- What does Vantyris check on my website?
- Nine axes of cyber hygiene: TLS / HTTPS, web hygiene headers, DNS and domain plumbing, email authentication (SPF / DKIM / DMARC / MTA-STS / BIMI), exposure (open ports, sensitive files, WordPress hardening, subdomain enumeration), technology fingerprint, reputation lists, supply chain (third-party scripts + SRI), and privacy posture (consent, trackers, EDPB reject-parity, Consent Mode v2). Each axis is scored independently with its own grade.
- Is a Vantyris scan legal? Can I scan my own website?
- Yes. You can scan domains you own or have written authorisation to scan. Every Vantyris scan requires verified ownership (a DNS TXT record, a file on the server, or an HTML meta tag) before any active probe runs. The verification gate is what keeps us compliant with the UK Computer Misuse Act 1990 and the equivalent laws elsewhere.
- How much does it cost?
- Starter pack is €10 (≈£8) for 5 verified scans. Credits last 12 months. No subscription, no quote call, no annual contract. The free passive teaser is unlimited and requires no signup — paste a domain to see a partial grade in seconds.
- What does the report actually contain?
- Cover, one-page Executive Summary aimed at non-technical readers, Top Urgent Actions, nine-axis score breakdown, Attack Surface map with per-row severity + exact fix snippet for any exposed files, Fix Roadmap (Today / This Week / Later / Acknowledged), detailed findings each with a business-impact one-liner and a copy-paste remediation block, plus a Methodology + audit-trail appendix. Available in four PDF layouts: full editorial, executive one-page, single-issue work order, compliance pack.
- Why is HSTS not flagged as a High urgent item in your report?
- HSTS controls how long browsers remember to stay on HTTPS for your site. A short HSTS max-age is a hardening gap, not an emergency on its own — provided HTTPS is working, there's no mixed content, and the certificate is valid. We treat a very short HSTS (under one day) as Medium severity, anything else as Low. It's scored under TLS rather than Web Hygiene so the grades agree with each other.
- Will a Vantyris scan slow my website down?
- No. The teaser is a single page-load. The verified scan reads what's already publicly visible about your domain (DNS records, response headers, CT-log entries) and probes a small set of common sensitive paths with a 4-second timeout and bounded concurrency. We don't fuzz, brute-force, or run exploit frameworks. Real-world sites do not see measurable performance impact.
- How is Vantyris different from SSL Labs or Security Headers?
- Those are excellent free single-purpose tools — they answer one question well. Vantyris answers nine in one report, plus adds an attack-surface map, a Fix Roadmap grouped by who does the work, a one-page executive summary, Cyber Essentials A1-A5 alignment, CISA KEV priority scoring, share links, a public trust page, a portfolio dashboard, continuous monitoring, and a workspace API. Free tools answer 'is my config right?'; Vantyris answers 'how do I run a security baseline as a business owner, and how do I prove it?'
- What's the Acknowledged bucket?
- A new category in the Fix Roadmap for findings that need confirmation rather than action. Example: your resolved IP is on a shared Cloudflare edge that Spamhaus has listed — the listing is real, but it's shared-tenancy noise from another tenant on that IP, not something you can or should fix. Acknowledged sits below Today / This Week / Later so it doesn't make the report feel like an emergency over informational items.