Deep TLS Security Audit

Exhaustive TLS audit — protocol support, cipher suites, certificate chain, and 20+ known vulnerability checks including Heartbleed, ROBOT, POODLE, BEAST, FREAK, LOGJAM, and DROWN.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does Deep TLS Security Audit check?

Powered by testssl.sh, it performs an exhaustive audit: all supported TLS/SSL protocol versions, every offered cipher suite, full certificate chain validation, and 20+ known vulnerability checks — Heartbleed, ROBOT, POODLE, BEAST, CRIME, BREACH, LUCKY13, Sweet32, Logjam, FREAK, and more. It produces a grade and a detailed report similar to SSL Labs.

What are the most critical TLS vulnerabilities to check for?

Heartbleed (CVE-2014-0160) — leaks server memory including private keys. POODLE — forces SSL 3.0 downgrade. ROBOT — RSA key exchange padding oracle. BEAST — CBC mode attack on TLS 1.0. Any of these being present on a production server is a critical finding requiring immediate remediation.

Why does this require authentication?

testssl.sh fires hundreds of TLS handshakes and probe requests per target. From a public form it would look indistinguishable from attack traffic, exhaust shared resources, and could violate the terms of service for third-party targets. Authentication ensures accountability and that scans are run against infrastructure the user controls.

How is this different from TLS Quick Scan and TLS Deep Scan?

TLS Quick Scan — fast protocol/cipher probe. TLS Deep Scan — chain validation, OCSP, SCTs, cipher matrix. Deep TLS Security Audit — exhaustive vulnerability scan including active exploit checks. Use the Quick Scan for routine checks, Deep Scan for audits, and this tool for comprehensive security assessments.