What makes VeilScan different from other vulnerability scanners?

VeilScan uses a proof-based approach: every Critical and High finding must include reproducible exploit evidence before it reaches your report. Other scanners surface potential vulnerabilities based on version signatures or theoretical conditions without confirming exploitability. VeilScan also adds attack path analysis chaining findings into breach narratives and a Business Impact Score that translates technical severity into business risk language.

Does VeilScan require any agent or internal network access?

No. VeilScan is a purely external scanner. It only scans what is visible from the public internet. No agents, credentials, VPN access, or internal network connectivity are required.

Does VeilScan monitor continuously or just run one-off scans?

Both. The free plan includes one lifetime scan. Paid plans include scheduled rescans on a weekly or monthly cadence depending on your plan. Delta reports highlight new and fixed findings between each scan so you can track your security posture over time.

Product

VeilScan Features: What Gets Scanned and How

Quick Answer: VeilScan scans your external attack surface for verified vulnerabilities using a proof-based pipeline. Core features include subdomain enumeration, open port scanning, TLS and email security checks, cloud misconfiguration detection, proof-validated findings, attack path analysis, Business Impact Scoring, compliance mapping, and board-ready PDF reports.

What are proof-based findings and why do they matter?

Most vulnerability scanners report everything that might be vulnerable — based on software version numbers, banner strings, or theoretical conditions. The result is thousands of findings, most of which require a security expert to triage and most of which are either unexploitable or irrelevant to your environment.

VeilScan operates differently. Every finding at Critical or High severity must pass a proof standard before it enters your report. A Critical finding requires a reproducible artifact demonstrating real impact: a captured response showing data exposure, a confirmed exploit trigger, a verified DNS takeover. Findings that cannot be proven are automatically downgraded. What reaches your dashboard is a shorter, verified list that a non-security engineer can understand and act on immediately.

See: Proof-Based Findings — full feature detail

What does VeilScan actually scan?

VeilScan scans everything visible from the public internet associated with your domain:

Subdomains — enumerated using DNS brute-forcing, certificate transparency logs, Wayback Machine data, BGP recon, and passive sources. Typically discovers 3–5× more subdomains than a manual inventory.
Open ports and services — port scanning across common service ranges to identify unexpected SSH, RDP, database, or admin service exposure.
TLS/SSL configuration — certificate validity and expiry, cipher suite strength, protocol version support, HSTS header presence and correctness.
Email security — SPF record completeness, DKIM key validity, DMARC policy enforcement level. Missing or misconfigured records enable email spoofing against your domain.
Cloud assets — publicly accessible S3 buckets, exposed object storage, cloud misconfiguration signals.
Admin panels — management interfaces, login pages, and admin dashboards accessible from the public internet.
Sensitive file exposure — .env files, backup.zip, config.php, database dumps, and similar sensitive files accidentally published.
Web application vulnerabilities — SQL injection, XSS, SSRF, CORS misconfiguration, CSRF gaps, clickjacking, host header injection.
Subdomain takeover — DNS records pointing to unclaimed external services (GitHub Pages, Heroku, S3, Fastly, etc.).
JavaScript secret exposure — API keys, tokens, and secrets accidentally included in client-side JavaScript.

See: Asset Discovery feature · TLS and Email Security feature · Cloud Misconfiguration Detection · What is EASM?

How does attack path analysis work?

An individual vulnerability tells you about one issue. An attack path tells you what an attacker can actually do with it.

Where VeilScan finds multiple related verified findings, it constructs an attack path narrative: a step-by-step chain showing how an attacker could move from initial external access to a meaningful impact (credential exposure, data breach, lateral movement). Each path includes the individual findings involved, the chain sequence, and the estimated business impact at the end.

This context makes it easier for a CTO or founder to understand which findings deserve immediate action vs. which can wait for the next sprint.

See: Attack Path Analysis feature · What Is Attack Path Analysis?

What reporting and compliance evidence does VeilScan produce?

VeilScan produces a signed, timestamped PDF report containing:

Executive summary — plain-language risk overview designed for founders and boards, not just engineers
Business Impact Score — a 0–10 risk score per finding and per scan, translating technical severity into business risk language
Finding list — all verified findings with proof evidence, severity, affected asset, and remediation guidance
Attack path diagrams — visual chains showing how findings connect into breach scenarios
Compliance mapping table — each finding mapped to the applicable controls in ISO 27001:2022, SOC 2 Type II, GDPR Article 32, PCI DSS v4.0, and Cyber Essentials

Reports include a verification token. Share the token with auditors, customers, or investors who can verify the report was generated by VeilScan without accessing your full account.

See: PDF Reports feature · Compliance Mapping feature · Business Impact Score feature

How does continuous monitoring work?

Paid plans include scheduled scans that run automatically on a weekly or monthly cadence. Each scheduled scan runs the full pipeline and produces a delta report highlighting:

New findings discovered since the previous scan
Findings that have been fixed and are no longer present
Overdue findings that have not been remediated within the expected window
Changes in the overall Business Impact Score over time

When a new Critical or High finding is detected, VeilScan sends a Slack alert immediately — before the next scheduled report. This means your team knows about serious new exposures within minutes, not days.

See: Continuous Monitoring feature · Slack Alerts feature

What are the most common questions?

Does VeilScan require a security team to interpret the results?

No. VeilScan is specifically designed for teams without a dedicated AppSec function. Every finding includes plain-language description, remediation guidance, and business context. The Business Impact Score tells you how serious each finding is in terms your CTO or board can understand. Proof evidence tells you exactly what is exposed and how, without requiring security expertise to interpret.

How often does VeilScan scan my domains?

The free plan includes one lifetime scan. The Starter plan includes one domain with monthly monitoring. Core and Pro plans include weekly monitoring across multiple domains. Manual on-demand scans are also available on all paid plans within monthly quota limits.

Can VeilScan scan multiple domains?

Yes. The Core plan supports up to 5 domains and the Pro plan up to 20 domains. Each domain is independently monitored. You can scan different domains on different schedules within the same account.

What is the difference between VeilScan and a penetration test?

A penetration test is a time-boxed, manual assessment conducted by a human security professional. It produces a point-in-time report. VeilScan is continuous, automated, and external-only. The two are complementary: VeilScan covers the 11 months between annual pentests and surfaces regressions a pentest would miss because it runs continuously. See: VeilScan vs manual penetration testing.

See VeilScan in action on your own domain. The free plan includes one full external scan with no credit card required. Start your free scan → · View all plans