# Vantyris > Vantyris is a website security scanner for small business. It checks the publicly-visible attack surface of a domain (TLS, DNS, DMARC, WordPress, exposed files, third-party scripts, privacy posture) and returns a plain-English report with concrete fixes, exact remediation snippets, and a Fix Roadmap grouped by who needs to do the work. From £10 per verified scan. No contracts. No quote calls. Built and operated by Steelguard Holdings Limited, UK-registered (company number 17290422). UK / EU data residency. UK-GDPR aligned. NCSC EASM-aligned methodology. Not a penetration test. Not a compliance certification. A hygiene scan written for the dentist, the accountant, and the agency lead, not for security engineers. ## What Vantyris is Vantyris answers two questions a small-business owner cannot answer on their own without hiring a security person: 1. "What does the open internet see about my business, and is any of it a problem?" 2. "If something is a problem, what exactly do I do about it, and who does it?" The product is a verified-ownership-gated scanner plus a workspace around it. The scanner returns a 0-100 score, a per-category breakdown across nine axes, a one-page executive summary with a business-impact one-liner per finding, a Fix Roadmap that buckets every action into Today / This Week / Later / Acknowledged (the last for items that need confirmation rather than action), and four PDF layouts. Every finding ships with a plain-English business impact, an exact code snippet for the fix, and a confidence rating (high / medium / low) with explicit caveats about what a passive scan can and cannot prove. ## What Vantyris does - [How it works](https://vantyris.com/how-it-works): a passive teaser in seconds with no signup; a verified scan once you prove ownership via DNS-TXT, file, or HTML meta tag; a first report in under 90 seconds with progressive enrichment; a Fix Roadmap that groups findings into Today / This Week / Later / Acknowledged and within each bucket by owner; a one-page Executive Summary aimed at non-technical readers; an Attack Surface map (IPs, NS, MX, DNSSEC, registrar, age, CT-log subdomains, exposed paths with severity + exact fix snippet); workflow with append-only audit trail; share links and public trust pages for third-party verification; portfolio dashboard and read-only API for multi-target operations; continuous monitoring with alerts on only three signals (new high/critical, score drop ≥10, TLS cert expiring ≤14 days). - [Sample report](https://vantyris.com/sample-report): a real Vantyris report rendered for a fictional dental clinic by the production pipeline. No sign-up required. - [Methodology and safety](https://vantyris.com/methodology): nine scan categories (TLS & HTTPS, web hygiene, domain & DNS, email security, exposure, technology, reputation, supply chain, privacy). Each category scored independently with its own grade + severity counts. Verification-only intrusive scanning, plain-English false-positive policy, NCSC EASM and Cyber Essentials A1-A5 alignment, CISA KEV-informed priority scoring, typed owner + effort fields per finding, append-only workflow audit trail, explicit honesty about what a passive scan cannot prove (server-side rate limiting, WAF behaviour, post-password 2FA enforcement). - [Compare](https://vantyris.com/compare): an honest comparison against the free single-purpose checkers (SSL Labs, Security Headers, MDN HTTP Observatory). Vantyris extends them with: nine-axis coverage, Attack Surface map, Fix Roadmap, Acknowledged bucket for informational items, reputation lists (Google Safe Browsing + Spamhaus + SURBL + URIBL), supply chain (third-party scripts + SRI), privacy (pre-consent trackers + cookie banner reject-parity + IAB TCF + Google Consent Mode v2), WordPress hardening (REST API, XML-RPC, login reachability, readme.html, debug log), Cyber Essentials A1-A5 mapping, CISA KEV + priority scoring, workflow + audit trail, score trend, four PDF layouts, share links + trust page, portfolio + bulk re-scan, read-only API, white-label branding. - [Knowledge base / Learn](https://vantyris.com/learn): plain-English explainers for each finding the scanner produces. DMARC, SPF, HSTS, CSP, CAA, TLS protocol versions, certificate management, X-Frame-Options, WordPress REST API user enumeration, passive-vs-active scanning limits. Written for business owners, not security engineers. ## What's new in the report (2026-05-26 review wave) - **One-page Executive Summary** between cover and detailed findings. Headline grade + counts, top three "biggest wins", projected post-fix score, plus a plain-English "Business impact in plain English" table that maps each finding to its commercial risk (regulatory complaint risk, brute-force exposure, deliverability drop, etc.). - **Acknowledged bucket** in the Fix Roadmap. Findings that need confirmation rather than action (e.g., a resolved IP that lands on a shared CDN edge that Spamhaus has listed, where the customer cannot act and probably doesn't need to) sit in their own band, NOT under "Today". Stops the report from feeling like an emergency over informational items. - **Exact remediation snippets** in the report PDF. WordPress REST users gets a copy-paste `add_filter('rest_endpoints', ...)