Methodology & Safety
What Vantyris actually does.
VT-2026 · v1.4.0 · Last reviewed 2026-05-26 · Changelog
This page explains what a Vantyris scan actually runs, what it doesn't, why we draw those lines, and the safety controls we apply so we can scan public-internet systems without becoming part of the problem we're trying to solve.
Vantyris is a safety-constrained scanning service. The UK Computer Misuse Act 1990 criminalises unauthorised access to computer material. OWASP guidance on Server-Side Request Forgery shows how a loose outbound request can reach internal services. The architecture below is grounded in both.
Two speeds
A target gets two kinds of attention. The free teaser reads only what's already visible to any internet user: how your padlock is configured, and what protective instructions your site sends to your visitor's browser. No ownership check, no signup, partial answer in seconds. Treat it as a sample.
The verified scan only runs once you've proven the site is yours (DNS record, file, or HTML meta tag, your pick). It adds the email-impersonation and DNS-hijack checks that need your authorisation under UK law before we run them. Today it covers about 70% of the typical small-business hygiene surface; the rest is on the roadmap below. First report in under 60 seconds.
The full report is in plain English, with a "what this means for your business" explanation, a "how to fix it" with who does it and roughly how long, and the technical evidence one click away if you want it. Three PDF layouts ship from the same data: a full editorial document, a single-page executive view for a board pack, and a single-issue work order you can hand directly to whoever does the fix.
Alignment with external standards
Vantyris's posture model is anchored to two public standards. The first is the UK NCSC's External Attack Surface Management (EASM) guidance, which frames the baseline question as "what does the internet see when it looks at us?" That means subdomains, services, certificates, technologies. Every verified target has an attack-surface snapshot pane that answers that question with data from Certificate Transparency logs and DNS.
The second is the OWASP secure-configuration baselines for the categories we check (TLS, HTTP headers, email authentication, CAA). Where two standards disagree (rare), the report cites both and explains the difference.
Each finding card carries a small "References" list with links to the IETF RFC, the NCSC guidance, the CISA KEV entry, or the MDN page that defines what we're flagging. The reader can verify the finding's premise without taking our word for it.
Cyber Essentials alignment
Vantyris is not a certifying body for UK Cyber Essentials. We don't sign certificates, we don't issue the badge. What we do is map each finding to the five NCSC Cyber Essentials control areas (firewalls, secure configuration, security update management, user access control, malware protection) and show on the report which controls each finding informs.
This is useful in the most common preparation pattern: you're putting together a Cyber Essentials submission and you want to know which questions an external scanner can speak to versus which need internal evidence (endpoint posture, policy, training). The alignment section on every verified report draws that line for you.
Priority and confidence
Each finding carries a confidence rating (high, medium, low) drawn from how deterministic the underlying check is. A TLS handshake either negotiates a deprecated protocol or it doesn't; that's high. A version-banner heuristic could be wrong; that's medium. A finding that depends on what the scanner cannot see from outside (server-side rate-limiting, a WAF rule that fires after several attempts, post-password 2FA) is Medium with explicit caveats. Low-confidence findings carry a visible label so a reader knows where to apply judgement.
Each finding also carries a priority score (0–100) that blends three signals: the severity of the finding, whether the underlying CVE (if any) is in CISA's Known Exploited Vulnerabilities catalogue, and the history state compared to the previous scan (new, recurring, or regressed). A finding that was new last month and got worse this month sorts higher than a finding of the same severity that just appeared.
The findings list defaults to severity order so the report reads naturally, but you can switch to priority order in a single click, or group by category to triage by area of your stack. Within a severity tier, regulatory and data-loss findings (consent missing, data dump exposed, Safe-Browsing listing) surface before pure hardening gaps (HSTS short).
What a passive scan can and cannot prove
Vantyris is a passive scanner — we read what's already visible to anyone on the open internet about your domain. That covers a lot (TLS posture, response headers, DNS records, exposed paths, third-party scripts, public reputation listings) but it does not cover everything. We're explicit about that in the report, because pretending otherwise is what produces "the scanner said X was a critical High but actually our WAF blocks it" arguments at the client meeting.
Things a passive Vantyris scan can prove from outside the front door: that /wp-login.php is reachable; that no CAPTCHA, bot challenge, or 2FA hint is visible in the rendered page; that DMARC is or isn't published; that /readme.html is or isn't downloadable; that the TLS handshake offers TLS 1.0; that /wp-json/wp/v2/users returns a list of slugs.
Things a passive Vantyris scan cannot prove from outside: that server-side login rate-limiting is absent; that a Cloudflare bot-protection rule won't fire after three failed attempts; that account-level 2FA isn't enforced after the password step; that a WAF won't transparently block the next request. We flag the finding so you know to verify those controls, but we don't claim they don't exist. Findings touching this boundary carry Medium confidence and a "what a passive scan cannot prove" caveat in the evidence pack.
