Watch & Care — from £39/month

Your business online, looked after

We watch the news, your website, and your domain — so the stuff that quietly kills small businesses never quietly kills yours.

30+ automated checks every week No long contracts Enterprise-grade monitoring at small-business prices
Get started See what's watched

Every card below has a short title and a problem you may not realise you have. Tap any headline to expand what we do, or "For the curious" for the technical detail.

🌐 Your website, watched

Catches what you'd never notice yourself, before it costs you customers.

Multi-region uptime

Most uptime monitors will email you at 3am about a one-second blip on your broadband

What we do

We watch your website from three different countries every minute. You only hear from us when at least two of them agree something's actually wrong — so no false alarms from a flaky internet connection, and no missing the times your site genuinely is down.

For the curious

Geographically distributed monitoring probes hit your public endpoints every 60 seconds, with a 2-of-3 quorum rule that suppresses false positives single-location monitors can't. Same multi-region availability pattern enterprise SaaS providers use.

Domain anti-hijacking

Your domain is the legal title to your online business — and it can be silently hijacked

What we do

Most domain hijacks go undetected for weeks. The change happens at your registrar, not on your website, so nothing visible breaks until your traffic is already going somewhere else. We keep a regular eye on every setting your domain depends on, so unexpected changes get flagged to you quickly — usually within hours, not months.

For the curious

Continuous polling of every authoritative DNS record on your domain — addresses, mail routing, verification records, name servers, aliases. Each snapshot is diffed against the previous one with full change history retained. Equivalent to registrar-monitoring services that some banks pay several hundred pounds a month for.

Defacement watch

Hackers can quietly inject spam links, credit-card skimmers, or replacement homepages — and most owners don't visit their own site daily

What we do

Every morning we take a photograph of your homepage and key pages and compare it to yesterday's. If anything's changed in a way it shouldn't — a casino link, a defaced banner, a layout broken by a theme update — you'll see it the same day, with the screenshot to show exactly what changed.

For the curious

Browser-rendered screenshot capture (the same way Google sees your site), compared pixel-by-pixel against the previous day. A second-stage signature scan catches the specific markers attackers use to claim a defacement. Verified visually before any alert fires, to suppress noise from legitimate changes.

SSL & encryption hygiene

The padlock in your customer's browser depends on settings that quietly drift — and 1 in 8 small business sites are running broken or weakened encryption right now

What we do

Every Sunday night we grade your site's encryption setup with the same test the big banks use. If anything's slipped — an expiring certificate, a weakened protocol, a missing safety header — you'll have a clear picture by Monday morning, along with exactly what needs doing and who's best placed to do it.

For the curious

Weekly comprehensive scan of your TLS configuration: certificate chain, cipher suites, protocol versions, HSTS posture, OCSP stapling. Graded against the same A–F benchmark used by enterprise penetration testers and required by Cyber Essentials Plus assessors.

Third-party dependency watch

Your modern website depends on a dozen invisible services — any one of which can silently break your customer's checkout

What we do

Payment processors, fonts, contact forms, booking widgets, analytics scripts — if your site uses them, we watch them. The moment one of them changes unexpectedly (broken, slow, or quietly swapped out for malicious code), you'll know. Catches the silent disasters: a payment-script outage in Europe, a third-party widget compromised, a font CDN going dark.

For the curious

Nightly browser-rendered scan captures every external script, font, and widget your site loads. A checksum is taken, a 14-day baseline is learned, and any unauthorised change triggers an alert. The subresource-integrity discipline OWASP recommends for production e-commerce sites.

Page-speed monitoring

Every extra second of load time loses 7% of sales — and small business websites get heavier over time without anyone noticing

What we do

We measure how fast your site actually loads, every week, on a real mobile connection. If it starts dragging — usually because of a heavy image upload or a plugin update — you'll see exactly what changed and why. "Your homepage went from 2.1 seconds to 3.8 seconds last week, and here's the culprit."