` block. HSTS gets the Cloudflare panel path plus Nginx + Apache directives. /readme.html gets the Nginx + Apache rules. /env exposure gets the deny block. - **Severity-honest ordering**. HSTS short max-age was misclassified as urgent High in the old report; it is now Medium (when very short) or Low (otherwise), and explicitly scored under TLS rather than Web Hygiene to remove the "TLS A+ but HSTS High" inconsistency. The Top Urgent ordering now puts regulatory / data-loss findings ahead of pure hardening gaps within the same severity tier. - **Confidence ratings**. /wp-login.php reachability is flagged at Medium confidence with the explicit caveat "a passive scan cannot prove the absence of server-side rate limiting, a WAF, or post-password 2FA". WordPress REST user enumeration wording softened from "every author account" to "public WordPress user slugs for accounts that have authored content". No more false absolutes. - **Per-row severity + exact fix in the exposed-paths detail**. The Attack Surface card now lists every risk-bearing exposed file with its HTTP status, severity, reason, and exact fix snippet. The bare "2 of 71 probed" line that used to feel like a stub is gone. ## Pricing - [Pricing page](https://vantyris.com/pricing): credit packs from €10 (5 scans) to €500 (750 scans), each in EUR + GBP + USD with no auto-conversion. One credit equals one verified scan with the full workspace: workflow, score trend, four PDF layouts (full editorial, executive one-page, single-issue work order, compliance pack), share links, public trust page, continuous monitoring, workspace API, CSV export. Credits valid 12 months. Endpoint add-ons for continuous monitoring (€5/endpoint/month, €25 for 5, €50 for 15). Optional Shield Plan at €29/month bundles 10 monthly scans and is never required. - [Refund policy](https://vantyris.com/legal/refunds): unused credits refundable within 14 days; processed in 5 to 10 business days. ## Who Vantyris is for - [Clinics and private practices](https://vantyris.com/for/clinics): dental, GP, vet, physio practices with patient data on a booking system. Continuous monitoring with alerts only on three signals. Trust page for patients and inspectors. Cyber Essentials alignment. ICO-context for every privacy finding. - [Accountants and bookkeepers](https://vantyris.com/for/accountants): firms that want a documented hygiene check for engagement letters or professional indemnity renewals. Four PDF layouts. Share links and a public trust page so an insurer can verify without an account. - [Agencies and freelancers](https://vantyris.com/for/agencies): one workspace covering many client domains. Worst-first portfolio dashboard. One-click bulk re-scan. White-label PDFs and trust page. Read-only API for SOC dashboards and CI pipelines. ## Featured long-form - [Clinic cyber-hygiene checklist UK 2026](https://vantyris.com/for/clinics/cyber-hygiene-checklist-uk-2026): the 12 checks a UK clinic should run on its public-facing systems, in priority order, with the ICO context for each. - [PI renewal cyber questions decoded](https://vantyris.com/for/accountants/professional-indemnity-renewal-cyber-questions): the questions UK PI insurers actually ask at renewal, in plain English, with how a Vantyris report answers each. - [Agency portfolio security monthly playbook](https://vantyris.com/for/agencies/client-portfolio-security-monthly-playbook): the 30-minute monthly process for an agency owner to keep ten client sites continuously checked without becoming a SOC analyst. ## Frequently asked - [FAQ](https://vantyris.com/faq): 48 questions across product, billing, delivery, data security, legality, monitoring, sharing, Cyber Essentials, workspace API. Includes the load-bearing question, "Is this legal? Can I scan a client's site?" ## Legal and trust - [Acceptable Use Policy](https://vantyris.com/legal/acceptable-use): the verification gate is the legal foundation. You scan only what you have proven you own. - [Privacy Policy](https://vantyris.com/legal/privacy): UK-GDPR plus EU-GDPR plus CCPA. EU-hosted database. Data export and deletion available. Google Analytics consent-gated only (no load until visitor explicitly accepts). - [Terms of Service](https://vantyris.com/legal/terms): governed by the law of England and Wales. - [About Steelguard Holdings Limited and Vantyris](https://vantyris.com/about): the company behind the product. ## What Vantyris is not - Not a penetration test. Vantyris is automated hygiene scanning with no human attacker model. - Not a compliance certification. We do not make formal PCI, HIPAA, NIS2, or Cyber Essentials claims. Informational mapping only. - Not a guarantee. No findings does not mean a system is safe; it means the specific passive checks we ran today found nothing actionable today. - Not a substitute for a WAF, EDR, or 2FA enforcement audit. A passive scan can flag that /wp-login.php is reachable; it cannot prove (from outside) that rate-limiting, a WAF rule, or account-level 2FA are absent. - Not for scanning systems you do not own or have not been authorised to scan. ## Contact - Support: help@vantyris.com - Refunds: refunds@vantyris.com - Privacy and data requests: privacy@vantyris.com - Company: Steelguard Holdings Limited (company number 17290422), 172 Stafford Street, Wolverhampton, England WV1 1NA, United Kingdom.