Comparison · Jun 9, 2026 · 9 min read

Troja vs. checkvibe, OffURL, Fixnx, SiteShield, CyScan, Dr URLs

An honest, feature-by-feature comparison of Troja vs. checkvibe, OffURL, Fixnx, SiteShield, CyScan.io and Dr URLs — security, SEO, AEO, AI fixes and price.

By The Troja Team

Short version: Troja and checkvibe are the two full scanners that grade security, SEO and AI-visibility (AEO) and hand you copy-paste AI fix prompts. Fixnx is a fast security + SEO + speed scanner with AI guidance but no AEO. CyScan.io is a free attack-surface / URL recon tool — great for mapping, not for shipping fixes. Dr URLs is a broad website-health checker (SEO, security, performance, accessibility) with monitoring, but no AEO and no AI fix prompts. OffURL is a no-signup, pay-per-report security audit (150+ checks incl. CVE lookup, threat-intel feeds and WCAG) for vibe-coders. SiteShield is an agency-grade platform that also grades GEO and ESG signals and tests four AI engines. Troja's edge is going past the public page: it deep-scans your real stack — GitHub, Supabase, Stripe, Vercel, Railway and Resend — and runs active, authenticated tests.

If you ship with AI coding tools, the question isn't just "is my site secure?" — it's "can attackers see in, can Google rank me, and can ChatGPT cite me?" Here's how all six tools stack up.

How we compared

We tested each tool's public product and pricing pages as of June 2026 and mapped them to the jobs a builder actually needs: find issues, understand them, and ship fixes — across security, SEO and AI visibility. Everything below is sourced from each vendor's own site (linked in each section).

Feature comparison at a glance

Capability | Troja | checkvibe | OffURL | Fixnx | SiteShield | CyScan.io | Dr URLs
Security checks | ✅ 120+ | ✅ 100+ | ✅ 150+ | ✅ 100+ | ✅ OWASP | ⚠️ Recon | ⚠️ Headers
SEO audit✅ 68✅ 68⚠️ ~8✅ technical✅ 40+
AEO (AI-answer visibility)✅ 46 + matrix✅ 46 + 7-engine✅ AEO + GEO
Accessibility (WCAG)✅ AODA
CVE / threat intel⚠️ partial✅ NVD + feeds⚠️ recon
Copy-paste AI fixes✅ per finding⚠️ template✅ (sign-in)❌ quote⚠️ manual
Connected deep-stack scan✅ 6 providers⚠️ GSC/PSI
Active / authenticated tests✅ DAST✅ beta✅ pen-tests⚠️ partial⚠️ recon
MCP server + API
Monitoring + alerts✅ daily
White-label reports⚠️ badge
Free to start | ✅ scan | ✅ trial | ✅ 1 report | ✅ 2 scans | ✅ snapshot | ✅ free | ✅ beta
Paid from | $19/mo | £17/mo | $1.99/report | $4.99/20 | Quote | Free | Free (beta)

Legend: ✅ yes · ⚠️ partial / different scope · ❌ no.

Troja vs. checkvibe: the closest call

checkvibe shares Troja's DNA — security + SEO + AEO with paste-ready AI fix prompts — and it does it well: 100+ security checks, 68 SEO checks, 46 AEO checks, a seven-engine citation matrix (ChatGPT, Claude, Perplexity, Google AI, Copilot, Meta AI and Mistral), PDF export, an MCP server and daily monitoring on its Pro plan. Pricing starts at £17/mo (checkvibe.dev/pricing).

Where Troja pulls ahead is depth past the public page. Connect read-only tokens and Troja deep-scans your actual GitHub source, Supabase RLS policies, Stripe webhook config, Vercel/Railway settings and Resend email authentication — surfacing leaked secrets, permissive database policies and misconfigurations a black-box URL scan can't reach. Troja also treats domain health and performance as first-class scored families and runs active (authenticated) DAST.

