# Seven Security Layers In One Scan. Mega Security Analyzer

One URL. Seven security layers scanned in parallel. TLS version and cipher, post-quantum hybrid KEX, HTTP security headers, CSP strictness, DNS email-auth, MITRE ATT&CK tactic mapping, CWE and OWASP pattern scan. 3-probe false-positive suppression.

Author: J.A. Watte
Published: April 21, 2026
Source: https://jwatte.com/blog/blog-tool-mega-security-analyzer/

---

_Part of the [security audit tool stack](/blog/blog-new-security-audit-tools-2026/). See the pillar post for the full catalog of sibling audits and where this one fits in the lineup._

Most security scanners audit one layer and call it done. A TLS-only scanner. A headers-only scanner. A DNS-only scanner. A pattern-scanner for CVE matching. Each is useful; none are complete. And every one of them produces a predictable slice of false positives because caching layers, CDN shield races, and transient fetches make single-probe scans unreliable.

The [Mega Security Analyzer](/tools/mega-security-analyzer/) runs seven layers in one pass and applies 3-probe consensus on the flag-worthy findings so false positives from CDN-layer transients get filtered before they hit your list.

## The seven layers

1. **TLS layer.** Via a server-side probe that opens a real TLS connection to your server. Protocol version, cipher standard name, cert chain validation, cert expiry, OCSP stapling, chain authorization.
2. **Post-quantum key exchange.** Same probe, but a second handshake forces `X25519MLKEM768` or `X25519Kyber768Draft00` to see whether your server supports hybrid-KEX. If yes, HNDL-safe. If no, classical-only.
3. **HTTP security headers.** HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options, COOP, CORP. Each flagged individually with context.
4. **DNS email-auth layer.** DNS-over-HTTPS lookup for SPF, DMARC, DKIM, CAA, MX. Separate server-side probe because the browser can't query DNS directly.
5. **Weakness pattern scan.** Rendered HTML pattern-matched against 7 common CWE entries: XSS (CWE-79), CSRF-missing (CWE-352), info disclosure (CWE-200), hard-coded credentials (CWE-798), clickjacking (CWE-1021), cleartext-form (CWE-319), framework-version leak (CWE-16). Each flagged with OWASP Top 10 alignment.
6. **MITRE ATT&CK mapping.** Each critical finding is badged with the matching ATT&CK tactic and technique (TA0001 Initial Access + T1190 Exploit Public-Facing App, TA0009 Collection + T1557 Adversary-in-the-Middle, etc.). Click-through goes to the official MITRE reference.
7. **False-positive suppression via 3-probe consensus.** Every critical fail gets re-probed through a third server-side probe three times with 700ms spacing. If the finding appears in ≥ 2 probes, it's CONFIRMED. If 1 of 3, TRANSIENT (likely caching race). If 0 of 3, NOT_OBSERVED, and the original fail is downgraded to info with a cleared-revalidation badge.

## Why revalidation matters

A site with Cloudflare fronting it serves different response headers from different edge nodes during a config rollout. A single-probe scanner sees the one node without HSTS and flags a critical fail. Fifteen minutes later every node has HSTS and the fail was transient. Single-probe scanners ship that false positive to your inbox with a red ✗. A user who trusts the scanner wastes an afternoon chasing a ghost.

3-probe consensus with 700ms spacing catches about 85% of these transients in my testing. It's not magic; a genuinely-missing header still appears in all 3 probes. But a transient-only failure reduces to a TRANSIENT verdict, which is an accurate signal that shouldn't drive a fire-drill.
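
As an added example (not the analyzer's own code), here is the headers-layer check together with the 3-probe consensus logic described above, with a constructed CDN edge-node simulation standing in for the real server-side probe; the header names, verdict labels and 700 ms spacing follow the post, while the finding ids, the fetcher interface and all header values are assumptions.

```python
"""Added example (not the analyzer's own code): header-layer findings plus
3-probe consensus revalidation as the post describes them. The fetcher, the
edge-node simulation and every header value are constructed for this demo."""
import time
from typing import Callable, Dict, List

Headers = Dict[str, str]
PROBE_SPACING_S = 0.7  # 700 ms between re-probes, as the post specifies
# A subset of the headers layer, keyed by a constructed finding id.
REQUIRED_HEADERS = {
    "missing-hsts": "strict-transport-security",
    "missing-csp": "content-security-policy",
    "missing-xcto": "x-content-type-options",
    "missing-xfo": "x-frame-options",
}

def header_findings(headers: Headers) -> List[str]:
    """Finding ids for every required header absent from one response."""
    present = {k.lower() for k in headers}
    return [fid for fid, name in REQUIRED_HEADERS.items() if name not in present]

def consensus_verdict(hits: int) -> str:
    """Map how many of 3 re-probes reproduced a finding to the post's verdicts."""
    if hits >= 2:
        return "CONFIRMED"
    return "TRANSIENT" if hits == 1 else "NOT_OBSERVED"

def revalidate(finding: str, fetch: Callable[[], Headers],
               spacing_s: float = PROBE_SPACING_S) -> str:
    """Re-probe one critical finding three times with fixed spacing."""
    hits = 0
    for i in range(3):
        if i:
            time.sleep(spacing_s)
        hits += int(finding in header_findings(fetch()))
    return consensus_verdict(hits)

def scan(fetch: Callable[[], Headers], spacing_s: float = PROBE_SPACING_S):
    """Initial probe, then consensus revalidation of each finding it raised."""
    return {f: revalidate(f, fetch, spacing_s) for f in header_findings(fetch())}

def make_edge_fetcher(responses: List[Headers]) -> Callable[[], Headers]:
    """Constructed CDN stand-in: each call answers with the next edge node's
    headers, cycling, so one mid-rollout node resurfaces periodically."""
    calls = [0]
    def fetch() -> Headers:
        h = responses[calls[0] % len(responses)]
        calls[0] += 1
        return h
    return fetch
```

A node that lacks HSTS on every probe comes back CONFIRMED, one stale edge node among three comes back TRANSIENT, and a rollout that finishes right after the initial probe comes back NOT_OBSERVED.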

## The MITRE ATT&CK alignment

Each finding is mapped to the relevant ATT&CK tactic so the fix can be discussed in the standard threat-model language. Missing HSTS badges under TA0009 Collection + T1557 Adversary-in-the-Middle. Missing clickjacking defenses badge under TA0001 Initial Access. Debug info in HTML badges under the CWE-200 info-disclosure entry. The badges are clickable and link to attack.mitre.org for the canonical reference.

Why ATT&CK specifically: it's the framework most defender teams already speak. If the security finding gets handed off to a SOC or an MSSP, they'll re-tag everything to ATT&CK anyway. Doing it upstream saves a translation step.

## What the fix prompt produces

For every finding, the emitted prompt asks Claude / ChatGPT to generate:

- A reverse-proxy config snippet (nginx, Apache, Caddy, Traefik, Envoy) for the relevant fix.
- A single-paste HTTP security header block for `_headers`, `vercel.json`, a Cloudflare Transform Rule, or `.htaccess`.
- DNS zone records for SPF / DKIM / DMARC / CAA.
- TLS terminator config for TLS 1.3 + hybrid X25519MLKEM768.
- A verification command per fix (`curl -I`, `dig TXT`, `openssl s_client`) so you can confirm the fix took effect.
- A 30-60-90 day hardening roadmap prioritized by severity.
- Risk notes for any fix that could break legitimate functionality.

## The honest limits

Seven layers is not all layers. What the tool doesn't do:

- Authenticated vulnerability scanning. Needs credentials; out of scope.
- Plugin / framework CVE matching. Requires a CVE database; use Patchstack, WPScan, or a dedicated tool.
- SQL injection / input-validation testing. Active scanning needs explicit authorization and is legally distinct from passive reconnaissance.
- Source-code review. Off the wire.

The tool explicitly calls out what's out of scope in every fix prompt.

## Why this is published as free

Because small sites that get breached don't recover, and a breach on a small site can cascade into the customers a larger business depends on. The tool ships with disclaimers and is targeted at sites the owner has authorization to audit. Scanning a third party without authorization is a CFAA violation. Respect the legal line; use the tool on your own sites.

## Related reading

- [PQC Analyzer](/tools/pqc-analyzer/), the post-quantum layer called out on its own
- [Security Headers Audit](/tools/security-headers-audit/), the headers layer on its own
- [DNS / Email Auth Audit](/tools/dns-email-audit/), the DNS layer on its own
- [WordPress Security + Stability](/tools/wordpress-security-audit/), the WP-specific complement

## Fact-check notes and sources

- MITRE ATT&CK Enterprise Matrix v15.1, https://attack.mitre.org/
- MITRE CWE Top 25 Most Dangerous Weaknesses, 2024 edition.
- OWASP Top 10 2021, https://owasp.org/Top10/
- SANS Top 25 Most Dangerous Software Errors.
- NIST FIPS 203 (ML-KEM) for the PQC key-agreement standard.
- Cloudflare post-quantum blog, 2024, for deployment benchmark data.
- IETF draft-kwiatkowski-tls-ecdhe-mlkem for the hybrid-KEX spec.

_This post is informational, not security-consulting, legal, or compliance advice. The MITRE ATT&CK framework, CWE, CAPEC are trademarks of The MITRE Corporation. OWASP is a trademark of the OWASP Foundation. SANS is a trademark of the SANS Institute. All references are nominative fair use. Only scan sites you own or have explicit written authorization to test._

