Skip to main content
Vantyris

Website security scanner for small business — UK

Know what's broken on your website. Before they do.

Vantyris checks your business website the way an attacker would — TLS, DMARC, DNS, WordPress hardening, exposed files, third-party scripts, privacy posture — then writes a plain-English report with a one-page executive summary, a Fix Roadmap grouped by who fixes it, and exact copy-paste remediation snippets.

A first answer in seconds. A verified report from £10. No contracts. No quote calls. UK-based.

UK / EU

Data residency

OWASP

Methodology

UK-GDPR

Aligned

No subs

Pay as you scan

Demo targetbright-smile-dental.example

Findings

4/4

Scan time

71s

Modules

4/4

Sample output. Verified scan, fictional clinic, action required.

The reality

Small businesses don't have a security team. Attackers know it.

  1. 01

    You have no security person.

    You're a dentist, an accountant, an agency owner. You hired someone to build the website four years ago. You have no idea what's running on it now.

  2. 02

    Every other tool talks past you.

    CVE this, CVSS that. SAST, DAST, EASM. You don't care what it's called. You want to know if the door is open.

  3. 03

    Or it costs £1,750 a month.

    Or you do find a tool, and it wants a quote call, a twelve-month commitment, and your CFO's signature. For a one-off website check. No thanks.

The method

Paste a domain. Get an answer. Fix what matters.

  1. 01

    Teaser

    Paste a domain. A passive scan returns a partial grade in seconds. No signup, no card.

  2. 02

    Verify

    Add a DNS record, a file, or a meta tag. We only run a verified scan once you've proven ownership.

  3. 03

    Scan

    A first report arrives fast. Deeper checks stream in. You see what's happening, in real time.

  4. 04

    Triage

    Mark a finding fixed, accept it as known risk with a reason, assign it to your web host. Every change keeps an audit trail.

  5. 05

    Rescan & prove

    Re-run on a schedule or hand off a public trust page that shows your current grade to a customer or insurer.

What you get

A workspace, not just a PDF.

The report is the artefact, but the workspace is the operating system around it. Triage, monitor, share, and prove. Built so a business owner can run their own security baseline without hiring a security person.

The artefact

Forwardable to your developer or your accountant.

Every finding has a plain-English "what this means", a concrete "how to fix", and the raw technical evidence one tap below.

Finding 02 / 11 · ExposureHigh severity

WordPress REST API exposes public user slugs

/wp-json/wp/v2/users returns the public WordPress user slugs for any account that has authored content. These slugs are commonly fed into automated tools before credential-stuffing or password-spray attempts against /wp-login.php.

Business impact: easier brute-force and credential stuffing.


Exact fix — drop into your theme's functions.php

add_filter('rest_endpoints', function ($endpoints) {
  if (isset($endpoints['/wp/v2/users'])) {
    unset($endpoints['/wp/v2/users']);
  }
  return $endpoints;
});

Time-to-fix: ~30 min · Owner: web developer · Confidence: high

VT-2026 · v1.0.0 · Section 7 · Page 10

What we check

Nine questions about your website, in plain English.

The report scores your site across nine axes (TLS, web hygiene, DNS, email, exposure, technology, reputation, supply chain, privacy) and explains each one the way you'd brief your web host. The acronym in small grey type at the end is for the engineer if you have one.

The rates

Pay only for what you scan.

No contracts. No quote call. One credit = one verified scan. Credits valid 12 months.

See all six packs & Shield Plan →

No subscription required. Shield Plan is optional.

Who it's for

Built for owners. Loved by their developers.

Delivery

How you receive your report.

  • 01Credits load instantlythe moment payment confirms.
  • 02Your verified scan starts immediatelywhen credits are available.
  • 03A first report appears in the workspacewithin ~90 seconds; deeper modules stream in.
  • 04Email confirmation arrivesfrom noreply@vantyris.com with a link to the report.
  • 05Three PDF layouts download with one clickfull editorial, single-page executive, or a single-issue work order.
  • 06A time-limited share linkwith optional watermark and three content modes, lets a recipient view without an account.
  • 07A public trust pageat a slug you choose lets a customer or insurer check your current grade themselves.
  • 08A workspace API keylets your CI pipeline or SOC dashboard read targets and findings programmatically.

Common questions

The eight questions every owner asks before scanning.

What does Vantyris check on my website?
Nine axes of cyber hygiene: TLS / HTTPS, web hygiene headers, DNS and domain plumbing, email authentication (SPF / DKIM / DMARC / MTA-STS / BIMI), exposure (open ports, sensitive files, WordPress hardening, subdomain enumeration), technology fingerprint, reputation lists, supply chain (third-party scripts + SRI), and privacy posture (consent, trackers, EDPB reject-parity, Consent Mode v2). Each axis is scored independently with its own grade.
Is a Vantyris scan legal? Can I scan my own website?
Yes. You can scan domains you own or have written authorisation to scan. Every Vantyris scan requires verified ownership (a DNS TXT record, a file on the server, or an HTML meta tag) before any active probe runs. The verification gate is what keeps us compliant with the UK Computer Misuse Act 1990 and the equivalent laws elsewhere.
How much does it cost?
Starter pack is €10 (≈£8) for 5 verified scans. Credits last 12 months. No subscription, no quote call, no annual contract. The free passive teaser is unlimited and requires no signup — paste a domain to see a partial grade in seconds.
What does the report actually contain?
Cover, one-page Executive Summary aimed at non-technical readers, Top Urgent Actions, nine-axis score breakdown, Attack Surface map with per-row severity + exact fix snippet for any exposed files, Fix Roadmap (Today / This Week / Later / Acknowledged), detailed findings each with a business-impact one-liner and a copy-paste remediation block, plus a Methodology + audit-trail appendix. Available in four PDF layouts: full editorial, executive one-page, single-issue work order, compliance pack.
Why is HSTS not flagged as a High urgent item in your report?
HSTS controls how long browsers remember to stay on HTTPS for your site. A short HSTS max-age is a hardening gap, not an emergency on its own — provided HTTPS is working, there's no mixed content, and the certificate is valid. We treat a very short HSTS (under one day) as Medium severity, anything else as Low. It's scored under TLS rather than Web Hygiene so the grades agree with each other.
Will a Vantyris scan slow my website down?
No. The teaser is a single page-load. The verified scan reads what's already publicly visible about your domain (DNS records, response headers, CT-log entries) and probes a small set of common sensitive paths with a 4-second timeout and bounded concurrency. We don't fuzz, brute-force, or run exploit frameworks. Real-world sites do not see measurable performance impact.
How is Vantyris different from SSL Labs or Security Headers?
Those are excellent free single-purpose tools — they answer one question well. Vantyris answers nine in one report, plus adds an attack-surface map, a Fix Roadmap grouped by who does the work, a one-page executive summary, Cyber Essentials A1-A5 alignment, CISA KEV priority scoring, share links, a public trust page, a portfolio dashboard, continuous monitoring, and a workspace API. Free tools answer 'is my config right?'; Vantyris answers 'how do I run a security baseline as a business owner, and how do I prove it?'
What's the Acknowledged bucket?
A new category in the Fix Roadmap for findings that need confirmation rather than action. Example: your resolved IP is on a shared Cloudflare edge that Spamhaus has listed — the listing is real, but it's shared-tenancy noise from another tenant on that IP, not something you can or should fix. Acknowledged sits below Today / This Week / Later so it doesn't make the report feel like an emergency over informational items.

Get a first check in seconds.

Free passive teaser, no card. A verified scan from €10. No contracts.