Level 2 · Automated
Vulnerability scan.
A professional scanner on your web or API with every finding reviewed and triaged by hand. Detects common vulnerabilities without the false-positive noise.
What's included
Catch the obvious, without false positives.
OWASP Top 10 coverage
Injections, broken access control, insecure configuration, components with known CVEs, etc.
Manual triage of every finding
We discard noise and false positives before sending anything. Your report only contains verified findings.
Report prioritized by severity
CVSS + your application context. You know exactly what to fix first and why.
Short results meeting
30 minutes. We walk you through the findings, answer technical questions and clarify the remediation steps.
What this level does NOT cover
- —Chained exploitation of vulnerabilities
- —Business-logic flaws (those belong to the pentest)
- —Fine-grained access control between custom roles
- —Complex authentication or authorization bypasses
If you need all that, what you want is the full manual pentest.
What you get
- Professional vulnerability scanner (OWASP Top 10)
- Manual triage: we discard noise and false positives
- Report prioritized by severity
- Short results meeting
When to choose it
- Periodic checkup of your application.
- Before an important release.
- When a client or audit asks you for evidence.
- To validate the baseline before investing in a pentest.
Quick questions
What people usually ask about this service.
How is it different from the pentest?+
The scan detects common vulnerabilities with a professional scanner, and we validate every finding by hand so there are no false positives. But we don't exploit vulnerability chains or look for business-logic flaws. That's what the manual pentest is for.
Does it affect production?+
The goal is not to impact the service. We agree the testing window and intrusion level with you. Tests that could affect availability are done only with your explicit permission or in staging if you prefer.
How many URLs/endpoints does the price cover?+
We define the fixed price after a scoping call. For a typical website or a medium-sized API, a single scan unit covers everything. If your application is larger we tell you before starting — we never bill surprises.
Shall we start with the scan?
We reply within 24h with a scope proposal and start date.