Frequently asked questions
Practical answers about coverage, performance, and how VulnProScan fits into a modern AppSec program.
VulnProScan tests across 15 security domains: information gathering and attack surface mapping, configuration and deployment issues, authentication weaknesses, authorization and access control (including IDOR), session management and CSRF, core web vulnerabilities (SQL injection, XSS, open redirect), sensitive data exposure, security headers and browser protections, TLS and transport security, API security, client-side security, business logic flaws, host and configuration scanning, compliance mapping, and validation mode. Coverage varies by scan mode — see the Coverage page for a full breakdown.
A public scan tests the application surface reachable without credentials — covering security headers, TLS, injection points on public forms, and surface-level misconfiguration. An authenticated scan logs into the application using credentials you provide and tests protected areas, unlocking coverage for authorization flaws, IDOR, session weaknesses, authenticated API endpoints, and business logic issues that are invisible to an anonymous scanner.
VulnProScan runs dynamic application security testing (DAST) against the URL you provide — crawling links, forms, and API endpoints, then exercising discovered attack surface across 12 OWASP-aligned categories. Public scans cover external exposure; authenticated scans go deeper into protected application areas.
VulnProScan tests for SQL injection (including error-based, blind, and time-based variants), reflected and stored cross-site scripting (XSS), DOM-based XSS through dangerous sinks, open redirect vulnerabilities, path traversal, and command injection patterns. All discovered parameters and form inputs are exercised during active testing.
Yes. Security header checks include Content-Security-Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options (clickjacking protection), Referrer-Policy, and Permissions-Policy. TLS checks cover deprecated protocol support (TLS 1.0/1.1), weak cipher suites, mixed HTTP/HTTPS content, and HSTS preload configuration.
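As an added illustration of what a header check like the one described above evaluates (example code, not VulnProScan's own scanner logic), the following function inspects a captured response's CSP, HSTS, X-Frame-Options, Referrer-Policy and Permissions-Policy headers and returns findings. The two header sets at the bottom are constructed samples, one weak and one hardened.

```python
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; the usual minimum for HSTS and the preload list


@dataclass(frozen=True)
class HeaderFinding:
    header: str
    severity: str
    detail: str


def _hsts_directives(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def check_security_headers(headers: dict, https: bool = True) -> list:
    """Return a list of HeaderFinding for the browser-protection headers.
    `https` says whether the response was served over TLS; browsers ignore
    HSTS on plain HTTP, so that check only applies to HTTPS responses."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(HeaderFinding("Content-Security-Policy", "Medium", "header missing"))
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        effective = directives.get("script-src") or directives.get("default-src")
        if effective is None:
            findings.append(HeaderFinding("Content-Security-Policy", "Medium",
                                          "no script-src or default-src; scripts are unrestricted"))
        elif "'unsafe-inline'" in effective and "'nonce-" not in effective and "'sha256-" not in effective:
            findings.append(HeaderFinding("Content-Security-Policy", "Low",
                                          "effective script policy allows 'unsafe-inline'"))

    if https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append(HeaderFinding("Strict-Transport-Security", "Medium",
                                          "header missing on HTTPS response"))
        else:
            d = _hsts_directives(hsts)
            try:
                max_age = int(d.get("max-age", "0"))
            except ValueError:
                max_age = 0
            if max_age < ONE_YEAR:
                findings.append(HeaderFinding("Strict-Transport-Security", "Medium",
                                              f"max-age below one year ({max_age})"))
            if "includesubdomains" not in d:
                findings.append(HeaderFinding("Strict-Transport-Security", "Low",
                                              "includeSubDomains not set"))
            if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
                findings.append(HeaderFinding("Strict-Transport-Security", "Low",
                                              "preload set but preload-list requirements not met"))

    xfo = h.get("x-frame-options")
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp
    if xfo is None and not has_frame_ancestors:
        findings.append(HeaderFinding("X-Frame-Options", "Medium",
                                      "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(HeaderFinding("X-Frame-Options", "Low",
                                      f"unsupported value {xfo.strip()!r}; browsers ignore it"))

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append(HeaderFinding("Referrer-Policy", "Low", "header missing; browser default applies"))
    elif rp.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(HeaderFinding("Referrer-Policy", "Low", "policy sends the full URL cross-origin"))

    if "permissions-policy" not in h:
        findings.append(HeaderFinding("Permissions-Policy", "Informational", "header missing"))

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```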
API testing covers unauthenticated endpoints returning sensitive data, GraphQL introspection enabled in production, verbose API error responses that leak internal details, missing rate limiting on API routes, and CORS misconfigurations that allow arbitrary origins.
Findings are organized by severity (Critical, High, Medium, Low, Informational), security category, asset/host, endpoint, scan mode (authenticated or public scan), and status (Open, In Review, Resolved). The dashboard shows trend data across scan runs and a categorized findings table with remediation context for each issue.
Use a full URL including the scheme, for example https://app.example.com. Avoid wildcards; scope is the host and path you submit. Staging environments are ideal for first runs before scanning production.
Runtime depends on application size, number of discovered endpoints, authentication flows, and backend latency. Small apps may finish in a few minutes; larger properties can take longer. The UI shows elapsed time and partial summaries when scans approach time limits.
Reports include severity classification, affected endpoint, security category, evidence of the finding, scan mode context (authenticated vs public), and remediation guidance. Full reports on paid plans include the complete finding list with endpoint-level evidence; trial scans show a masked summary.
Enterprise customers work with VulnProScan on data processing agreements, subprocessors, and evidence packs. VulnProScan outputs support control testing for vulnerability management controls but are not a substitute for a full compliance audit.
Repository analysis, secret detection, and dependency risk scoring are on the roadmap for Pro and Enterprise. Dynamic application scanning remains the core product on all tiers.
Starter is billed monthly. Pro supports additional seats, higher limits, and authenticated scanning capacity. Enterprise is contracted annually with optional professional services.
Automated scanners can flag behavior that is benign in context. Use severity filters, retest after fixes, and tune scope. Enterprise adds workflow states so AppSec can mark accepted risk with rationale.
Trial runs the same scan, but the product only shows a coarse “how much was found” message and a single anonymized sample line—no full titles, URLs, per-severity counts, or full finding list. That keeps the trial useful without giving away the entire report. Membership unlocks full reports on every scan; a one-time purchase unlocks the complete output for that scan after checkout.
After a scan, high-value findings can open a guided wizard: OWASP-aligned templates (e.g. injection, XSS, misconfiguration) with ordered steps—triage, implement controls, validate. When no template matches your exact signal, the flow can enrich steps with AI-assisted guidance (where enabled). You can mark items fixed, run a targeted rescan to confirm the issue is gone, and keep audit-friendly status history in the dashboard on supported plans.
AI Autofix is available on Business and Enterprise plans. When you open a finding in the Remediation Suite, an "AI Autofix" button generates a step-by-step fix plan tailored to that specific vulnerability — including ordered remediation steps, a corrected code snippet where applicable, and links to the relevant OWASP and CWE references. The plan is produced by an AI model guided by security engineering rules and is reviewed by your team before any code changes are made. Autofix covers all vulnerability categories detected by VulnProScan: injection, XSS, authorization flaws, CSRF, TLS misconfiguration, and more.
Yes, on Pro and Enterprise you can connect Slack (incoming webhook) and Jira Cloud (API token + project key) so high-severity findings create tickets or channel posts—with deduplication so the same vulnerability hash does not spam your backlog. Configure credentials in product settings; use per-scan toggles where available. Other trackers can be added via webhook or API on Enterprise engagements.
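The deduplication described above depends on a finding fingerprint that stays stable across scan runs. The following is an added example of one way to build such a fingerprint and route only high-severity findings to a tracker (not VulnProScan's own hashing scheme; the findings and the ticket keys are constructed samples).

```python
import hashlib
import json
from urllib.parse import parse_qsl, urlsplit

TICKET_SEVERITIES = {"Critical", "High"}  # only these create tickets, per the FAQ


def normalize_finding(finding: dict) -> dict:
    """Keep only the fields that identify *which* vulnerability this is.
    Volatile fields (scan id, timestamp, payload, response body) are dropped so
    the same issue in the same parameter hashes identically on every rescan."""
    parts = urlsplit(finding["url"])
    # Purely numeric path segments are treated as object ids so that
    # /api/users/17 and /api/users/42 count as one IDOR finding, not two.
    segments = ["{id}" if s.isdigit() else s for s in parts.path.split("/")]
    path = "/".join(segments).rstrip("/") or "/"
    # Query parameter names are part of the identity; their values are not.
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return {
        "category": finding["category"].strip().lower(),
        "host": (parts.hostname or "").lower(),
        "path": path,
        "param": finding.get("param", "").strip().lower(),
        "query_params": names,
    }


def finding_hash(finding: dict) -> str:
    canonical = json.dumps(normalize_finding(finding), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class TicketRouter:
    """Creates a ticket the first time a fingerprint is seen; later reports of
    the same fingerprint are attached to the existing ticket instead."""

    def __init__(self):
        self.tickets = {}  # fingerprint -> ticket key

    def route(self, finding: dict):
        """Return (ticket_key, created). ticket_key is None if severity is below threshold."""
        if finding["severity"] not in TICKET_SEVERITIES:
            return None, False
        fp = finding_hash(finding)
        if fp in self.tickets:
            return self.tickets[fp], False
        key = f"SEC-{len(self.tickets) + 1}"  # constructed stand-in for a Jira key
        self.tickets[fp] = key
        return key, True


# Constructed sample findings from two scan runs.
RUN1_SQLI = {"scan_id": "run-1", "severity": "Critical", "category": "SQL Injection",
             "url": "https://app.example.com/api/users/17?sort=name", "param": "sort",
             "payload": "name' OR '1'='1"}
RUN2_SQLI = {"scan_id": "run-2", "severity": "Critical", "category": "sql injection",
             "url": "https://APP.example.com/api/users/42/?sort=id", "param": "Sort",
             "payload": "id' AND SLEEP(5)--"}
RUN2_XSS = {"scan_id": "run-2", "severity": "High", "category": "Reflected XSS",
            "url": "https://app.example.com/search?q=x", "param": "q", "payload": "<svg>"}
RUN2_INFO = {"scan_id": "run-2", "severity": "Informational", "category": "Permissions-Policy missing",
             "url": "https://app.example.com/", "param": ""}
```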
Host and configuration scanning checks the security posture of your servers and operating system settings — not just what's running on top of them. It examines exposed services, OS hardening settings, user account configuration, file permissions, and other system-level factors that create attack surface. Think of it as security coverage for the layer underneath your web application and containers.
For external host scans, the scanner tests what is visible from outside the system — exposed services, open ports, and externally observable configuration. For in-depth OS-level configuration checks (hardening settings, user accounts, file permissions), authenticated access is required, provided through the internal scanner connector deployed inside your network.
The internal scanner connector is a lightweight component you deploy on a server inside your network. It runs authorized scans against internal hosts you've approved and sends results to your VulnProScan dashboard over an outbound-only HTTPS connection. You need the connector if you want to scan internal assets — hosts, services, or configurations — that are not publicly reachable from the internet. For external-facing assets only, no connector is required.
No. The internal scanner connector is only required for scanning assets that are not publicly reachable from the internet. Web application scans, API scans, container registry scans, and public-facing host scans do not require the connector. The connector is needed when you want to scan internal hosts, internal services, or configurations on systems inside your network perimeter.
Validation Mode runs a controlled, scoped verification workflow against a specific finding you've selected. It attempts to reproduce the finding under defined conditions and produce evidence — a proof-of-concept output, a response demonstrating the vulnerability, or a reproducible test case — that confirms the finding represents an actual, exploitable condition in your environment. The result is either a confirmed finding with attached evidence or a flag for manual review rather than automatic escalation.
No. Validation Mode is a targeted, controlled, and safety-limited verification workflow for individual scanner findings. It operates strictly within your authorized scan scope, does not attempt lateral movement, does not establish persistence, and does not explore impact chains beyond the specific finding. A penetration test is a broader engagement — typically human-led, covering attack path analysis, chaining vulnerabilities, and impact demonstration — often conducted under a separate statement of work. Validation Mode is designed to reduce false-positive triage overhead, not to replicate the depth of a full penetration test.
They serve different purposes. Rescans confirm that a finding has been remediated — you fix the issue and run a rescan to verify the fix resolved it. Validation Mode confirms whether a finding is real and exploitable before remediation, reducing the risk of escalating false positives to developers. A typical workflow: a scan identifies a critical finding → Validation Mode confirms exploitability → the finding is escalated with evidence → a developer remediates → a rescan confirms resolution.
Compliance mapping links individual scan findings to specific controls in recognized security frameworks — such as a CIS Benchmark check, a NIST SP 800-53 control, a PCI DSS requirement, or an ISO 27001-aligned control area. When a finding has a compliance mapping, you can see which framework controls are affected, making it easier to cross-reference your scan results with compliance program requirements during audit preparation or remediation tracking.
No. VulnProScan is a security testing and vulnerability management tool. It generates findings and compliance-mapped reports that can support vulnerability management control testing — which is a component of many compliance frameworks. But a formal compliance audit or certification assessment requires work that goes beyond automated scanning: scoping, control evaluation across non-technical domains, evidence collection across your entire control environment, and assessment by a qualified auditor or certification body. VulnProScan helps you prepare and document your security posture — it does not certify compliance.
Yes, but with coordination. VulnProScan scans only assets you explicitly authorize and configure — nothing runs automatically against systems outside your defined scope. Active scanning generates load and can trigger alerts or rate-limiting in production environments. We recommend staging environments for initial scans, then applying appropriate scheduling and concurrency settings for production. For host and configuration scans with the internal connector, consult with your infrastructure team before scanning production hosts.
Authorization is enforced at the platform level. You configure scan targets and scope explicitly; VulnProScan does not scan assets outside what you've registered and authorized. For web applications, scope is limited to the host and path you configure. For container and Kubernetes scans, scope is limited to the registries and clusters you've connected. For internal scanner deployments, scope is defined in the connector configuration and managed through your dashboard. No scan type operates outside your defined scope.
Yes. Pro, Business, and Enterprise members can generate a personal API key from Settings → API Key and use it to trigger scans, retrieve findings, and integrate VulnProScan into CI/CD pipelines or custom tooling. API access is not available on the Starter plan. Members can find a full code tutorial — including curl, JavaScript, and Python examples — in the Help & FAQ section of their dashboard.
VulnProScan stores scan configuration, finding data (including evidence artifacts from Validation Mode), remediation status history, and report exports for your account. For web and API scans, this includes request/response data captured during active testing. For host and configuration scans, it includes the configuration state data returned by the scanner. Data is retained according to your plan's history window. Enterprise customers can request a data processing agreement (DPA) and review subprocessor documentation for due diligence purposes.
Vulnerability management is the continuous process of identifying, evaluating, prioritizing, and remediating security vulnerabilities in your applications, infrastructure, and dependencies. It is important because vulnerabilities are a primary attack vector — unpatched or undetected security flaws create exploitable weaknesses that attackers can leverage for unauthorized access, data breaches, and system compromise. An effective vulnerability management program reduces your organization's attack surface by systematically closing gaps before they are exploited. VulnProScan automates the discovery and reporting phases of this cycle, enabling teams to focus on prioritization and remediation.
Infrastructure-as-code (IaC) scanning analyzes the templates, configuration files, and code used to provision cloud and on-premises infrastructure — such as Terraform, CloudFormation, Kubernetes manifests, Docker files, Ansible playbooks, and other declarative infrastructure definitions. IaC scanning is important because configuration misconfigurations are a leading cause of cloud security incidents. By scanning IaC files before infrastructure is deployed, teams can identify and fix security issues like open S3 buckets, overpermissive IAM policies, unencrypted databases, missing security groups, and hardcoded secrets — preventing misconfigured infrastructure from reaching production. VulnProScan includes IaC scanning for Terraform, CloudFormation, Kubernetes, Docker, and other formats across the Pro, Business, and Enterprise plans.
SAST stands for Static Application Security Testing — a technique that analyzes application source code without executing it to find security vulnerabilities like injection flaws, XSS, insecure deserialization, hardcoded secrets, insecure cryptography, and other code-level issues. SAST is used during development and before deployment to catch vulnerabilities early, when they are cheapest to fix. It is typically run as part of continuous integration (CI) pipelines to scan code before commits are merged or releases are built. VulnProScan includes SAST scanning powered by industry-standard engines like Semgrep, with support for Java, JavaScript, Python, Go, C#, and other languages, available on the Pro, Business, and Enterprise plans.
DAST stands for Dynamic Application Security Testing — a technique that tests running applications by sending requests and analyzing responses to find vulnerabilities from an attacker's perspective. Unlike SAST, which analyzes code, DAST tests the actual application behavior, making it effective at finding business logic flaws, runtime vulnerabilities, and authentication/authorization issues. DAST typically catches vulnerabilities that emerge from how components interact, whereas SAST catches code-level issues. A comprehensive AppSec program uses both: SAST during development (early and cheap), DAST during testing and deployment (to verify real-world security posture). VulnProScan includes DAST as its core offering on all plans, with support for web applications and APIs.
SCA (Software Composition Analysis) and dependency scanning both analyze your application's dependencies (third-party libraries, frameworks, packages) to identify known vulnerabilities. The terms are often used interchangeably, though SCA may additionally track licensing risks and component inventory. Dependency scanning is critical because modern applications depend on hundreds or thousands of open-source components, many of which contain known vulnerabilities. By scanning dependencies, you can identify and patch vulnerable versions before they are exploited. VulnProScan includes dependency and component analysis on Pro and Enterprise plans, with support for npm, PyPI, Maven, NuGet, RubyGems, and other package managers.
API security testing focuses on the unique attack surface of application programming interfaces (APIs) — which differ from traditional web applications in scope, complexity, and authentication mechanisms. APIs often lack browser-based protections (same-origin policy, CSRF tokens), operate with token-based authentication (OAuth, JWT), and expose business logic directly. Common API vulnerabilities include unauthenticated endpoints returning sensitive data, broken object-level authorization (BOLA/IDOR), excessive data exposure, unsafe direct object references, and lack of rate limiting. APIs need dedicated scanning because generic web application scanners may miss these API-specific patterns. VulnProScan includes dedicated API testing on all plans, with support for REST, GraphQL, and SOAP APIs.
Kubernetes security scanning analyzes Kubernetes cluster configurations, pod security policies, RBAC settings, network policies, and container image vulnerabilities to identify misconfigurations and runtime security risks. Kubernetes is complex, with many moving parts (API server, kubelet, scheduler, etcd, ingress, RBAC, network policies, persistent volumes), and misconfigurations are common — such as overly permissive RBAC rules, missing pod security policies, disabled audit logging, exposed API servers, or vulnerable container images. Kubernetes scanning checks for compliance with CIS Kubernetes Benchmarks, identifies containers running as root, detects privilege escalations, and finds exposed secrets in configurations. VulnProScan includes Kubernetes scanning on Pro, Business, and Enterprise plans.
An SBOM (Software Bill of Materials) is a detailed inventory of all software components, libraries, and dependencies used in an application — including versions, licenses, and known vulnerabilities. Think of it as an ingredient list for software, similar to nutrition labels on food. SBOMs are important for supply chain security: they enable you to quickly identify which applications are affected when a new vulnerability is discovered in a dependency, support compliance and licensing audits, and help manage software supply chain risk. Many organizations now require SBOMs from vendors for procurement. VulnProScan can generate SBOMs in CycloneDX and SPDX formats on Business and Enterprise plans, making it easy to share component inventory and vulnerability data with partners and auditors.
Container security covers the entire container lifecycle — from image build to runtime. Container images (the blueprints for running containers) often contain vulnerable dependencies, outdated base OS layers, hardcoded secrets, and misconfigurations that propagate when containers are deployed. Scanning container images before deployment catches vulnerabilities early, preventing compromised containers from reaching production. Container scanning typically checks for known vulnerabilities in dependencies, OS packages, and base images; detects hardcoded secrets; and identifies configuration issues. VulnProScan includes container image scanning on all plans, with support for Docker Hub, ECR, GCR, and other registries.
SOC 2 is a compliance framework developed by the American Institute of CPAs (AICPA) that certifies how organizations manage security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 is commonly required by SaaS vendors when working with enterprise customers. The compliance framework includes a requirement for vulnerability management controls — regular vulnerability scanning, timely remediation, and evidence of monitoring. VulnProScan helps organizations meet this requirement by providing documented scan results, finding remediation workflows, and audit-ready reports. Customers pursuing SOC 2 certification use VulnProScan scan reports as evidence of vulnerability management control testing.
ISO 27001 is an international standard for information security management systems (ISMS), specifying controls for protecting information assets. The standard requires organizations to maintain a vulnerability management program: regular vulnerability assessments, prompt remediation, and monitoring for new vulnerabilities in systems and software. Vulnerability scanning and remediation are core controls in ISO 27001 compliance. VulnProScan provides documented evidence of vulnerability identification and remediation activities, supporting compliance demonstrations during audits. Organizations pursuing ISO 27001 certification use VulnProScan reports to document their vulnerability management control implementations.
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that regulates how healthcare organizations and their business associates handle protected health information (PHI). The HIPAA Security Rule requires covered entities to implement administrative, physical, and technical safeguards, including a requirement to conduct regular vulnerability assessments and penetration testing to identify security risks. Organizations must document vulnerabilities, remediate identified risks, and maintain audit trails of scanning and remediation activities. VulnProScan helps healthcare organizations meet HIPAA security requirements by automating vulnerability discovery, tracking remediation progress, and generating compliance-aligned reports for audit documentation.
PCI DSS is a set of security standards required by credit card brands for organizations that handle payment card data. PCI DSS compliance is mandatory for merchants, payment processors, and any organization that stores, processes, or transmits credit card information. The standard explicitly requires vulnerability scanning: quarterly vulnerability scans, annual penetration testing, prompt remediation of vulnerabilities, and maintenance of an up-to-date inventory of systems and applications. Non-compliance results in fines and potential loss of payment processing ability. VulnProScan helps organizations meet PCI DSS requirements by automating vulnerability scanning, tracking remediation, and generating compliance documentation.
NIST SP 800-53 is a catalog of security and privacy controls published by the U.S. National Institute of Standards and Technology, widely adopted by U.S. federal agencies, government contractors, and regulated organizations. The standard includes specific vulnerability management controls: scanning for vulnerabilities, analyzing scans regularly, remediating high-risk findings, and monitoring for newly disclosed vulnerabilities. Organizations working with government agencies (FedRAMP, DoD, etc.) must demonstrate compliance with NIST 800-53 through documented vulnerability assessments and remediation workflows. VulnProScan helps government contractors and regulated organizations demonstrate NIST 800-53 compliance with scan reports and remediation evidence.
GDPR (General Data Protection Regulation) is a comprehensive data protection law in the European Union and European Economic Area that regulates how organizations collect, process, and store personal data. While GDPR is primarily focused on data protection and privacy, it includes a requirement to implement technical and organizational measures to protect personal data, including security assessments and vulnerability management. Organizations must conduct regular security reviews and remediate identified vulnerabilities to meet GDPR's security requirements. VulnProScan helps GDPR-regulated organizations document their vulnerability management practices and maintain evidence of security controls for data protection.
FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government program that standardizes the process of granting security authorization for cloud services used by federal agencies. To achieve FedRAMP certification, cloud service providers must implement NIST 800-53 controls, including regular vulnerability scanning, penetration testing, and documented remediation of findings. FedRAMP requires continuous monitoring — including quarterly vulnerability scans and prompt remediation of findings — to maintain authorization. VulnProScan helps cloud service providers meet FedRAMP requirements by enabling continuous vulnerability scanning, documented remediation workflows, and audit-ready evidence of security controls.
Small businesses and SMBs are increasingly targeted by attackers because they often have fewer security resources than large enterprises, making them easier targets. SMBs that handle customer data, process payments, or operate critical infrastructure face significant risk from undetected vulnerabilities. Vulnerability scanning is critical for SMBs because it automates the discovery of security issues that could otherwise be exploited, provides compliance documentation for customer requirements (SOC 2, PCI DSS, etc.), reduces the likelihood of costly breaches, and enables small security teams to focus remediation efforts on the most impactful findings. VulnProScan is designed with SMBs in mind — providing enterprise-grade vulnerability management at affordable pricing with simple configuration.
SMBs with small or nonexistent security teams can implement effective vulnerability management by automating scanning and leveraging tools that simplify workflows. VulnProScan automates the discovery phase (scanning), prioritizes findings by severity and exploitability, provides guided remediation steps and AI-assisted fixes, and integrates with development tools (Slack, Jira) to streamline communication. By automating routine scanning and prioritization, SMB developers and engineers can focus on remediation rather than manual vulnerability discovery. Scheduled scans, CI/CD integration, and API access enable SMBs to operate vulnerability management continuously without dedicated security staff.
SMBs typically need to maintain compliance based on their industry and customers: e-commerce businesses need PCI DSS (if processing payments); SaaS companies need SOC 2 (if serving enterprise customers); healthcare businesses need HIPAA; government contractors need FedRAMP or NIST 800-53. All of these frameworks require vulnerability assessment and management. Vulnerability scanning provides documented evidence of these controls during audits. Rather than conducting expensive penetration tests or manual security audits, SMBs can use continuous vulnerability scanning as an efficient, affordable way to demonstrate compliance with customer requirements and regulatory frameworks.
The OWASP Top 10 is a list of the ten most critical web application security risks, published by the Open Web Application Security Project (OWASP). The list includes injection flaws, broken authentication, sensitive data exposure, XML external entities (XXE), broken access control, security misconfiguration, XSS, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. These risks are common because they represent fundamental security mistakes in application design and implementation. Vulnerability scanners help address the OWASP Top 10 by automatically testing applications for instances of these risks. VulnProScan is explicitly designed to detect all OWASP Top 10 vulnerabilities across web applications, APIs, and infrastructure.
A zero-day vulnerability is a security flaw that is unknown to the vendor and for which no patch or mitigation exists — attackers can exploit it without defenders having a defense. Zero-days are rare and difficult to detect with automated scanning because scanners rely on known signatures and patterns. However, automated vulnerability scanners are highly effective at detecting known vulnerabilities — the vast majority of real-world breaches involve known vulnerabilities for which a patch already existed but was never applied. By running regular vulnerability scans, applying patches promptly, and using defense-in-depth strategies (firewalls, intrusion detection, monitoring), organizations protect against the majority of attacks. VulnProScan focuses on detecting known, remediable vulnerabilities to reduce your attack surface.
A supply chain attack is an attack that targets a third-party component or service used by an organization, compromising that component to gain access to many downstream users. Examples include compromised npm packages, malicious Docker images, vulnerable dependencies in widely-used libraries, and trojanized open-source software. Because modern applications depend on hundreds of components, a single compromised dependency can affect thousands of organizations. Dependency and component scanning analyzes your application's dependencies to identify known vulnerabilities, enabling you to update or replace vulnerable components before they are exploited. VulnProScan includes dependency scanning to help detect and remediate vulnerable components in your supply chain.
These terms are related but distinct. A vulnerability is a specific security flaw in a system — a defect that could allow unauthorized access or impact. A weakness (also called a susceptibility) is a broader category of security issues, such as "improper input validation" or "insufficient authentication" — weaknesses can manifest as multiple vulnerabilities. Risk is the potential impact if a vulnerability is exploited — it combines the likelihood of exploitation with the severity of impact. Vulnerability scanning identifies vulnerabilities (specific flaws), which are instances of underlying weaknesses. Risk assessment then evaluates which vulnerabilities pose the greatest risk to your organization, enabling prioritization of remediation efforts. VulnProScan helps by identifying vulnerabilities and mapping them to risk categories (Critical, High, Medium, Low) based on severity and exploitability.
Still stuck?
Visit Troubleshooting or email support@vulnproscan.com.