Seven Security Layers In One Scan. Mega Security Analyzer

Most security scanners audit one layer and call it done. A TLS-only scanner. A headers-only scanner. A DNS-only scanner. A pattern-scanner for CVE matching. Each is useful; none are complete. And every one of them produces a predictable slice of false positives because caching layers, CDN shield races, and transient fetches make single-probe scans unreliable.

The Mega Security Analyzer runs seven layers in one pass and applies 3-probe consensus on the flag-worthy findings so false positives from CDN-layer transients get filtered before they hit your list.

The seven layers

  1. TLS layer. A server-side probe opens a real TLS connection to the target and records the negotiated protocol version and cipher suite, validates the certificate chain up to a trusted root, and checks certificate expiry and OCSP stapling.
  2. Post-quantum key exchange. The same probe runs a second handshake that offers only the hybrid groups X25519MLKEM768 (the IETF ML-KEM hybrid that current Chrome and Firefox send) and X25519Kyber768Draft00 (the earlier Kyber draft). If the server negotiates one of them, the session's key exchange is safe against harvest-now-decrypt-later (HNDL) recording; if it supports neither it aborts the handshake, and the probe reports classical-only. The hybrid protects the key exchange only: the certificate signatures that authenticate the server are still classical.
  3. HTTP security headers. HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-Frame-Options, COOP, CORP. Each is flagged individually with context. Keep in mind that X-Frame-Options and a CSP frame-ancestors directive are alternative clickjacking defences, so a page that carries only frame-ancestors is not missing anything.
  4. DNS email-auth layer. DNS-over-HTTPS lookups for SPF, DMARC (at _dmarc.<domain>), DKIM, CAA and MX, through a separate server-side probe because page script has no raw DNS API. DKIM is the weak spot of any unauthenticated check: the key lives at <selector>._domainkey.<domain> and the selector is not enumerable, so "not found" means "not found under the selectors tried", not "no DKIM".
  5. Weakness pattern scan. The rendered HTML is pattern-matched against seven common CWE entries: XSS (CWE-79), missing CSRF protection (CWE-352), info disclosure (CWE-200), hard-coded credentials (CWE-798), clickjacking (CWE-1021), cleartext form submission (CWE-319), framework-version leak (CWE-16). Each is flagged with its OWASP Top 10 alignment. This is static pattern matching, so a hit is an indicator (for example a form with no anti-CSRF token, or a form that posts to http://), not a confirmed exploitable bug; read this layer with more scepticism than the wire-level ones.
  6. MITRE ATT&CK mapping. Each critical finding is badged with the matching ATT&CK tactic and technique (TA0001 Initial Access + T1190 Exploit Public-Facing Application, TA0009 Collection + T1557 Adversary-in-the-Middle, and so on), with a click-through to the official MITRE reference.
  7. False-positive suppression via 3-probe consensus. Every critical fail is re-probed three more times through a dedicated server-side probe, 700 ms apart. Seen again in 2 or 3 of the re-probes: CONFIRMED. Seen in 1: TRANSIENT (most likely a caching or rollout race). Seen in 0: NOT_OBSERVED, and the original fail is downgraded to info with a cleared-on-revalidation badge.
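Layers 3 and 4 are the ones you can reproduce offline from a captured response and a handful of TXT records. What follows is an added example, not the analyzer's own code: it runs the layer-3 header checks and the layer-4 SPF/DMARC/DKIM checks over constructed inputs and returns findings as (severity, subject, note) tuples. The header dict, the example.test zone, the severity thresholds and the common-selector list are all assumptions made for the demo.

```python
import re

ONE_YEAR = 31_536_000  # HSTS max-age that preload lists and most guidance expect
COMMON_SELECTORS = ("default", "google", "selector1", "selector2", "k1")  # assumption: a guess list


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def csp_directive(csp, name):
    """Source list of one CSP directive, or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def header_findings(headers):
    """Layer 3: (severity, header, note) tuples for one response-header dict."""
    out = []
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        out.append(("critical", "Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            out.append(("warn", "Strict-Transport-Security", f"max-age={age} is under one year"))
    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        out.append(("critical", "Content-Security-Policy", "missing"))
    else:
        scripts = csp_directive(csp, "script-src")
        if scripts is None:  # script-src falls back to default-src
            scripts = csp_directive(csp, "default-src") or []
        if "'unsafe-inline'" in scripts:
            out.append(("warn", "Content-Security-Policy", "script-src allows 'unsafe-inline'"))
    # Clickjacking (CWE-1021): either header is a defence; the fail is having neither.
    if get_header(headers, "X-Frame-Options") is None and (
            csp is None or csp_directive(csp, "frame-ancestors") is None):
        out.append(("critical", "X-Frame-Options", "no X-Frame-Options and no CSP frame-ancestors"))
    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        out.append(("warn", "X-Content-Type-Options", "not set to nosniff"))
    for name in ("Referrer-Policy", "Permissions-Policy",
                 "Cross-Origin-Opener-Policy", "Cross-Origin-Resource-Policy"):
        if get_header(headers, name) is None:
            out.append(("info", name, "missing"))
    return out


def email_auth_findings(domain, txt):
    """Layer 4: SPF and DMARC checks. `txt` maps a DNS name to its TXT strings
    (a constructed dict here; the real probe fills it from DNS-over-HTTPS)."""
    out = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        out.append(("critical", "SPF", "no v=spf1 record"))
    elif len(spf) > 1:
        out.append(("critical", "SPF", "multiple SPF records (RFC 7208 permerror)"))
    else:
        alls = [t for t in spf[0].split() if re.fullmatch(r"[+\-~?]?all", t, re.I)]
        last = alls[-1].lower() if alls else None
        if last in ("all", "+all"):
            out.append(("critical", "SPF", "+all authorises any sender"))
        elif last in (None, "?all"):
            out.append(("warn", "SPF", "no fail policy: missing or ?all is neutral"))
        elif last == "~all":
            out.append(("info", "SPF", "~all softfail; -all is stricter"))
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        out.append(("critical", "DMARC", "no _dmarc record"))
    elif re.search(r"\bp=none\b", dmarc[0]):
        out.append(("warn", "DMARC", "p=none is monitor-only"))
    return out


def dkim_selectors_found(domain, txt, selectors=COMMON_SELECTORS):
    """Selectors under <selector>._domainkey.<domain> that hold a key (p= tag).
    An empty list means 'not found under the selectors tried', not 'no DKIM'."""
    return [s for s in selectors
            if any(re.search(r"\bp=", r) for r in txt.get(f"{s}._domainkey.{domain}", []))]


# Constructed sample inputs, not a real site or zone.
SAMPLE_HEADERS = {"strict-transport-security": "max-age=300",
                  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
                  "X-Content-Type-Options": "nosniff"}
SAMPLE_TXT = {"example.test": ["v=spf1 include:_spf.mail.test ~all"],
              "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
              "default._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg"]}
```

Two design points worth noting. The header lookup is case-insensitive because proxies and CDNs rewrite header casing freely, and a case-sensitive scanner will report a present header as missing. The SPF check looks at the last `all` mechanism rather than the last token, because a record can legitimately end in `redirect=` or an `exp=` modifier after its `-all`.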

Why revalidation matters

A site with Cloudflare fronting it serves different response headers from different edge nodes during a config rollout. A single-probe scanner sees the one node without HSTS and flags a critical fail. 15 minutes later every node has HSTS and the fail was a transient. Single-probe scanners ship that false positive to your inbox with a red ✗. A user who trusts the scanner wastes an afternoon chasing a ghost.

3-probe consensus with 700ms spacing catches about 85% of these transients in my testing. It's not magic: a genuinely missing header still shows up in all three probes, while a transient-only failure collapses to a TRANSIENT verdict, which is an accurate signal and not one that should drive a fire drill. The limit is vantage: from one source address the three probes usually reach the same point of presence, so what this catches is per-node staleness and in-flight rollouts as seen from there, not what a client in another region sees.
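The consensus rule from layer 7 and this section, as an added example that is not the analyzer's own code: the verdict function, the revalidation loop with the severity downgrade, and a constructed three-node CDN fleet caught mid-rollout, which shows that the verdict depends on successive probes reaching different nodes. The EDGES fleet, the round-robin probe and the finding dict are assumptions made for the demo.

```python
import time
from itertools import cycle


def consensus(observed):
    """Verdict for one finding from its re-probe results (True = failure seen again)."""
    hits = sum(1 for seen in observed if seen)
    if hits >= 2:
        return "CONFIRMED"
    return "TRANSIENT" if hits == 1 else "NOT_OBSERVED"


def revalidate(finding, probe, probes=3, spacing=0.7):
    """Re-probe a critical finding `probes` times, `spacing` seconds apart.
    `probe(finding)` returns True if the failing condition is still present.
    NOT_OBSERVED downgrades a copy of the finding to info and badges it as cleared."""
    observed = []
    for i in range(probes):
        if i:
            time.sleep(spacing)
        observed.append(bool(probe(finding)))
    result = dict(finding, verdict=consensus(observed), observations=observed)
    if result["verdict"] == "NOT_OBSERVED":
        result["severity"] = "info"
        result["badge"] = "cleared on revalidation"
    return result


# Constructed CDN fleet mid-rollout: edge-a has not picked up the HSTS config yet.
EDGES = {
    "edge-a": {},
    "edge-b": {"strict-transport-security": "max-age=31536000"},
    "edge-c": {"strict-transport-security": "max-age=31536000"},
}


def edge_probe(edge_order):
    """Probe that lands on the given edges in turn (round-robin). This is the
    optimistic assumption; a real single-vantage probe often hits the same node."""
    nodes = cycle(edge_order)

    def probe(finding):
        headers = EDGES[next(nodes)]
        return finding["header"].lower() not in {k.lower() for k in headers}

    return probe


HSTS_FAIL = {"header": "Strict-Transport-Security", "severity": "critical"}

if __name__ == "__main__":
    # One stale edge in three: the re-probes see the failure once, so it is TRANSIENT.
    print(revalidate(HSTS_FAIL, edge_probe(["edge-a", "edge-b", "edge-c"]), spacing=0))
    # Every probe lands on the stale edge: the failure is CONFIRMED even though it is a rollout race.
    print(revalidate(HSTS_FAIL, edge_probe(["edge-a", "edge-a", "edge-a"]), spacing=0))
```

The third call in the main block is the case the 85% figure leaves out: if all three re-probes land on the one stale node, the race is reported as CONFIRMED, and nothing short of probing from a second vantage point or bypassing the cache would reveal it. `revalidate` copies the finding rather than mutating it so the original critical verdict survives for the audit log.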

The MITRE ATT&CK alignment

Each finding is mapped to the relevant ATT&CK tactic so the fix can be discussed in the standard threat-model language. Missing HSTS is badged under TA0009 Collection + T1557 Adversary-in-the-Middle, since the header is what stops a first-contact downgrade to plaintext. Missing clickjacking defences are badged under TA0001 Initial Access. Debug information in the HTML is badged under CWE-200, the info-disclosure entry, rather than an ATT&CK technique. The badges are clickable and link to attack.mitre.org for the canonical reference.

Why ATT&CK specifically: it's the framework most defender teams already speak. If the security finding gets handed off to a SOC or an MSSP, they'll re-tag everything to ATT&CK anyway. Doing it upstream saves a translation step.

What the fix prompt produces

For every finding, the emitted prompt asks Claude / ChatGPT to generate:

  • A reverse-proxy config snippet (nginx, Apache, Caddy, Traefik, Envoy) for the relevant fix.
  • A single-paste HTTP security header block for _headers, vercel.json, a Cloudflare Transform Rule, or .htaccess.
  • DNS zone records for SPF / DKIM / DMARC / CAA.
  • TLS terminator config for TLS 1.3 + hybrid X25519MLKEM768.
  • A verification command per fix (curl -I, dig TXT, openssl s_client) so you can confirm the fix took effect.
  • A 30-60-90 day hardening roadmap prioritized by severity.
  • Risk notes for any fix that could break legitimate functionality.

The honest limits

Seven layers is not all layers. What the tool doesn't do:

  • Authenticated vulnerability scanning. Needs credentials; out of scope.
  • Plugin / framework CVE matching. Requires a CVE database; use Patchstack, WPScan, or a dedicated tool.
  • SQL injection / input-validation testing. Active scanning needs explicit authorization and is legally distinct from passive reconnaissance.
  • Source-code review. Off the wire.

The tool explicitly calls out what's out of scope in every fix prompt.

Why this is published as free

Because small sites that get breached often don't recover, and a breach on a small site can cascade into the customers a larger business depends on. The tool ships with disclaimers and is aimed at sites the owner has authorization to audit. Scanning a third party without authorization can be a CFAA violation in the US, and other jurisdictions have equivalent computer-misuse laws. Respect the legal line; use the tool on your own sites.

Fact-check notes and sources

  • MITRE ATT&CK Enterprise Matrix v15.1, https://attack.mitre.org/
  • MITRE CWE Top 25 Most Dangerous Software Weaknesses, 2024 edition, https://cwe.mitre.org/top25/
  • OWASP Top 10 2021, https://owasp.org/Top10/
  • CWE/SANS Top 25 Most Dangerous Software Errors, the earlier name of the CWE Top 25.
  • NIST FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM), 2024, for the PQC key-agreement standard.
  • Cloudflare post-quantum blog, 2024, for deployment benchmark data.
  • IETF draft-kwiatkowski-tls-ecdhe-mlkem, Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3, for the hybrid-KEX spec.

This post is informational, not security-consulting, legal, or compliance advice. The MITRE ATT&CK framework, CWE, CAPEC are trademarks of The MITRE Corporation. OWASP is a trademark of the OWASP Foundation. SANS is a trademark of the SANS Institute. All references are nominative fair use. Only scan sites you own or have explicit written authorization to test.

