AI-Powered Attack Surface Intelligence

VeilScan finds your exposures. Then shows exactly how an attacker would use them.

Most scanners give you a list of vulnerabilities. VeilScan gives you an AI-simulated breach — step by step, grounded in your real infrastructure. Know what attackers see before they do.

No credit card required · Free forever · Setup in 2 minutes

SCAN REPORT — acmecorp.com (Complete)

Risk Score: 7.4/10 (Business Impact)
Critical: 2 (Verified)
High: 4 (Verified)
Subdomains: 23 (Discovered)

Findings
Critical: SQL Injection — user search endpoint (api.acmecorp.com), 9.1
Critical: Exposed .env file with credentials (app.acmecorp.com), 8.8
High: TLS 1.0 still enabled (api.acmecorp.com), 6.2
Med: Missing DMARC record (acmecorp.com), 4.1
Info: Open redirect on auth callback (auth.acmecorp.com), 2.3

Attack path detected
SQL Injection (api.acmecorp.com) -> Exposed .env (app.acmecorp.com) -> Admin access (admin.acmecorp.com)
"Credentials from .env confirm admin login. Full database exposed — no auth required."

ISO 27001 mapped · GDPR Article 32 · SOC 2 ready · PCI DSS aligned · Cyber Essentials

50 scanning pipeline nodes
4 AI reasoning models per scan
23 min average simulated breach timeline
0% critical false positive rate

The Problem

Why do security scanners give you lists, not answers?

Most tools produce hundreds of findings with no context, no proof, and no clear next step. Your team ends up triaging noise instead of fixing real risk.

Too many false positives

Automated scanners flag anything suspicious. Teams waste days chasing findings that aren't exploitable — and real risks get buried in the noise.

No context, no action

A CVE ID is not a decision. Without proof of exploitability and business context, findings sit in a spreadsheet — unread, unactioned, unresolved.

Blind spots between scans

Point-in-time assessments miss new deployments, forgotten subdomains, and supply chain exposure that appears between tests.

What You Get

Built different. Thinks different. Reports different.

01
AI Breach Simulation

See a step-by-step attack scenario built from your actual vulnerabilities — not generic templates. Each simulation is grounded in confirmed evidence from your own infrastructure.

02
Attack Path Chaining

Multiple findings combined into realistic multi-step intrusion paths. VeilScan maps how a SQL injection leads to a credential grab that leads to admin access — and how fast.

03
CEO-Ready Explanations

Every critical finding explained in plain English with business impact and fix guidance. No jargon. No CVE IDs without context. Written for the person who has to act on it.

04
Proof-Backed Findings

Every finding includes the curl command that reproduces it and the actual server response that proves it. If VeilScan can't show proof, it doesn't call it Critical — full stop.

The AI Engine

How VeilScan's AI works

Three stages. Fully automated. No analyst required.

Step 1: Scan

A 50-node pipeline maps your entire external attack surface — subdomains, ports, exposed services, secrets in JavaScript, cloud buckets, vulnerable endpoints, and more. No manual setup.

Step 2: Reason

AI correlates individual findings into real attack paths — not just a list. It asks: which vulnerabilities connect? Which ones would a real attacker chain together? What's the realistic blast radius?

Step 3: Simulate

The breach simulator shows exactly how an attacker would get in — step by step, with time estimates. Every scenario is grounded in confirmed evidence from your infrastructure, never speculation.

Process

Up and running in minutes

No agents. No credentials. No internal access required.

01 / ADD DOMAIN
Enter your domain

Paste the domain you want monitored. Takes 30 seconds — no configuration needed.

02 / VERIFY
Confirm ownership

Add a DNS TXT record once. We never scan a target without written authorisation from you.

03 / SCAN
Pipeline runs

Subdomain discovery, port scanning, vuln detection, and AI verification — fully automated.

04 / REPORT
Report delivered

Professional PDF to your inbox. Criticals trigger Slack alerts immediately — not two hours later.

