Sign In

Access your security dashboard

Username

Password

I agree to the Authorised Use Terms and Conditions

Required for both sign-in methods — password and Microsoft (Entra ID).

Authorised Use Terms:

I will only use this system to scan, test, or assess domains, systems, networks, applications, and environments that I own, control, or have been explicitly authorised to assess.
I have obtained explicit written permission and authorisation from the legal owner(s) of any systems, networks, or infrastructure I scan that I do not directly own or control.
I will not use this system to conduct any unauthorised scanning, penetration testing, vulnerability assessment, or security testing of any kind.
I understand and acknowledge that unauthorised access to computer systems, networks, or data may constitute a criminal offence under applicable laws including, but not limited to, the Criminal Code Act 1995 (Cth) and relevant state and territory legislation.
I accept full legal and financial liability for all actions I perform using this system, including any damages, losses, or legal consequences that may arise from my use or misuse of this technology.
I will not use this system for any unlawful, malicious, or unauthorised purposes, and I will comply with all applicable laws, regulations, and ethical guidelines.
I acknowledge that I am solely responsible for ensuring I have proper authorisation before conducting any security assessments, and that the system provider bears no responsibility for my unauthorised use.
I will use this technology responsibly, ethically, and in accordance with industry best practices and professional standards for security testing and assessment.

API Base:

Signed in as

—

Active

License Usage —

—

Status Legend

Ready

Data available

Pending

Awaiting data

Checking status

Status auto-refreshes every 10 seconds

Managed Domains

View status and generate security reports

Domains

Custom IP Ranges (optional)

IPs already found during domain discovery will be automatically skipped.

Generate as SOC 2 audit-ready deliverable

Binds the scan to a pre-defined Engagement so the report carries the SOC 2 wrapper. The engagement's Target is added to the scan if it isn’t already in your domain list — recon dedup’s any web server it independently discovers.

Allow active validation (Tier 1)

Light-touch active probes — HTTP probes against takeover-prone resources, TLS handshakes with custom SNI, detection-only template probes. Explicit click-through consent is recorded for the audit trail. Tier 2 (destructive paths) requires an engagement letter with allow_intrusive_exploitation=true.

Click domain to copy

Domain	Discovery	Scanner	Last Scan	Actions
No domains configured

Web Application Pentest

Run an authenticated pentest with a credential, or pick "No credentials" to simulate an external attacker with no access

Scan Name (optional)

Target URL

Must include http:// or https://. The scanner crawls one hop from this URL on the same origin.

Authentication Method

Bearer Token Value

Credential is held in memory for the scan only; it is never written to disk and is redacted from the report.

Enable cross-user authorisation probe (IDOR screening)

Tests whether a different user can read this user's data through the same URL — the classic IDOR vulnerability.

What goes in this field

A second user’s credential from the same application — the same kind of credential as the primary one above (a bearer token), but issued to a different account. The scan will use this credential to replay every id-bearing URL it discovered while crawling as User A, then flag any URL where User B got the same data back — a strong indicator that the application is missing a per-user authorisation check.

Do paste:

A credential issued to a different account than the primary one — ideally a low-privilege test user with its own data (its own profile, its own records).
The same auth method as the primary credential. If the primary is a bearer token, this must also be a bearer token; mixing schemes (e.g. bearer for A, cookie for B) is not supported in this version.
Just the credential value — no Bearer prefix, no Cookie: name= prefix. Same paste convention as the primary field above.

Do not paste:

The same credential as User A. The test would silently “pass” every URL because both probes would obviously return the same data.
An admin / superuser token. Admins are supposed to be able to read every user’s data, so every comparison would look like an IDOR and the report would be full of false positives.
A username and password. This field expects an already-issued credential (token / API key / session value) — the scanner does not log in for you.
A token from a different application. The credential must be valid for the same host as the Target URL above.

Second User’s Bearer Token

How to obtain a second credential

Open the application in two separate browser sessions — one normal window, one Incognito / Private window — and log in as two different test users. In each window, open DevTools → Network, trigger a fetch to your API, and copy the Authorization header value (or the relevant cookie / API-key header). Paste User A’s value into the primary credential field above; paste User B’s into this field.

Like the primary credential, this value is held in memory only for the duration of the scan, never written to disk, and redacted from the report.

