Free website security scanners explained: what each one checks, and when free is enough
MXToolbox, SSL Labs, PageSpeed Insights, Mozilla Observatory, securityheaders.com, Sucuri SiteCheck — what each free scanner covers, how to read the output, and when the free tools are all you need.
40% of Australian small business domains publish DMARC without an enforcing policy — monitoring without enforcement.* That is exactly the kind of finding a free scanner like MXToolbox surfaces, and exactly the kind most owners cannot act on, because the output assumes you already know what DMARC is. There are 6 categories of excellent free scanner covering the public-facing parts of a small business website:
- MXToolbox — email DNS
- SSL Labs — certificates
- Google PageSpeed Insights — performance
- Mozilla Observatory and securityheaders.com — HTTP headers
- Sucuri SiteCheck — malware
- auDA WHOIS and DNSViz — domain, WHOIS and DNSSEC
Each one is the right answer when you already know which slice you want to debug. The cost is never money — it is that you have to run, interpret, and stitch together 6 or more different outputs in 6 or more different formats.
There is a strange economics to free website scanners: the tools are excellent, the price is zero, and yet most small business owners who run one come away with less confidence than they started with. The output is accurate. It is also written for someone else — a developer, a sysadmin, an email administrator — and it covers exactly 1 slice of your website's public surface while saying nothing about the other 5.
This guide covers the 6 categories of free scanner worth knowing, what each one can and cannot tell you, how to read the grades they hand out, and — honestly — when the free tools are all you need. If you want the short version comparing the free-tool route with our paid scan, that lives at Red Bridge Cyber vs free online scanners.
Know what each scanner actually covers
The free-scanner landscape makes sense the moment you stop organising it by vendor and start organising it by what gets checked. There are 6 slices, and most tools cover exactly 1.
Email DNS
MXToolbox is the workhorse here, with dmarcian as the DMARC specialist. Enter your domain and they read the DNS records that control your email: SPF (who may send as you), DKIM (the cryptographic signature on outgoing mail), DMARC (what receivers should do when those checks fail), plus blocklist status for your mail server. How to read it: green ticks mean the record exists and parses — the substance is in the detail rows, where soft-fail SPF and a p=none DMARC policy both pass the existence check while doing very little. Where it stops: it cannot tell you whether the records are right for your senders — whether your invoicing platform, booking system, and newsletter tool are each authorised and signing correctly.
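Reading the detail rows yourself, as an added example (this is not code from the page, from MXToolbox or from dmarcian): it parses a constructed SPF record and a constructed DMARC record, flags the soft-fail and p=none cases that pass the existence check while doing little, and compares the SPF includes against the senders the business actually uses, which is the step no scanner can do for you. The records and the senders_in_use set are assumptions.

```python
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SPF_RECORD = "v=spf1 include:_spf.oldmailhost.example include:spf.protection.outlook.com ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"

def check_spf(record, senders_in_use):
    """Findings for an SPF TXT record, compared with the include: hosts the
    business actually sends through (senders_in_use, supplied by the reader)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1, receivers ignore it"]
    findings = []
    mech = [t.lstrip("+-~?") for t in terms[1:]]     # strip qualifiers
    if "~all" in terms:
        findings.append("SPF: ~all (soft-fail), forged mail is marked, not rejected")
    elif "-all" not in terms:
        findings.append("SPF: no -all, senders not listed are treated as neutral")
    includes = {m.split(":", 1)[1] for m in mech if m.startswith("include:")}
    for stale in sorted(includes - senders_in_use):
        findings.append(f"SPF: include:{stale} authorises a provider you no longer use")
    for missing in sorted(senders_in_use - includes):
        findings.append(f"SPF: {missing} sends for you but is not authorised")
    # RFC 7208 caps lookup-causing mechanisms at 10; over that, receivers return permerror.
    lookups = sum(bool(re.match(r"(include|a|mx|ptr|exists)([:/]|$)", m)) for m in mech)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings

def check_dmarc(record):
    """Findings for a DMARC TXT record: 'exists' is not the same as 'enforces'."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid v=DMARC1 record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none is monitoring only, failing mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unknown policy '{policy}'")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings
```

Run `check_spf(SPF_RECORD, {"spf.protection.outlook.com"})` and `check_dmarc(DMARC_RECORD)` to see the stale old-provider include and the monitoring-only policy reported side by side.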
SSL and TLS certificates
SSL Labs is the standard, with Hardenize as a broader alternative. Point it at your domain and it tests your HTTPS configuration end to end: certificate validity and chain, which TLS protocol versions your server accepts, and cipher quality. How to read it: the letter grade (covered in the worked example below). Where it stops: the certificate is 1 component of 1 category. An A+ here says nothing about your email, headers, or whether your site is serving malware.
HTTP security headers
Mozilla Observatory and securityheaders.com both grade the defensive headers your site sends with every response — Content-Security-Policy, HSTS, Referrer-Policy, Permissions-Policy and friends. These are the browser-level guard rails, and almost no hosting platform sets them by default. How to read it: expect a D or F on a first scan; that is the normal starting point, not a crisis. Each missing header is typically a 1-line fix at the hosting or CDN layer. Where it stops: headers are hardening, not detection — a clean A says attackers have fewer angles, not that nothing is wrong.
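Checking the header slice yourself, as an added example (not code from the page or from either scanner): it parses a constructed raw HTTP response, lists which of the graded headers are absent, and inspects the HSTS directives, because a header can be present and still protect little. The response, the header list and the six-month max-age threshold are assumptions.

```python
# Constructed response for a hypothetical site, not captured from a real host.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)
# Headers both graders score: the four the page names plus nosniff and X-Frame-Options.
EXPECTED = ["Content-Security-Policy", "Strict-Transport-Security", "Referrer-Policy",
            "Permissions-Policy", "X-Content-Type-Options", "X-Frame-Options"]
# Assumption: six months as the max-age below which HSTS is "present but weak";
# the exact threshold each grader uses differs, so treat this as a working value.
MIN_HSTS_MAX_AGE = 15768000

def parse_headers(raw):
    """Return {lowercased name: value} for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_findings(value):
    """Check HSTS directives; a short max-age passes the existence check but protects little."""
    directives = {}
    for d in value.split(";"):
        key, _, val = d.strip().partition("=")
        directives[key.lower()] = val
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    out = []
    if max_age < MIN_HSTS_MAX_AGE:
        out.append(f"HSTS max-age={max_age} is under six months")
    if "includesubdomains" not in directives:
        out.append("HSTS lacks includeSubDomains")
    return out

def audit(raw):
    """Missing graded headers first, then detail on the HSTS header if it is present."""
    headers = parse_headers(raw)
    findings = [f"missing {h}" for h in EXPECTED if h.lower() not in headers]
    if "strict-transport-security" in headers:
        findings += hsts_findings(headers["strict-transport-security"])
    return findings
```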
Page performance
Google PageSpeed Insights is the one your web developer already argues about, and WebPageTest is the deeper diagnostic. Both load your page the way a real browser does and report how long it takes to become usable. How to read it: look at the mobile score first, and at the field data (real-visitor measurements) above the lab score when it is available. Where it stops: it measures the page you give it, 1 page at a time, and a fast home page can hide a slow checkout.
Malware and blocklists
Sucuri SiteCheck fetches your public pages and checks them against known-malware signatures, spam-injection patterns, and the major blocklists, including Google Safe Browsing. How to read it: a blocklist flag is the one finding on this entire page that is always urgent — it means search engines are actively warning your customers away. Where it stops: it is a remote scan. It sees what a visitor sees, and nothing in your server's file system or database.
Domain, WHOIS and DNSSEC
For .au domains, the registry operator auDA runs the canonical WHOIS lookup, and DNSViz visualises your DNS delegation and DNSSEC status. How to read it: WHOIS confirms your registration details and expiry — domain expiry remains a stubbornly common way for a small business website to vanish overnight. DNSViz will almost certainly show DNSSEC as absent: 98% of Australian small business domains do not enable DNSSEC — the single most universal gap at this tier.* Where it stops: DNS tooling assumes you know what the records should be.
How to read a scanner grade without a security background
The grades these tools produce look like school marks, which invites exactly the wrong reading — that an A means safe and an F means breached. Neither is true. A worked example with SSL Labs, because its grades are the most commonly misread:
Grade A or A+ means your HTTPS configuration is modern and correct. Customers see the padlock, browsers raise no warnings, and there is nothing to do. The difference between A and A+ is usually HSTS — a header that tells browsers to never try plain HTTP — and it is worth having, but the customer-visible difference is nil.
Grade A- means 1 minor configuration gap, most commonly that same missing HSTS header. Customer impact: none today. It is a "mention it at the next hosting review" finding.
Grade B usually means your server still accepts connections over TLS 1.0 or 1.1 — protocol versions deprecated by every major browser since 2020. Modern browsers will negotiate the newer version anyway, so most customers notice nothing. The risk sits with the long tail: outdated devices connect over a protocol with known weaknesses, and the grade will keep sliding as standards move. This is a real item for your host, with a real but unhurried timeline.
Grade F means a known vulnerability, a broken certificate chain, or an expired certificate — and customers are very likely seeing full-page browser warnings instead of your website. In customer-impact terms an F is not a security finding, it is a closed sign. It outranks everything else on this page.
The pattern generalises to Observatory and securityheaders.com: the letter tells you how much hardening is missing, not whether something bad has happened. Read grades as a to-do list sorted by urgency, never as a verdict.
Why 6 clean tabs can still miss the problem
Run all 6 categories of tool on a typical small business site and you get 6 browser tabs in 6 formats: a table of DNS findings, a letter grade with cipher details, a header checklist, a waterfall chart, a malware verdict, and a DNS delegation graph. What none of them can do is read each other's output.
That matters because real findings cluster around shared root causes. The site on old shared hosting shows up as a B on SSL Labs (old TLS versions), a slow time-to-first-byte on PageSpeed, and missing headers on Observatory — 3 findings, 3 tabs, 1 actual problem, which is the hosting. The business that moved email providers last year shows an SPF record on MXToolbox that still authorises the old provider, and a DKIM signature that quietly stopped matching. Each tab is correct in isolation. The diagnosis lives in the correlation, and the correlation engine is you, at 9pm, with 6 tabs open.
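The correlation step, as an added example that is not code from the page or from Red Bridge Cyber: it takes findings in a common shape from several scanners (constructed here, not real output) and groups them by the shared root causes the two scenarios above describe, sorted by urgency so a blocklist flag comes first. The finding ids, the rules and the urgency ranks are assumptions.

```python
# Constructed findings for a hypothetical site, not real scanner output.
FINDINGS = [
    {"tool": "SSL Labs", "id": "tls-1.0-1.1-enabled", "detail": "grade B, TLS 1.0/1.1 accepted"},
    {"tool": "PageSpeed", "id": "slow-ttfb", "detail": "time to first byte 1.8 s"},
    {"tool": "Observatory", "id": "missing-hsts", "detail": "no Strict-Transport-Security"},
    {"tool": "MXToolbox", "id": "spf-stale-include", "detail": "include:_spf.oldmailhost.example"},
    {"tool": "MXToolbox", "id": "dkim-mismatch", "detail": "selector s1 no longer verifies"},
    {"tool": "Sucuri", "id": "blocklisted", "detail": "flagged by Google Safe Browsing"},
]

# Each rule: finding ids that share a root cause, how many must be present before
# the grouping is trusted, and an urgency rank (1 = act today).
ROOT_CAUSES = {
    "search-engine blocklist": {
        "ids": {"blocklisted"}, "needs": 1, "urgency": 1,
        "action": "customers are being warned away: clean up, then request a review"},
    "email provider change left old records": {
        "ids": {"spf-stale-include", "dkim-mismatch"}, "needs": 1, "urgency": 2,
        "action": "drop the old include, publish DKIM from the current provider"},
    "outdated shared hosting": {
        "ids": {"tls-1.0-1.1-enabled", "slow-ttfb", "missing-hsts"}, "needs": 2, "urgency": 3,
        "action": "one conversation with the host, not three separate tickets"},
}

def correlate(findings):
    """Group findings by shared root cause. Returns (groups sorted by urgency, unexplained)."""
    unexplained = list(findings)
    groups = []
    for cause, rule in ROOT_CAUSES.items():
        hits = [f for f in findings if f["id"] in rule["ids"]]
        if len(hits) >= rule["needs"]:
            groups.append({
                "cause": cause,
                "urgency": rule["urgency"],
                "action": rule["action"],
                "tools": sorted({f["tool"] for f in hits}),
                "evidence": [f["detail"] for f in hits],
            })
            unexplained = [f for f in unexplained if f not in hits]
    groups.sort(key=lambda g: g["urgency"])
    return groups, unexplained
```

A single slow time-to-first-byte on its own is left unexplained rather than blamed on hosting, which is the point of the `needs` threshold.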
That integration job — running the checks across all 5 categories, correlating them, and writing the findings in plain English with a priority order — is the actual product difference between the free tools and a Red Bridge Cyber subscription. The checks themselves are not secret. The stitching is the work.
When the free tools are all you need
Honestly: often. The free route works well when most of these are true.
You know which slice you are debugging. "Customers say our emails go to spam" is an MXToolbox problem. "The site feels slow on phones" is a PageSpeed problem. A specific symptom maps to a specific tool, and the tool will do an excellent job.
Someone technical is doing the reading. If you have a developer, an IT-literate staff member, or a genuinely curious owner with an evening to spend, the outputs above are all learnable. The Australian Cyber Security Centre's small business hub pairs well here — it covers the surrounding hygiene (passwords, backups, updates) that no website scanner checks at all.
You need a one-off answer, not a watch. Free scanners are snapshots. If you are validating a fix or checking a single complaint, a snapshot is exactly right. The gap appears over time: certificates expire, DNS records drift after a provider change, and a header that was present last quarter silently disappears in a site rebuild. Nobody re-runs 6 free tools monthly.
Your question is visibility, not security. If what you actually want to know is why customers cannot find you on Google, start with our small business SEO checklist instead — different problem, different tools, same plain-English approach.
What we don't do
We have no commercial relationship with any tool named on this page — no affiliate links, no referral fees. (That holds site-wide; our partner & referral disclosures set out every commercial relationship we have.) MXToolbox, SSL Labs, PageSpeed Insights, Mozilla Observatory, securityheaders.com and Sucuri SiteCheck are linked because they are good at what they do, and because our own scan runs the same kinds of checks across all 5 categories and is honest about that overlap. We are also not a penetration test, a malware-removal service, or a managed security provider. If the free tools above solve your problem, use them. If you would rather have 1 plain-English view than 6 tabs, the comparison page sets out exactly what the subscription adds.