Dimension scores are derived from public data and fields; weighted into the composite. Reference only.
TinScan positions itself as a “Security, made simple” web security scanning tool, offering free risk checks for websites. It provides public basic scans, deeper scans after domain ownership verification, and attack simulations that run only with explicit authorization. Its core value is helping website owners identify configuration issues in areas such as headers, DNS, TLS, and cookies, while providing a security score via SecuGrade.
Based on the description, TinScan includes 70 basic checks that can be run on public websites with no usage limit. Its 62 deep checks require proof of domain ownership, which can be completed through a DNS TXT record, uploading a file to the server, or using an existing PIN verification. It also offers 18 attack tests, requiring user consent, with examples including SQL injection and XSS. Results can be viewed against standards such as OWASP Top 10, OWASP WSTG, Best Practice, Email Auth, PCI DSS, GDPR, NIST 800-53, and ISO 27001. However, this appears to be a mapping of checks to frameworks rather than evidence that the platform itself holds those certifications.
The pricing information is very straightforward: basic checks are free and unlimited, deep checks are free for verified owners, and attack tests are free per domain and do not require a password. Deployment is fully online, with no agent installation required. The ownership verification design is reasonably cautious: it helps prevent others from casually running active scans against third-party sites, while also allowing site administrators to reuse a PIN for repeat checks.
Its advantages are a low barrier to entry, free access, coverage of common web security configuration issues, a security score, and embeddable badges. It is well suited as a quick pre-launch or routine health-check tool. The downsides are also clear: the description does not mention an API, webhooks, CI/CD integration, team management, alerts, SLA, or human support; the depth and boundaries of its attack simulations are also not clearly defined. The page also notes that high-risk websites should consult security professionals, so TinScan should not be considered a replacement for full penetration testing or enterprise-grade vulnerability management.
TinScan is better suited for individual webmasters, developers, small and midsize website operators, and security consultants conducting initial screening. The provided information does not mention access from mainland China, payment methods, or localization support, so these remain unknown. If you need China-specific compliance, Chinese-language support, MLPS-related deliverables, or local payment options, you may also want to evaluate website security testing, WAF, and vulnerability scanning services from domestic cloud providers, or use it alongside tools such as OWASP ZAP, Burp Suite, and Nuclei.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, tinscan.com.
tinscan.com is an Unknown Security provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of China direct-connect friendly.