Frequently Asked Questions About VeilScan

Is VeilScan a penetration test?

No. VeilScan is an automated external attack surface monitoring tool, not a penetration test. A penetration test is a time-boxed, manual assessment conducted by a human security professional. It produces a point-in-time report and typically covers both external and internal systems depending on scope.

VeilScan is continuous, automated, and external-only. It scans only what is visible from the public internet. The two are complementary — VeilScan covers the 11 months between annual pentests and surfaces regressions that a point-in-time test would miss. See VeilScan vs manual penetration testing for a full comparison.

What does VeilScan actually scan?

VeilScan scans everything visible from the public internet associated with your verified domains:

• Subdomains (via DNS brute-force, CT logs, Wayback Machine, BGP recon)
• Open ports and exposed services
• TLS/SSL certificate validity, cipher suites, HSTS configuration
• Email security records: SPF, DKIM, DMARC
• Cloud storage assets: S3 buckets, exposed object storage
• Admin panel and login page exposure
• Sensitive file disclosure: .env files, backups, configuration files
• Web application vulnerabilities: SQL injection, XSS, SSRF, CORS, CSRF, host header injection
• Subdomain takeover vulnerabilities (dangling CNAME records)
• JavaScript secret exposure (API keys, tokens in client-side code)
• Shadow AI endpoint detection

How does VeilScan verify its findings?

VeilScan uses a proof-based model. Before a finding reaches your report at Critical or High severity, the scan pipeline must produce concrete evidence of exploitability:

• Critical findings require a reproducible proof of impact — a captured HTTP response demonstrating data exposure, a confirmed SQL injection trigger, a verified subdomain takeover, or equivalent artifact.
• High findings require confirmed evidence — a verified service fingerprint, a confirmed configuration weakness, or a validated exploit signal.
• Unverified findings are automatically downgraded to Medium or lower, or filtered out entirely.

See What Is Proof-Based Vulnerability Scanning? for a full explanation.

Who should use VeilScan?

VeilScan is designed for:

• SaaS founders and CTOs at companies with 5–200 employees who need security visibility without hiring a security team
• Fintech startups needing documented security evidence for compliance audits or investor due diligence
• SMBs in South Asia and the UK without dedicated AppSec resources
• Companies preparing for ISO 27001 or SOC 2 certification
• Engineering teams wanting continuous monitoring between annual penetration tests

See all use cases for more.

How long does a VeilScan scan take?

Most scans complete within 90 to 120 minutes. Domains with many subdomains or complex infrastructure may take slightly longer. You receive an email notification when results are ready. On paid plans, a Slack alert is sent immediately when a new Critical or High finding is detected.

Does VeilScan support compliance frameworks?

Yes. VeilScan maps findings to applicable controls in:

• ISO 27001:2022 (Annex A controls including A.8.8, A.8.9, A.8.20)
• SOC 2 Type II (CC6, CC7, CC9)
• GDPR Article 32 (appropriate technical measures)
• PCI DSS v4.0 (Requirements 6 and 11)
• Cyber Essentials (secure configuration, patch management, access control)

Each PDF report includes a compliance table suitable for audit submission. See Compliance Mapping for details.

Is VeilScan safe to run on production systems?

Yes. VeilScan performs non-destructive, read-only external reconnaissance. It never conducts denial-of-service testing, attempts to access internal systems, modifies data, or exfiltrates anything. All scanning operates within the bounds of a signed Rules of Engagement document. VeilScan is designed to be run continuously and safely against production domains. If you have specific concerns, contact hello@veilscan.net.

What happens after a scan completes?

You receive an email notification with a summary. Your dashboard shows the full report including your Business Impact Score, all verified findings with proof evidence, attack path analysis, compliance mapping, and remediation guidance. On paid plans you can download a signed PDF. Subsequent scans produce delta reports showing new findings and findings that have been fixed since the last scan.

How is VeilScan different from running Nmap myself?

Nmap tells you what ports are open. VeilScan tells you what is exploitable, what it means for your business, and what to do about it. VeilScan runs the full pipeline: subdomain enumeration, service fingerprinting, vulnerability detection, proof verification, attack path analysis, Business Impact Scoring, compliance mapping, and report generation. It delivers output a CTO or board can read without security expertise.

Does VeilScan store my scan data?

Yes. Scan results are stored securely in AWS eu-west-2 (London). Data does not leave the United Kingdom. VeilScan never shares scan data with third parties. If you delete your account, all data is permanently removed. See the Privacy Policy for full details.

Can VeilScan scan internal networks?

No. VeilScan is an external-only scanner. It scans only what is visible from the public internet. It cannot scan private IP ranges, VPN-protected infrastructure, or internal services. For internal scanning, a dedicated internal vulnerability scanner or a manual penetration test engagement is required.

What is the free scan and what does it include?

The free plan includes one lifetime scan of one domain. It shows Medium and Low severity findings. Critical and High findings are detected but hidden until you upgrade to a paid plan. The free scan covers the full subdomain enumeration, port scanning, TLS and email checks, cloud misconfiguration signals, admin panel detection, and a preview Business Impact Score. No credit card required. See the free scan page for full details.