-signed compliance proof pack gives you documented evidence of your security posture to bring to a premium negotiation.
Competitor pricing is indicative - public list prices as of July 2026; see each vendor’s site. MCP / AI-agent exposure has no direct commercial equivalent today. Vysiro Starter is $29/mo (billed annually, $348/yr).
Frequently Asked Questions
Everything you need to know about Vysiro
A Domain Trust Score is a 0-1000 numerical rating that measures a domain's security across 29 categories including DMARC, SPF, DKIM, SSL/TLS, DNSSEC, MTA-STS, BIMI, CAA, IP reputation, threat intelligence, and more. Higher scores indicate stronger security. Vysiro generates this score in seconds by scanning 162 security checks.
Use Vysiro's free DMARC checker at vysiro.com/tools/dmarc-checker. Enter your domain and get instant analysis of your DMARC policy, reporting configuration, and alignment settings. No signup required.
Yes. The portfolio dashboard lets MSPs manage multiple client domains, generate white-label reports, and embed trust badges on client sites.
We recommend weekly scans. Paid plans include automated scheduled scans (daily on Starter, priority monitoring on Growth) with alerts for any score drops.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) prevents email spoofing by telling mail servers how to handle unauthenticated messages. Without DMARC, attackers can send emails that appear to come from your domain, enabling phishing and business email compromise.
A typical Vysiro scan completes in under 60 seconds. It queries multiple DNS resolvers in parallel using DNS-over-HTTPS, checks SSL/TLS certificates, security headers, and runs 162 checks across 11 protocols simultaneously.
Stop Monitoring.
Start Fixing.
Scan in under 60 seconds. See what single-purpose tools miss. One-click Push Fix on Cloudflare. From $29/mo.