Quick Answer: VeilScan takes five steps to set up: create an account, add your domain, verify domain ownership with a DNS TXT record, sign the Rules of Engagement document, and your first scan starts automatically. Most scans deliver results within two hours. No agents or internal network access are required.
How do I set up VeilScan for the first time?
- Create an account — visit veilscan.net/register and sign up with your email address. A verification code is sent to confirm your address. No credit card is required for the free plan.
- Add your domain — in your dashboard, click “Add Domain” and enter the root domain you want to scan (e.g. yourcompany.com). Do not include https:// or a trailing slash.
- Verify domain ownership — VeilScan requires proof that you control the domain before scanning. See the domain verification section below for the two available methods.
- Sign the Rules of Engagement — a short legal document confirming you authorise VeilScan to scan your domain. This is required by law and must be signed before any scan runs. VeilScan provides the document in your dashboard and the signing is digital and timestamped.
- Your first scan starts automatically — once your domain is verified and the RoE is signed, VeilScan queues your first scan. Results appear in your dashboard within 90 to 120 minutes. You receive an email notification when the scan completes.
How does domain verification work?
Domain verification proves you control the domain you want to scan. VeilScan offers two methods:
Method 1: DNS TXT record (recommended)
- In your dashboard, go to your domain and click Verify. A unique TXT record value is shown.
- Add a TXT record to your domain's DNS settings with the name @ (or your domain root) and the VeilScan token as the value.
- DNS propagation typically takes 5–30 minutes. Click Check Verification in your dashboard when ready.
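Before clicking Check Verification for Method 1, you can confirm that the TXT record is actually visible in DNS. The script below is an added example, not VeilScan's own tooling; the token `PLACEHOLDER-TOKEN-123`, the sample dig output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VeilScan code. The token is a constructed placeholder;
# use the value shown in your dashboard.

# Constructed sample of `dig +short TXT yourcompany.com` output: the domain
# root usually carries other TXT records (here SPF) next to the token.
SAMPLE_DIG_OUTPUT='"v=spf1 include:_spf.example.net ~all"
"PLACEHOLDER-TOKEN-123"'

# normalize_txt: read `dig +short TXT` output on stdin, print one logical
# record per line. dig wraps each string in double quotes and shows values
# longer than 255 bytes as several strings ("part1" "part2"), which
# consumers join with no separator.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_token TOKEN: succeed only if one record equals TOKEN exactly.
# Exact matching avoids a false pass when the token text merely appears
# inside another record or a stale, longer value.
txt_has_token() {
    normalize_txt | grep -Fxq -- "$1"
}

# check_domain DOMAIN TOKEN [RESOLVER]: live lookup (needs dig and network).
# Passing RESOLVER queries that name server directly instead of the default.
check_domain() {
    if [ -n "$3" ]; then
        dig +short TXT "$1" "@$3" | txt_has_token "$2"
    else
        dig +short TXT "$1" | txt_has_token "$2"
    fi
}

# Offline demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | txt_has_token "PLACEHOLDER-TOKEN-123"; then
    echo "token record found"
fi
```

For a live check, run `check_domain yourcompany.com '<token from dashboard>'`; pass one of the domain's authoritative name servers as a third argument to bypass resolver caching.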
Method 2: File upload
- Download the verification file shown in your dashboard.
- Upload it to the path shown (e.g. https://yourcompany.com/.well-known/veilscan-verify.txt).
- Click Check Verification in your dashboard.
Once verified, the domain is permanently verified for your account. Re-verification is not required for subsequent scans.
How do I read my scan report?
Your scan report dashboard contains the following sections:
- Business Impact Score — a 0–10 score summarising the overall risk of your attack surface. Scores above 7.0 indicate findings that pose a real risk of business harm. The score is calculated by weighting technical severity, asset criticality, data exposure risk, and compliance impact.
- Finding count by severity — Critical, High, Medium, Low, and Informational counts. On the free plan, Critical and High counts are shown but the findings are locked. On paid plans, all findings are visible with full proof evidence.
- Finding list — each finding shows: the affected asset (subdomain, URL, or service), the vulnerability type, the severity, the proof evidence or evidence description, remediation guidance, and the compliance controls affected.
- Attack paths — where multiple findings chain together, VeilScan shows the full attack path with a step-by-step narrative.
- Compliance mapping table — visible in the PDF export, this table maps each finding to the specific controls it affects across ISO 27001, SOC 2, GDPR, PCI DSS, and Cyber Essentials.
How do scheduled scans work?
Paid plans include automatic scheduled scans:
- Starter — monthly scans of 1 domain
- Core — monthly scans of up to 5 domains
- Pro — weekly scans of up to 20 domains
Each scheduled scan runs the full pipeline and produces a delta report. The delta report highlights new findings (not present in the previous scan) and fixed findings (present in the previous scan but no longer detected). This makes it easy to track your security improvement over time.
You can also trigger manual on-demand scans from your dashboard. Manual scan quotas vary by plan. The free plan includes 1 lifetime manual scan; paid plans include monthly manual scan quotas.
How do I connect Slack for alerts?
Slack alerts are available on Starter, Core, and Pro plans.
- In your Slack workspace, go to Apps → Incoming Webhooks and create a new webhook for the channel where you want alerts.
- Copy the webhook URL.
- In your VeilScan dashboard, go to Settings → Slack Integration and paste the webhook URL.
- Click Test Integration to send a test message and confirm the connection.
VeilScan sends a Slack alert immediately when a new Critical or High finding is detected during any scan — before the full report is available. This means your team knows about serious new exposures within minutes.
What are the most common questions?
Can I add domains from multiple organisations to one account?
Domain verification requires you to prove ownership of each domain. If you manage security for multiple organisations, you would need separate accounts for each organisation, as each domain must be verified by the account holder who has DNS access to it.
How do I download my PDF report?
In your dashboard, go to Reports and click Download PDF next to any completed scan. PDF export requires a paid plan. The PDF includes your Business Impact Score, all verified findings with proof evidence, attack path analysis, and compliance mapping table. The PDF is signed with a verification token that third parties can use to confirm its authenticity at veilscan.net/verify/[token].
What happens if a scan fails?
If a scan fails due to a technical error, it is marked as failed in your dashboard and you can retry it. Failed scans do not count against your manual scan quota. If you experience repeated failures for a specific domain, contact support@veilscan.net with your scan ID and we will investigate.
How do I cancel my subscription?
Go to Dashboard → Billing and click Cancel Subscription. Your access continues until the end of the current billing period. After cancellation, your account reverts to the free plan and historical scan data is retained in read-only mode.