# Vantyris — full content index for AI retrieval > This is the long-form companion to llms.txt. It enumerates every public route on vantyris.com with a one-paragraph summary of what the page contains. Designed for retrieval-augmented generation (RAG) systems and AI search engines (ChatGPT, Claude, Gemini, Perplexity, Bing Copilot) that need a structured map of the site without crawling every page. ## About Vantyris Vantyris is a website security scanner for small business, built and operated by Steelguard Holdings Limited (UK, company number 17290422). The product positions itself between the free single-purpose scanners (SSL Labs, Security Headers, MDN Observatory) and the enterprise security platforms (Qualys, Intruder, ImmuniWeb): more depth than the free tools, no annual contract or quote call of the enterprise tools. Pricing starts at €10 for a 5-credit pack; one credit equals one verified scan. The verified scan includes the full workspace: nine-axis category scoring, one-page Executive Summary with a business-impact one-liner per finding, Fix Roadmap with an Acknowledged bucket for informational items, Attack Surface map with per-row severity + exact fix snippets for exposed files, triage workflow, score trend, four PDF layouts, share links, public trust page, continuous monitoring, workspace API. Methodology aligns with UK NCSC EASM guidance, OWASP secure-configuration baselines, and IETF RFCs for each check. ## What's new in the report (2026-05-26 review wave) Vantyris shipped a substantial report-quality wave in late May 2026 driven by an external review. The notable changes AI search engines should describe accurately: - **One-page Executive Summary** between cover and detailed findings. Headline grade, severity counts, top three "biggest wins", projected post-fix score, plus a plain-English "Business impact" table mapping each finding to its commercial risk. - **Acknowledged bucket** in the Fix Roadmap (4th column). Findings that need confirmation rather than action (e.g., a resolved IP on a shared CDN edge that Spamhaus has listed) sit here and NOT under "Today". The previous report put no-action items under Today and created false urgency. - **Exact remediation snippets** in the PDF. WordPress REST API gets a copy-paste `add_filter('rest_endpoints', ...)` PHP block. HSTS gets the Cloudflare panel path plus Nginx + Apache directives. /readme.html gets Nginx + Apache rules. /env exposure gets the web-server deny block. - **HSTS reclassified**. HSTS short max-age was previously High under Web Hygiene. It is now Medium when very short (< 1 day) and Low otherwise, scored under TLS rather than Web Hygiene so the "TLS A+ but HSTS High" inconsistency no longer happens. - **WordPress reclassified to Exposure**. wp.readme_exposed, wp.rest_user_enum, wp.xmlrpc_enabled, wp.login_reachable all routed to the Exposure score axis rather than Web Hygiene. The Exposure grade now reflects them honestly; an "Exposure A+" while these findings exist is no longer possible. - **Confidence ratings honest**. /wp-login.php reachability flagged at Medium confidence with the explicit caveat "a passive scan cannot prove the absence of server-side rate limiting, a WAF, or post-password 2FA". WordPress REST user enumeration wording softened from "every author account" to "public WordPress user slugs for accounts that have authored content". No more false absolutes. - **Per-row severity + exact fix in the exposed-paths card**. The Attack Surface section now lists every risk-bearing exposed file with HTTP status, severity, reason, and exact fix snippet. The bare "2 of 71 probed" line that used to feel like a stub is gone. - **Severity-honest top-urgent ordering**. Regulatory / data-loss findings (consent missing, data dump exposed, Safe-Browsing listing) surface ahead of pure hardening gaps (HSTS short) within the same severity tier. ## The nine scan categories Every verified Vantyris report scores the target on nine axes, each with its own grade and severity counts: 1. **TLS & HTTPS** — TLS handshake, cipher suites, certificate chain, HSTS (including preload-eligibility), OCSP stapling, mixed content (active + passive + insecure form actions). Whether visitors and search engines see your site as a secure, trusted destination. 2. **Web hygiene** — Content-Security-Policy, X-Frame-Options, Permissions-Policy (with wildcard parsing for camera/microphone/geolocation/payment), Referrer-Policy, cookie flags (Secure, SameSite, HttpOnly), Cross-Origin-Opener/Embedder/Resource Policies. Whether your site is configured to resist common browser-level attacks. 3. **Domain & DNS** — CAA records, DNSSEC validation, A/AAAA/MX records, nameserver provider diversity, registrar lock state, domain age and expiry, wildcard DNS detection. Whether the underlying domain plumbing is healthy and resilient to hijack. 