Troja
The horse is already inside the walls

Find the threats hiding in your code — in 30 seconds.

Troja runs 120+ security checks, plus SEO and AEO grading, on any URL. One free scan reveals what's hiding inside your walls; you only pay if there's something to fix.

Free scan · no signup · results in ~30 seconds
Trusted by 4,000+ developers
Sample scan of troja.dev: 100+ checks (SQLi probes, XSS vectors, secret sweep, BaaS audit, SSL / headers), average scan 27.4s

Use as an MCP server
Run scans from any AI agent you already use

Claude Code · Cursor · Windsurf · VS Code · Codex · Antigravity · Replit · Copilot

AI-Ready Fixes · 120+ Security Checks · SEO & AEO Scores · Accessibility (WCAG) · Domain & Threat Intel · CVE Detection · Subdomain Watch · Live Monitoring
Why Troja

Security so simple, anyone can run it.

If you can copy and paste, you can secure your app — and get it found by Google and cited by AI.

AI-Ready Fixes

Every vulnerability comes with a drop-in fix prompt.

Paste it into Claude, Cursor, or any AI agent. The issue, the evidence, the exact code change — fix shipped code in minutes, not days.

CRIT · SQL injection · /api/user

Fix: The id param is interpolated straight into the SQL text, so whatever the client sends becomes part of the query itself. Switch to a parameterized statement: the query text stays constant and the driver sends id as a bound value, never as SQL. (Placeholders only work for values; a table or column name taken from input still needs an allow-list.)

// src/api/user.ts
- db.query(`SELECT * FROM users WHERE id=${id}`)
+ db.query('SELECT * FROM users WHERE id=$1', [id])
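As an added illustration (written for this page, not Troja's code and not the fix prompt above), the same before/after shape run against a constructed in-memory SQLite table, so you can watch the interpolated version return rows the endpoint was never meant to expose while the parameterized version treats the same payload as an ordinary value that matches nothing. SQLite uses `?` placeholders where the node-postgres snippet uses `$1`; the principle is identical. The table, its rows and the payloads are all constructed for the demo.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed demo database; not Troja's code. sqlite3 uses "?" placeholders
# where the page's node-postgres snippet uses "$1"; the principle is identical.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", 1), (2, "bob@example.com", 0), (3, "carol@example.com", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    # The "before" shape: the request parameter becomes part of the SQL text,
    # so the caller edits the query itself, not just a value inside it.
    sql = f"SELECT id, email FROM users WHERE id={user_id}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    # The "after" shape: the SQL text is a constant and the value travels
    # separately as a bound parameter. Nothing inside user_id can change the query.
    return conn.execute("SELECT id, email FROM users WHERE id=?", (user_id,)).fetchall()


def demo() -> Dict[str, List[Tuple]]:
    conn = make_db()
    honest = "2"                                                  # what a normal client sends
    or_payload = "2 OR 1=1"                                       # boolean injection: every row
    union_payload = "0 UNION SELECT id, is_admin FROM users"      # reads a column the endpoint never exposes
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_or": lookup_vulnerable(conn, or_payload),
        "vuln_union": lookup_vulnerable(conn, union_payload),
        "fixed_honest": lookup_fixed(conn, honest),
        "fixed_or": lookup_fixed(conn, or_payload),
        "fixed_union": lookup_fixed(conn, union_payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

Note that `fixed_honest` still finds the row even though the id arrives as the string "2": SQLite applies the column's integer affinity to the bound value, while "2 OR 1=1" is not a number and simply fails to match. The fix loses nothing for legitimate input and gives the attacker nothing.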
Built for Speed

100+ checks in under 30 seconds.

No installs, no configs — point at a URL and start shipping fixes. The whole siege runs before your coffee's cold.

Live Threat Detection

Catch what slips in after you ship.

Continuous monitoring catches newly exposed secrets, regressions, and supply-chain issues the moment they land in production.

Threat activity, last 24h: 3 critical · 11 high · 47 fixed
Unified Observability

One report for every way in.

SQLi, XSS, BaaS misconfigs, weak headers, SSL/TLS, and exposed keys — with severity, ownership, and deep links. One score, total clarity.

Unified report · troja.dev · 5 findings · score 82
  • HIGH Exposed Supabase anon key
  • MED Missing CSP header
  • LOW Weak TLS cipher suite
  • HIGH Permissive CORS
  • CRIT Debug endpoint reachable
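An added example of what a few of those findings look like as code, written for this page rather than taken from Troja: it audits one response's headers for a missing CSP, a CORS policy that reflects any Origin together with credentials, and two weak-header findings, then probes a constructed misconfigured server beside a hardened one. The probe origin, both fake servers and the severity labels are assumptions; the checks themselves are standard.

```python
from typing import Callable, Dict, List, Tuple

# Constructed foreign origin used to probe CORS behaviour (assumption, not a real host).
PROBE_ORIGIN = "https://attacker.example"


def audit_headers(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one response's headers. Names are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []

    # Content-Security-Policy: absent means no backstop at all against script injection.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("MED", "Missing CSP header"))
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        # With a nonce or hash present browsers ignore 'unsafe-inline', so only flag the bare case.
        findings.append(("LOW", "CSP allows 'unsafe-inline' scripts without nonces or hashes"))

    # CORS: echoing an arbitrary Origin while allowing credentials lets any site read
    # authenticated responses. A bare "*" cannot carry credentials, so it is a lower bar.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and creds:
        findings.append(("HIGH", "Permissive CORS (reflects arbitrary Origin with credentials)"))
    elif acao == "*":
        findings.append(("LOW", "CORS wildcard origin (a problem only on responses carrying private data)"))

    if "strict-transport-security" not in h:
        findings.append(("LOW", "Missing Strict-Transport-Security"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("LOW", "Missing X-Content-Type-Options: nosniff"))
    return findings


def reflecting_server(origin: str) -> Dict[str, str]:
    # Constructed misconfiguration: echoes whatever Origin it receives and allows credentials.
    return {
        "Content-Type": "application/json",
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_server(origin: str) -> Dict[str, str]:
    # Constructed good configuration: a fixed allow-list, a nonce-based CSP, HSTS and nosniff.
    allowed = {"https://app.example"}
    headers = {
        "Content-Type": "application/json",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }
    if origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    return headers


def probe(server: Callable[[str], Dict[str, str]]) -> List[Tuple[str, str]]:
    """Send a request from a foreign origin and audit what comes back."""
    return audit_headers(server(PROBE_ORIGIN))


if __name__ == "__main__":
    for name, server in (("reflecting", reflecting_server), ("hardened", hardened_server)):
        print(name, probe(server))
```

The CORS check is deliberately a probe rather than a static read: a server that reflects the Origin looks identical to a correctly allow-listed one until you ask it from an origin it should refuse.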
SEO & AEO

Visibility, built in.

Beyond security: 114 visibility checks grade your Google ranking signals and your AEO — whether ChatGPT, Claude, and Perplexity can crawl, parse, and cite your site.

SEO 92 · AEO 87
Can AI engines cite you?
  • ChatGPT Search: CITES YOU
  • Claude: CITES YOU
  • Perplexity: CITES YOU
  • Google AI Overviews: BLOCKED
  • Copilot: CITES YOU
The Foundation

A security foundation that compounds.

From the scanner to the fix loop, every layer of Troja is tuned so small teams can keep up with the surface area they ship — security, SEO, and AI answer-engine visibility in one place.

See every check

Agent-native output

Every finding ships with a copy-paste prompt engineered for Claude Code, Cursor, and Windsurf.

BaaS-aware

Understands Supabase, Firebase, and Clerk — no more guessing whether an exposed key actually matters.

First-party integrations

Export to GitHub Issues, Linear, and Slack. Trigger scans from CI or the MCP server.

Full-site crawling

Discovers subdomains, SPA routes, and background endpoints so nothing slips through the cracks.
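For the BaaS-aware item above, an added example (not Troja's classifier) of the first question a scanner has to answer about a Supabase key found in client-side code: is it public by design or a secret? Legacy Supabase keys are HS256 JWTs whose payload carries a role claim of anon or service_role; newer keys use sb_publishable_ and sb_secret_ prefixes. The signing secret and project ref here are constructed, and the severity labels and the row-level-security rule in triage_exposed_key are this example's assumptions: an anon key is meant to ship to browsers, so it only becomes a real finding when tables are not protected by RLS, which a black-box scan cannot see.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_supabase_style_jwt(role: str, secret: str) -> str:
    # Constructed key in the shape of a legacy Supabase JWT key (HS256, "role" claim).
    # The project ref and secret are made up for the demo.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "supabase", "ref": "demoprojectref", "role": role}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64url(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def classify_supabase_key(key: str) -> str:
    """Return 'public-by-design', 'secret' or 'unknown' for a string found in client code.

    The payload is decoded without verifying the signature: we are triaging a key that is
    already exposed, not authenticating with it.
    """
    if key.startswith("sb_publishable_"):
        return "public-by-design"
    if key.startswith("sb_secret_"):
        return "secret"
    parts = key.split(".")
    if len(parts) != 3:
        return "unknown"
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:          # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return "unknown"
    if not isinstance(claims, dict) or claims.get("iss") != "supabase":
        return "unknown"
    role = claims.get("role")
    if role == "anon":
        return "public-by-design"
    if role == "service_role":
        return "secret"
    return "unknown"


def triage_exposed_key(key: str, rls_enforced_everywhere: Optional[bool]) -> str:
    """Severity for a key seen in shipped client code; RLS state comes from a connected scan or is None."""
    kind = classify_supabase_key(key)
    if kind == "secret":
        return "CRIT: service-role or secret key in client code; rotate it now"
    if kind == "public-by-design":
        if rls_enforced_everywhere is False:
            return "HIGH: anon key is public by design, but tables without RLS are readable by anyone holding it"
        if rls_enforced_everywhere is None:
            return "INFO: anon key is public by design; verify RLS on every table (needs a connected scan)"
        return "OK: anon key with RLS enforced everywhere"
    return "UNKNOWN: not a recognised Supabase key format"


if __name__ == "__main__":
    secret = "constructed-demo-secret"
    for role in ("anon", "service_role"):
        print(role, "->", triage_exposed_key(make_supabase_style_jwt(role, secret), None))
```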

The Defenders

They shipped blind. Then they ran a scan.

From indie makers to hosting providers — what people find inside their own walls.

I do not write code all day—Cursor does most of the heavy lifting. Troja gave me a clear list of the issues that actually mattered and prompts I could paste straight back into Cursor. It made the security side feel manageable instead of intimidating.
Leon Brandt
Founder · Launchgrain
We were preparing a client project for handoff and ran a final Troja scan. It gave us a much cleaner process for identifying technical risks, prioritizing fixes, and documenting what had been resolved before launch.
Amelia Novak
Agency Director · Northmint Studio
I originally scanned the site for security. The SEO and AI-visibility results were an unexpected bonus. Having the technical risks and visibility checks together makes the report much more useful for a founder.
Maya Chen
Founder · Signalora
I built the first version of my product in Replit over a weekend. Troja gave me a fast reality check before I shared the link publicly. That is now part of my launch routine.
Felix Arendt
Indie Maker · TinyPilotly
AI coding tools make it possible to ship incredibly fast, but it is easy to lose track of what is happening under the hood. Troja gives me a simple checkpoint before I push a new version live.
Isabelle Laurent
Founder · Draftwise
The scan was straightforward: enter the URL, review the results, paste the suggested fixes into my coding agent, and scan again. It is exactly the kind of workflow I need as a solo founder.
Tom Keller
Solo Founder · Briefdrop
The Briefing

Questions before the siege.

What does Troja check?

Troja scans your website with 120+ security checks: exposed API keys, SQL injection, XSS, misconfigured headers, weak SSL/TLS, BaaS misconfigurations, and more. It also grades your visibility: 68 SEO checks and 46 AEO checks that show how Google ranks you and how AI answer engines cite you. You get a report in about 30 seconds with remediation guidance for each issue.

What is AEO?

AEO is the practice of making your site readable, quotable, and trustworthy to AI answer engines: ChatGPT, Claude, Perplexity, Google AI Overviews, and Copilot. Where SEO earns you a ranking on a results page, AEO earns you the citation inside the AI's answer. Troja runs 46 AEO checks, including a per-engine access matrix, so you can see exactly which assistants can see you.

What do the SEO and AEO scans cover?

The SEO scan runs 68 checks across indexability (robots, canonicals, sitemaps), on-page metadata, structured data, content quality, internal linking, and Core Web Vitals. The AEO scan runs 46 checks across AI crawler access, content extractability, readability, structured data depth, and trust signals, plus an engine-by-engine matrix. Every failed check ships with a fix prompt.
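To make the engine-by-engine access matrix concrete, an added example (not Troja's implementation) that computes a crawl-allowed matrix from a robots.txt using the standard library's robotparser and the crawler tokens the vendors publish. The robots.txt and the paths are constructed. Which product each token gates is an assumption to revisit rather than a fact the page states: Google, for instance, documents Google-Extended as a training-data control rather than a Search control, so it does not by itself decide AI Overviews; and robots.txt is advisory, so a full matrix also needs live fetch tests.

```python
from typing import Dict, List
from urllib.robotparser import RobotFileParser

# Crawler tokens as published by the vendors. The product label attached to each
# token is this example's assumption, not something robots.txt can tell you.
AI_CRAWLERS: Dict[str, str] = {
    "OpenAI": "GPTBot",
    "Anthropic": "ClaudeBot",
    "Perplexity": "PerplexityBot",
    "Google (Gemini training)": "Google-Extended",
}

# Constructed robots.txt for the demo. Note the classic footgun: a group for a specific
# crawler REPLACES the "*" group for that crawler, it does not add to it.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/

User-agent: GPTBot
Disallow: /private/

User-agent: Google-Extended
Disallow: /
"""

PATHS: List[str] = ["/docs/getting-started", "/private/roadmap", "/admin/"]


def access_matrix(robots_txt: str, paths: List[str],
                  crawlers: Dict[str, str] = AI_CRAWLERS) -> Dict[str, Dict[str, bool]]:
    """engine -> path -> may-crawl, evaluated with the standard robots.txt matching rules."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return {name: {p: bool(rp.can_fetch(token, p)) for p in paths} for name, token in crawlers.items()}


def blocked_engines(matrix: Dict[str, Dict[str, bool]], path: str) -> List[str]:
    """Engines that may not fetch the given path, sorted for stable output."""
    return sorted(name for name, row in matrix.items() if not row[path])


if __name__ == "__main__":
    m = access_matrix(SAMPLE_ROBOTS, PATHS)
    for engine, row in m.items():
        print(f"{engine:26s}", {p: ("allow" if ok else "BLOCK") for p, ok in row.items()})
```

The GPTBot row is the instructive one: because it has its own group, the `Disallow: /admin/` from the `*` group no longer applies to it, which is rarely what the site owner intended.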

Do I need to be a security expert?

Not at all. Every issue comes with a fix prompt and prioritized guidance, so you can work through the fixes without security expertise. If you can copy and paste, you can secure your app.

What is an AI-ready fix?

Each vulnerability in your report includes a ready-to-use remediation prompt with the issue, severity, evidence, and recommended code-level changes. Paste it into Claude, Cursor, or any AI agent and ship the fix in minutes.

What else does Troja check beyond security?

Far more than a typical scanner. Troja grades accessibility (WCAG: labels, alt text, heading order, contrast, zoom), domain & DNS health (TLS, DNSSEC, domain age, nameservers), email authentication (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT), and performance. On paid plans it adds domain threat-intel (malware blocklists + IP reputation), known-CVE dependency scanning, subdomain-takeover detection, broken-link auditing, and real Google PageSpeed Core Web Vitals.

Can Troja scan my connected services, not just the public URL?

Yes, on Citadel and above. Connect read-only tokens for GitHub, Supabase, Stripe, Vercel, Railway, Resend, or Google PageSpeed and Troja deep-scans your real source, database policies, payments, hosting, email auth and Core Web Vitals, catching leaked secrets and misconfigurations a black-box URL scan can never see. Keep those tokens read-only and scoped to the project being scanned.

What does it cost?

Scanning is free: point Troja at any URL and see your scores and issue counts in ~30 seconds. Paid plans start at $19/mo (Garrison), which unlocks every AI fix prompt plus the accessibility, email-auth and AEO depth. Citadel ($49) adds connected deep scans, domain threat-intel, CVE/dependency scanning, subdomain-takeover detection and Google PageSpeed data. Empire ($99) adds full-site crawling and live AI-engine testing. Annual billing saves 30%.

Know what's inside your gates today.

One free scan. Thirty seconds. The difference between shipping confident and shipping blind.

Free scan · no signup · results in ~30 seconds
Troja — Know what's inside your gates.