For the curious

Weekly performance audit on your homepage and top traffic pages against the Core Web Vitals benchmark Google uses to rank you. Tracks load time, layout stability, and interactivity as a trend, not a snapshot.

Broken-link sweep

The average small business website develops six broken links a year — and Google penalises every one of them

What we do

Once a month we crawl every page on your site and check every link. You get a tidy list of what's broken and where to find it — no more "I tried to click through and the page was dead" complaints from customers you didn't realise you'd lost.

For the curious

Monthly polite, robots-aware site crawl checks every internal and external link. Categorised by severity (a broken contact-form link matters more than a defunct external citation), rendered to a one-page PDF report.

Quiet-failure detector

When something on your site breaks — even a page you never visit — most owners don't find out until a customer complains, weeks later

What we do

We watch the pattern of errors visitors hit on your site. If pages start failing — even ones you haven't touched recently — we spot the unusual spike and let you know quickly. Catches the silent disasters: a deploy that broke /contact, a CMS that 500'd, an image library that went dark.

For the curious

External synthetic traffic-pattern analysis with a rolling 30-day baseline learned per site. Threshold tuning suppresses normal bot noise. Catches the silent regressions traditional uptime monitors miss entirely.

Post-incident report

When something does go wrong, you want to know what happened — not be hit with technical jargon at 11pm

What we do

Whenever any of our watchers fires a real alert, you get a one-page report the next morning: what happened, when, what we did about it, and what (if anything) you need to know. No jargon, no upsells, no theatrics.

For the curious

Every alert generates a one-page PDF report auto-delivered the next morning. Same incident-report discipline used by enterprise on-call rotations.

5-region uptime quorum

Three checks from three countries beat one check from one country — especially when the one country is yours

What we do

The base tier already runs three regions. Care+ adds two more (Asia and US East), giving you 5-region uptime quorum — the same monitoring footprint enterprise SaaS providers use for their own production systems.

For the curious

Two additional probe locations on different network backbones. 3-of-5 quorum alerting suppresses transient regional issues more aggressively than the base tier's 2-of-3.

Real-visitor performance

Lab speed tests don't measure what your actual visitors experience — only your visitors can do that

What we do

A tiny piece of code on your site quietly records how fast your real visitors experience your pages. We catch the moment performance starts dragging in the real world, not in a lab. Crucial when Google's ranking algorithm uses this exact data.

For the curious

Lightweight performance-data beacon, defensively coded to fail silent. IP-truncated at ingestion, aggregated server-side in 15-minute buckets, no per-session retention beyond 24 hours. Fully compliant with the cookie regulations that apply to small businesses.

Contact form heartbeat

Your contact form is your business's front door — and it can break silently for weeks before you notice

What we do

We submit a tagged test enquiry through your contact form every hour and confirm it lands in your inbox. If your form ever silently breaks — usually after a plugin update or a hosting change — we know within the hour.

For the curious

Hourly browser-automated form submission with a marked probe entry. Tested against the standard form plugins (Contact Form 7, WPForms, Gravity Forms, HubSpot) where the selector reliability holds. Probe entries auto-tagged so you can filter them out of your real lead view.

📧 Your email, defended

The invisible plumbing that decides whether your customers' messages reach you — and whether yours reach them.

DMARC translated

Every domain that sends email gets weekly reports back about who's been impersonating it — and almost no small business reads them

What we do

Spam-protection standards mean your domain receives reports every week showing who tried to send mail pretending to be you. They're written in cryptic XML by Google, Microsoft, and others. We translate them into a plain-English Monday-morning summary. "Last week, 14 send attempts used your domain. 12 were your real mail. 2 were impersonators in Brazil — both blocked by the receiving servers."

For the curious

Aggregate DMARC report ingestion via a dedicated reporting alias on your domain. Parsing infrastructure normalises reports from every major mail provider into one weekly digest. Industry-standard methodology used by enterprise DMARC services.

