Methodology & Safety
What Vantyris actually does.
VT-2026 · v1.0.0 · Last reviewed 2026-05-23
This page explains what a Vantyris scan actually runs, what it doesn't, why we draw those lines, and the safety controls we apply so we can scan public-internet systems without becoming part of the problem we're trying to solve.
Vantyris is a safety-constrained scanning service. The UK Computer Misuse Act 1990 criminalises unauthorised access to computer material. OWASP guidance on Server-Side Request Forgery shows how a loose outbound request can reach internal services. The architecture below is grounded in both.
Two-speed scanning
A target gets two kinds of attention. The teaser scan runs without ownership verification and is deliberately passive: DNS lookups, public SSL/TLS handshake reads, a security-header read, and an MX-record check. No active probing. It returns a partial grade in seconds.
The verified standard scan only runs after you've proven ownership through DNS TXT, a file, or a meta tag. It includes a passive module set first (returns a first report fast), then progressively enriches with deeper modules: port discovery (limited, bounded Nmap), known-web-vuln checks (curated signed Nuclei templates only), email-security posture (SPF + DKIM + DMARC analysis), and DNS hygiene (CAA, DNSSEC, look-alike detection).
Six categories
- TLS / SSL: cipher suites, certificate chain, HSTS, OCSP. We grade in the SSL Labs spirit and explain in plain English.
- Security headers: CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy. What's missing, what to set, who needs to set it.
- Exposed services: bounded port discovery. Admin panels on non-standard ports, database services facing the internet, services that should be private.
- Web vulnerabilities: a curated allow-list of Nuclei templates, signed and pinned. We never run user-supplied templates, and never the code, headless or fuzz template paths.
- Email security: SPF, DKIM, DMARC, BIMI. The cluster small businesses get wrong most often.
- DNS hygiene: CAA records, DNSSEC posture, forgotten subdomains, basic look-alike detection.
Safety controls
We run scan jobs in isolated containers with strict egress allow-lists. A worker can reach the public-internet target IP and approved third-party APIs, and nothing else. It cannot reach private IP ranges (RFC 1918), link-local addresses, the cloud-metadata endpoint at 169.254.169.254, loopback, or CGNAT space.
We re-resolve DNS mid-scan and abort if the IP suddenly changes (a DNS-rebinding pattern). We apply per-target, per-workspace, and per-IP rate limits to remain a polite citizen of the internet.
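The two controls above, the egress block-list and the mid-scan re-resolution check, as an added illustration (not Vantyris's own code): the network list follows the page, the IPv6 equivalents and the `resolver` callback are assumptions of this example.

```python
import ipaddress

# Destinations a scan worker must never reach. The IPv4 entries match the page's
# list; the IPv6 loopback/link-local/ULA/v4-mapped entries are assumed additions.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",   # link-local, covers the 169.254.169.254 metadata endpoint
    "127.0.0.0/8",      # loopback
    "100.64.0.0/10",    # CGNAT (RFC 6598)
    "::1/128", "fe80::/10", "fc00::/7", "::ffff:0:0/96",
)]


def is_allowed_target(ip: str) -> bool:
    """True only for a public, globally routable address outside the block-list."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return False
    return addr.is_global  # also rejects multicast, reserved and documentation ranges


class ScanAborted(Exception):
    """Raised when the target fails the egress policy or its DNS answer changes."""


def resolve_and_pin(hostname: str, resolver) -> str:
    """Resolve once at scan start, enforce the egress policy, return the pinned IP.

    `resolver(hostname) -> str` is an injected lookup (hypothetical helper) so the
    check can be exercised offline with constructed answers.
    """
    ip = resolver(hostname)
    if not is_allowed_target(ip):
        raise ScanAborted(f"{hostname} resolves to non-public address {ip}")
    return ip


def check_still_pinned(hostname: str, pinned_ip: str, resolver) -> bool:
    """Re-resolve mid-scan; abort on any change, the DNS-rebinding pattern."""
    current = resolver(hostname)
    if current != pinned_ip:
        raise ScanAborted(f"{hostname} moved from {pinned_ip} to {current}; aborting")
    return True
```

Every outbound connection in a worker should be made only to the pinned IP, not to the hostname, so a later DNS answer cannot redirect the socket.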
We never run exploit frameworks, credential stuffing, brute force, or fuzz testing. We never run Nuclei's code, headless, or fuzz template paths. We only run pinned, signed template bundles that we have reviewed.
False-positive policy
We deliberately prefer a shorter, more correct report over a longer, noisy one. When two scanners disagree about a finding, we surface it as medium rather than the higher of the two ratings. Suppressions you set on a finding (via the Ignore with reason action) carry an expiry; they don't silently hide an issue forever. We review the suppression queue weekly and roll back any template that produces a surge of false positives.
What we don't do
- We are not a penetration test. We don't have a human attacker model.
- We do not make formal compliance claims. No "PCI-compliant" / "HIPAA-compliant" / "NIS2-compliant" / "Cyber-Essentials-certified" labels. Vantyris's mapping to those standards is informational only.
- We do not bypass the verification gate. Ever.
- We do not scan systems on the user's behalf without their assertion of authority to do so.
- We do not store more than is needed: PDFs 12 months, raw artefacts 30–90 days, audit logs 12 months.
Remediation library
Every finding maps to a human-authored remediation note: a one-sentence "what this means for your business," a concrete "how to fix it" with an ownership hint (your web host / your developer), and an approximate time-to-fix. The library is maintained by named expert reviewers on retainer and is updated quarterly.
Eating our own dog food
We run Vantyris against vantyris.com itself. The security headers on this page (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy) are configured to the standards we describe. Our staging environment runs the same scanner pipeline against itself before every release.