Sample Output

What your report actually looks like

Not a spreadsheet. A clear, actionable picture of your external risk — with proof attached to every finding.

Example finding (Critical)
SQL Injection — User Search Endpoint
api.acmecorp.com/users/search

The q parameter is injectable. An attacker can enumerate and extract the full user table without authentication.

Proof (reproducible)
curl "https://api.acmecorp.com/users/search?q=' OR '1'='1"
Verified · ISO 27001 A.12.6 · GDPR Art.32

Example attack path (High risk)
Step 1: SQL Injection (api.acmecorp.com)
Step 2: Exposed .env (app.acmecorp.com)
Step 3: Admin access (admin.acmecorp.com)

What this means

An attacker uses the SQL injection to extract database credentials. The exposed .env file confirms the admin password. With both, they log into the admin panel — full control, no authentication required.

Business consequence: Full customer database exposed. GDPR breach notification required within 72 hours.

What customers say

Feedback from early users and teams who take risk seriously

"What stood out to me was how clearly everything was explained. Even without a deep technical background, I could understand the risks and communicate them internally. That’s rare for security tools."
Aayush Adhikari, CMO, Apulza

"The proof-backed findings are what make VeilScan different. Instead of vague alerts, we get reproducible evidence. It removes guesswork and makes security decisions much easier."
Early Access User, SaaS Engineering Team

Pricing

Simple, transparent pricing

Every plan includes proof-backed findings and compliance mapping. Core and Pro unlock fuller attack-path visibility and recurring monitoring depth.

Free: $0 forever
Try the scanner on one domain with no commitment.
1 domain
1 lifetime scan
Medium & Low findings
Critical & High findings
PDF report
Attack paths

Starter: $49 per month
For small teams getting started with external security.
1 domain monitored
1 manual scan / month
1 active verified domain scanned monthly
Proof-backed findings
Compliance mapping
PDF report + portal access
Attack paths
Slack alerts

Pro: $299 per month
For growing SaaS teams monitoring multiple public assets.
Up to 20 active verified domains
25 manual scans / month
Each active verified domain scanned daily
Proof-backed findings
Compliance mapping
PDF report + portal access
Attack paths + Slack alerts
Delta reports
Compliance export (CSV / JSON)

All plans require a signed Rules of Engagement document. Manual onboarding for first 20 customers.

How we validate

Every finding has proof attached

We don't guess. We don't surface noise. Every finding meets a documented proof standard before it reaches your report.

Proof-backed Critical findings
Every Critical finding includes a reproducible curl command and the actual server response confirming the vulnerability. No proof — no Critical.
Conservative validation
Unverified signals are automatically downgraded to Informational — never reported at face value. We'd rather under-report than send you false alarms that waste your team's time.
Attack paths, not vulnerability lists
Exploit paths are generated only when multiple verified findings can be chained together from an external, unauthenticated position. Every hop is independently confirmed. No speculation.
AI clearly labelled
AI assists with business impact scoring and remediation context — never with finding detection. Every AI-assisted section in your report is clearly identified. Scan results are tool-generated, not AI-generated.
Get Started

Your first scan. In under two hours.

Add your domain, verify ownership, and let VeilScan do the rest. No agents, no credentials, no internal access required. VeilScan runs a full external attack surface scan, including subdomains, open ports, API exposure, and secret leaks, and returns a verified, proof-backed report directly to your inbox.

No hidden scan fees · Cancel any time · Data stays in London (eu-west-2)

About VeilScan

VeilScan is a proof-based external vulnerability scanning platform built by CodeCrypse IT Solutions LTD, a UK-registered security software company. VeilScan automates the work of an external penetration tester by continuously mapping your internet-facing attack surface, verifying exploitability with real evidence, and chaining findings into actionable attack paths. Unlike traditional vulnerability scanners that surface noise, VeilScan only reports what it can prove, delivering a professional security report directly to your inbox in under two hours.