The corollary: if you already enforce those server-side controls, you can mark the finding "Accepted as known risk" with a written reason and the workflow records the call. The 90-day auto-expiry means the suppression doesn't outlive the rationale.
Workflow and audit trail
Every finding has a workflow state: open, fixed, accepted as known risk, ignored, or assigned. State transitions are append-only: every change writes a row to a separate history table with the user who made it and the timestamp. The history is what an auditor reads when they want to know "when did you decide this was acceptable, and why?"
Accepted and ignored states require a written reason and auto-expire after 90 days, so a long-running suppression doesn't quietly turn into a forgotten one. Assignments take an email and an optional due date.
Continuous monitoring
A verified target can be enrolled in re-scanning on a daily, weekly, biweekly, or monthly cadence. An email alert fires on the three specific events that move the needle: a new high or critical finding, a security-score drop of ten points or more compared to the prior scan, or a TLS certificate within fourteen days of expiry. Cadence and alert flags are workspace-controlled. No daily noise.
The nine categories we score
Every verified report scores your site on nine axes. Each axis gets its own score, grade, severity counts, and worst-case finding. Healthy axes get a green tick; the report stays honest about which ones we didn't assess.
- TLS & HTTPS. Whether visitors and search engines see your site as a secure, trusted destination. The connection between visitor and server, the certificate, the protocol versions accepted, the HSTS policy. (HSTS is scored under this category, not Web Hygiene — a 2026-05 fix so the TLS grade and the HSTS finding can't disagree with each other.)Technical: TLS handshake, cipher suites, certificate chain + expiry, HSTS (max-age + includeSubDomains + preload-eligibility), OCSP stapling, mixed-content references.
- Web hygiene. Whether your website is configured to resist common browser-level attacks. The response headers that tell the browser how to defend your visitor.Technical: Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy, X-Content-Type-Options, Set-Cookie flags (Secure, SameSite, HttpOnly).
- Domain & DNS. Whether the underlying domain plumbing is healthy and resilient to hijack. Who's allowed to issue certificates, whether forgotten subdomains still resolve, whether DNSSEC validates.Technical: CAA records, DNSSEC validation, A/AAAA/MX records, nameserver provider hint, registrar lock state, domain age.
- Email security. Whether attackers can send convincing emails impersonating your business. SPF, DKIM, DMARC, and the modern follow-ons.Technical: SPF, DKIM signing, DMARC alignment + policy + reporting, BIMI logo cert, MTA-STS, TLS-RPT.
- Exposure. Whether services or files that should be private are reachable from the public internet. Real-world wins are usually here, the thing your previous web team meant to lock down and forgot. WordPress-specific hardening (readme.html, REST users, XML-RPC, login reachability, uploads directory listing, debug log) is scored here too — a 2026-05 fix so the Exposure grade reflects the WordPress posture honestly.Technical: bounded port discovery on the public IPs your domain resolves to, ~71 sensitive-file probes (.env, .git, backups, DB dumps, debug endpoints, devops tools, WordPress hardening), subdomain enumeration via Certificate Transparency, subdomain-takeover risk via dangling CNAMEs.
- Technology. What attackers can learn about your stack from outside, without logging in. Versions you're advertising, CMS fingerprints, banner leaks.Technical: CMS detection, framework + server + analytics fingerprinting, version disclosure in response headers and HTML.
- Reputation. Whether your domain is flagged by major safety, mail, or trust services. Even if your site is clean today, an old subdomain that got compromised once can sit on Spamhaus or SURBL for months.Technical: Google Safe Browsing v4 (malware / phishing / unwanted-software), Spamhaus ZEN + DBL, Barracuda Reputation Block List, SpamCop, SURBL, URIBL.
- Supply chain. Whether third-party scripts on your site could compromise your visitors. If a third-party CDN gets owned, your site executes whatever they ship next.Technical: third-party domain enumeration, Subresource Integrity (SRI) presence per script tag, suspicious-CDN flagging.
- Privacy. Whether the site meets baseline privacy expectations for visitors and regulators. Trackers before consent, missing privacy notice, IAB TCF signal absent.Technical: pre-consent tracker detection, cookie-banner presence, privacy-policy link presence, IAB TCF signal.
Fix Roadmap: every finding sorted into Today / This Week / Later / Acknowledged
Vantyris groups every issue-bearing finding into a four-bucket roadmap: today (fixes the site owner can do this morning), this week (fixes that need developer time or coordination), later (fixes scheduled by lifecycle, like renewals or large upgrades), and acknowledged (findings that need confirmation rather than action). Severity always wins for the first three buckets: anything Critical or High lands in today regardless of how much effort the fix takes.
