External Attack Surface Intelligence

The security layer your
infrastructure never had.

VeilScan maps your external perimeter, verifies every finding against real exploit evidence, and delivers a boardroom-ready risk report — in under two hours.

Zero critical false positives · Results in under 2 hours · Data residency: London (eu-west-2)
SCAN REPORT — acmecorp.com (Complete)
Risk Score: 7.4/10 (Business Impact)
Critical: 2 verified
High: 4 verified
Subdomains: 23 discovered

Findings
Critical  SQL Injection — user search endpoint   api.acmecorp.com    9.1
Critical  Exposed .env file with credentials     app.acmecorp.com    8.8
High      TLS 1.0 still enabled                  api.acmecorp.com    6.2
Med       Missing DMARC record                   acmecorp.com        4.1
Info      Open redirect on auth callback         auth.acmecorp.com   2.3

Attack path detected: SQL Injection (api.acmecorp.com) → Exposed .env (app.acmecorp.com) → Admin access (admin.acmecorp.com)
"Credentials from .env confirm admin login. Full database exposed — no auth required."
ISO 27001 mapped GDPR Article 32 SOC 2 ready PCI DSS aligned Cyber Essentials
2hrs: average time to first report
0%: critical false positive rate
34: AI pipeline nodes in the scan chain
5+: scanning tools chained per run
The Problem

Security scanners give you lists.
You need answers.

Most tools produce hundreds of findings with no context, no proof, and no clear next step. Your team ends up triaging noise instead of fixing real risk.

Too many false positives

Automated scanners flag anything suspicious. Teams waste days chasing findings that aren't exploitable — and real risks get buried in the noise.

No context, no action

A CVE ID is not a decision. Without proof of exploitability and business context, findings sit in a spreadsheet — unread, unactioned, unresolved.

Blind spots between scans

Point-in-time assessments miss new deployments, forgotten subdomains, and supply chain exposure that appears between tests.

How VeilScan is Different

Verified findings. Real attack paths.
Delivered in two hours.

01
Proof-backed findings

Every Critical includes a working reproducible request and real server response. If we can't prove exploitability, it doesn't ship as Critical — full stop.

02
AI-chained attack paths

Verified findings are chained into realistic multi-step scenarios using a 34-node LangGraph pipeline. See how an attacker moves, not just isolated CVEs.

03
Business impact scoring

Every finding gets a 0–10 Business Impact Score. Prioritise by what matters to the business, not just CVSS severity.

04
Continuous monitoring

Weekly or daily automated scans catch new exposure within hours. Track what's new, what's fixed, and what's overdue — without lifting a finger.

Process

Up and running in minutes.

No agents. No credentials. No internal access required.

01 / ADD DOMAIN
Enter your domain

Paste the domain you want monitored. Takes 30 seconds — no configuration needed.

02 / VERIFY
Confirm ownership

Add a DNS TXT record once. We never scan a target without written authorisation from you.

03 / SCAN
Pipeline runs

Subdomain discovery, port scanning, vuln detection, and AI verification — fully automated.

04 / REPORT
Report delivered

Professional PDF to your inbox. Criticals trigger Slack alerts immediately — not two hours later.
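How the DNS TXT ownership check in step 02 can be implemented, as an added illustration and not VeilScan's own code: the record label `_veilscan-verify`, the `veilscan-verify=<token>` value format, the HMAC token derivation and the dict-backed resolver are all assumptions made for this example. It binds the token to both the account and the domain so that a record copied from someone else's zone proves nothing, tolerates extra TXT records and quoted rdata at the same name, and treats any lookup failure as "not verified".

```python
import hashlib
import hmac
from typing import Callable, Iterable

# Assumed scheme for this example (not VeilScan's real one): the customer publishes
# one TXT record at _veilscan-verify.<domain> whose value is veilscan-verify=<token>.
RECORD_LABEL = "_veilscan-verify"
VALUE_PREFIX = "veilscan-verify="


def normalise(domain: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.com.' and 'example.com' agree."""
    return domain.strip().lower().rstrip(".")


def issue_token(domain: str, account_id: str, server_secret: bytes) -> str:
    """Derive the token from (account, domain) with an HMAC so that a record copied
    from another customer's zone, or issued for a different domain, never matches."""
    msg = f"{account_id}\n{normalise(domain)}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:32]


def expected_record(domain: str, account_id: str, server_secret: bytes) -> tuple[str, str]:
    """Return (name to publish at, exact TXT value to publish)."""
    name = f"{RECORD_LABEL}.{normalise(domain)}"
    return name, VALUE_PREFIX + issue_token(domain, account_id, server_secret)


def verify_ownership(domain: str, account_id: str, server_secret: bytes,
                     resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """True only if a TXT record at the expected name carries exactly the expected value.

    resolve_txt(name) returns the TXT strings at that name (in production, wrap
    dnspython's dns.resolver.resolve(name, "TXT") and join each rdata's .strings);
    any exception it raises (NXDOMAIN, timeout, SERVFAIL) counts as not verified.
    """
    name, want = expected_record(domain, account_id, server_secret)
    try:
        answers = list(resolve_txt(name))
    except Exception:
        return False
    for rdata in answers:
        got = rdata.strip().strip('"')          # zone files and some resolvers quote TXT data
        if hmac.compare_digest(got, want):      # constant-time; unrelated TXT records at the name are fine
            return True
    return False


def demo() -> dict:
    """Offline walk-through against a constructed zone standing in for public DNS."""
    secret = b"example-server-secret"           # constructed; a real deployment keeps this in a secret store
    name, record = expected_record("acmecorp.com", "acct-1", secret)
    zone = {name: ['"some-other-verification=abc123"', f'"{record}"']}

    def lookup(n: str) -> list[str]:
        return zone[n]                          # KeyError stands in for NXDOMAIN

    return {
        "record_to_publish": (name, record),
        "correct_account": verify_ownership("acmecorp.com", "acct-1", secret, lookup),
        "other_account_same_record": verify_ownership("acmecorp.com", "acct-2", secret, lookup),
        "trailing_dot": verify_ownership("acmecorp.com.", "acct-1", secret, lookup),
        "no_record": verify_ownership("other.example", "acct-1", secret, lookup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The account binding is the part worth copying: a token that depends only on the domain would let a customer who once verified a domain keep "owning" it after the zone changes hands, because the same record would still validate for anyone who knows it.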

Sample Output

What your report actually looks like.

Not a spreadsheet. A clear, actionable picture of your external risk — with proof attached to every finding.

Example finding Critical
SQL Injection — User Search Endpoint
api.acmecorp.com/users/search

The q parameter is injectable. An attacker can enumerate and extract the full user table without authentication.

Proof (reproducible)
curl -G "https://api.acmecorp.com/users/search" --data-urlencode "q=' OR '1'='1"
Verified ISO 27001 A.12.6 GDPR Art.32
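What the finding above amounts to in code, as an added example rather than anything from the acmecorp.com report or from VeilScan: a constructed in-memory SQLite table stands in for the user store, `search_vulnerable` builds the query by string formatting the way the `q` parameter evidently is, and `search_safe` is the parameterised fix. The payload is the one in the curl PoC, and the row-count comparison in `evidence` is the kind of before/after proof a verifier attaches.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"   # the payload from the sample finding's curl PoC


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the real store behind /users/search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@acmecorp.example"),
         ("bob", "bob@acmecorp.example"),
         ("carol", "carol@acmecorp.example")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list[tuple]:
    """Query built by string formatting: the attacker's quote ends the literal and the
    remainder is parsed as SQL, so q = ' OR '1'='1 turns the WHERE clause into
    username LIKE '%' OR '1'='1%', which is true for every row."""
    sql = f"SELECT username, email FROM users WHERE username LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, q: str) -> list[tuple]:
    """Parameterised fix: the driver sends q as data, never as SQL text."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username LIKE ?", (f"%{q}%",)
    ).fetchall()


def evidence(conn: sqlite3.Connection) -> dict:
    """Before/after comparison of the kind a verifier records as proof: a benign search
    returns one row, the payload returns the whole table on the vulnerable code path
    and nothing on the fixed one."""
    return {
        "benign_rows": len(search_vulnerable(conn, "ali")),
        "payload_rows_vulnerable": len(search_vulnerable(conn, PAYLOAD)),
        "payload_rows_safe": len(search_safe(conn, PAYLOAD)),
        "table_size": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(evidence(make_db()))
```

Note that the safe version still wraps `q` in `%...%`; that is fine because the wildcard string travels as a bound parameter, and the only remaining concern is a user supplying their own `%` or `_` wildcards, which is a search-semantics issue rather than an injection.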
Example attack path High risk
Step 1
SQL Injection
api.acmecorp.com
Step 2
Exposed .env
app.acmecorp.com
Step 3
Admin access
admin.acmecorp.com
What this means

An attacker uses the SQL injection to extract credentials from the database. The exposed .env file confirms the admin password. With both, they log into the admin panel: full control, reached from an unauthenticated external position using nothing more than the two findings above.

Business consequence: Full customer database exposed. GDPR breach notification required within 72 hours.

What customers say

Trusted by teams who take risk seriously.

"VeilScan found a critical SQL injection on our staging API that had been exposed for months. We had no idea. The attack path narrative made it immediately clear to our CTO why it needed to be fixed that day."
Sana Khalil, Head of Engineering, Finlink

"The proof-of-concept attached to every critical finding is a game changer. No more debating whether something is actually exploitable — the evidence is right there in the report."
Jana Petrov, CISO, DataBridge
Pricing

Simple, transparent pricing.

Every plan includes proof-backed findings and compliance mapping. No per-scan fees. No surprises.

Starter: $49 per month
For small teams getting started with external security.
1 domain monitored
1 manual scan / month
Monthly automated scan
Proof-backed findings
Compliance mapping
PDF report + portal access
Attack paths
Slack alerts
Pro: $299 per month
For enterprises and security teams operating at scale.
20 domains monitored
25 manual scans / month
Daily automated scans
Proof-backed findings
Compliance mapping
PDF report + portal access
Attack paths + Slack alerts
Delta reports
Compliance export (CSV / JSON)

All plans require a signed Rules of Engagement document. Manual onboarding for first 20 customers.

How we validate

Every finding has proof attached.

We don't guess. We don't surface noise. Every finding meets a documented proof standard before it reaches your report.

Proof-backed Critical findings
Every Critical finding includes a reproducible curl command and the actual server response confirming the vulnerability. No proof — no Critical.
Conservative validation
Unverified signals are automatically downgraded to Informational — never reported at face value. We'd rather under-report than send you false alarms that waste your team's time.
Attack paths, not vulnerability lists
Exploit paths are generated only when multiple verified findings can be chained together from an external, unauthenticated position. Every hop is independently confirmed. No speculation.
AI clearly labelled
AI assists with attack-path chaining, business impact scoring and remediation context — never with finding detection. Every AI-assisted section in your report is clearly identified. Scan results are tool-generated, not AI-generated.
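The chaining rule described under "Attack paths, not vulnerability lists" (and the AI-chained attack paths claim earlier on the page), worked through as an added example. This is not VeilScan's LangGraph pipeline: the capability model (`requires`/`grants` sets), the unauthenticated-external start state and the sample findings, which mirror the acmecorp.com chain, are constructed for illustration. Only findings marked verified are eligible hops, so the unverified open redirect can never appear in a path even though it would be a shortcut to the goal.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    host: str
    verified: bool
    requires: frozenset   # capabilities the attacker must already hold to use this finding
    grants: frozenset     # capabilities the attacker holds after exploiting it


# The attacker's starting position: outside the perimeter with no credentials.
UNAUTHENTICATED_EXTERNAL = frozenset({"external", "unauthenticated"})

# Constructed findings mirroring the acmecorp.com sample; the capability names are
# a modelling choice for this example, not report data.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "api.acmecorp.com", True,
            UNAUTHENTICATED_EXTERNAL, frozenset({"admin_username"})),
    Finding("Exposed .env", "app.acmecorp.com", True,
            UNAUTHENTICATED_EXTERNAL, frozenset({"admin_password"})),
    Finding("Admin access", "admin.acmecorp.com", True,
            frozenset({"admin_username", "admin_password"}), frozenset({"admin_panel"})),
    # Unverified signal: would be a one-hop shortcut to the goal, so it must be excluded.
    Finding("Open redirect", "auth.acmecorp.com", False,
            UNAUTHENTICATED_EXTERNAL, frozenset({"admin_username", "admin_password"})),
]


def chain_paths(findings, goal, start=UNAUTHENTICATED_EXTERNAL, max_depth=5):
    """Every ordered chain of verified findings that takes the attacker from `start`
    to a state containing `goal`. A hop is taken only if the attacker already holds
    everything it requires and it adds a capability they lack; the depth cap bounds
    the search on large finding sets."""
    usable = [f for f in findings if f.verified]
    paths = []

    def walk(state, path):
        if goal in state:
            paths.append(tuple(path))
            return
        if len(path) >= max_depth:
            return
        for f in usable:
            if f in path or not f.requires <= state or f.grants <= state:
                continue
            walk(state | f.grants, path + [f])

    walk(start, [])
    return paths


def render(path) -> str:
    """One-line narrative of a chain, in the order the attacker would take the hops."""
    return " -> ".join(f"{f.name} ({f.host})" for f in path)


if __name__ == "__main__":
    for p in chain_paths(SAMPLE_FINDINGS, "admin_panel"):
        print(render(p))
```

With the sample data the search returns the page's chain in both orderings (the two unauthenticated hops are independent, so either can come first) and nothing else; asking for a capability no finding grants returns an empty list rather than a speculative path.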
Get Started

Your first scan.
In under two hours.

Add your domain, verify ownership, and let VeilScan do the rest. No agents, no credentials, no internal access required.

No hidden scan fees Cancel any time Data stays in London (eu-west-2)