Inbox reachability test

Your customers' emails go through dozens of filters — one misconfiguration sends real enquiries to spam silently

What we do

We send a test message to your domain on a regular schedule and verify it gets accepted by your mail server. If your inbox starts silently rejecting or losing legitimate mail — usually after a provider update — we catch the problem quickly, before you wonder why nobody's getting in touch.

For the curious

External SMTP probe with delivery-status notification observation. Tests transport-layer acceptance without touching the recipient mailbox — we never read your mail, we just verify the door is open.

Blacklist surveillance

Your business can end up on a global spam blacklist by accident — and most owners never realise until customers stop replying

What we do

We check your domain and sending IP every hour against the major global spam blacklists. The moment one of them flags you — usually because of an accidental misconfiguration or a shared hosting IP getting in trouble — we know quickly and start the delisting process.

For the curious

Hourly lookups against the major reputation databases used by Microsoft, Google, and enterprise mail filters worldwide. Domain and sending-IP correlation, with a tight alert window.

Email signing health

Without proper email signing, modern mail providers downgrade your messages — they may land in spam even when they're legitimate

What we do

Email signing is invisible to humans but critical to mail providers. We check yours every month for key age, strength, and that all your real senders are covered. When something needs rotating or strengthening, you'll know — in plain English, not jargon.

For the curious

Monthly DKIM selector audit checking key age, bit-strength against current cryptographic guidance, and coverage gaps against your DMARC report senders. Same hygiene routine enterprise mail teams run quarterly.

Auto-setup records

When you set up your email on a new phone or laptop, it should "just work" — most small business domains miss the records that make that happen

What we do

If your team has ever spent 20 minutes typing IMAP server names into Outlook, your domain is missing autodiscovery records. We check yours every week and tell you exactly which records to add — or add them for you, if you've asked us to manage your DNS.

For the curious

Weekly verification of the autoconfig, autodiscover, and service-record patterns Outlook, Apple Mail, and other major clients use to self-provision. Quick hygiene check, low-noise.

Modern mail protections

Modern mail protection standards exist that most small business domains don't have — and switching them on is mostly free

What we do

DNSSEC, DANE, MTA-STS, TLS-RPT — these are the modern standards that mail providers like Google and Microsoft now look for when deciding how to treat your messages. We check what your domain has and what it's missing, and tell you exactly what your registrar needs to switch on.

For the curious

Audit of DNSSEC validation chain, DANE TLSA records where supported, MTA-STS policy presence, and TLS-RPT receiver configuration. The modern complement to DMARC that enterprise mail services use to harden delivery and detect downgrade attacks.

Postmaster reputation

Gmail and Outlook quietly judge your sending reputation every day — they'll tell us, if you let us ask

What we do

The big mail providers each grade your domain's reputation behind the scenes — spam rate, sender reliability, encryption use. We summarise their grades as a single trend line. If your reputation slides, you'll see it before customers stop receiving your mail.

For the curious

Read-only access to the postmaster reputation dashboards Google and Microsoft expose for verified domain owners. Daily aggregation into a single weekly reputation summary.

DMARC policy coach

The journey from "Google ignores us" to "Google trusts us" has measurable steps — most small businesses never take them

What we do

Once your email reports show your domain is stable, we coach you through tightening your anti-impersonation protection — from monitoring-only, to quarantining, to full rejection. With each step you become harder to impersonate. We tell you when you're ready and what to add.

For the curious

Progression coaching from p=none to p=quarantine to p=reject as your DMARC reports show clean delivery history. We surface the exact DNS edit each step needs.

🔎 Being found on Google

The signals that decide whether your customers can find you — or your competitors.

