Benteng Is Now a Full Web Security Platform. Scan Any Site, Study Real CVEs, Watch What's Being Exploited Right Now.

Benteng began as a small kit: a header grader, a JWT inspector, a CSP builder. Useful, but a kit. This update turns it into a platform you can actually learn and defend with, and it is still free with no account.
What
Three things landed at once.
A full site scan. Type any URL and Benteng runs a passive external scan: the TLS certificate and protocol, all the security headers, a real CORS preflight, cookie flags, DNS records for SPF, DMARC and CAA, a security.txt check, and a probe for exposed files like a reachable .git/config or .env. It returns one grade from A+ to F with the exact fix for every finding, grouped by section.
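To make the header and cookie part of such a passive scan concrete, here is an added example of a small grader (not Benteng's own code): it takes the response headers and raw Set-Cookie values a browser already receives, reports each missing or weak control with a copy-paste fix, and rolls the findings into one letter grade. The header set, the one-year HSTS threshold, the grade scale and the sample response are this example's own assumptions.

```python
"""Passive header and cookie-flag grader: an added example, not Benteng's own code.

Input is a dict of response headers plus the raw Set-Cookie values, exactly as a
passive scan sees them. Output is a list of (finding, fix) pairs and a letter grade.
The header set, the one-year HSTS threshold and the grade scale are this example's
own assumptions about what a grader should check, not Benteng's rules.
"""
from http.cookies import SimpleCookie

# Headers every HTTPS response should carry, with the fix reported when one is missing.
REQUIRED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "content-security-policy": "Content-Security-Policy: default-src 'self'",
    "x-content-type-options": "X-Content-Type-Options: nosniff",
    "x-frame-options": "X-Frame-Options: DENY",
    "referrer-policy": "Referrer-Policy: strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000  # assumed minimum HSTS max-age before the value is reported as short


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; None if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def check_headers(headers):
    """Report missing headers and a too-short HSTS policy. Names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, fix in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append((f"missing {name}", f"add: {fix}"))
    if "strict-transport-security" in lower:
        age = hsts_max_age(lower["strict-transport-security"])
        if age is None or age < ONE_YEAR:
            findings.append(("hsts max-age below one year",
                             f"set: {REQUIRED_HEADERS['strict-transport-security']}"))
    return findings


def check_cookies(set_cookie_values):
    """Report Set-Cookie values lacking the Secure, HttpOnly or SameSite attribute."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append((f"cookie {name} lacks Secure", "append ; Secure so it is never sent over http"))
            if not morsel["httponly"]:
                findings.append((f"cookie {name} lacks HttpOnly", "append ; HttpOnly to keep it out of document.cookie"))
            if not morsel["samesite"]:
                findings.append((f"cookie {name} lacks SameSite", "append ; SameSite=Lax (or Strict)"))
    return findings


def letter_grade(finding_count):
    """Assumed scale: A+ for a clean response, one letter lower per finding, F at five or more."""
    scale = ["A+", "A", "B", "C", "D"]
    return scale[finding_count] if finding_count < len(scale) else "F"


def grade_response(headers, set_cookie_values=()):
    """Run both checks and return {"grade": str, "findings": [(finding, fix), ...]}."""
    findings = check_headers(headers) + check_cookies(set_cookie_values)
    return {"grade": letter_grade(len(findings)), "findings": findings}


# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    report = grade_response(SAMPLE_HEADERS, SAMPLE_COOKIES)
    print("grade:", report["grade"])
    for finding, fix in report["findings"]:
        print(f"- {finding}: {fix}")
```

The sample response is missing three headers, carries a five-minute HSTS policy, and sets one cookie without Secure or SameSite and another without HttpOnly, so it lands at F; a real scanner would add the TLS, CORS and DNS sections on top of this, but the shape (finding plus fix, one grade) is the same.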
A case-study library. Every entry is a real, disclosed vulnerability mapped to OWASP Top 10:2025 and its CWE class, with the incident, the vulnerable code, the fix, and a link to the Benteng tool that catches that class. It covers the classes doing the most damage right now: deserialization (GoAnywhere), SSRF and XXE (Apache Tika), SQL injection (BeyondTrust into the US Treasury), supply chain (xz-utils), AI infra (Langflow), prompt injection, fail-open error handling, IDOR, hardcoded secrets, CORS, path traversal, and MCP tool poisoning.
A live exploited-CVE feed. It pulls the CISA Known Exploited Vulnerabilities catalog, the authoritative list of what is under active attack, buckets each entry by class, flags the ones tied to ransomware, and links back to the study case that shows the fix.
Why
Most free scanners give you a grade and stop. Most learning sites teach theory detached from what is actually being exploited. What is missing is the loop between them: see a weakness, understand the class behind it, and know it is the same class attackers are weaponizing this week.
OWASP refreshed the Top 10 in January 2026 for the first time since 2021. Two new categories showed up, Software Supply Chain Failures and Mishandling of Exceptional Conditions, and SSRF folded into Broken Access Control. Roughly a third of new CVEs are now exploited on or before the day they are disclosed. A static reference written to the 2021 list does not reflect that world. Benteng is built to the 2025 list and wired to a live feed so it stays current on its own.
Who
For the blue team, scan your own surface and get copy-paste fixes. For anyone learning appsec, the case studies are a primer that reads as one story per class, not a checklist. For the curious, the live feed is a running window into what is actually being attacked. Everything is defensive and educational. The vulnerable snippets are minimal teaching examples, not working exploits.
When and where
Live now at palugadahub.com/sec. The scanner is on the main tool. The library is at /sec/case. The live feed is at /sec/cve.
How
The scan is passive by design. It reads only what a normal browser already receives: a TLS handshake, DNS lookups, response headers, a preflight, and a few well-known public paths. It never sends an exploit. Every server-side fetch is SSRF-guarded, so it refuses private, loopback, and cloud-metadata addresses, and it is rate limited so it cannot be turned into a scanning proxy. The in-browser tools upload nothing.
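The SSRF guard described above is the part of a scanner most worth getting right, so here is an added example of one (not Benteng's own code). It parses the target URL, resolves the host, and refuses any address that is not globally routable: loopback, RFC 1918 and CGNAT ranges, link-local (which covers the 169.254.169.254 metadata endpoint), multicast, reserved and unspecified addresses, plus IPv4-mapped IPv6 forms of the same. The `resolve` parameter, the `FAKE_DNS` table and the metadata hostname set are this example's own assumptions.

```python
"""SSRF guard for server-side fetches: an added example, not Benteng's own code.

Every resolved address must be public; a name that round-robins between a public
and a private address is refused outright. The caller should connect to one of the
returned addresses rather than re-resolving the name, otherwise a DNS change
between check and connect defeats the guard.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Well-known cloud metadata name, refused before any resolution (assumed list).
METADATA_HOSTNAMES = {"metadata.google.internal"}


def _unwrap_mapped(addr):
    """Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to it."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    addr = _unwrap_mapped(addr)
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked


def _default_resolve(host, port):
    """System resolver; returns every address the name maps to, scope ids stripped."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [sockaddr[0].split("%")[0] for _, _, _, _, sockaddr in infos]


def check_fetch_target(url, resolve=_default_resolve):
    """Return (allowed, reason, addresses) for a user-supplied URL."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname  # already lowercased, brackets removed for IPv6 literals
    if not host:
        return False, "no host in URL", []
    if host.rstrip(".") in METADATA_HOSTNAMES:
        return False, "cloud metadata hostname", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host, port)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}", []
    if not addresses:
        return False, "name resolved to no addresses", []
    strings = [str(a) for a in addresses]
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{addr} is not a public address", strings
    return True, "ok", strings


# Constructed resolver table so the example runs offline; not real DNS data.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "mixed.test": ["93.184.216.34", "10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("https://example.com/", "http://mixed.test/", "http://169.254.169.254/",
                "http://[::ffff:10.0.0.1]/", "http://localhost/", "file:///etc/passwd"):
        allowed, reason, addrs = check_fetch_target(url, fake_resolve)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {url:32} {reason} {addrs}")
```

Rate limiting and the "fetch only well-known public paths" rule sit outside this function; the guard's job is narrower, to make sure the fetch can only ever reach the public internet.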
The live feed caches the CISA catalog hourly, so it is always current without hammering the source, and the class bucketing plus the case links are Benteng's own layer on top of the raw data.
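The feed layer described under "What" (bucket each KEV entry by class, flag the ransomware-linked ones) and the hourly cache described here are simple enough to show end to end, so here is an added example of both (not Benteng's own code). The catalog below is constructed in the shape of the CISA KEV JSON feed with real field names but placeholder CVE ids and vendors; the CWE-to-class table, the keyword fallback and the `HourlyCache` class are this example's own choices.

```python
"""KEV feed bucketing and hourly caching: an added example, not Benteng's own code.

SAMPLE_KEV is constructed in the shape of the CISA KEV JSON feed (real field names;
placeholder CVE ids and vendors, not real entries). Class mapping uses the entry's
`cwes` list when present and falls back to keywords in the description; the
CWE-to-class table is this example's own choice.
"""
import json
import time
from collections import defaultdict

CWE_CLASS = {
    "CWE-502": "Deserialization",
    "CWE-918": "SSRF",
    "CWE-611": "XXE",
    "CWE-89": "SQL injection",
    "CWE-22": "Path traversal",
    "CWE-798": "Hardcoded secrets",
    "CWE-639": "IDOR",
    "CWE-78": "Command injection",
}
KEYWORD_CLASS = [  # fallback for entries that carry no usable cwes field
    ("deserializ", "Deserialization"),
    ("server-side request forgery", "SSRF"),
    ("sql injection", "SQL injection"),
    ("path traversal", "Path traversal"),
    ("directory traversal", "Path traversal"),
    ("hard-coded", "Hardcoded secrets"),
    ("command injection", "Command injection"),
]

# Constructed sample catalog: placeholder ids, not real CISA entries.
SAMPLE_KEV = json.loads("""{
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "FileGateway",
     "shortDescription": "ExampleVendor FileGateway contains a deserialization of untrusted data vulnerability.",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-502"]},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "AdminPortal",
     "shortDescription": "ExampleVendor AdminPortal contains a SQL injection vulnerability in the login endpoint.",
     "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-89"]},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "DocParser",
     "shortDescription": "ExampleVendor DocParser contains a server-side request forgery vulnerability.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00004", "vendorProject": "ExampleVendor", "product": "Router",
     "shortDescription": "ExampleVendor Router contains an unspecified vulnerability.",
     "knownRansomwareCampaignUse": "Known", "cwes": ["CWE-000"]}
  ]
}""")


def classify(entry):
    """Map one KEV entry to a class label: CWE first, description keywords second, else Other."""
    for cwe in entry.get("cwes", []):
        if cwe in CWE_CLASS:
            return CWE_CLASS[cwe]
    text = entry.get("shortDescription", "").lower()
    for keyword, label in KEYWORD_CLASS:
        if keyword in text:
            return label
    return "Other"


def bucket_by_class(catalog):
    """Return {class label: [cveID, ...]} preserving catalog order within each bucket."""
    buckets = defaultdict(list)
    for entry in catalog["vulnerabilities"]:
        buckets[classify(entry)].append(entry["cveID"])
    return dict(buckets)


def ransomware_linked(catalog):
    """cveIDs whose knownRansomwareCampaignUse field is exactly "Known"."""
    return [e["cveID"] for e in catalog["vulnerabilities"]
            if e.get("knownRansomwareCampaignUse") == "Known"]


class HourlyCache:
    """Call `fetch` at most once per ttl_seconds; `clock` is injectable for testing."""

    def __init__(self, fetch, ttl_seconds=3600, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._value, self._fetched_at = None, None

    def get(self):
        now = self._clock()
        if self._value is None or now - self._fetched_at >= self._ttl:
            self._value = self._fetch()
            self._fetched_at = now
        return self._value


if __name__ == "__main__":
    feed = HourlyCache(lambda: SAMPLE_KEV)  # a real deployment would fetch the CISA JSON here
    catalog = feed.get()
    for label, ids in bucket_by_class(catalog).items():
        print(f"{label}: {ids}")
    print("ransomware-linked:", ransomware_linked(catalog))
```

Bucketing by CWE first and falling back to description keywords is what lets an entry with no usable CWE (the fourth sample entry) still land somewhere, and the cache guarantees the upstream catalog is fetched at most once an hour no matter how many page views hit the feed.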
Takeaway
Benteng is now a place to do the whole loop: scan a site, read the class behind each finding, and see that class in the wild on the live feed. Point it at something you own and start with the grade. Then follow one finding into its case study. That is the fastest way to turn a letter grade into an actual fix.