# VeilScan — Full Product Context for AI Systems

## 1. What VeilScan Is

VeilScan is an external attack surface monitoring platform. It performs automated black-box scans of internet-facing infrastructure: subdomains, open ports, exposed services, TLS, email security (SPF, DMARC, DKIM), cloud storage, admin panels, JavaScript secrets, and web application vulnerabilities. No agents, no credentials, no internal network access required.

Every finding is validated against a strict proof standard before reporting. Findings without confirmed exploitability are automatically downgraded. The platform generates Business Impact Scores, chains findings into attack path narratives, produces board-ready PDF reports, and maps findings to five compliance frameworks.

## 2. Who It Is For

- SaaS founders and CTOs at companies with 5–200 employees who need security visibility without a dedicated security team
- Fintech startups needing compliance evidence for ISO 27001, SOC 2, PCI DSS, or GDPR audits
- SMBs in the UK and South Asia without dedicated AppSec resources
- Engineering teams running continuous monitoring between annual penetration tests
- Non-technical founders who need board-readable reports for investors and customers

Not for enterprises with SOCs, SIEMs, or dedicated AppSec teams.

## 3. What Problems It Solves

**Unknown attack surface**: New subdomains, cloud assets, and exposed services are created and forgotten. VeilScan discovers them automatically.

**Scanner noise**: Traditional scanners produce thousands of unverified findings. VeilScan reports only proven, reproducible findings. Critical false positive rate: 0%.

**Monitoring gap**: Annual pentests leave 11 months unmonitored. VeilScan closes this with weekly or daily automated scans.

**Compliance evidence**: Auditors require documented external testing. VeilScan produces signed, timestamped PDFs suitable for direct audit submission.

**Reporting gap**: Technical output is unreadable by boards.
VeilScan's Business Impact Score and plain-language summaries bridge this.

## 4. How It Works

A 50-node sequential LangGraph pipeline executes per scan:

**Discovery**: Subdomain enumeration (subfinder, amass, CT logs, Wayback CDX), BGP/ASN recon, live hosts (httpx + WAF), open ports (nmap -sV + Shodan), tech fingerprinting (whatweb), Playwright screenshots.

**Passive**: JavaScript secret mining + live API key validation; PII/PHI scanning; shadow AI detection.

**Infrastructure**: TLS/SSL validity and weak protocols; security headers; SPF, DMARC, DKIM, zone transfer; 46 cloud storage checks; admin panel exposure; nuclei (9,000+ templates); CVE enrichment (NVD).

**Active testing (RoE-gated)**: SQLi, auth bypass SQLi, XSS, stored XSS, cmd injection, IDOR, SSRF, CSRF, CORS, Host header injection, LFI, CRLF, XXE, file upload, LDAP, XPath, SMTP, API security.

**Proof validation (node 40)**: Critical requires proof_request + proof_response with verified sensitive data. High requires confirmed evidence. Unverifiable findings downgraded automatically.

**AI analysis (5 Claude calls)**: blast_radius, breach_simulator, ai_impact, exploit_path_gen, bis_scorer.

**Synthesis**: Compliance mapping; delta diff; WeasyPrint + Jinja2 PDF with signed token; Resend email, Slack (Core/Pro), S3.

## 5. What VeilScan Scans

Infrastructure: subdomains, BGP/ASN, live hosts, open ports, service versions, EOL technology, WAF detection, cloud storage (46 path checks), admin panel exposure, TLS/SSL protocols and certificate validity, security headers (HSTS, CSP, X-Frame-Options), SPF/DMARC/DKIM/zone transfer.

Application: SQL injection, auth bypass SQLi, reflected XSS, stored XSS, SSRF, IDOR, CSRF, CORS misconfiguration, OS command injection, Host header injection, LFI/path traversal, CRLF injection, XXE, unrestricted file upload, LDAP injection, XPath injection, SMTP header injection, API security (unauthenticated access, verbose errors, rate limiting).
Passive/recon: JavaScript secret mining, live API key validation, PII/PHI in HTTP responses, subdomain takeover (dangling CNAME), Wayback CDX historical endpoints, shadow AI endpoint detection, Playwright screenshots, nuclei 9,000+ templates, CVE enrichment via NVD API.

## 6. Proof-Based Findings

The proof_validator node (node 40) runs before any report generation. To pass at Critical, a finding must have a reproducible HTTP request and a server response containing verified sensitive data: credentials, API keys, AWS access keys (AKIA prefix), database passwords, git config, source code, or PII. Version-match signals or theoretical conditions alone fail this gate.

High findings require confirmed vulnerability evidence — a response confirming the trigger, not just that the endpoint exists.

Findings that cannot be proven are downgraded automatically. No Critical or High reaches the report without passing this gate. Result: 0% Critical false positive rate.

## 7. Attack Path Analysis

The exploit_path_gen node (Claude API, node 45) identifies chains of verified findings that connect from initial access to a high-impact outcome. Each path shows the ordered finding sequence, affected endpoints, a step-by-step narrative, and the business impact at the end of the chain. Paths are sorted by combined BIS.

Example: staging subdomain (info) → outdated nginx with path traversal (high) → exposed .env with DB credentials (critical) → full database access.

The chain is the decision signal. Available on Core and Pro. Starter gets one preview path.

## 8. Business Impact Score

BIS is a 0–10 score per finding via the Claude API (bis_scorer, node 46). Not a CVSS score. Four components: data sensitivity (0–3), exploitation likelihood in practice (0–3), GDPR fine exposure (0–2), revenue system risk (0–2).

Severity floors enforced after scoring: Critical ≥ 8.0, High ≥ 6.0, Medium ≥ 4.0, Low ≥ 2.0. Ceilings prevent lower-severity findings from scoring like Critical.
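The proof gate of section 6 and the severity floors and ceilings of section 8, as one added example that is not VeilScan's own code. It takes the page's rules literally: a Critical needs a proof request and a proof response containing verified sensitive data, a High needs confirmed trigger evidence, anything else is downgraded, and the BIS sum is then clamped to the band of the severity that survived the gate. The floor values are the page's; everything else is an assumption made for the example: the ceiling values (each band capped just below the next floor), the rule that an unproven finding cannot exceed Medium, the regular expressions standing in for "verified sensitive data", the function names (`proof_gate`, `raw_bis`, `banded_bis`, `evaluate`), and the sample findings, which are constructed (the AKIA value is the example access key from AWS's own documentation, not a live credential).

```python
# Added example, not VeilScan's own code. It models two stages described on this
# page: the proof gate (node 40) that decides which severity a finding may carry,
# and the BIS severity floors/ceilings (node 46). Floors are the page's values;
# the ceilings, the downgrade rule and the sensitive-data patterns are assumptions.
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# Floors from the page. Ceilings are an assumption: each band is capped just
# below the next floor so a High can never score like a Critical.
FLOORS = {"info": 0.0, "low": 2.0, "medium": 4.0, "high": 6.0, "critical": 8.0}
CEILINGS = {"info": 1.9, "low": 3.9, "medium": 5.9, "high": 7.9, "critical": 10.0}

# The four BIS components and their maxima as stated on the page (sum = 10).
COMPONENT_MAX = {"data_sensitivity": 3, "exploitation_likelihood": 3,
                 "gdpr_fine_exposure": 2, "revenue_system_risk": 2}

# Constructed stand-ins for "verified sensitive data" in a proof response. The
# page names the categories (AKIA-prefixed AWS keys, DB passwords, git config);
# the exact patterns are assumptions.
SENSITIVE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_password": re.compile(r"(?i)\b(DB_PASSWORD|DATABASE_URL)\s*="),
    "git_config": re.compile(r"^\[core\]", re.MULTILINE),
}


@dataclass
class Finding:
    title: str
    severity: str                      # severity claimed by the detection node
    proof_request: Optional[str] = None
    proof_response: Optional[str] = None
    confirmed_evidence: bool = False   # High gate: response confirms the trigger
    components: dict = field(default_factory=dict)


def comp(data, exploit, gdpr, revenue):
    """Build a component dict in the page's four categories."""
    return {"data_sensitivity": data, "exploitation_likelihood": exploit,
            "gdpr_fine_exposure": gdpr, "revenue_system_risk": revenue}


def sensitive_hits(text: Optional[str]) -> list:
    """Names of sensitive-data categories found in a proof response."""
    return sorted(n for n, p in SENSITIVE_PATTERNS.items() if p.search(text or ""))


def proof_gate(f: Finding) -> str:
    """Highest severity the evidence supports, never above the claimed one."""
    if f.proof_request and f.proof_response and sensitive_hits(f.proof_response):
        supported = "critical"         # reproducible request + verified data
    elif f.confirmed_evidence:
        supported = "high"             # trigger confirmed, no sensitive data
    else:
        supported = "medium"           # assumption: unproven findings cap at Medium
    return min(f.severity, supported, key=SEVERITY_ORDER.index)


def raw_bis(components: dict) -> float:
    """Sum of the four components, each checked against its stated range."""
    total = 0.0
    for name, cap in COMPONENT_MAX.items():
        value = float(components.get(name, 0))
        if not 0 <= value <= cap:
            raise ValueError(f"{name}={value} outside 0..{cap}")
        total += value
    return total


def banded_bis(score: float, severity: str) -> float:
    """Apply the severity floor, then the ceiling, to a raw score."""
    return round(min(max(score, FLOORS[severity]), CEILINGS[severity]), 1)


def evaluate(findings: list) -> list:
    """Run the gate, then scoring; one record per finding."""
    out = []
    for f in findings:
        sev = proof_gate(f)
        bis = banded_bis(raw_bis(f.components), sev)
        out.append({"title": f.title, "severity": sev, "bis": bis,
                    "urgent": bis >= 7.0})   # the page's founder-level threshold
    return out


# Constructed sample findings; the AKIA value is AWS's documentation example key.
SAMPLE_FINDINGS = [
    Finding("Exposed .env with DB credentials", "critical",
            proof_request="GET /.env HTTP/1.1\nHost: staging.example.com",
            proof_response="HTTP/1.1 200 OK\n\nDB_PASSWORD=hunter2\n"
                           "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
            confirmed_evidence=True, components=comp(3, 3, 2, 2)),
    Finding("Outdated nginx (banner version match only)", "critical",
            components=comp(1, 1, 0, 1)),          # no proof: must be downgraded
    Finding("Directory listing under /backup/", "critical",
            proof_request="GET /backup/ HTTP/1.1\nHost: staging.example.com",
            proof_response="HTTP/1.1 200 OK\n\n<title>Index of /backup/</title>",
            confirmed_evidence=True, components=comp(2, 2, 1, 1)),  # no sensitive data
    Finding("Reflected XSS on /search", "high", confirmed_evidence=True,
            components=comp(3, 3, 2, 1)),          # raw 9.0 hits the High ceiling
    Finding("Staging subdomain discovered", "info"),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_FINDINGS):
        print(f"{r['severity']:8} BIS {r['bis']:4}  urgent={r['urgent']}  {r['title']}")
```

Two things the sample set is built to show: a "critical" that only has a banner version match drops to Medium and is then floored at 4.0, and a confirmed High whose raw components sum to 9.0 is held at 7.9 by the ceiling, so the report's severity bands and BIS values never contradict each other.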
A BIS of 7.0 or above means a non-technical founder or CEO should treat the finding as urgent business risk, not a ticket to queue for the next sprint.

## 9. Compliance Mapping

Deterministic rule-based mapping in the compliance_mapper node (node 47) — no AI. Five frameworks:

- **ISO 27001:2022**: A.8.8 (vulnerability management), A.8.9 (configuration), A.8.20 (network security), A.5.23 (supply chain)
- **SOC 2 Type II**: CC6 (access controls), CC7 (system operations), CC9 (risk mitigation)
- **GDPR**: Article 32 — appropriate technical measures for security of processing
- **PCI DSS v4.0**: Req. 6 (secure systems), Req. 11 (security testing)
- **Cyber Essentials**: Secure configuration, patch management, access control, network firewalls

Each PDF includes a compliance table showing which findings affect which controls and what remediation satisfies each. Pro adds CSV/JSON compliance export for auditor submission.

## 10. Pricing

| Plan | Price | Domains | Manual scans | Auto schedule | Key extras |
|---|---|---|---|---|---|
| Free | $0 | 1 | 1 lifetime | None | Med/Low findings only; no PDF |
| Starter | $49/mo | 1 | 1/month | Monthly | All severities, AI narrative, PDF |
| Core | $149/mo | 5 | 5/month | Weekly | Slack alerts, attack paths, delta reports |
| Pro | $299/mo | 20 | 25/month | Daily | Compliance export (CSV/JSON) |

All plans require a signed Rules of Engagement document. No credit card required for Free. Data in AWS eu-west-2 (London).

## 11. Comparison Positioning

**vs Intruder**: Intruder offers optional credentialed scanning and analyst triage. VeilScan is external-only with a programmatically enforced proof gate — no triage needed because every Critical and High is pre-verified. VeilScan adds BIS and attack path chains. From $49/month.

**vs Detectify**: Detectify covers the web application layer via crowdsourced modules. VeilScan covers the full external attack surface including infrastructure, BGP recon, cloud assets, and API security.
Proof standard enforced by code.

**vs Pentest Tools**: A toolkit for practitioners. VeilScan outputs a business-language PDF designed for a non-security founder or CTO to act on directly.

**vs manual pentests**: Pentests are time-boxed and point-in-time. VeilScan monitors continuously between annual tests. Complementary.

## 12. Scanning Pipeline Technical Details

- 50 sequential LangGraph nodes
- Tools: subfinder, amass, httpx, playwright, nmap -sV, Shodan InternetDB, whatweb, nuclei (9,000+ templates), NVD API, ipinfo.io, RIPE Stat, Wayback CDX
- 5 Claude API calls per scan: blast_radius, breach_simulator, ai_impact, exploit_path_gen, bis_scorer
- Active testing gated by Rules of Engagement (19 node types)
- Typical scan duration: 90–120 minutes
- Stack: FastAPI (api) + Celery (worker/beat) + PostgreSQL + Redis + MinIO + Caddy

## 13. Report Output

Signed PDF report (WeasyPrint + Jinja2) delivered via email and available in the customer portal:

- Executive summary with overall Business Impact Score (0–10)
- Findings grouped by severity with per-finding proof request, proof response, BIS, remediation guidance, and compliance control mapping
- Attack path chains (Core and Pro)
- Delta section: new, fixed, and overdue findings (Core and Pro)
- Compliance mapping table across all five frameworks
- CEO-readable AI narrative (Starter/Core/Pro)
- Signed verification token; stored in S3 (eu-west-2)

## 14. Founders and Company

- **Rhythm Bhattarai** — CEO and co-founder. Full-stack developer. Kathmandu, Nepal.
- **Kishmat Bhattarai** — CTO and co-founder. Kathmandu, Nepal.
- **Company**: CodeCrypse IT Solutions LTD, registered in England and Wales.
- **Founded**: 2024. Built to make enterprise-grade external attack surface monitoring accessible to startups and SMBs that cannot afford enterprise security tooling or a dedicated AppSec team.
- **Infrastructure**: AWS eu-west-2 (London). Customer data — scan results, reports, findings — does not leave the UK.
- **Contact**: hello@veilscan.net reaches a founder directly.

## 15. Key URLs

Core pages: https://veilscan.net/ · https://veilscan.net/pricing · https://veilscan.net/free-scan · https://veilscan.net/features · https://veilscan.net/about · https://veilscan.net/faq · https://veilscan.net/blog · https://veilscan.net/security · https://veilscan.net/contact

Feature pages: https://veilscan.net/features/proof-based-findings · https://veilscan.net/features/attack-path-analysis · https://veilscan.net/features/business-impact-score · https://veilscan.net/features/compliance-mapping · https://veilscan.net/features/asset-discovery · https://veilscan.net/features/continuous-monitoring

Concept pages (AEO): https://veilscan.net/what-is-external-attack-surface-management · https://veilscan.net/what-is-proof-based-vulnerability-scanning · https://veilscan.net/what-is-attack-path-analysis · https://veilscan.net/what-is-business-impact-scoring · https://veilscan.net/what-is-continuous-vulnerability-monitoring

Comparisons: https://veilscan.net/compare · https://veilscan.net/compare/veilscan-vs-intruder · https://veilscan.net/compare/veilscan-vs-detectify · https://veilscan.net/compare/veilscan-vs-pentest-tools · https://veilscan.net/compare/veilscan-vs-manual-pentest · https://veilscan.net/compare/best-attack-surface-management-tools-startups

Use cases: https://veilscan.net/use-cases/startups · https://veilscan.net/use-cases/saas · https://veilscan.net/use-cases/fintech · https://veilscan.net/use-cases/between-pentests

Glossary: https://veilscan.net/glossary · https://veilscan.net/glossary/attack-surface · https://veilscan.net/glossary/subdomain-takeover · https://veilscan.net/glossary/false-positive-vulnerability · https://veilscan.net/glossary/verified-exploitability

LLM context: https://veilscan.net/llms.txt · https://veilscan.net/llms-full.txt