Pick checkvibe if the broad seven-engine AEO matrix is your priority. Pick Troja if you want it to scan the stack behind the page and fix it from your editor. See the full Troja vs. checkvibe breakdown.

Troja vs. OffURL

OffURL is the most feature-dense pure-security scanner here, aimed squarely at vibe-coders: 150+ checks across 16+ categories, no signup, in ~30 seconds. It covers application security (XSS, SQLi, SSRF, SSTI, LFI/RFI, CORS), active pen-tests, CVE lookup via the NVD API, subdomain-takeover detection, threat-intel feeds (URLhaus, PhishTank, Feodo), a full email-auth suite (SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT), WCAG accessibility and domain intelligence (WHOIS, domain age, Archive.org). Pricing is pay-per-report: the first is free, then $1.99.

Versus Troja: OffURL has no AEO, no connected/deep-stack scanning (external-only — it never sees your GitHub source or Supabase RLS), and no monitoring, MCP or API. Its AI fix is one paste-ready template; Troja writes a prompt per finding and streams them into your editor. See the full Troja vs. OffURL breakdown.

Pick OffURL for a deep, cheap, one-off external security audit. Pick Troja when you also need AI-visibility, your real backend scanned, and an ongoing fix loop.

What is Fixnx, and how does it compare to Troja?

Fixnx is an AI-powered scanner that bundles security, SEO and performance into one fast report — 100+ checks in seconds covering OWASP-style signals (SQLi, XSS, IDOR, SSL/TLS), exposed files, headers, cookies and API-endpoint discovery, plus AI-written remediation guidance unlocked after a Google sign-in. Pricing is a credit-pack model: 2 free scans, then $4.99 for 20.

Two gaps versus Troja: no AEO (Fixnx won't tell you whether ChatGPT can cite you) and no connected or deep-stack scanning — it only sees your site from the outside.

Pick Fixnx for a quick external security + SEO + speed snapshot. Pick Troja when AI-visibility and your real backend matter, or when you want fixes streamed straight into Cursor or Claude Code. See the full Troja vs. Fixnx breakdown.

Troja vs. CyScan.io

CyScan.io is a free "cyber URL scanner," and it's excellent at its job: endpoint discovery, passive-DNS subdomain enumeration (via crt.sh, CertSpotter and HackerTarget), directory fuzzing, redirect-chain analysis, tech-stack detection and multi-device screenshots. It's a recon / attack-surface tool for security researchers — by its own description it isn't a full-stack vulnerability scanner.

That means no SEO or AEO scoring, no prioritised remediation, no AI fix prompts and no monitoring. It maps; it doesn't fix.

Pick CyScan.io to map an attack surface for free. Pick Troja when you need ranked findings plus AI fixes you can actually ship. See the full Troja vs. CyScan.io breakdown.

Troja vs. Dr URLs

Dr URLs is a website-health checker: 200+ checks across SEO, security, performance and — uniquely in this list — accessibility, with a 0–100 health score, link intelligence (backlinks and toxic links), recurring scans and before/after trend tracking. It's currently free during beta and is a strong all-round site-quality tool; its accessibility coverage is something Troja doesn't focus on.

But it has no AEO (no AI-answer-engine visibility), no copy-paste AI fix prompts (it gives manual fix instructions), and no connected deep-stack scanning or active tests.

Pick Dr URLs for broad site health plus accessibility and link monitoring. Pick Troja for AI-native security and AEO you can fix from your editor. See the full Troja vs. Dr URLs breakdown.

Troja vs. SiteShield

SiteShield is an agency-grade "Digital Intelligence Platform" pitched at agencies, universities, businesses, the public sector and nonprofits — the broadest scope here. Alongside security, performance and technical SEO it grades accessibility (AODA/WCAG), analytics/consent signals, AEO, GEO (entity clarity, topical authority, trust proof) and ESG signals, tests across four AI engines (Perplexity, ChatGPT, Gemini, Claude) and connects Google Search Console + PageSpeed. A free snapshot scans your homepage; the paid report crawls the full site with a PDF, a verified badge and a "request a remediation quote" path.

