Human security exposure monitoring
Breach monitoring for teams without a security department.
Monitor email breach exposure without a security team. Run a free email check or monitor accounts continuously with alerts and remediation steps.
Checks run
500+
Monitored users
150+
Optional
One-time email breach check
Free lookup for a single work email. For ongoing breach monitoring, create an account.
What you get
Everything a lean team needs
Breach monitoring that fits a lean team: verified Have I Been Pwned data, scheduled re-checks on paid plans, and a dashboard you can run without a GRC project.
Daily re-checks (paid)
Automated daily monitoring against new and updated breaches
Email alerts
Instant notifications when a monitored address appears in a breach
Incidents & checklist
Structured remediation steps for every breach found
Domain watchlist
Monitor your domain for mentions across breach databases
The problem
Work-email breach monitoring stalls before it becomes a process
Public breach dumps are indexed fast; internal follow-up rarely keeps pace. These are the failure modes we hear from ops-led teams.
Late discovery, noisy escalation
Leadership reads the headline before IT has a sourced answer. One-off email breach checks and screenshots in Slack do not scale.
No single queue or owner
Spreadsheets and forwarded threads fragment who was checked, when, and what changed. Security exposure stays fuzzy.
Remediation dies after the alert
Without a checklist and audit trail, “reset password” requests stall. Data breach monitoring needs a closed loop, not a PDF.
The system
Detect exposure, understand change, then act. No enterprise GRC rollout required.
Capabilities group into three layers. See the full matrix on features & limits.
Detect
Continuous matching and coverage for the identities you own.
Dashboard & exposure history
One structured view of what matched, when it mattered, and how exposure changed over time.
Scheduled re-checks
Background monitoring on paid plans so new HIBP breaches surface without manual runs.
Small team & roster workflows
Scale from a single address to monitored rosters, including bulk import on Business where supported.
Domain watchlist
Domain-oriented signals alongside email-driven exposure where your plan includes them.
Understand
Turn raw breach rows into signal your team can prioritize.
Alerts & incidents
Email notifications when monitored addresses hit new breaches; track incidents to resolution.
Context on each match
Plain-language summaries so responders know what leaked and why it matters for that account.
Act
Close the loop with tasks people actually complete.
Security checklist
MFA, password resets, and hygiene steps tied to real exposure, not generic policy slides.
Operational handoff
Exportable clarity for whoever owns remediation: fewer tickets stuck at “what now?”.
How it works
From breach signal to closed remediation
Four steps your team can repeat every time new breach data lands.
- 01 Connect identities: Add the work emails you are responsible for. Business tier supports roster import and grouping.
- 02 Match against breach data: Server-side checks against Have I Been Pwned’s catalog (800+ breaches). No password is required for public lookups.
- 03 Prioritize & notify: Surface what is new versus recurring and who must act. Paid plans include email alerts on new matches.
- 04 Remediate with clarity: Checklist-driven steps cover password resets, MFA, and containment. Breach monitoring turns into completed work.
Outcomes
What changes once breach monitoring is operational
- Faster, sourced answers when employee accounts appear in new breaches
- Less time reconciling ad-hoc “have we checked this?” conversations
- Central visibility for whoever owns hygiene, without a full GRC implementation
- Fewer tickets stuck at “what now?” because next steps are explicit
SecurityScore.me does not replace your IdP or EDR. It complements them by closing the loop on human-scale security exposure: the account risk that policy alone rarely removes.
- One operational view for monitored identities and breach history
- Alerts when HIBP publishes breaches relevant to addresses you watch
- Guidance your ops lead can forward without translating a vendor PDF
Security architecture
How the app is built, not generic “bank-grade” claims
SecurityScore.me is a Next.js application: Supabase (PostgreSQL) for application data, Stripe for subscriptions, and Have I Been Pwned for breach intelligence. Public breach checks run through Next.js API routes with reCAPTCHA, not as a wide-open client-side integration.
PostgreSQL + Row Level Security
Tenant-scoped tables use Supabase RLS so authenticated users read and write only their own rows where policies apply.
AuthN: NextAuth.js + Supabase Auth
Dashboard access uses signed sessions (JWT). Public email breach checks never collect account passwords.
HIBP via server routes
Breach lookups are executed from Next.js API routes to HIBP; API keys and rate limits stay off the browser.
Stripe Checkout & Customer Portal
Card data is handled by Stripe’s hosted flows. We store subscription state needed for entitlements, not PAN data.
Edge hardening headers
Global CSP, HSTS, X-Frame-Options, COOP/CORP, and related headers are set in next.config. That cuts common web attack surface.
Data minimization
We retain what running checks, alerts, and billing requires. See our security and privacy pages for details.
Who it's for
Teams that own cybersecurity outcomes without a dedicated SOC
Small business
Founders and office managers who need a defensible answer to “are we in that breach?” without ITSM overhead.
Startup
Engineering-led orgs that want data breach monitoring before hiring full-time security headcount.
Modern team / ops
Whoever runs IT operations and needs a repeatable workflow when breach news breaks.
MSP-friendly
Multiple monitored addresses, grouped visibility, and alert routing on higher tiers for light managed service models.
Pricing
Put continuous breach monitoring on the books at the right tier
One-time check covers a single email breach check. Paid tiers add scheduled re-checks, alerts, and roster scale. See live limits on the pricing page.
Open full pricing & feature comparison
Ship a defensible breach response, starting today
Create an account for the dashboard and ongoing monitoring, or run the free one-time check in the hero. No card required to start the free path.