Skip to main content
Vantyris

How it works

A first answer in seconds. The full picture in minutes.

Two-speed scanning · Verified-ownership-only · No surprises

Vantyris runs in two speeds because security scanning has a real tradeoff: you want a quick answer, but the deep checks take time. We resolve it by giving you both, a passive teaser in seconds, then a verified standard scan that returns its first report fast and enriches afterward.

1. The teaser scan

Paste a domain on the home page. Vantyris reads what's publicly visible, TLS handshake, security headers, MX records, basic DNS, and returns a partial grade in seconds. No sign-up, no verification, no card.

The teaser is deliberately passive. It does not knock on doors, attempt logins, or send anything that the target system would notice as a probe. We never run an active module against an unverified domain.

2. Verify ownership

Before any verified scan runs, you prove the domain is yours. Pick one of three methods:

The token is single-use, time-limited, and scoped to that target. Verification is the legal and operational core of the service, Vantyris will not run a verified scan without it.

3. The verified scan

One credit. The scan scores your site on nine axes:

The first answer appears in your workspace in under a minute. Each finding has a plain-English explanation, a concrete fix, a typed owner (web host, developer, DNS admin, domain registrar, email provider, or site owner), and a typed effort estimate (5-10 minutes / about 30 minutes / 1-2 hours / developer day / on next renewal).

You see live progress in the report view. If a third-party service is rate-limiting us, we mark that module as deferred rather than pretending the scan finished. Some advanced surfaces (Nuclei CVE matching, ZAP baseline) require the worker pipeline and are marked as such on each report; the core nine-axis coverage runs in-process and is always live.

4. The report

Every finding gets the same shape: a plain-English "what this means for your business," a concrete "how to fix it" with an ownership hint and an approximate time, and the technical evidence one tap below. The report also includes a Cyber Essentials alignment section that maps each finding to the five NCSC control areas, a small references list per finding linking to the IETF RFC or NCSC guidance behind the check, and an audit-trail footer with the scan ID and methodology version.

You can filter findings by workflow status (open, fixed, accepted, ignored, assigned), switch the sort from severity to priority (a composite score blending severity, CISA KEV listing, and history state against the previous scan), or group by category (TLS, web, DNS, email, exposure, technology, reputation, supply chain, privacy) to triage by area of your stack. CSV export is one click.

Above the findings list, the report shows a Fix Roadmap: every issue-bearing finding sorted into three buckets — today, this week, later — and within each bucket grouped by owner. The DNS admin gets one list, the developer gets another, and you get the "today, fix in your hosting panel" list. Severity always wins: anything Critical or High lands in today regardless of effort.

And above the Fix Roadmap, the Attack Surface map answers the NCSC EASM baseline question, "what does the internet see when it looks at this domain?" — IPv4 and IPv6 addresses, nameservers and provider, MX hosts, DNSSEC state, CAA issuers, registrar and lock state, domain age, subdomains discovered via Certificate Transparency.

The same data produces four PDF layouts: a full editorial document for the file, a single-page executive summary for the board pack, a single-issue work order to forward directly to whoever does the fix, and a compliance-style report sized for an auditor or insurer. All four generated server-side from the same scan; the PDF is the same content as the web view, rendered by the same pipeline as the sample report.

5. Triage and track

Each finding has a workflow status. Mark it fixed once you've closed it. Accept it as a known risk with a written reason (the suppression auto-expires after 90 days so it isn't silently forgotten). Assign it to a contact email with a due date. Post a comment to record what your IT contractor said.

Every transition writes to an append-only history table so an auditor can see who decided what, when, and why. It's the kind of evidence that turns a security tool into the operating system around your security work.

6. Re-scan and watch the trend

Each verified scan is one credit. Re-scan whenever you've made a fix. The target page shows your score trend as a chart: one line, one dot per scan, an outer ring on dots where a critical or high finding landed. You see whether the act of fixing produced visible progress.

For continuous coverage, enrol a verified target in monitoring at a daily, weekly, biweekly, or monthly cadence. Vantyris re-runs the scan on schedule and emails you only on the three specific things that move the needle: a new high or critical finding, a security-score drop of ten points or more, or a TLS certificate inside fourteen days of expiry. No daily noise.

7. Prove it to someone else

Three ways to put the scan in front of a third party without giving them a Vantyris account. A time-limited share link with optional watermark, in full, executive, or evidence-redacted mode, viewable for 1 to 90 days, revocable any time. A public trust page at a slug you choose with a controls-in-place matrix the recipient can refresh themselves. Or the PDF, always.

For multi-target workspaces (agencies, multi-brand businesses, a few clinics under one operator), a portfolio dashboard ranks every target worst-first, shows the workspace's average score, and a one-click bulk re-scan covers every verified target your credit balance can pay for. Workspace API keys with read-only or read-write scope let your CI pipeline or SOC dashboard read the same data programmatically.

What we deliberately don't do

  • · We don't run exploit frameworks, brute force, credential stuffing, or fuzz testing.
  • · We don't make formal compliance claims ("PCI-compliant," "HIPAA-compliant," etc.).
  • · We don't run any active module against an unverified target.
  • · We don't share your data with advertisers or sell it.
  • · We don't autorenew. The Shield Plan is monthly and explicitly opt-in.

Read the full methodology.