Meet Cactus. The free scanner that shows you what attackers see.

A high-level security snapshot. In minutes.
Cactus is built by our offensive security team for organizations who want a fast and honest read on where their web assets stand.
Attack Surface Discovery
Subdomain enumeration, DNS records, live hosts, exposed services and stale assets, all mapped from a single root domain.
TLS & Certificate Health
Expiry, chain issues, weak ciphers, self-signed leaf certs and misconfigured SANs across every live host it finds.
Security Headers
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, graded and explained.
Email Auth Posture
SPF, DKIM and DMARC records: is your domain spoofable? Cactus tells you, in plain English, with a copy-pasteable fix.
Tech Fingerprint & Known CVEs
Identify web stacks (nginx, Apache, Express, WordPress, Cloudflare, etc.) and flag known, publicly-disclosed CVEs against detected versions.
Shareable Report
Get a clean, shareable report with severity ranked findings. Take it to your dev team or the board.
What Cactus actually checks
No black boxes. Here's the checklist Cactus runs against your domain on every scan.
Passive sources: crt.sh, DNS, certificate transparency, common wordlists.
A, AAAA, CNAME, MX, TXT, NS — plus wildcard and dangling-CNAME detection.
Expiry, chain trust, weak ciphers, TLS 1.0/1.1 fallback, HSTS preload status.
CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Is your domain spoofable for phishing? Cactus tells you, with a remediation snippet.
/admin, /wp-admin, /phpmyadmin, basic-auth over HTTP, unprotected .git and .env.
Detect stacks and flag publicly known CVEs against identified versions.
Missing HttpOnly / Secure / SameSite, over-permissive CORS, wildcard origins.
Three steps. About two minutes.
Cactus is browser-based. Nothing to install, nothing to configure.
Enter your domain
Type your root domain. Cactus handles the rest — subdomains, DNS, certs, headers, email auth, exposed endpoints.
Cactus scans
Purely passive + low-noise active checks. No brute-force, no exploit payloads. Safe to run on production.
Get your report
A severity rated summary. Hand it to your developers, your board or come talk to us for a deeper penetration test.
Frequently Asked Questions
Common questions about Cactus. If yours isn't here, email us at info@cyberlinx.com.au
Yes. Cactus is genuinely free — no signup, no credit card, no "free trial". We built it as a community tool to help defenders and founders get a fast read on their external posture.
Yes. Cactus is genuinely free — no signup, no credit card, no "free trial". We built it as a community tool to help defenders and founders get a fast read on their external posture.
Yes. Cactus is mostly passive (DNS, certificate transparency, public fingerprinting) plus a small amount of low-noise active checks (HEAD / GET on a handful of endpoints). It does not fuzz, brute-force or send exploit payloads.
Yes. Cactus is mostly passive (DNS, certificate transparency, public fingerprinting) plus a small amount of low-noise active checks (HEAD / GET on a handful of endpoints). It does not fuzz, brute-force or send exploit payloads.
Cactus only performs checks that any authorised visitor to a public site can already do (DNS lookups, certificate inspection, header reads). We still ask you to scan only assets you own or have permission to assess — it's the right thing to do.
Cactus only performs checks that any authorised visitor to a public site can already do (DNS lookups, certificate inspection, header reads). We still ask you to scan only assets you own or have permission to assess — it's the right thing to do.
No, and we'll say so openly. Cactus gives you a high-level snapshot of your external posture. A real pentest digs into authentication, authorisation, business logic and chained exploitation. If Cactus surfaces enough to worry you, talk to us.
No, and we'll say so openly. Cactus gives you a high-level snapshot of your external posture. A real pentest digs into authentication, authorisation, business logic and chained exploitation. If Cactus surfaces enough to worry you, talk to us.
Scan results are retained only for the duration needed to render and share your report. No scan data is sold, shared, or used for marketing. See our privacy policy for specifics.
Scan results are retained only for the duration needed to render and share your report. No scan data is sold, shared, or used for marketing. See our privacy policy for specifics.



