Scanner architecture

Scanner types, scan depth, and risk levels

This page explains what each scanner profile checks, which modules run, and the operational risks before you launch scans.

Scanner capabilities

passive

Handles passive and low-impact scan workloads.

active

Handles active high-impact scan workloads.

wordpress

Dedicated routing capability for WordPress profiles.

Basic Scan (Legacy/Generic)

Profile key: basic | Intensity: Medium | Runtime: 5-20 minutes

Legacy generic profile used by older integrations. Prefer the web/server/WordPress profiles in the domain selector.

Free scan: No | Verified account: Allowed

What will be scanned

  - Core web hardening and TLS/CSP checks
  - Port and active web scanning modules

Risks and operational impact

  - Moderate scan traffic and endpoint activity
  - Can trigger IDS/WAF signatures

Module mix

  - CombinedScanner (passive)
  - CspScan (passive)
  - NmapPortScanner (low-active)
  - OwaspZapScanner (active)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)

Web Domain Scan (Standard)

Profile key: basic_domain | Intensity: Medium | Runtime: 5-20 minutes

Recommended baseline for websites: web hardening, DNS/TLS posture, and balanced active web checks.

Free scan: No | Verified account: Allowed

What will be scanned

  - Security headers, redirect behavior, CSP, DNSSEC, and TLS posture/hardening
  - TLS protocol/cipher/key/operational checks (including ALPN/HTTP2 and OCSP stapling best-effort checks)
  - Port exposure, template-based checks, path discovery, and baseline active web testing

Risks and operational impact

  - Moderate scan traffic; can trigger WAF/rate-limit protections
  - Path discovery and active web checks are visible in logs

Module mix

  - CspScan (passive)
  - DnssecTest (passive)
  - GobusterScanner (active)
  - HttpToHttpsRedirectScan (low-active)
  - NmapPortScanner (low-active)
  - NucleiScanner (active)
  - OwaspZapScanner (active)
  - SecurityHeadersTest (passive)
  - SecurityTxtScan (passive)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)

Domain Scan (Legacy Alias)

Profile key: domain | Intensity: Medium | Runtime: 5-20 minutes

Legacy alias of Basic Domain Scan. Kept for backward compatibility with older saved domains.

Free scan: No | Verified account: Allowed

What will be scanned

  - Same checks as Basic Domain Scan
  - Use Basic Domain Scan in the UI for new configurations

Risks and operational impact

  - Same operational impact as Basic Domain Scan

Module mix

  - CspScan (passive)
  - DnssecTest (passive)
  - GobusterScanner (active)
  - HttpToHttpsRedirectScan (low-active)
  - NmapPortScanner (low-active)
  - NucleiScanner (active)
  - OwaspZapScanner (active)
  - SecurityHeadersTest (passive)
  - SecurityTxtScan (passive)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)

Extensive Scan (Legacy Alias)

Profile key: extensive | Intensity: High | Runtime: 20-60+ minutes

Legacy generic alias aligned to the Server & Infrastructure Scan profile for backward compatibility.

Free scan: No | Verified account: Allowed

What will be scanned

  - Same checks as Server & Infrastructure Scan
  - Use the Server & Infrastructure Scan profile in the UI for new configurations

Risks and operational impact

  - Same operational impact as Server & Infrastructure Scan

Module mix

  - DnssecTest (passive)
  - NmapPortScanner (low-active)
  - OpenVasScanner (active)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)
  - TlsVersionScan (passive)

Free Scan

Profile key: free | Intensity: Low | Runtime: 1-5 minutes

Quick posture check for public-facing sites with low-impact modules only.

Free scan: Allowed | Verified account: No

What will be scanned

  - Security headers and security.txt
  - TLS/DNS basics and limited port checks
  - No high-impact active exploitation modules

Risks and operational impact

  - Low traffic overhead
  - Can still trigger basic web access logs or alerting

Module mix

  - CORSSecurityTest (low-active)
  - CspScan (passive)
  - DnssecTest (passive)
  - NmapPortScanner (low-active)
  - SecurityHeadersTest (passive)
  - SecurityTxtScan (passive)
  - SslCertificateScan (passive)
  - TlsVersionScan (passive)

Web Domain Scan (Deep)

Profile key: full_domain | Intensity: High | Runtime: 20-60+ minutes

Deeper web/domain assessment that adds heavier infrastructure vulnerability coverage to the standard web scan.

Free scan: No | Verified account: Allowed

What will be scanned

  - Everything in Web Domain Scan (Standard)
  - Additional deep vulnerability coverage via OpenVAS
  - Broader evidence collection across the exposed web/domain surface

Risks and operational impact

  - Higher endpoint load and longer runtime than the standard web scan
  - More likely to trigger SOC/IDS/WAF alerts

Module mix

  - CspScan (passive)
  - DnssecTest (passive)
  - GobusterScanner (active)
  - HttpToHttpsRedirectScan (low-active)
  - NmapPortScanner (low-active)
  - NucleiScanner (active)
  - OpenVasScanner (active)
  - OwaspZapScanner (active)
  - SecurityHeadersTest (passive)
  - SecurityTxtScan (passive)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)

Quick Scan (Legacy/Generic)

Profile key: quick | Intensity: Low | Runtime: 1-3 minutes

Legacy generic profile used by older integrations. Not shown in the domain scan selector.

Free scan: No | Verified account: Allowed

What will be scanned

  - TLS version and DNSSEC posture
  - No deep vulnerability modules

Risks and operational impact

  - Lowest operational impact among authenticated profiles

Module mix

  - DnssecTest (passive)
  - TlsVersionScan (passive)

Server & Infrastructure Scan

Profile key: server | Intensity: High | Runtime: 20-60+ minutes

Infrastructure-focused profile for exposed services, transport protections, and deep host/service vulnerability coverage.

Free scan: No | Verified account: Allowed

What will be scanned

  - Service exposure (ports) and transport protections (certificate + TLS posture)
  - DNS/TLS checks relevant to the target hostname
  - Deep infrastructure vulnerability assessment (OpenVAS)

Risks and operational impact

  - Can generate substantial scan traffic to exposed services
  - Best run on verified assets and ideally in approved maintenance windows

Module mix

  - DnssecTest (passive)
  - NmapPortScanner (low-active)
  - OpenVasScanner (active)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)
  - TlsVersionScan (passive)

WordPress Scan (Deep)

Profile key: wordpress_deep | Intensity: High | Runtime: 25-90+ minutes

High-depth WordPress assessment that extends the standard WordPress scan with advanced WP-specific web/DNS/deprecation analysis.

Free scan: No | Verified account: Allowed

What will be scanned

  - Everything in WordPress Scan (Standard)
  - Advanced WordPress-specific web and DNS analysis
  - Deprecated component/version checks and deeper WP-focused evidence collection

Risks and operational impact

  - Higher request volume and stronger chance of defense triggers
  - Should run only for verified assets with owner approval

Module mix

  - CspScan (passive)
  - DnssecTest (passive)
  - HstsChecker (low-active)
  - HttpToHttpsRedirectScan (low-active)
  - MixedContentScan (low-active)
  - NmapPortScanner (low-active)
  - OwaspZapScanner (active)
  - SecurityHeadersTest (passive)
  - SecurityTxtScan (passive)
  - SessionCookieSecurityScan (low-active)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)
  - WordPressAdvancedAnalyzer (low-active)
  - WordPressComponentEnumerator (low-active)
  - WordPressConfigurationChecker (low-active)
  - WordPressDeprecatedChecker (passive)
  - WordPressDnsAnalyzerAdvanced (passive)
  - WordPressDnsAnalyzerCore (passive)
  - WordPressExposureScanner (low-active)
  - WordPressFingerprinting (passive)

WordPress Scan (Standard)

Profile key: wordpress_standard | Intensity: Medium | Runtime: 10-30 minutes

WordPress-focused baseline that adds WP-specific detection, exposure, and configuration checks beyond generic web/domain scanning.

Free scan: No | Verified account: Allowed

What will be scanned

  - Generic web posture checks (headers, TLS, CSP, DNSSEC, redirects) plus WP-specific checks
  - WordPress fingerprinting, exposure checks, DNS checks, component enumeration, and WP config checks
  - Active web/network checks tailored for WordPress targets

Risks and operational impact

  - Can trigger plugin/firewall protections
  - Enumeration activity visible in logs

Module mix

  - CspScan (passive)
  - DnssecTest (passive)
  - HstsChecker (low-active)
  - HttpToHttpsRedirectScan (low-active)
  - MixedContentScan (low-active)
  - NmapPortScanner (low-active)
  - OwaspZapScanner (active)
  - SecurityHeadersTest (passive)
  - SecurityTxtScan (passive)
  - SessionCookieSecurityScan (low-active)
  - SslCertificateScan (passive)
  - TlsBestPracticesScan (passive)
  - TlsKeyExchangePolicyScan (passive)
  - TlsOperationalFeaturesScan (passive)
  - WordPressComponentEnumerator (low-active)
  - WordPressConfigurationChecker (low-active)
  - WordPressDnsAnalyzerCore (passive)
  - WordPressExposureScanner (low-active)
  - WordPressFingerprinting (passive)

Policy notes

  - Only verified-account scans can execute active modules.
  - The domain selector should prefer: basic_domain, full_domain, server, wordpress_standard, wordpress_deep.
  - Legacy profiles (domain, quick, basic, extensive) remain available for backward compatibility.
  - Unknown profiles and modules are denied by default policy.
  - Profile/module policy is enforced before tasks are executed.
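The policy notes above describe a pre-execution gate: unknown profiles and modules are denied by default, and active modules need a verified account. The following is an added example of such a gate, not the project's own code; it reuses the profile keys and module intensities documented on this page (a subset), while the function names and the (allowed, reason) return shape are assumptions made for illustration.

```python
# Added example, not the project's own code: a pre-execution policy gate that
# applies the policy notes above to the profile/module data on this page.
# Function names and the (allowed, reason) return shape are assumptions.

# Module intensities copied from the "Module mix" sections (subset).
MODULE_INTENSITY = {
    "DnssecTest": "passive",
    "TlsVersionScan": "passive",
    "SecurityHeadersTest": "passive",
    "SslCertificateScan": "passive",
    "NmapPortScanner": "low-active",
    "CORSSecurityTest": "low-active",
    "OwaspZapScanner": "active",
    "OpenVasScanner": "active",
}

# Profile keys and their module mix as documented on this page (subset).
PROFILES = {
    "quick": ["DnssecTest", "TlsVersionScan"],
    "free": ["CORSSecurityTest", "DnssecTest", "NmapPortScanner",
             "SecurityHeadersTest", "SslCertificateScan", "TlsVersionScan"],
    "server": ["DnssecTest", "NmapPortScanner", "OpenVasScanner",
               "SslCertificateScan", "TlsVersionScan"],
}


def authorize(profile: str, module: str, verified: bool) -> tuple[bool, str]:
    """Decide one (profile, module) task; anything not explicitly known is denied."""
    if profile not in PROFILES:
        return False, f"unknown profile {profile!r}: denied by default"
    if module not in MODULE_INTENSITY:
        return False, f"unknown module {module!r}: denied by default"
    if module not in PROFILES[profile]:
        return False, f"{module} is not part of profile {profile!r}"
    if MODULE_INTENSITY[module] == "active" and not verified:
        return False, f"{module} is active: verified account required"
    return True, "allowed"


def plan(profile: str, verified: bool) -> tuple[list[str], list[str]]:
    """Split a profile's module mix into (runnable, denied) before any task runs."""
    runnable, denied = [], []
    for module in PROFILES.get(profile, []):
        (runnable if authorize(profile, module, verified)[0] else denied).append(module)
    return runnable, denied


if __name__ == "__main__":
    # Unverified account on the server profile: OpenVAS is held back, the rest run.
    print(plan("server", False))
```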