FAQ

Common questions about what ThreatSpot does, and how to use it alongside other security efforts.

ThreatSpot focuses on issues that are easy to overlook but have real security impact: TLS and certificate configuration, HTTP to HTTPS behavior, security headers, CSP, cookie flags, and WordPress-specific hardening checks. It is not a full network or application penetration test, but it covers many of the issues attackers look for first.

No. ThreatSpot is designed to complement, not replace, deeper security assessments. It gives you continuous visibility into common misconfigurations and web-facing issues between larger audits, and it helps you remediate problems that professional testers are likely to flag anyway.

For high-value sites, weekly or even daily scanning is ideal, especially if you deploy changes frequently. For more static sites, monthly scanning is often enough. ThreatSpot's scheduled scans (on paid plans) let you automate this so you only need to pay attention when grades change.

Yes. ThreatSpot only performs read-only checks from the outside, similar to how a browser would interact with your site. It does not run invasive exploits or change any data. That said, you should always have permission to scan client sites, and follow your organization's policies.

You can get value from ThreatSpot even if you're not a security specialist. Grades and guided breakdowns are written for semi-technical users, and you can always share reports with a developer, hosting provider, or security partner to implement the recommendations.