Not another AI gimmick.
You've seen them. Someone wires up a single API call to GPT, slaps a logo on it, and ships an "AI website auditor" in a weekend. The output reads like a horoscope: vague praise, generic platitudes. Hit refresh and the scores change. SiteAudit isn't that.
01 / Independent passes
Three reviews, not one prompt
A typical AI auditor sends one prompt to one model and pastes the response into a template. SiteAudit runs three separate analysis passes, each grounded in different evidence and scored against different reference standards.
The visual review evaluates what a human eye sees in a real screenshot. The code review reads the actual served HTML, CSS, and JavaScript. The performance review takes real measurements from a real browser. None of these passes know each other's scores.
02 / Deterministic fingerprinting
Build Origin is detected, not guessed
Before any AI runs, a dedicated classifier identifies what built the site: WordPress, Shopify, Wix, Squarespace, Webflow, Duda, Magento, custom code. It matches dozens of fingerprints: DOM signatures, HTTP header patterns, theme file paths, JavaScript globals, platform-specific markup quirks.
It's deterministic pattern matching, not inference. The same site gets the same classification every time, with cited evidence. The same way a malware scanner identifies a known signature.
03 / Performance is measured
Real Chromium, not someone else's API
This is where most AI tools quietly fail. A "Google Core Web Vitals" API call returns lab data from Google's own crawl, which may be days or weeks stale, sampled from a different geography, telling you nothing about the page state a real visitor sees right now.
SiteAudit doesn't ask Google. It launches a real Chromium browser through Playwright, navigates to your URL, and instruments the entire page load: every network request, every paint event, every script execution, every layout shift, every byte.
04 / Hostile-input architecture
The browser is treated as untrusted
A weekend AI tool slaps a URL into a fetch and trusts whatever comes back. That's how you get auditors that can be tricked into scanning internal admin panels or cloud metadata endpoints. SiteAudit ships with multi-layer SSRF protection: pre-DNS validation, request interception, post-redirect re-validation.
When the audit completes, the results aren't trusted from the browser either. The server holds the authoritative audit record. Most AI-tool clones happily accept whatever JSON the browser POSTs back.
05 / Reproducibility
Same input, same score, every run
Run SiteAudit twice on the same unchanged page and you get the same scores within measurement noise. That sounds obvious until you compare it to single-prompt AI tools where the same input produces wildly different reports.
SiteAudit's scores are reproducible because the measurements are deterministic and the AI is only describing what the measurements say, not inventing scores out of thin air.
06 / Citation chain
Every finding has a source
When the report flags a contrast issue, it traces to WCAG 2.2 SC 1.4.3. A missing <title> traces to HTML Living Standard § 4.2.2. A CLS score above 0.1 traces to the published Core Web Vitals thresholds. Schema.org markup is validated against schema.org's own published types.
You can look every finding up yourself. Not because we want to be defensible in court, but because that's how an auditor should be built: every claim grounded in a public, citable specification.