Transparency

How Cactus works

Cactus uses automated checks, not magic. Here's exactly what each tool looks at, where our data comes from, and what we can't promise - so you can judge the results for yourself.

Our approach

Every tool follows the same principles:

  • No verdict is ever 100%. Automated analysis can spot warning signs, but it can't certify that something is safe. Our link score is capped at 95% for exactly this reason - "no warning signs found" is not the same as "guaranteed safe."
  • Plain language. We explain why something looks risky, not just give you a number.
  • Privacy first. We send the minimum to third parties, and several tools run entirely on your device or in memory. The Privacy page lists the specifics.
  • Public signals only. We read public data - DNS, certificate logs, threat lists. We don't hack, scan ports, or log into anything.

Link checker

The link checker combines on-the-spot inspection of the address with a few trusted live lookups:

  • The address itself. We check for HTTPS, raw IP addresses, link shorteners, look-alike and impersonated brand names (like paypa1.com), punycode and mixed-script homographs, suspicious endings, throwaway free-hosting subdomains, too many subdomains, and trusted names hidden in the wrong place (paypal.com.evil.com).
  • Where it really leads. We follow redirects to the final destination - refusing any that point at private or internal addresses - and check that page too.
  • Known-threat lists. We check the address against Google Web Risk, Google's database of known-malicious URLs.
  • Domain age. We look up the domain's registration date via rdap.org. A brand-new domain is a common scam signal.
  • Certificate. We inspect the site's TLS certificate for expiry, a hostname mismatch, or self-signing.
  • The score. Each signal adjusts a score that starts at 100, and the final result is capped at 95. The bands are: 85+ low risk, 65-84 low concern, 40-64 suspicious, 15-39 high risk, below 15 very high risk.
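The address-only part of the link checker, as an added example that is not Cactus's own code: a small Python scorer that applies the signals listed above (HTTPS, raw IP, shorteners, punycode and mixed-script hosts, suspicious endings, free-hosting subdomains, too many subdomains, a trusted name hidden as a subdomain, and digit-for-letter look-alikes such as paypa1.com) to a URL, deducts a weight per finding from a score that starts at 100, caps the result at 95 and maps it to the page's risk bands. The brand, shortener, free-host and suspicious-ending lists and every weight are illustrative assumptions; Cactus does not publish its own, and the live lookups (threat lists, domain age, certificate, redirects) are deliberately left out so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# The lists and weights below are illustrative assumptions for this example;
# Cactus's own signal lists and weights are not published on the page.
BRANDS = {"paypal", "microsoft", "apple", "amazon"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
FREE_HOSTS = {"weebly.com", "github.io", "000webhostapp.com"}
SUSPICIOUS_TLDS = {"zip", "top", "xyz"}
# Digit/symbol-for-letter swaps that make paypa1.com read as paypal.com.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "@": "a"})


def band(score):
    """Map a score to the risk bands described on the page."""
    if score >= 85:
        return "low risk"
    if score >= 65:
        return "low concern"
    if score >= 40:
        return "suspicious"
    if score >= 15:
        return "high risk"
    return "very high risk"


def analyse(url):
    """Return (score, band, reasons) from address-only signals. No network access."""
    findings = []

    def flag(weight, why):
        findings.append((weight, why))

    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    # Naive registrable domain (last two labels). Production code should use
    # the Public Suffix List so that e.g. example.co.uk is handled correctly.
    registrable = ".".join(labels[-2:])
    sld = labels[-2] if len(labels) >= 2 else host
    tld = labels[-1] if len(labels) >= 2 else ""

    if parts.scheme != "https":
        flag(15, "not HTTPS")
    try:
        ipaddress.ip_address(host)
        flag(25, "raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal host name
    if registrable in SHORTENERS:
        flag(10, "link shortener hides the real destination")
    if any(label.startswith("xn--") for label in labels):
        flag(30, "punycode label (possible homograph)")
    if any(ord(ch) > 127 for ch in host):
        flag(30, "non-ASCII characters in host name (mixed-script homograph)")
    if tld in SUSPICIOUS_TLDS:
        flag(10, f"suspicious ending .{tld}")
    if registrable in FREE_HOSTS and len(labels) > 2:
        flag(15, f"throwaway subdomain on free host {registrable}")
    if len(labels) > 4:
        flag(10, "unusually many subdomains")
    # A trusted name that is not the registrable domain: paypal.com.evil.com
    for label in labels[:-2]:
        if label in BRANDS:
            flag(45, f"trusted name '{label}' hidden as a subdomain of {registrable}")
    # Look-alike registrable domain: paypa1.com normalises to paypal
    normalised = sld.translate(HOMOGLYPHS)
    if sld not in BRANDS and normalised in BRANDS:
        flag(45, f"'{sld}' imitates the brand '{normalised}'")

    score = max(0, min(95, 100 - sum(weight for weight, _ in findings)))
    return score, band(score), [why for _, why in findings]


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "http://paypa1.com/login",
                   "https://paypal.com.evil.com/", "http://192.0.2.10/update"):
        print(sample, analyse(sample))
```

Even a clean address never scores above 95, which is the "no warning signs found is not the same as guaranteed safe" rule from the principles section; the verdict for a look-alike depends on how much the findings stack, so a plain-HTTP paypa1.com lands at the bottom of the suspicious band.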

Scam-text and email checkers

These look for the patterns scammers rely on: urgency and threats, requests to verify an account or share a code, money / prize / refund bait, delivery and brand impersonation, and risky links (shorteners, raw IP addresses, unusual domains). Each detected signal is weighted into a low, medium, or high rating and explained in plain language. The analysis runs in memory on our server and your message is never stored.

Password-breach checker

Your password is hashed in your browser, and only the first five characters of that hash are sent to the Have I Been Pwned range service (a technique called k-anonymity). The match happens in your browser - your password, and its full hash, never reach us.
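The k-anonymity exchange described above, as an added example that is not Cactus's code: the password is hashed locally, only the first five hex characters of the hash are handed to the range lookup, and the returned list of hash suffixes is matched on the caller's side. The range endpoint URL is the real Have I Been Pwned one, but the block never contacts it; the response body, its counts and the extra suffixes are constructed, and the fake service records what it was asked for so you can see that only the prefix ever leaves the function.

```python
import hashlib

# The real range endpoint is https://api.pwnedpasswords.com/range/<prefix>.
# This example never contacts it and uses a constructed response instead.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """SHA-1 the password locally and split the hex digest into the 5-character
    prefix that is sent and the 35-character suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password, fetch_range):
    """Return how many times the password appears in the range response.

    fetch_range(prefix) -> response body. Only the prefix is passed to it;
    the suffix comparison happens here, on the caller's side."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the network response. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6; the other
# two suffixes and all three counts are made up for this example.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0022D1D4E8F2A3C8A72BD1E2B12CE1AE8B0:2
1D3F5AE9C0CBF4F9A3A3E3B5B0D6A7A8F11:15
"""


class FakeRangeService:
    """Stands in for the HTTP call and records every prefix it was asked for."""

    def __init__(self, body):
        self.body = body
        self.requested = []

    def __call__(self, prefix):
        self.requested.append(prefix)
        return self.body


if __name__ == "__main__":
    service = FakeRangeService(SAMPLE_RANGE_BODY)
    print("count:", breach_count("password", service))
    print("what left the device:", service.requested, "via", RANGE_URL.format(prefix=service.requested[0]))
```

A real client would swap `FakeRangeService` for an HTTP GET of `RANGE_URL`; the privacy property is unchanged because the service only ever learns a 5-character prefix shared by many hashes, never the full hash or the password.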

Email authentication and DNS hygiene

We read a domain's public DNS records - SPF, DKIM, and DMARC - and grade how well they stop spoofing, then also report DNSSEC, CAA, MTA-STS, and TLS-RPT. This reflects the domain's published policy at that moment; it can't judge whether any individual message is genuine.
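How a checker turns published SPF, DKIM and DMARC records into a grade, as an added example that is not Cactus's own code. The DNS answers are a constructed in-memory table (the key in the DKIM record is a labelled placeholder), the point values and letter bands are assumptions of this example, and the DKIM probe tries a short list of common selectors because selectors cannot be enumerated from DNS. As the page says, this grades the domain's policy, not any individual message.

```python
# Constructed DNS TXT answers, keyed by query name. A real checker would
# resolve these with a DNS library; nothing here touches the network.
CONSTRUCTED_DNS = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_PLACEHOLDER"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "none.example": [],
}

# DKIM selectors cannot be listed from DNS, so checkers probe common names.
COMMON_SELECTORS = ("default", "s1", "google", "selector1", "selector2")


def txt(dns, name):
    return dns.get(name.lower(), [])


def parse_tags(record):
    """Split 'k=v; k=v' records (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(dns, domain):
    """0-3 points. The trailing 'all' mechanism decides what unlisted senders get."""
    records = [r for r in txt(dns, domain) if r.lower().startswith("v=spf1")]
    if not records:
        return 0, "no SPF record: any server can claim to send for this domain"
    if len(records) > 1:
        return 0, "multiple SPF records (invalid; receivers treat it as none)"
    last = records[0].split()[-1].lower()
    if last == "-all":
        return 3, "SPF ends with -all (hard fail for unlisted senders)"
    if last == "~all":
        return 2, "SPF ends with ~all (soft fail only)"
    if last in ("?all", "+all"):
        return 0, f"SPF ends with {last}: effectively no restriction"
    return 1, "SPF has no explicit 'all' mechanism"


def check_dkim(dns, domain, selectors=COMMON_SELECTORS):
    """0-2 points. A hit on any probed selector counts as DKIM being published."""
    found = []
    for selector in selectors:
        records = txt(dns, f"{selector}._domainkey.{domain}")
        if any("p=" in r for r in records):
            found.append(selector)
    if found:
        return 2, f"DKIM key published for selector(s): {', '.join(found)}"
    return 0, "no DKIM key under common selectors (the domain may use another)"


def check_dmarc(dns, domain):
    """0-4 points from the policy, reduced for partial pct or missing reporting."""
    records = [r for r in txt(dns, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return 0, "no DMARC record: receivers get no policy for failing mail"
    tags = parse_tags(records[0])
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    points = {"reject": 4, "quarantine": 3, "none": 1}.get(policy, 0)
    if pct < 100 and points > 1:
        points -= 1  # policy only applied to a sample of mail
    if "rua" not in tags and points > 0:
        points -= 1  # no aggregate reports, so the owner cannot see abuse
    return points, f"DMARC p={policy}, pct={pct}, reporting={'yes' if 'rua' in tags else 'no'}"


def grade(dns, domain):
    """Combine the three checks (max 9 points) into a letter grade."""
    checks = [check_spf(dns, domain), check_dkim(dns, domain), check_dmarc(dns, domain)]
    total = sum(points for points, _ in checks)
    letter = "A" if total >= 8 else "B" if total >= 6 else "C" if total >= 4 else "D" if total >= 2 else "F"
    return letter, total, [why for _, why in checks]


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        print(name, grade(CONSTRUCTED_DNS, name))
```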

The other checkers

  • SSL/TLS checker - reads the live certificate (issuer, expiry, TLS version, HSTS) and grades it.
  • Security headers - fetches the page and grades its HTTP security headers (HSTS, Content-Security-Policy, and more).
  • Look-alike domains - generates common typo and homoglyph variants of a domain and checks which are live in DNS.
  • Certificate Transparency - searches the public CT logs (via crt.sh) for a domain's certificates and subdomains.
  • QR checker - decodes the code on our server, then runs the link it contains through the link checker.
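The look-alike domain checker from the list above, as an added example that is not Cactus's code: it generates the common typo classes (omitted, transposed and repeated characters) plus single homoglyph substitutions for a domain's first label, then asks a resolver which variants exist in DNS so a domain owner can see what already imitates their name. The homoglyph table is an assumption of this example, and the test uses a constructed resolver; `dns_resolves` is the real, network-using resolver you would pass in production.

```python
import socket

# Single-character look-alikes. An assumed table for this example; real
# tools carry much larger ones, including mixed-script (Unicode) glyphs.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def variants(domain):
    """Return sorted typo and homoglyph variants of the first label of `domain`."""
    label, _, suffix = domain.lower().partition(".")
    out = set()
    for i in range(len(label)):                      # omission: paypl.com
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: payapl.com
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # repetition: payypal.com
        out.add(label[:i] + label[i] + label[i:])
    for i, ch in enumerate(label):                   # homoglyph: paypa1.com
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    out.discard(label)
    return sorted(f"{v}.{suffix}" for v in out if v)


def dns_resolves(name):
    """Production resolver: True if the name has an A record."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def live_lookalikes(domain, resolve=dns_resolves):
    """Variants that currently resolve, i.e. names someone has registered."""
    return [v for v in variants(domain) if resolve(v)]


# Constructed resolver for offline use: pretends exactly these names exist.
CONSTRUCTED_LIVE = {"paypa1.com", "payapl.com"}


def constructed_resolve(name):
    return name in CONSTRUCTED_LIVE


if __name__ == "__main__":
    print(len(variants("paypal.com")), "variants generated")
    print("live:", live_lookalikes("paypal.com", constructed_resolve))
```

The registrar-style check is read-only: a DNS lookup per candidate tells you a name exists, which is the signal the page describes, and the candidate list is what you would feed into a monitoring job or a takedown request.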

Where our data comes from

Cactus relies on these public services: Google Web Risk (known-bad URLs), Have I Been Pwned (breached passwords, via k-anonymity), rdap.org (domain registration dates), crt.sh (Certificate Transparency), and public DNS. Exactly what each tool sends to a third party is listed on the Privacy page.

Limits and honesty

Automated checks can be wrong both ways: a brand-new but legitimate site can look risky, and a clever scam can look clean. Treat Cactus as a knowledgeable second opinion, not a guarantee. When something matters, confirm it through an official channel you find yourself - not a link or number from the message.

Want to know exactly what each tool sends to third parties?

Read the Privacy page