Keyword ranking digest

SEO agencies charge £500 a month and send you a PDF you can't action — meanwhile your ranking quietly slides

What we do

Every Monday you get a one-page summary showing where you rank on Google for the searches that actually bring you work, with clear arrows showing what moved up or down. We track up to five keywords for you at the base tier — the ones that actually matter to your trade and area.

For the curious

Weekly search-position sampling against the keywords agreed at onboarding. Trended over rolling 4-week windows so you see real signal, not daily noise. Only alerts mid-week when a tracked keyword drops more than five positions AND off page one.

Competitor watch

The competitor you've never heard of is already outranking you — and you won't know until your phone stops ringing

What we do

Every month we tell you which businesses have started outranking you for your most important searches — useful context for understanding why your phone might be ringing less, and what they're doing differently.

For the curious

Cross-referenced against your tracked keyword set: which domains hold the positions above and below you, and which are new entrants in the top ten over the past 30 days. Zero extra cost on top of the search-position tracking.

Core Web Vitals tracking

Google penalises slow websites in search rankings — and small business sites get slower as plugins and images pile up

What we do

We test your top pages every week on a real mobile connection and warn you before slowness starts costing you ranking — including what's causing it. "Your homepage Largest Contentful Paint went from 1.8 to 3.2 seconds. The cause was a 6MB image uploaded on Tuesday."

For the curious

Weekly audit against Google's Core Web Vitals: Largest Contentful Paint, Cumulative Layout Shift, Interaction-to-Next-Paint. Mobile-emulated network conditions because that's where the ranking impact lives.

Local citation audit (NAP)

If your phone number's wrong on Yell, your address outdated on Apple Maps, or your name spelled differently on Facebook — Google notices, and your local ranking suffers

What we do

Every three months we check the 30 directories that actually matter for UK local SEO — Yell, Thomson Local, Bing Places, Apple Maps, Facebook, FreeIndex, Checkatrade, TrustATrader, and the rest — and send you a fix-list of every inconsistency.

For the curious

Quarterly automated review of your business listing data across the directories Google's local algorithm cross-references for citation consistency. Same Name-Address-Phone audit that local SEO agencies charge several hundred pounds per scan for.

Rich-results validator

The little extras Google shows next to your search results — star ratings, prices, opening hours — depend on hidden code that breaks easily

What we do

Those rich results in Google search aren't accidents — they come from structured data on your site. If your developer or your CMS quietly breaks them after an update, we catch it. You stop appearing with extra context, your click-through rate quietly drops — we let you know what broke and how to fix it.

For the curious

Weekly validation of every structured-data block on your homepage and service pages against Google's Rich Results testing methodology. Catches schema breaks the same week they happen.

Robots / sitemap drift alarm

One wrong line in a settings file and Google stops indexing your entire site — and this happens more often than you'd think during hosting updates

What we do

Two small files control whether Google can index your website at all. We check them every day and instantly alert you if anything changes that shouldn't — like a developer accidentally telling Google to ignore your entire site, or your sitemap quietly losing pages.

For the curious

Daily diff of your robots.txt and sitemap.xml against the previous day's snapshot. Specific alarms for high-stakes changes: "Disallow: /" appearing, sitemap shrinking more than 20%, "noindex" tags appearing on previously-indexed URLs.

Google Index Watchdog

Pages can disappear from Google's index for technical reasons no human ever sees — usually after a CMS update

What we do

We watch your top 25 pages every day to confirm Google still has them indexed. If a page drops out, you know within 24 hours, with the technical reason in plain English.

For the curious

Read-only delegated access to your Search Console account lets us query the official index inspection API daily. Same data Google's own dashboards show, surfaced as alerts instead of a tab you'd need to remember to check.

Search Console alerts

Google occasionally sends warning emails about your site that get filtered to a folder you never read — until your traffic collapses

What we do

We watch your Search Console account daily for manual actions, security warnings, mobile usability issues, and indexing errors. Anything serious lands in your inbox the same day, translated out of Google-speak.

