How it works

A first answer in seconds. The full picture in minutes.

Two-speed scanning · Verified-ownership-only · No surprises

Vantyris runs in two speeds because security scanning has a fundamental tension: you want a quick answer, but the deep checks take time. We resolve it by giving you both, a passive teaser in seconds, then a verified standard scan that returns its first report fast and enriches afterward.

1. The teaser scan

Paste a domain on the home page. Vantyris reads what's publicly visible, TLS handshake, security headers, MX records, basic DNS, and returns a partial grade in seconds. No sign-up, no verification, no card.

The teaser is deliberately passive. It does not knock on doors, attempt logins, or send anything that the target system would notice as a probe. We never run an active module against an unverified domain.

2. Verify ownership

Before any verified scan runs, you prove the domain is yours. Pick one of three methods:

DNS TXT. Add _vantyris.<your-domain> with the token we give you. About five minutes if your registrar's UI is helpful.
File. Put a small text file at /.well-known/vantyris-verification.txt. Good if you don't have DNS access.
Meta tag. Add a <meta name="vantyris-verification" content="…"> tag to your homepage. Easiest if you control the site code.

The token is single-use, time-limited, and scoped to that target. Verification is the legal and operational core of the service, Vantyris will not run a verified scan without it.

3. The verified standard scan

One credit. The scan returns a first report quickly, passive modules complete first (TLS, headers, DNS / email posture), then heavier modules stream in: bounded port discovery, curated web-vuln checks, third-party enrichment (SSL Labs deep assessment, where applicable).

You see live progress in the report view. Each module has a status, queued, running, completed, degraded, deferred. If a third-party service is rate-limiting us, we mark that module deferred rather than pretending the scan is finished.

4. The report

Every finding gets the same shape: a plain-English "what this means for your business," a concrete "how to fix it" with an ownership hint and an approximate time, and the technical evidence one tap below. You can filter findings by severity or category, suppress a finding with a reason (suppressions expire), and download the report as a PDF.

The PDF and the web view are the same content, generated by the same pipeline as the sample report. Forward the PDF to your web host, your developer, your accountant, or your insurer.

5. Re-scan to verify the fix

Each verified scan is one credit. Re-scan whenever you've made a fix. The dashboard shows your score trend, so the act of fixing produces visible progress.

For continuous coverage, enrol a domain as a continuously-watched endpoint (€5 per endpoint per month). It's re-scanned on a schedule and we alert you on regressions, a new High finding, a score drop of 10+ points, an SSL certificate inside 14 days of expiry.

What we deliberately don't do

· We don't run exploit frameworks, brute force, credential stuffing, or fuzz testing.
· We don't make formal compliance claims ("PCI-compliant," "HIPAA-compliant," etc.).
· We don't run any active module against an unverified target.
· We don't share your data with advertisers or sell it.
· We don't autorenew. The Shield Plan is monthly and explicitly opt-in.

Read the full methodology.