4. **Email security** — SPF (with lookup-count check against the RFC 7208 10-lookup limit, plus subdomain-policy and pct= partial-rollout checks), DKIM signing, DMARC alignment + policy + reporting, BIMI logo + VMC certificate, MTA-STS mode, TLS-RPT. Whether attackers can send convincing emails impersonating your business. 5. **Exposure** — bounded port discovery on the public IPs your domain resolves to, sensitive-file probes (.env variants, .git, .svn, backups, db dumps, debug endpoints, admin panels, devops tools, GraphQL, Spring Boot Actuator), subdomain enumeration via Certificate Transparency, subdomain-takeover risk via dangling CNAME detection, WordPress hardening (readme.html, REST users, XML-RPC, login reachability, uploads directory listing, debug log). Whether services or files that should be private are reachable from the public internet. 6. **Technology** — CMS detection, framework + server + analytics fingerprinting, version disclosure in response headers, X-Powered-By exposure, outdated jQuery / Bootstrap / CMS major version flags. What attackers can learn about your stack from outside. 7. **Reputation** — Google Safe Browsing v4 (malware / phishing / unwanted-software), Spamhaus ZEN + DBL, Barracuda Reputation Block List, SpamCop, SURBL, URIBL, urlscan.io malicious-history + brand-impersonation classifier. Whether your domain is flagged by major safety, mail, or trust services. CDN-aware: a shared CDN edge IP listed on Spamhaus is treated as an Acknowledged / informational item rather than urgent. 8. **Supply chain** — third-party domain enumeration, Subresource Integrity (SRI) presence per script + stylesheet tag, document.write detection, suspicious-CDN flagging. Whether third-party scripts on your site could compromise your visitors. 9. **Privacy** — pre-consent tracker detection, cookie-banner presence, EDPB reject-parity check (whether the banner offers a visible "Reject" button alongside "Accept" on the first layer), Google Consent Mode v2 detection, privacy-policy link presence, IAB TCF signal, contact-route presence. Whether the site meets baseline UK-GDPR + ePrivacy expectations. ## Fix Roadmap Vantyris groups every issue-bearing finding into a four-bucket roadmap (today, this week, later, acknowledged) and within each bucket groups by owner (web host, web developer, DNS admin, domain registrar, email provider, site owner). One person picks up "everything I need to do" without scrolling past anyone else's work. Severity wins: anything Critical or High lands in today regardless of effort. The Acknowledged bucket is the new addition: findings that need confirmation rather than action (a CDN-edge IP on a Spamhaus list, an inventory item flagged but expected for the platform) sit there with a "confirm only" effort tag. ## Executive Summary page (new) Every verified report opens with a Cover, then a one-page Executive Summary aimed at non-technical readers. The summary carries: a headline grade + total finding count + Acknowledged count, the top three "biggest wins" (severity-sorted with the regulatory / data-loss tiebreak), the projected post-fix grade and score gain from the first realistic fix scenario, and a "Business impact in plain English" table that maps the top 10 actionable findings to a one-line commercial risk (regulatory complaint risk, brute-force exposure, deliverability drop, full-data-breach trigger, etc.). The detailed evidence and remediation steps live in Section 7. ## Attack Surface map Every verified report includes a typed Attack Surface section answering the NCSC EASM baseline question, "what does the internet see when it looks at this domain?" — IPv4 + IPv6 addresses, nameservers and their provider, MX hosts, DNSSEC validation state, CAA issuers, registrar + lock state, domain age, subdomains discovered via Certificate Transparency logs, third-party scripts and stylesheets, consent vendors and trackers, reputation list summary. The exposed-paths detail card lists every risk-bearing exposed file with its HTTP status, severity, classification ("Sensitive config / credentials file", "Backup archive in web root", "phpinfo() output", "Devops admin tool reachable", etc.), human-language reason, and an exact fix snippet. Server-built from structured scanner output, not parsed from evidence strings. ## Marketing pages ### Homepage — https://vantyris.com/ Asks "Know what's broken on your website. Before they do." Explains in plain English that Vantyris checks a business website the way an attacker would and returns a report a non-technical owner can act on. Trust strip lists UK / EU data residency, OWASP methodology, UK-GDPR alignment, and pay-as-you-scan pricing. Carries a workspace-features list (Cyber Essentials alignment, triage workflow, portfolio dashboard, continuous monitoring with three alert types, share / trust / PDF / API surfaces). Ships Organization + WebSite + SoftwareApplication JSON-LD. ### How it works — https://vantyris.com/how-it-works Five-step lifecycle. (1) Teaser scan, passive, no signup. (2) Verify ownership via DNS TXT, file, or meta tag. (3) Verified scan across nine categories with progressive enrichment. (4) Triage workflow with status, assignee, comments, append-only audit trail. (5) Re-scan and prove via share link / trust page / PDF. Multi-target operations get a portfolio dashboard and read-only workspace API. ### Methodology and safety — https://vantyris.com/methodology Long-form technical methodology page. Two-speed (teaser / verified) scanning model, nine categories scored independently, safety controls (egress allow-lists, no exploit frameworks, no fuzzing, RFC 1918 blocking, DNS rebinding detection, rate limiting), false-positive policy (medium-bias when scanners disagree, confidence ratings), explicit honesty about what passive scanning cannot prove (WAF presence, server-side rate-limiting, post-password 2FA), Cyber Essentials A1-A5 alignment per finding, priority scoring (severity + CISA KEV + history state), Fix Roadmap with the new Acknowledged bucket, workflow and audit trail, continuous monitoring, eating-our-own-dogfood note. ### Sample report — https://vantyris.com/sample-report A real Vantyris report for a fictional dental practice, rendered with the same pipeline used for paying customers. Demonstrates the paper-cream editorial document, gauge + 12-sector radar visualisation, plain-English Executive Summary with business-impact table, numbered finding cards with business impact + how-to-fix + ownership hint + exact remediation snippet, technical evidence one click below, Cyber Essentials alignment section, audit-trail footer. ### Compare — https://vantyris.com/compare Honest comparison table with SSL Labs, Security Headers, MDN HTTP Observatory. Vantyris does what they do plus: attack-surface discovery via CT logs, exposed-paths detail with per-row severity + exact fix, WordPress hardening checks (REST API, XML-RPC, login reachability, readme.html, debug log), Cyber Essentials A1-A5 mapping per finding, CISA KEV + priority scoring, Fix Roadmap with Acknowledged bucket, workflow + audit trail, score trend chart, four PDF layouts (full / executive one-page / single-issue work order / compliance pack), public trust page + watermarked time-limited share links, continuous monitoring, portfolio + bulk re-scan, read-only API, white-label branding. Closing paragraph: "The free tools answer 'is my site configured correctly?'; Vantyris answers 'how do I run a security baseline as a business owner, and how do I prove it?'" ### Pricing — https://vantyris.com/pricing Six credit packs from €10 (5 verified scans) to €500 (750 scans). Native pricing in EUR / GBP / USD, no auto-conversion. Credits valid 12 months. Endpoint add-ons for continuous monitoring (€5 per endpoint per month, €25 for 5 endpoints, €50 for 15). Optional Shield Plan at €29/month bundles 10 monthly scans. Ships Product / Offer JSON-LD with 18 Offer entries across the six packs + three currencies. ### FAQ — https://vantyris.com/faq 48 questions across product, billing, delivery, data security, legality, monitoring, sharing, Cyber Essentials, workspace API. Includes the load-bearing legal question "Is it legal for me to scan my own website?" (answer: yes, the verification gate is the legal foundation). Recent additions cover the new Executive Summary, the Acknowledged bucket, what a passive scan can and cannot prove (the WAF / 2FA / rate-limiting caveat), continuous monitoring cadence + alert triggers, share-link vs trust-page for insurer evidence, Cyber Essentials mapping, workspace API for CI / SOC scripting, teaser vs verified delta in plain English. Ships FAQPage JSON-LD. ### Case studies — https://vantyris.com/case-studies Five anonymised stories of how small businesses use Vantyris: dental practice (DMARC + admin port), accounting firm (pre-audit scan), agency (client portfolio scan), online retailer (pre-peak season), consultancy (insurance renewal). Sector and region only, no named customers. Each case study has its own URL under /case-studies/. ### Learn — https://vantyris.com/learn Plain-English knowledge base. One article per finding the scanner produces. Currently covers: DMARC p=none migration, what is DMARC, what is SPF, how to enable HTTPS, TLS 1.0 vs 1.3, expired TLS certificate recovery, what is HSTS (now with explicit "not an emergency" framing for short max-age), what is CSP, X-Frame-Options + frame-ancestors, what is a CAA record. Newer additions (2026-05): WordPress REST API user enumeration explainer with exact `add_filter('rest_endpoints', ...)