Client-side security scanner

See what’s really running on any website.

Point Glasswatch at a URL — yours or a vendor’s — and see every script, third-party destination, tracker, cookie, and security header it loads, with a transparent A–F risk grade. Nothing to install.

Scripts & origins · Third-party map · Trackers · Security headers · Vulnerable libraries · Tech stack
§ 01

Everyone else makes you install their script. We don’t.

Tag-based tools only see the sites you control. Glasswatch looks at any page from the outside — the way a real visitor’s browser does.

The old way

Install-a-tag (everyone else)

  • You add their script to your own site
  • Only works on sites you control
  • Can't see your vendors' payment pages

The Glasswatch way

Outside-in (Glasswatch)

  • Point at any URL — nothing to install
  • Scan your site and your vendors' sites
  • See it the way a real visitor's browser does

See where the data goes

[Graph legend: your site · third party · tracker]

Every script on a page reaches out to somewhere. Glasswatch maps each destination, flags the trackers in amber, and shows the request chain a visitor’s browser actually follows. (illustrative — run a scan for your real map)

§ 02

PCI DSS 4.0 made client-side monitoring mandatory.

If your checkout takes a card, two requirements now apply to the scripts running in your customers’ browsers. A firewall can’t see them — they execute client-side. This is the demand that isn’t optional.

6.4.3 Script inventory & authorization

Every script on a page that takes card payments must be inventoried, justified, and authorized.

11.6.1 Payment-page tamper detection

Payment-page scripts and security headers must be monitored for tampering and changes — at least every 7 days. Active since 31 March 2025.

Run a scan and Glasswatch maps every finding to 6.4.3 and 11.6.1 — so the gap is named in the language your QSA uses.

§ 03

One engine. From a free scan to continuous evidence.

The free scan is the entry point. The same outside-in pipeline powers monitoring, authorization workflows, and QSA-ready exports.

01 · Free

Scan

Point-in-time outside-in risk report with an A–F grade.

02 · Paid

Script Inventory & Authorization

Inventory every payment-page script with an approve/deny workflow (PCI 6.4.3).

03 · Paid

Continuous Monitoring & Tamper Detection

Re-scan on a cadence, diff, and alert on changes (PCI 11.6.1).

04 · Paid

Risk Intelligence

Third-party map, where requests go, known-vuln libraries, header grading over time.

05 · Paid

Vendor Assessment

Scan and continuously monitor any vendor's site — no install, no permission needed.

06 · Paid

Compliance Pack

One-click PCI 6.4.3 / 11.6.1 evidence export, QSA-ready.

§ 04

A scan is a photo. Monitoring is the tripwire.

The paid product re-scans on a cadence, diffs every capture, and alerts the moment a payment page changes — exactly what PCI 11.6.1 demands.

your-store.com · checkout
re-scan → diff → alert

  1. Mon · A · baseline captured
  2. Tue · A · no change
  3. Wed · A · no change
  4. Thu · C · new script: pay-skim.js
  5. Fri · B · script removed · resolved

Grade trend over a week: a silent third-party change drops the grade on Thursday, fires an alert, and is logged as evidence once resolved.

§ 05

Start free. Scale when compliance forces your hand.

The point-in-time scan is free, forever. Continuous monitoring, authorization, and evidence export are where the recurring value lives.

Scan

Point-in-time, one site

$0 / forever
Run a scan
  • Outside-in scan
  • A–F risk grade
  • Full client-side inventory
  • Shareable report

Compliance Starter

PCI 6.4.3 / 11.6.1 for one brand

Contact us
Book a demo
  • 1–3 sites
  • Continuous monitoring
  • Script inventory + authorization
  • Tamper alerts
  • PCI evidence export

Enterprise

TPRM & scale

Contact us
Book a demo
  • Continuous vendor monitoring
  • SSO + SLA
  • API at scale
  • Audit support

Outside-in · nothing installed

See what’s running on your checkout — in about a minute.

Run a free scan now, or book a walkthrough of continuous monitoring and PCI evidence export.