Meet Cactus. The free scanner
that shows you what attackers see.

Enter a domain. In minutes, Cactus maps your external attack surface, checks for common web exposures, and hands you a high-level security overview you can act on. No signup. No credit card. No obligation.
CyberLink Cactus scan shows 37 assets, 11 findings including vulnerabilities and email security risk, medium risk level.

A high-level security
 snapshot. In minutes.

Cactus is built by our offensive security team for organizations who want a fast and honest read on where their web assets stand.

Black magnifying glass icon on a rounded white square with light blue background.

Attack Surface Discovery

Subdomain enumeration, DNS records, live hosts, exposed services and stale assets, all mapped from a single root domain.

Icon of an ID card with a ribbon badge on a rounded square background.

TLS & Certificate Health

Expiry, chain issues, weak ciphers, self-signed leaf certs and misconfigured SANs across every live host it finds.

Icon of a pencil drawing a horizontal line on a rounded square background.

Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, graded and explained.

Black envelope icon on a white rounded square background.

Email Auth Posture

SPF, DKIM and DMARC records: is your domain spoofable? Cactus tells you, in plain English, with a copy-pasteable fix.

Black fingerprint icon on a white rounded square background with light blue gradient.

Tech Fingerprint & Known CVEs

Identify web stacks (nginx, Apache, Express, WordPress, Cloudflare, etc.) and flag known, publicly-disclosed CVEs against detected versions.

Icon of a document with a bar chart inside, on a square background with rounded corners.

Shareable Report

Get a clean, shareable report with severity ranked findings. Take it to your dev team or the board.

What Cactus actually checks

No black boxes. Here's the checklist Cactus runs against your domain on every scan.

Sub-domain Enumeration
DNS record audit
TLS / SSL health
HTTP security headers
Email auth (SPF / DKIM / DMARC)
Exposed admin / auth endpoints
Tech fingerprinting + CVEs
Cookie & CORS hygiene

Three steps. About two minutes.

Cactus is browser-based. Nothing to install, nothing to configure.

Enter your domain

Type your root domain. Cactus handles the rest — subdomains, DNS, certs, headers, email auth, exposed endpoints.

Cactus scans

Purely passive + low-noise active checks. No brute-force, no exploit payloads. Safe to run on production.

Get your report

A severity rated summary. Hand it to your developers, your board or come talk to us for a deeper penetration test.

Frequently Asked Questions

Common questions about Cactus. If yours isn't here, email us at info@cyberlinx.com.au

Is Cactus really free?
Is Cactus really free?
Is it safe to run on production?
Is it safe to run on production?
Can I scan a domain I don't own?
Can I scan a domain I don't own?
Does it replace a penetration test?
Does it replace a penetration test?
Do you keep my scan data?
Do you keep my scan data?
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?