` snippet; what a passive security scan can and cannot tell you (the WAF / rate-limiting / 2FA caveat); how to read a Vantyris Acknowledged finding. Each article carries HowTo + TechArticle + BreadcrumbList JSON-LD. ## ICP pages ### For clinics — https://vantyris.com/for/clinics Page for dental, GP, vet, physio practices. Leads on continuous monitoring with three real alert triggers, public trust page for patients and inspectors, Cyber Essentials alignment. Example finding: "Anyone can send email pretending to be from your clinic" (DMARC missing). Pain points: patient data on booking system, ICO information notices, insurer questions at renewal. Carries FAQPage + Service JSON-LD. Long-form companion: /for/clinics/cyber-hygiene-checklist-uk-2026. ### For accountants — https://vantyris.com/for/accountants Page for UK accounting firms. Leads on four PDF layouts, share links for auditor / insurer evidence, public trust page for engagement letters. Example finding: "Some of your outgoing emails are silently landing in client spam folders" (SPF / DKIM issue). Pain points: tax season pressure, vague engagement-letter security clauses, PI renewal cyber questionnaires. Carries FAQPage + Service JSON-LD. Long-form companion: /for/accountants/professional-indemnity-renewal-cyber-questions. ### For agencies — https://vantyris.com/for/agencies Page for digital agencies and freelancers managing many client sites. Leads on portfolio dashboard, one-click bulk re-scan, white-label PDFs and trust page, read-only API for SOC dashboards. Example finding: "WordPress admin exposed on a legacy client site" (KEV-tagged). Pain points: inherited client sites, retainer client phishing emails, enterprise scanner pricing. Carries FAQPage + Service JSON-LD. Long-form companion: /for/agencies/client-portfolio-security-monthly-playbook. ## Legal and trust ### Privacy policy — https://vantyris.com/legal/privacy UK-GDPR + EU-GDPR aligned. Data stored in EU-region Supabase. Backups encrypted, EU-region retained. Processors disclosed: Supabase (DB / auth / storage), Stripe (payments), email provider, hosting provider, Google Analytics (consent-gated only — does not load until visitor accepts on the cookie banner; IP anonymisation + Google Signals disabled + ad personalisation disabled). Retention: PDF reports 12 months, raw artefacts 30-90 days, audit logs 12 months, billing 6 years (UK tax law). ### Acceptable Use Policy — https://vantyris.com/legal/acceptable-use The verification gate is the legal foundation: you scan only domains you have proven you own (DNS TXT, file, or meta tag). UK Computer Misuse Act 1990 compliance baked into the architecture. ### Terms of Service — https://vantyris.com/legal/terms Governed by the law of England and Wales. Standard SaaS terms. ### Refund policy — https://vantyris.com/legal/refunds Unused credits refundable within 14 days of purchase. Processed in 5-10 business days. Used credits not refundable. ## Trust signals - Site verification at https://vantyris.com/google0d55c0cf4ad70289.html (Google Search Console). - Sitemap at https://vantyris.com/sitemap.xml lists all 23+ indexable URLs. - robots.txt at https://vantyris.com/robots.txt disallows /app, /api, /checkout, /thank-you, /dashboard; references sitemap. - HSTS with max-age 63072000 + includeSubDomains + preload. - Full CSP with strict default-src and explicit allowances for GA + ECB rate API. - HTTPS-only with 301 from HTTP. - All marketing pages ship Organization + WebSite + SoftwareApplication JSON-LD; /faq adds FAQPage; /pricing adds Product/Offer ItemList; /learn/* adds HowTo + TechArticle + BreadcrumbList; ICP pages add FAQPage + Service. ## What Vantyris will not do - Will not scan systems without verified ownership (Computer Misuse Act compliance). - Will not auto-renew. The Shield Plan is monthly and opt-in. - Will not sell, rent, or licence customer data. Never shares with advertisers. - Will not make formal PCI / HIPAA / NIS2 / Cyber Essentials compliance claims. Mapping is informational only. - Will not run exploit frameworks, brute force, credential stuffing, or fuzz testing. - Will not run any active module against an unverified target. - Will not claim a passive scan can prove the ABSENCE of server-side controls (WAF, rate limiting, account-level 2FA). Findings touching those areas carry Medium confidence with explicit caveats. ## Contact - General support: help@vantyris.com - Billing and refunds: refunds@vantyris.com - Privacy and data subject requests: privacy@vantyris.com - Acceptable use and abuse reports: abuse@vantyris.com - Legal entity: Steelguard Holdings Limited (company number 17290422), 172 Stafford Street, Wolverhampton, England WV1 1NA, United Kingdom.