What’s new

Notes on tool launches, rebuilds, and fixes.

14 entries · last updated Jun 3, 2026

Jun 3, 2026 Improvement

Subscription panel, promo codes, and a real Talk-to-sales flow

Three additions on top of the pricing refresh:

1. /billing now shows your current subscription at the top — plan, status, days until renewal, recent invoices, and a one-click cancel that preserves access until the end of the period.

2. Promo codes. /billing has a "Have a promo code?" expander; apply a code and Pro plan cards instantly show the discounted price. Admins can create, edit, and time-window codes at /admin/coupons (percent off, fixed INR, or fixed USD; per-plan scope; max redemptions; per-user limit).

3. Dedicated /contact-sales form for Team and Enterprise inquiries. Captures name, email, company, team size, use case and phone, emails our sales inbox, and shows up at /admin/leads with a kanban-style status (new → contacted → qualified → won/lost) plus staff notes.

Migration 014 adds three tables (coupons, coupon_redemptions, sales_leads).

Jun 3, 2026 Improvement

Dashboard upgrade: action-first layout with trends and personalisation

Reworked the dashboard to surface action instead of summary:

  • Recent scans now link to the actual scan result, show the target prominently, and tag re-scans ("re-scan #3 of example.com")
  • Quick launch is now personalised: your top-used tools come first, with ★ favourites from Explore pinned to the front
  • Activity chart now shows percentage change vs the previous 14 days
  • New Security tile summarises 2FA, sessions and password age — clickable to Settings
  • All four stat tiles are fully clickable cards now, not just the tiny arrow link
  • Token-window card collapses to a single line for unmetered (Pro / admin) users
  • New "Your projects" strip surfaces up to three projects with the active one highlighted
  • Daily-rotating Pro tip card at the bottom keeps returning users discovering tool combos

Jun 3, 2026 Milestone

Redesigned landing page with a working tool in the hero

The home page now actually demonstrates the suite instead of describing it:

  • Working Encoder/Decoder embedded in the hero — paste anything, switch between Base64, Base64 URL, URL, Hex and Binary in real time, copy with one click
  • Grid of all 12 free tools right below, each opening the inline-runnable version on /explore/{slug}
  • 3-card pricing teaser (Free / Pro / Team) reading from the same plans table as /billing and /pricing — discounts from active promo codes carry through
  • Top nav rebuilt as three dropdowns: Tools (7 categories) → mega-menu jumping into /explore sections · Free Tools (12 items grouped by category) · Resources (Changelog, API Docs, About, Contact, Terms)
  • Click-outside and Esc close any open dropdown; mobile collapses them into full-width accordions
  • 'Why hunters use XowiaScan' card row + trust strip + gradient final CTA

Jun 3, 2026 Milestone

Refreshed pricing, new Team plan, admin can manage plans now

Three things rolled out together:

1. New /billing page — proper SaaS layout with monthly/yearly toggle, comparison cards, trust strip, and FAQ
2. Pricing tune-up — Pro Yearly now ₹7,499 (save 22% vs monthly, up from ~17%). New Team plan at ₹2,999/month — unmetered scans, 5 seats, SSO, audit log export, SLA
3. /admin/plans — admins can now create, edit, hide, delete, and reorder plans via a UI. No more SQL surgery to change pricing.

Plan codes (free / pro_m / pro_y / team) stay stable so Razorpay and Stripe references don't break.

Jun 3, 2026 Milestone

Token allowances now apply — Free 30/6h, Pro 150/6h, Enterprise unmetered

We switched on the token system that's been built into XowiaScan from day one. Every plan now has a real per-window allowance:

  • Free: 30 tokens every 6 hours (120/day) — enough for one full target recon per window with room to spare
  • Pro: 150 tokens every 6 hours (600/day) — feels unmetered for normal workflows (~14 deep targets/day)
  • Enterprise: unmetered

The Activity panel on your dashboard shows the live balance, refill countdown, and a per-tool spend chart for the current window.

We also rebalanced six tools so the cost matches the work the server actually does:

  • Wayback URL Extractor: 5 → 4
  • Owner Footprint: 4 → 5 (inner-page sweep got heavier)
  • Vulnerability Scanner: 8 → 6
  • Security Header Analyzer: 3 → 2
  • CSP Evaluator: 3 → 2
  • CVE Lookup: 3 → 2

Client-side tools stay free (no tokens, no rate limit). Tier-gated tools still need the matching plan — token allowance doesn't bypass tier.

Jun 2, 2026 Improvement

Admin: impersonate, invite, announce, search, notes — plus terms gate & cookie banner

Admin/ops + compliance batch:

  • /admin/users now has search (name / email / handle), filter chips (Active / Suspended / Unverified, tier, signup age), pagination, and per-user staff notes
  • Admin can create users with an emailed password-set link
  • One-click impersonate any non-admin user, with audit-logged sticky banner and one-click return
  • CSV export of the currently-filtered user list
  • Announcement email tool at /admin/announce — personalised, batched, capped at 500/request
  • Terms-version gate: when you bump the version in config, every signed-in user is asked to re-accept before continuing
  • Cookie consent banner on every page, dismissable, no third-party trackers

Jun 2, 2026 Improvement

Admin can now set per-tool tier and public/free state

The admin tool settings page now lets admins set each tool's tier (Free / Pro / Enterprise) and, for client-side tools, whether the tool runs publicly without a sign-up.

Changes take effect immediately and override the registry defaults. The catalogue shows the right badge automatically: green "Free" for public-runnable tools, purple "Pro" / amber "Ent" for paid tiers.

Jun 2, 2026 Milestone

Five more in-browser tools opened to the public

Five more client-side utilities now run on /explore/<slug> without a sign-up:

  • HTTP Request Converter (curl ↔ fetch ↔ HAR ↔ raw HTTP)
  • Test Data Generator (QA fixtures for 22 countries)
  • Cookie / JWT Auditor (decode, inspect and debug JWTs)
  • URL & Endpoint Extractor (mine pasted source for URLs and endpoints)
  • SiteMapper Pro (organise a URL list into tree, flat, pattern and stats views)

That brings the no-sign-up set to 12 tools. All client-side: nothing leaves your browser.

Jun 2, 2026 Improvement

Owner Footprint sweeps inner pages for tracking IDs

Analytics and tag IDs (Google Analytics, GTM, Pixel, etc.) often live on /privacy, /about and /contact rather than the homepage. Footprint now reads those pages in parallel and merges any new IDs into the same report.

Each ID card shows where it was found, so you know which page to revisit during a manual review.

Jun 2, 2026 Milestone

Seven free in-browser tools are now usable without a sign-up

Open any of these on /explore/<slug> and you can use them immediately. No login, no tokens, no data leaving your device:

  • Encoder / Decoder
  • JSON Workbench
  • Code / Password / Token Generator
  • Hash Toolkit
  • CIDR / IP Calculator
  • Text Comparer
  • Text Suite

We also added a "Free / no sign-up" filter on the tools list so you can spot them at a glance.

Server-side tools (recon, footprint, CVE lookup and the rest) and scan history still need a free account.

Jun 2, 2026 Milestone

XowiaScan enters public preview

XowiaScan is a recon and bug-bounty toolkit by Xowia Labs. The site is in active preview while tools are rebuilt one by one for cleaner output, stricter input validation, and bug-bounty-friendly pivots.

All tools are free during preview. Expect frequent changes on this page.

Jun 2, 2026 Security

Fixed: free users could access Pro tools while billing was dormant

Tier enforcement now always runs in the access check, regardless of whether billing is enabled. Earlier this only ran when billing was switched on, so during preview free users could access Pro tools.

Follow-ups:

  • /tools index and dashboard shortcuts now show a clear "Pro" / "Ent" pill on tools above your tier
  • The upgrade-required page now lists everything you get with Pro (peer tools + benefits)
  • After three attempts to open Pro tools, we email you once (no more than every 14 days) about upgrading
  • Admins are unchanged — they bypass tier checks as before
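
The flaw and fix described in this entry, as an added example that is not XowiaScan's own code: the tier check was nested under the billing flag, so it vanished while billing was dormant. All names (`User`, `Tool`, `can_access_before`, `can_access_after`, `tier_violations`) are hypothetical, and the regression matrix at the end goes slightly beyond the entry by checking every tier and flag combination.

```python
# Added illustration; every name here is hypothetical, not XowiaScan's code.
from dataclasses import dataclass
from itertools import product

TIER_RANK = {"free": 0, "pro": 1, "enterprise": 2}

@dataclass(frozen=True)
class User:
    tier: str
    is_admin: bool = False

@dataclass(frozen=True)
class Tool:
    slug: str
    tier: str

def can_access_before(user, tool, billing_enabled):
    """Flawed pattern: the tier check is skipped whenever billing is off."""
    if user.is_admin:
        return True
    if billing_enabled and TIER_RANK[user.tier] < TIER_RANK[tool.tier]:
        return False
    return True

def can_access_after(user, tool, billing_enabled):
    """Fixed pattern: the tier check always runs; the billing flag is ignored."""
    if user.is_admin:  # admins bypass tier checks, as the entry states
        return True
    return TIER_RANK[user.tier] >= TIER_RANK[tool.tier]

def tier_violations(check):
    """Regression matrix: every (user tier, tool tier, billing flag) combination
    in which a non-admin is granted a tool above their tier."""
    found = []
    for u_tier, t_tier, billing in product(TIER_RANK, TIER_RANK, (True, False)):
        # Constructed sample user and tool for this combination.
        user, tool = User(u_tier), Tool(f"tool-{t_tier}", t_tier)
        if check(user, tool, billing) and TIER_RANK[u_tier] < TIER_RANK[t_tier]:
            found.append((u_tier, t_tier, billing))
    return found

if __name__ == "__main__":
    print("before:", tier_violations(can_access_before))
    print("after: ", tier_violations(can_access_after))
```

Running the matrix against any future access check catches a feature flag that silently disables authorization again.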

Jun 2, 2026 Security

Account security pack: device alerts, session list, breach check

Six new user-security features rolled out:

  • Stronger sign-in throttle (24-hour IP-wide lockout after sustained brute force)
  • Email alert on sign-in from a new device / IP
  • Live password strength meter on register + reset, with Have-I-Been-Pwned breach check (your password never leaves the browser)
  • "Active sessions" list on /settings — see every device signed in to your account, revoke individually
  • Resend verification email at /verify/resend
  • Change your email with verification on the new address (and a heads-up to the old one)

Jun 2, 2026 Improvement

Magic-link sign-in, Google / GitHub login, welcome flow

Big batch of sign-in conveniences:

  • One-time email sign-in link at /login/magic (15-min expiry, single-use)
  • "Continue with Google" and "Continue with GitHub" buttons on /login and /register when configured
  • Welcome email after sign-up (or after email verification, if required)
  • First-login onboarding card on the dashboard with quick-start steps
  • Optional public handle on your profile (@handle, 3-30 chars)
  • Gravatar-based avatar in the top-right nav and your settings profile