For digital agencies, web studios & freelancers
One workspace, every client site, worst-first.
Vantyris is the security scanner agencies use when one workspace has to cover ten or fifty client domains. Portfolio dashboard ranks targets by Critical/High count. One-click bulk re-scan. White-label PDFs and a public trust page on the client's name. Read-only API for your SOC dashboard. From £10 per scan, no £1,750/month line item to defend at finance.
The reality
What we hear from agency leads
You've inherited a dozen client sites over the years and can't say what's exposed on any of them.
A retainer client got a phishing email impersonating 'the web design agency' and asked what you're going to do about it.
You quote a security audit and the client wants something they can show their insurer, not a PDF that lives on your hard drive.
The enterprise scanner pricing made you laugh, then made you sad.
One of your old client WordPress sites turned up on a Spamhaus listing, and you spent two hours figuring out which of forty domains it was.
What a typical agencie scan surfaces
One finding, shown in plain English.
Every finding in your Vantyris report is shaped the same way: what it means for your business, how to fix it, who to ask, and the technical evidence one tap below.
WordPress REST API exposes user slugs on a legacy client site
A client site you handed off four years ago still runs WordPress with /wp-json/wp/v2/users returning the public user slugs for every author account. Combined with /wp-login.php being reachable and no visible CAPTCHA, this gives credential-stuffing botnets a clean target list. Vantyris flagged the finding on the portfolio dashboard the morning after the client's marketing director added a new author and triggered a baseline drift.
How to fix it
Drop the rest_endpoints filter (full PHP snippet in the report's Exact Fix section) into the client's theme's functions.php or a tiny must-use plugin. About 30 minutes including verification. Mark 'fixed' in Vantyris; the next monthly re-scan documents the closure as an audit-trail row your client retainer file can cite.
Why agencies buy Vantyris
One workspace, every client, worst-first
A Fix Roadmap per client, grouped by owner
Executive Summary the client can actually read
White-label PDFs and trust pages
An API that fits in two lines of curl
Continuous monitoring with one alert that means something
Compounding tool, not a recurring tax
We have no agencie testimonials to publish until real customers consent to being case-studied. Until then, we'd rather ship nothing than ship something fake.
Long read
12-minute read
The 30-minute monthly playbook for an agency's client portfolio security.
Plain-English playbook for agencies, written by the Vantyris editorial team. Specific, opinionated, not a generic checklist.
Read the full playbook →FAQ for agencies
Common questions from agency owners
How do I get authorisation to scan a client's domain?
Each target requires the client to set up verification — DNS TXT, a file on the server, or an HTML meta tag. The client puts the token in place, which is the documented authorisation the UK Computer Misuse Act 1990 requires. Email us for a template authorisation letter if you want a paper trail in the retainer file before the client configures verification.
Can I white-label the PDF entirely?
Pro and Agency tiers swap the Vantyris brand for yours on shared reports and the trust page. Set your display name, logo URL (https), and accent colour at Settings → Branding. The Standard tier saves the settings but they don't apply until you upgrade — useful for trialling the design before committing.
Can I give clients a permanent URL to check posture themselves?
Yes. Enable a public trust page at /trust/<your-client-slug>. Pick which sections show (current grade, last-scan date, controls-in-place list, nine-axis grid). Hand the URL to the client; they can refresh whenever they want. View counter included for the curious.
Do credits roll over between clients?
Credits sit on the workspace, not on individual targets. You can run any pattern: 5 scans of one client this month, 20 of another next month. Credits are valid for 12 months from purchase.
Can my SOC dashboard pull findings programmatically?
Yes. Endpoints in v1: GET /api/v1/targets, GET /api/v1/findings with filters for severity / category / status / owner. Bearer-token auth on a workspace key. Two-line curl example on the API-keys settings page. Rate-limited at a sane default; raise if your dashboard needs more.
What about findings on client sites we don't host?
Vantyris is host-agnostic. We scan public-internet targets regardless of where they're hosted. The remediation fix is named in terms the client's host's support team will recognise — Cloudflare panel path, Nginx directive, Apache .htaccess block, GoDaddy DNS panel field, depending on what the finding requires.
How do I tell which client sites need attention this morning?
Open the portfolio dashboard. It defaults to worst-first ordering by Critical + High count, then by score-drop-since-last-scan. The Acknowledged column shows informational items separately so 'pending real action' is always honest. CSV export for the monthly review takes one click.
More questions? Full FAQ.