Versus Troja: SiteShield is report-and-consult, not fix-and-ship: no copy-paste AI fix prompts (you request a quote), no connected deep-stack scanning of your source or database, and no MCP/API. See the full Troja vs. SiteShield breakdown.

Pick SiteShield if you're an agency or institution wanting a broad, presentable audit (GEO + ESG + accessibility). Pick Troja if you're a builder who wants to find it, understand it and fix it yourself.

What only Troja does across all six

  • Connected deep-stack scans. With read-only tokens, Troja scans your actual GitHub source, Supabase RLS policies, Stripe webhooks, Vercel/Railway config and Resend email auth. None of the other five can see past the public page — this is the real differentiator.
  • An editor-native fix loop. A specific AI fix prompt per finding, an MCP server + API (shared only with checkvibe), verify-fix re-tests, scan-to-scan diffs and a branded executive scorecard.
  • Full white-label client reports — your logo, name and colour on the report a client opens (SiteShield offers a verified badge; checkvibe doesn't white-label at all).
  • Actionable AEO/GEO — per-bot snippet grading, an llms.txt generator and content-gap rewrite prompts. SiteShield reports AEO/GEO; Troja turns each gap into a prompt you paste into Cursor.

Which scanner should you choose?

  • You want AI-answer-engine visibility, AI fix prompts and your real backend scanned → Troja.
  • You want the most battle-tested seven-engine AEO matrix specifically → checkvibe.
  • You want a deep, cheap, one-off external security audit (CVE + threat-intel + accessibility) → OffURL.
  • You want a fast external security + SEO + speed snapshot → Fixnx.
  • You're an agency/institution wanting a broad, presentable audit with GEO + ESG → SiteShield.
  • You want free attack-surface and subdomain recon → CyScan.io.
  • You want broad site-health plus accessibility and link monitoring → Dr URLs.

There's no single "best" scanner — there's the best one for the job in front of you. But if you're shipping AI-built apps and you care about being secure, ranked and citable by AI, Troja is the only one that scans all three layers and the stack underneath.

Frequently asked questions

Is Troja free?

Yes — scanning is free and needs no signup. Paid plans (Garrison from $19/mo, Citadel $49/mo, Empire $99/mo) unlock the copy-paste AI fix prompts, connected deep-stack scans, active tests, monitoring and white-label reports.

What is AEO, and which of these scanners actually check it?

AEO (Answer Engine Optimization) measures whether AI answer engines like ChatGPT, Claude, Perplexity and Google AI can read and cite your site. Of the tools compared here, Troja, checkvibe and SiteShield grade AEO (SiteShield also grades GEO) — OffURL, Fixnx, CyScan.io and Dr URLs focus on traditional SEO, security or recon.

Which tool scans my actual codebase and database, not just the public page?

Only Troja. With read-only tokens it deep-scans your real stack — GitHub source, Supabase RLS policies, Stripe webhooks, Vercel and Railway config, and Resend email auth — catching leaked secrets and misconfigurations a black-box URL scan never sees. checkvibe, OffURL, Fixnx, SiteShield, CyScan.io and Dr URLs all scan from the outside only.

Do these tools give AI fix prompts I can paste into Cursor or Claude Code?

Troja and checkvibe generate copy-paste fix prompts per finding. Fixnx provides AI remediation guidance after a Google sign-in; OffURL gives one paste-ready prompt template; CyScan.io and Dr URLs give manual fix steps; SiteShield gives a remediation quote rather than prompts. Troja also exposes an MCP server so an agent can pull findings and fixes directly into your editor.

Is there a completely free attack-surface / URL recon scanner?

Yes — CyScan.io is 100% free with no signup for endpoint discovery, passive-DNS subdomain enumeration, directory fuzzing and asset analysis. It is a recon tool, not a fix-and-ship product, so it has no SEO/AEO scoring or AI fix prompts.
