Platform tour

Every feature, shown clearly

A complete walkthrough of PenScan — from adding your first website to sharing a verified security certificate with your customers.

Scanning Vulnerability report Asset discovery Trust certificates Team access
Scanning engine

Seven security tools running at once

Most businesses would need to hire a security team to run these checks. PenScan runs them all automatically — checking for the most common ways hackers break into websites — and combines everything into one clear report.

Checks for SQL injection, XSS & 200+ attack types
These are the most common ways hackers steal data. PenScan tests every input on your site automatically.
Checks your SSL certificate & encryption settings
Weak encryption is like leaving your front door unlocked. We flag it before anyone exploits it.
One clean report — no tool-switching required
All findings from all seven tools are merged and de-duplicated. You see one clear list, not seven separate outputs.
app.penscan.org / scans / active
Active scan · api.acmecorp.com
Overall progress 67%
Nmap — Port & service scan Done
SSLyze — TLS/SSL analysis Done
Nikto — Server misconfiguration Done
ZAP — Web application scan Running
Nuclei — CVE & template checks Queued
Dalfox — Advanced XSS fuzzing Queued
7 issues identified so far
app.penscan.org / vulnerabilities
4
Critical
8
High
12
Medium
3
Low
SQL Injection CRITICAL
/api/users?id= · Detected by ZAP & Wapiti
Remote Code Execution CRITICAL
/admin/upload · CVE-2024-1234 · Nuclei
Stored XSS HIGH
/comments · Detected by Dalfox
TLS 1.1 Active HIGH
Outdated encryption · Detected by SSLyze
Missing Security Headers MEDIUM
CSP, HSTS not configured · Nikto
Vulnerability report

A clear list of what to fix, ranked by risk

Every issue we find is sorted from most dangerous to least. You won't need a security expert to interpret the results — each finding tells you what's wrong and why it matters in plain language.

Critical, High, Medium, Low — all clearly labelled
You always know what needs fixing today vs. what can wait until the next sprint.
Plain-English explanation for every issue
No security jargon. Each finding explains what it is, why it's a problem, and how to fix it.
Mark as fixed and verify with a follow-up scan
Track your progress. Mark fixes as complete and re-scan to confirm they're resolved.
Asset discovery

We find the parts of your site you forgot about

Old test environments, forgotten subdomains, internal tools accidentally left exposed — hackers actively hunt for these. PenScan maps everything connected to your domain automatically, the moment you add it.

Automatic — no setup, no configuration
Add your domain and PenScan instantly starts finding connected sites. No credits used, no manual work needed.
High-risk assets flagged immediately
If a discovered subdomain looks exposed or misconfigured, it's flagged so you can prioritise it straight away.
No blind spots — your full attack surface, covered
Most security checks only cover what you manually add. PenScan finds everything, so nothing slips through.
app.penscan.org / targets / acmecorp
Discovered assets
5 found · 0 credits
acmecorp.com
Primary domain
Verified
app.acmecorp.com
Auto-discovered via CT logs
Ready
api.acmecorp.com
Auto-discovered via DNS
Ready
staging.acmecorp.com
Auto-discovered · publicly exposed
Review
legacy.acmecorp.com
Auto-discovered · old stack, high risk
High risk
app.penscan.org / certificates
Security Certificate
Verified by PenScan
acmecorp.com
Scanned Jun 24, 2026 · Certificate #PS-8821-XC
0
Critical
0
High
2
Medium
1
Low
Embeddable badge
Security verified by PenScan
Copy embed code
Trust certificates

Show customers you've been security tested

After a scan, you get a verifiable security certificate and a badge you can add to your website with one line of HTML. It's proof — not just a claim — that your site has been professionally tested.

Anyone can verify your certificate is genuine
Each certificate has a unique ID. Customers, investors, and partners can check it's real with one click.
Live badge — always shows your latest status
The widget on your site updates automatically after every scan. No manual updates needed.
Win more deals by showing security proof
Enterprise buyers always ask about security. A verified certificate gives you a credible, verifiable answer.
Team & access

Invite your team — everyone sees what they need to

Add your developers, managers, or external auditors and control exactly what each person can see and do. Your data is always completely private to your organisation.

Owner, Analyst, or Viewer — three clear roles
Owners run scans. Analysts review findings. Viewers read reports. Simple, granular control.
Your data stays private — always
Each organisation's data is completely separate. Your scan results are never visible to other PenScan users.
Full audit trail for compliance
Every action is logged. Perfect for SOC 2, ISO 27001, and any team that needs to show evidence of security testing.
app.penscan.org / settings / team
Team members · 4
+ Invite
JD
Jane Doe
jane@acmecorp.com
Owner
MS
Mark Smith
mark@acmecorp.com
Analyst
AL
Amy Lee
amy@acmecorp.com
Viewer
RT
Raj Thomas
raj@acmecorp.com
Analyst
Recent activity
jane ran scan on api.acmecorp.com · 2h ago
mark marked SQL Injection as fixed · 1d ago
jane added amy as Viewer · 3d ago
What you get

Everything you need to keep your website safe

No security team needed. PenScan does the hard work and gives you simple, clear answers.

Thorough checks, zero effort
We run seven different security checks on your website at the same time — the same ones professional hackers use. You get one clean report instead of seven confusing ones.
Full coverage without the complexity
We find parts of your site you forgot about
Old subdomains, staging sites, forgotten pages — hackers look for these and so do we. PenScan automatically maps out everything connected to your domain so nothing gets missed.
No blind spots
Only your website, never anyone else's
Before we scan anything, we confirm you actually own it. This keeps you legally protected and means our scans are always authorised — no surprises.
Safe, authorised scanning every time
A clear to-do list, not a wall of alerts
Every issue is ranked by how serious it is, so you know what to fix first. Track progress, mark things as resolved, and always know where you stand.
Fix the right things first
Show customers you take security seriously
Once your site passes a scan, you can display a verified security badge. It's a simple, honest way to build trust with visitors, clients, and partners.
Turn security into a selling point
Invite your team, keep control
Add teammates and choose exactly what they can see and do. Your data stays separate from every other account — always private, always yours.
The right access for the right people
Get started today

Your next scan is
minutes away

Add a target, verify ownership with a DNS record, and run your first full security scan. No setup, no infrastructure, no waiting.

Start scanning free Talk to our team

No credit card required  ·  Credits never expire  ·  Cancel any time