The Acknowledged bucket is the addition reviewers asked for in the May 2026 wave. Example: your resolved IP belongs to a shared Cloudflare edge that Spamhaus has listed. The listing is real, but it's noise from another tenant on that shared IP — not something you can or should fix. Putting it under Today made the report feel like an emergency over an informational note; Acknowledged keeps it visible without forcing urgency.
Within each bucket, findings are grouped by owner (web host, web developer, DNS admin, domain registrar, email provider, site owner). One person can pick up "everything I need to do" without scrolling past anyone else's work. This is the difference between a list of problems and a list of next actions.
Every finding also carries a typed effort field (5-10 minutes / about 30 minutes / 1-2 hours / developer day / on next renewal / confirm only) so you can plan against your actual calendar, not against vague "low/medium/high" labels.
Executive Summary page (new)
Every verified report now opens with a Cover, then a one-page Executive Summary aimed at non-technical readers — the partner, the clinic owner, the board member who will read exactly one page and forward the PDF.
The Executive Summary carries: a headline grade and total finding count (with Acknowledged separated out), the top three "biggest wins" severity-sorted with the regulatory/data-loss tiebreak, the projected post-fix grade and score gain from the first realistic fix scenario, and a Business impact in plain English table that maps the top 10 actionable findings to a one-line commercial risk (regulatory complaint risk, brute-force exposure, deliverability drop, full-data-breach trigger, etc.). The detailed evidence and remediation steps live in Section 7.
Exact remediation snippets
Every finding in the detailed-findings section now ships an exact, copy-paste fix alongside the prose. WordPress REST API user enumeration gets the full add_filter('rest_endpoints', …) block. HSTS gets the Cloudflare panel path plus Nginx and Apache directives. /readme.html gets the Nginx location = /readme.html { return 404; } rule and the Apache RedirectMatch equivalent. .env exposure gets the web-server deny block.
The intent is the same as the rest of the report — make the next action obvious. The owner forwards the snippet to whoever runs the relevant panel; the panel-runner pastes it; the re-scan documents the closure.
Attack Surface map (server-built, structured)
Every verified report includes a typed Attack Surface section answering the NCSC EASM baseline question, "what does the internet see when it looks at this domain?" The section covers IPv4 and IPv6 addresses the domain resolves to, nameservers and their provider hint (Cloudflare, AWS Route53, etc.), MX hosts that receive your email, DNSSEC validation state, CAA issuers, registrar + lock state, domain age, and subdomains discovered through Certificate Transparency logs.
The data is read from the structured detail-JSON the scanner persists, not parsed out of evidence strings. That makes it stable as we add new modules: a new module can extend the surface object without breaking the report rendering.
Safety controls
We run scan jobs in isolated containers with strict egress allow-lists. A worker can reach the public-internet target IP and approved third-party APIs, that is all. It cannot reach private IP ranges (RFC 1918), link-local addresses, the cloud-metadata endpoint at 169.254.169.254, loopback, or CGNAT space.
We re-resolve DNS mid-scan and abort if the IP suddenly changes (a DNS-rebinding pattern). We apply per-target, per-workspace, and per-IP rate limits to remain a polite citizen of the internet.
We never run exploit frameworks, credential stuffing, brute force, or fuzz testing. We never run Nuclei's code, headless, or fuzz template paths. We only run pinned, signed template bundles that we have reviewed.
False-positive policy
We deliberately prefer a shorter, more correct report over a longer noisy one. When two scanners disagree about a finding, we surface it as medium rather than the higher of the two ratings. Suppressions you set on a finding (via the Ignore with reason action) carry an expiry, they don't silently hide an issue forever. We review the suppression queue weekly and roll back any template that produces a surge of false positives.
What we don't do
- We are not a penetration test. We don't have a human attacker model.
- We do not make formal compliance claims. No "PCI-compliant" / "HIPAA-compliant" / "NIS2-compliant" / "Cyber-Essentials-certified" labels. Vantyris's mapping to those standards is informational only.
- We do not bypass the verification gate. Ever.
- We do not scan systems on the user's behalf without their assertion of authority to do so.
- We do not store more than is needed: PDFs 12 months, raw artefacts 30–90 days, audit logs 12 months.
Remediation library
Every finding maps to a human-authored remediation note: a one-sentence "what this means for your business," a concrete "how to fix it" with an ownership hint (your web host / your developer), and an approximate time-to-fix. The library is maintained by named expert reviewers on retainer and is updated quarterly.
Eating our own dog food
We run Vantyris against vantyris.com itself. The security headers on this page (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy) are configured to the standards we describe. Our staging environment runs the same scanner pipeline against itself before every release.