Skip to main content
Vantyris

For digital agencies, web studios & freelancers

One workspace, every client site, worst-first.

Vantyris is the security scanner agencies use when one workspace has to cover ten or fifty client domains. Portfolio dashboard ranks targets by Critical/High count. One-click bulk re-scan. White-label PDFs and a public trust page on the client's name. Read-only API for your SOC dashboard. From £10 per scan, no £1,750/month line item to defend at finance.

The reality

What we hear from agency leads

01

You've inherited a dozen client sites over the years and can't say what's exposed on any of them.

02

A retainer client got a phishing email impersonating 'the web design agency' and asked what you're going to do about it.

03

You quote a security audit and the client wants something they can show their insurer, not a PDF that lives on your hard drive.

04

The enterprise scanner pricing made you laugh, then made you sad.

05

One of your old client WordPress sites turned up on a Spamhaus listing, and you spent two hours figuring out which of forty domains it was.

What a typical agencie scan surfaces

One finding, shown in plain English.

Every finding in your Vantyris report is shaped the same way: what it means for your business, how to fix it, who to ask, and the technical evidence one tap below.

high

WordPress REST API exposes user slugs on a legacy client site

A client site you handed off four years ago still runs WordPress with /wp-json/wp/v2/users returning the public user slugs for every author account. Combined with /wp-login.php being reachable and no visible CAPTCHA, this gives credential-stuffing botnets a clean target list. Vantyris flagged the finding on the portfolio dashboard the morning after the client's marketing director added a new author and triggered a baseline drift.

How to fix it

Drop the rest_endpoints filter (full PHP snippet in the report's Exact Fix section) into the client's theme's functions.php or a tiny must-use plugin. About 30 minutes including verification. Mark 'fixed' in Vantyris; the next monthly re-scan documents the closure as an audit-trail row your client retainer file can cite.

Why agencies buy Vantyris

One workspace, every client, worst-first

The portfolio dashboard ranks targets by Critical and High count, shows the workspace's average score, and a one-click bulk re-scan covers everything you have credits for. Export the lot as a CSV for the monthly review meeting. Each target's report includes a nine-axis category grid so you can see at a glance whether your portfolio's TLS posture is the weak link, or whether it's email security, supply-chain, or WordPress hardening.

A Fix Roadmap per client, grouped by owner

Every client report sorts its findings into Today / This Week / Later / Acknowledged buckets, then groups within-bucket by owner (web host, developer, DNS admin, email provider). Forward the relevant slice to each client's contractor; the contractor opens the work-order PDF and sees their one list. The compliance-PDF variant goes to the client's insurer or auditor as the dated artifact.

Executive Summary the client can actually read

Each report opens with a one-page executive summary aimed at non-technical readers: headline grade, top three biggest wins, projected score after fixes, plus a 'Business impact in plain English' table. Forward page two to the marketing director; forward page seven onward to the IT contractor. No translation needed.

White-label PDFs and trust pages

Pro and Agency tiers swap the Vantyris brand for yours on the report PDF and the public trust page. The client sees your logo and your colour, not ours. We stay out of your client relationship — your name on the artefact, your domain on the trust page.

An API that fits in two lines of curl

Create a read-only workspace API key, drop it into your monitoring dashboard or CI pipeline. GET /api/v1/targets, GET /api/v1/findings with severity and category filters. Bearer-token auth. No webhook plumbing — just polled GETs. Post to Slack when a new High lands; raise a Jira ticket from a CI pipeline; pipe the JSON into your SOC visualisation.

Continuous monitoring with one alert that means something

Enrol every retainer site in weekly re-scans. Vantyris emails you only when a new High lands, the score drops ten points, or a TLS cert is about to expire. You're not the inbox triage for daily noise; you only get pinged when a client needs your call. Acknowledged-bucket items don't trigger alerts.

Compounding tool, not a recurring tax

Buy 100 credits for £100. That's a hundred client scans, no annual seat-license argument, no renewal call. Top up when the bucket is low. Credits sit on the workspace, not on individual targets, so you can shift them around as the client mix changes.

We have no agencie testimonials to publish until real customers consent to being case-studied. Until then, we'd rather ship nothing than ship something fake.

Long read

12-minute read

The 30-minute monthly playbook for an agency's client portfolio security.

Plain-English playbook for agencies, written by the Vantyris editorial team. Specific, opinionated, not a generic checklist.

Read the full playbook →

FAQ for agencies

Common questions from agency owners

How do I get authorisation to scan a client's domain?

Each target requires the client to set up verification — DNS TXT, a file on the server, or an HTML meta tag. The client puts the token in place, which is the documented authorisation the UK Computer Misuse Act 1990 requires. Email us for a template authorisation letter if you want a paper trail in the retainer file before the client configures verification.

Can I white-label the PDF entirely?

Pro and Agency tiers swap the Vantyris brand for yours on shared reports and the trust page. Set your display name, logo URL (https), and accent colour at Settings → Branding. The Standard tier saves the settings but they don't apply until you upgrade — useful for trialling the design before committing.

Can I give clients a permanent URL to check posture themselves?

Yes. Enable a public trust page at /trust/<your-client-slug>. Pick which sections show (current grade, last-scan date, controls-in-place list, nine-axis grid). Hand the URL to the client; they can refresh whenever they want. View counter included for the curious.

Do credits roll over between clients?

Credits sit on the workspace, not on individual targets. You can run any pattern: 5 scans of one client this month, 20 of another next month. Credits are valid for 12 months from purchase.

Can my SOC dashboard pull findings programmatically?

Yes. Endpoints in v1: GET /api/v1/targets, GET /api/v1/findings with filters for severity / category / status / owner. Bearer-token auth on a workspace key. Two-line curl example on the API-keys settings page. Rate-limited at a sane default; raise if your dashboard needs more.

What about findings on client sites we don't host?

Vantyris is host-agnostic. We scan public-internet targets regardless of where they're hosted. The remediation fix is named in terms the client's host's support team will recognise — Cloudflare panel path, Nginx directive, Apache .htaccess block, GoDaddy DNS panel field, depending on what the finding requires.

How do I tell which client sites need attention this morning?

Open the portfolio dashboard. It defaults to worst-first ordering by Critical + High count, then by score-drop-since-last-scan. The Acknowledged column shows informational items separately so 'pending real action' is always honest. CSV export for the monthly review takes one click.

More questions? Full FAQ.

Ready when you are.