Run the full deep-tier active probes (default)

Includes active SQL-injection, XSS, command-injection, SSRF (out-of-band confirmed), JWT inspection, OAuth flow checks, mass-assignment, file-upload polyglot, GraphQL, web-cache deception, subdomain takeover, and chained-exploit synthesis. Untick only when the customer hasn't authorised active probing or the target is too fragile.

Generate as SOC 2 audit-ready deliverable

Binds this scan to a pre-defined Engagement (see Engagements tab) so the report includes named lead/reviewer attestation, ROE reference, distribution list, TSC + OWASP Top 10 coverage matrices, and the retest/remediation diff.

Pre-flight verifies the URL exists and your token is accepted (not 401/403) before charging 1 license.

What's the difference? The Target URL is the address the scanner probes (e.g. https://api.example.com/v1/me). The Bearer Token is a string the scanner sends in the Authorization header to prove it's logged in as you.

Open the application in Chrome / Firefox / Edge and log in normally.
Open DevTools (F12 or right-click → Inspect) and go to the Network tab.
Trigger an action that fetches data (refresh the page, click a list item, etc.).
Click any request that goes to the API — usually XHR or Fetch.
The Target URL is the request URL shown at the top of the Headers panel.
Scroll to Request Headers → find authorization: Bearer eyJhbGciOi… — copy the part after the word Bearer.

Open the request you usually use to hit your API.
The Target URL is the URL bar at the top of the request.
Go to the Authorization tab. If type is "Bearer Token", copy the value from the Token field. If type is "Inherit auth from parent" or you set it as a header, look in the Headers tab for Authorization.
You only need the token value — strip the word Bearer if it's there.

Open your Swagger UI / API Explorer page.
Click the Authorize button (padlock icon) — paste your token there to log in.
Try any endpoint and click Execute. The cURL preview shows the full request.
The Target URL is the URL in the cURL preview after curl -X GET.
The Bearer Token is the value after -H "Authorization: Bearer …" in the same preview.

If a teammate sent you a working cURL command, you can copy values from it. Example:

curl https://api.example.com/v1/me \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc123…'

Target URL: https://api.example.com/v1/me
Bearer Token: eyJhbGciOiJIUzI1NiJ9.abc123… (everything after Bearer )

What happens during the scan?

We send one HEAD/GET request with your token attached. Anything other than a 401, 403, or 404 means the URL exists and your token was accepted — pre-flight passes.
If the token has expired or the URL is wrong, you'll see a specific error and no license is charged.
1 license is consumed only after pre-flight passes.
The scanner crawls one hop on the same origin and runs Nuclei vulnerability templates with your token attached.
Destructive-looking endpoints (logout, delete, revoke…) are discovered but never actively probed, so the scan won't sign you out or delete data.
Your token is held only in memory for the scan and is redacted from the report.

Recent web application pentests

Scan	Status	Findings	Started	Actions
No web application pentests yet

SOC 2 Engagements

Customers, testers, and engagement records for audit-ready penetration test reports

Ref	Customer	Target	Environment	Window	Status	Actions
No engagements yet — click "New Engagement" to create one

Engagements package the metadata a SOC 2 auditor expects to see on a pen-test report: the customer, the engagement window, the rules-of-engagement reference, the testers who signed off, the distribution list, and the Trust Service Criteria in scope. Once created, link an engagement to a domain or web-app scan from the corresponding tab — reports for that scan will then include the full SOC 2 procedural wrapper.

Name	Legal Name	Contact Email	Contact Phone	Actions
No customers yet — click "New Customer" to create one

Customers are reusable across engagements. Edit a customer once and every engagement using it inherits the updated details. Customers with active engagements cannot be deleted until the engagements are reassigned or removed.

Name	Credentials	Firm	Email	Status	Actions
No testers yet — click "New Tester" to create one

Testers are reusable across engagements. Credentials update here flow into the Attestation & Sign-off block on every report generated for engagements that list this tester. Testers linked to engagements cannot be deleted; mark them inactive instead.

Change Password

Update your account credentials

Current Password

New Password

Confirm New Password

Must be at least 10 characters with 3 of: lowercase, uppercase, digits, symbols

Strength: —

User Management

Create, edit, and manage user accounts and licenses

Username	Role	Auth	Licenses	Domains	Actions
Loading users...

False Positive Hosts

FQDNs excluded from all metrics, statistics, and reports

FQDN	Reason	Added	Actions
Loading...