For the curious

Daily polling of every notification category Search Console surfaces. Severity-graded, plain-English alerts for the messages that actually need your attention.

Google Business watchdog

A new 1-star Google review can sit there for days before you spot it — and Google's algorithm will quietly suggest "permanently closed" edits no one approved

What we do

We watch your Google Business listing every morning. New reviews, especially under 4 stars, get flagged the same day. "Suggested edits" Google has accepted without telling you — opening hours changed, photos removed, listing flagged as closed — surfaced for you to action.

For the curious

Read-only delegated access to your Google Business Profile lets us pull review activity and listing changes via the official API. Daily delta detection, alert-grade tuning, no inspection of review content beyond star rating and timestamp.

🔐 Your security, monitored

The threats that quietly grow in the background — spotted before they become headlines.

Zero-day vulnerability alerts

When a flaw is found in WordPress, the average small business is exposed for three months before anyone tells them

What we do

Every popular website tool — WordPress, Wix, Shopify plugins, contact form widgets — gets new security flaws announced every few weeks. We watch the security news every single day, we know exactly which tools your site uses, and the moment one of them gets a warning that matters, you get an email in plain English: what's affected, how worried to be, what to do next.

For the curious

Nightly fingerprinting of the software stack running on your site, cross-referenced against the global vulnerability databases (the same feeds enterprise security operations centres watch). When something matters, we know within minutes — not months.

Exposure scan

The most common way small business websites get hacked is leaving the admin door wide open after a recent change

What we do

We check every week for the silly mistakes that get small businesses hacked: exposed admin panels, leftover config files, backup files in public folders, default passwords still in place. The kind of thing a junior developer leaves behind without realising. You get a plain-English fix-list, not a 500-line vulnerability scan report.

For the curious

Curated weekly external probe checking the highest-signal exposure patterns — the ones that actually lead to compromise. Runs under written authorisation per customer so it's clearly distinct from unauthorised scanning.

Malware sniffing

The most dangerous hacks don't change your website's appearance — they hide credit-card skimmers, blackhat redirects, or invisible spam links inside

What we do

We routinely scan your site for the invisible bad-stuff hackers plant: card-stealing scripts, redirects to dodgy sites, blackhat SEO injections, hidden iframes. If we find anything, you hear about it fast — before it ends up affecting your customers or your reputation.

For the curious

Weekly content scan against a curated set of attack signatures — the patterns enterprise security firms use to detect e-commerce skimmers, formjacking, and cryptocurrency miners hidden in legitimate-looking JavaScript.

Breach radar

When a company you don't even know gets hacked, your team's passwords might be in the leak — and you'd be the last to find out

What we do

If anyone using a company email address ends up in a data breach somewhere on the internet, we'll tell you who, where, and exactly what to do. Plain-English alert, sent only when something actually matches your domain.

For the curious

Continuous lookup of your domain against the major global breach intelligence indices — the same datasets enterprise security teams use to detect credential exposure. Alert-only, no persistent dashboard, 30-day retention then purged.

Credential leak detection

Developers occasionally publish your passwords or API keys on the internet by accident — sometimes years after they stopped working with you

What we do

If anyone — including a developer you've used in the past — accidentally publishes your settings or credentials on a public code-sharing site, we catch it within 24 hours and let you know. We tell you what to rotate; we don't make accusations.

For the curious

Daily search of public code repositories and paste sites for mentions of your domain combined with credential-shaped patterns. Fact-only reporting — we flag the URL, you decide what to rotate.

Dark-web monitoring

Stolen credentials end up for sale in dark corners of the internet — long before the breach gets news coverage

What we do

We monitor the underground feeds where compromised data ends up for mentions of your domain. If your business appears, you'll know within a week — with enough context to take action without panic.

For the curious

Weekly aggregated search of the legitimate threat-intelligence feeds enterprise security teams subscribe to. Domain-only matching — we don't surface personal staff information without explicit per-employee consent.

📊 Knowing what's going on

The bits that turn 30+ silent monitors into intelligence you can actually use.

Sunday Sanity Check

You spent the week running your business — you don't want to also spend Sunday night logging into five dashboards

What we do

Every Sunday at 8pm you get a 200-word email summarising your week: visitors, enquiries, anything we caught and dealt with, anything worth knowing about. Plus two things worth doing on Monday. Read it on the sofa, finish your tea, get on with your weekend.

For the curious

Weekly aggregation across the data we already monitor — uptime, traffic, security events, search signals — condensed into a single human-readable narrative. Generated from pre-aggregated metrics; no personal data leaves our infrastructure.

Local event radar

The right networking event for your trade in Worthing is happening next Thursday — you'll find out two weeks late, from someone else

What we do

Once a week we filter local events — markets, expos, council briefings, business breakfasts — for ones that actually matter to your trade, in your area. Three suggestions, one wildcard, no fluff.

For the curious

Weekly aggregation of public event listings across local authority sites, business networks, and regional press, filtered by trade and geo-radius. Light-touch local discovery, no scraping of paid or login-required data.

Monthly SEO health email

SEO reports from agencies are 12 pages long, full of jargon, and impossible to action — yours doesn't need to be

What we do

On the first of every month, you get a one-page report that shows whether your website is winning or losing in Google — traffic delta, ranking delta, page-speed delta, what improved, what didn't — without the agency jargon.

For the curious

Aggregates the search, performance, and competitor signals already gathered into a single one-page PDF. Same first-of-month reporting cadence enterprise marketing teams use; about 90% shorter.

Visitor narrative

"Your homepage got 47 visitors this week" tells you nothing — you need to know what they actually did

What we do

Every Monday you get a plain-English paragraph about how visitors behaved on your site last week: how many almost contacted you but didn't, what they searched for to find you, which page lost them. Not "session duration: 2.4min" — actual sentences.

For the curious

Aggregated visitor-behaviour data turned into a narrative summary, then sense-checked before sending. Privacy-friendly, cookieless analytics reformatted as something a sole trader can actually act on.

Inbox triage brief

The "did I miss an enquiry today?" question is the one that keeps sole traders up at night

What we do

If you give us read access (subjects and senders only — never message bodies) to a forwarded copy of your main inbox, we'll send you a 6am brief: "Three enquiries overnight. One looks like a real lead, one is a brochure-grabber, one is spam. Here's who to reply to first."

For the curious

Metadata-only inbox classification. You set up a Gmail/Outlook rule that forwards subject line + sender domain + timestamp to a dedicated alias. We never see message content. Same approach used by enterprise inbox-management tools.

Quarterly executive PDF

Your accountant gives you a quarterly summary — your IT shouldn't be less transparent

What we do

Every three months you get a one-page PDF executive report: uptime, security posture, search performance, what changed, what's coming. Useful for the back of the filing cabinet, for the bank, or just for proving to yourself that everything's where it should be.

For the curious

Quarterly report aggregates the most informative signals across the previous 90 days into a sober one-page executive summary. Designed for printing.

What we promise: best-effort monitoring with sensible, honest alerts. We don't sell you SLAs we can't keep or scare you into upgrading. If something genuinely matters, you'll know about it. If something doesn't, you won't be bothered.

Also included, always

  • Domain, hosting, and DNS management across any provider
  • One content change to your website every month
  • Hosting provider liaison and troubleshooting on your behalf
  • One-page report the morning after any real incident
CARE+

What Watch & Care+ unlocks

Twelve extra automated monitors, all marked CARE+ throughout this page. They need read-only access to systems like Google Search Console, your Google Business listing, or your contact form. Tap any to jump to what each one does.

🌐 Your website

📧 Your email

🔎 Google visibility

🔐 Security

📊 Knowing what's going on

WhatsApp