veilscan
Attack surface, solved

See the breach before it happens.

VeilScan finds your exposures, then shows you the exact step-by-step attack an intruder would run — grounded in your real infrastructure. Not a list. A movie of the breach.

★ No credit card ★ First report in 2 hrs ★ Data stays in the UK
SCAN REPORT · acmecorp.com · Complete
Critical business impact

  CRIT   SQL Injection — user search    api.acmecorp.com    9.1
  CRIT   Exposed .env credentials       app.acmecorp.com    8.8
  HIGH   TLS 1.0 still enabled          api.acmecorp.com    6.2

⚡ Attack path detected: SQL Injection → Exposed .env → Admin access

0% false positives · proof attached ✓
The problem

Scanners give you
lists. Not answers.

01

Too much noise

Automated scanners flag anything suspicious. Teams burn days chasing findings that aren't even exploitable — while the real risk hides in the pile.

02

No context, no action

A CVE ID isn't a decision. Without proof and business impact, findings rot in a spreadsheet — unread, unactioned, unresolved.

03

Blind between scans

Point-in-time tests miss new deploys, forgotten subdomains, and supply-chain exposure that appears the moment you ship.

AI breach simulation

We don't list bugs.
We replay the heist.

VeilScan chains your real vulnerabilities into a step-by-step intrusion — SQL injection to credential grab to admin takeover — and tells you how fast. Every hop is independently confirmed. Zero speculation.

See how chaining works
Simulated attack path · acmecorp.com

  1   SQL Injection       api.acmecorp.com      0:00
  2   Exposed .env file   app.acmecorp.com      0:11
  3   Admin takeover      admin.acmecorp.com    0:23

"Credentials from the .env confirm the admin login. Full database exposed — no auth required."

proof · verified
# reproduce it yourself (-G with --data-urlencode puts the payload in the query string with the quotes and spaces encoded)
curl -G "https://api.acmecorp.com/users/search" --data-urlencode "q=' OR '1'='1"

# server response
HTTP/1.1 200 OK
{ "users": [ … ] }    # 14,205 rows returned, no auth required
VERIFIED · ISO 27001 A.12.6 · GDPR Art.32
Proof-backed findings

If we can't
prove it, it's
not Critical.

Every Critical finding ships with the exact curl command that reproduces it and the real server response that proves it. No proof, no Critical — full stop. That's how we keep the Critical false-positive rate at zero.

Built different

Reports a CEO
actually reads.

CEO-ready

Plain English. Real business impact.

Every critical finding explained for the person who has to act on it. No jargon, no naked CVE IDs — just what's at risk, why it matters, and how to fix it. Each scan ships a Business Impact Score from 0–10.

Always-on

Catches what appears between tests.

New subdomains, forgotten staging servers, fresh deploys — VeilScan re-scans on a schedule and pings Slack the second a Critical appears. Not two hours later. Now.

Slack alerts · Delta reports · Daily re-scan
The engine

Three stages.
Zero analysts.

1

Scan

A 50-node pipeline maps your whole external surface — subdomains, ports, exposed services, JS secrets, cloud buckets, vulnerable endpoints. No setup.

2

Reason

AI correlates findings into real attack paths. Which bugs connect? Which would an attacker actually chain? What's the true blast radius?

3

Simulate

The breach simulator shows exactly how they'd get in — step by step, with timings — grounded in confirmed evidence from your infrastructure.

Up in minutes

No agents. No
credentials. No fuss.

01 · Add domain

Paste your domain

30 seconds, no config.

02 · Verify

Confirm ownership

One DNS TXT record. We never scan without written authorisation.

03 · Scan

Pipeline runs

Discovery, ports, vulns, AI verification — fully automated.

04 · Report

Report lands

A clean PDF to your inbox. Criticals hit Slack instantly.
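The ownership check in step 02 is the one piece of this flow a practitioner can inspect, so here is an added example of how such a DNS TXT verification is typically implemented. It is not VeilScan's code: the page says only "one DNS TXT record", so the record name (_veilscan-verify.<domain>), the value format (veilscan-verify=<token>) and the dig output below are all assumptions constructed for the demo.

```python
import hmac
import secrets
import shlex

# Assumed challenge format (hypothetical; the page only says "one DNS TXT record"):
#   _veilscan-verify.<domain>.   TXT   "veilscan-verify=<token>"
RECORD_PREFIX = "_veilscan-verify"
VALUE_PREFIX = "veilscan-verify="


def new_challenge(domain: str) -> tuple[str, str]:
    """Issue a fresh challenge: the TXT record name the customer must create
    and the random token it must carry (32 bytes from the OS CSPRNG)."""
    token = secrets.token_urlsafe(32)
    return f"{RECORD_PREFIX}.{domain}", token


def parse_dig_txt(output: str) -> list[str]:
    """Convert `dig +short TXT <name>` output into a list of record values.

    dig prints one record per line as double-quoted strings. A value longer
    than 255 bytes arrives as several quoted chunks on one line ("abc" "def");
    they are one value and must be concatenated, or a long token never matches.
    shlex handles the quoting and the \\" escapes dig emits.
    """
    values = []
    for line in output.splitlines():
        line = line.strip()
        if line:
            values.append("".join(shlex.split(line)))
    return values


def verify_domain(txt_values: list[str], expected_token: str) -> bool:
    """True only if some TXT value is exactly VALUE_PREFIX + token.

    Each candidate is compared in constant time and the loop never exits early,
    so response timing does not reveal how much of a guessed token was right.
    Unrelated or stale records at the same name are simply non-matches.
    """
    expected = (VALUE_PREFIX + expected_token).encode()
    matched = False
    for value in txt_values:
        if hmac.compare_digest(value.encode(), expected):
            matched = True
    return matched


# Constructed sample: what `dig +short TXT _veilscan-verify.acmecorp.com` might
# print after the customer adds the record. A stale record from an earlier
# attempt sits beside the live one, whose value is split into two quoted
# chunks to exercise the concatenation. The token is a fixed demo string.
SAMPLE_TOKEN = "demo-token-0123456789abcdefghijklmnopqrstuvwxyz-ABCDEF"
SAMPLE_DIG_OUTPUT = (
    '"veilscan-verify=stale-token-from-a-previous-attempt"\n'
    '"veilscan-verify=demo-token-0123456789abcdef" "ghijklmnopqrstuvwxyz-ABCDEF"\n'
)


def demo_verification() -> dict[str, bool]:
    records = parse_dig_txt(SAMPLE_DIG_OUTPUT)
    return {
        "right_token": verify_domain(records, SAMPLE_TOKEN),
        "wrong_token": verify_domain(records, "demo-token-not-the-one-published"),
        "no_record": verify_domain(parse_dig_txt('"v=spf1 -all"\n'), SAMPLE_TOKEN),
    }


if __name__ == "__main__":
    print(new_challenge("acmecorp.com"))
    print(demo_verification())
```

In production the lookup itself should go to an authoritative or trusted recursive resolver rather than whatever /etc/resolv.conf points at, and the token should be single-use and expire, so a record a customer forgets to delete cannot be replayed later.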

Sample output

What you actually get.

Not a spreadsheet. A clear, actionable picture of your external risk — with proof stapled to every finding.

Example finding · CRITICAL

SQL Injection — User Search

api.acmecorp.com/users/search

The q parameter is injectable. An attacker can dump the full user table — no authentication needed.

PROOF   curl -G "…/users/search" --data-urlencode "q=' OR '1'='1"
ISO 27001 · GDPR Art.32 · VERIFIED
What this means · HIGH RISK

Full database, zero auth.

The SQL injection extracts database credentials. The exposed .env confirms the admin password. With both, an attacker logs into the admin panel — total control, no authentication.

Business consequence: Full customer database exposed. GDPR breach notification required within 72 hours.
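As an added example (not code from the page or from VeilScan), here is the class of bug this finding describes, reproduced in Python against an in-memory SQLite table: a search handler that splices q into its SQL, beside the parameterised version. The table, column names and rows are constructed for the demo; the page says nothing about acmecorp's backend.

```python
import sqlite3

# Constructed sample rows standing in for the user table behind a
# /users/search endpoint. Not data from the page or from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

PAYLOAD = "' OR '1'='1"   # the payload shown in the finding


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def render_vulnerable_sql(q: str) -> str:
    """The statement a string-splicing handler actually sends to the database.
    The quote in q closes the literal early and the rest becomes SQL syntax."""
    return f"SELECT username, email FROM users WHERE username = '{q}'"


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list:
    """Deliberately vulnerable search (hypothetical handler, not VeilScan code):
    q is interpolated into the query text, so  ' OR '1'='1  turns the WHERE
    clause into  username = '' OR '1'='1 , which is true for every row."""
    return conn.execute(render_vulnerable_sql(q)).fetchall()


def search_fixed(conn: sqlite3.Connection, q: str) -> list:
    """Hardened search: q is bound as a parameter. The driver sends it as a
    value, never as SQL text, so quote characters cannot change the query."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (q,)
    ).fetchall()


def compare_queries() -> dict:
    """Row counts for a legitimate search and for the payload, against both handlers."""
    conn = make_db()
    return {
        "vulnerable_legit": len(search_vulnerable(conn, "alice")),
        "vulnerable_payload": len(search_vulnerable(conn, PAYLOAD)),  # the whole table
        "fixed_legit": len(search_fixed(conn, "alice")),
        "fixed_payload": len(search_fixed(conn, PAYLOAD)),            # nothing
    }


if __name__ == "__main__":
    print(render_vulnerable_sql(PAYLOAD))
    print(compare_queries())
```

The "dump the full user table" in the finding is the vulnerable_payload count: one always-true predicate and the handler returns every row, which is what the 200 OK with thousands of rows in the proof block corresponds to. The fix is binding, not quote-escaping; the same rule applies to an ORM's raw-query escape hatch.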
View full sample report
Early users

Loved by teams who
take risk seriously.

Even without a deep technical background, I could understand the risks and communicate them internally. That's rare for security tools.
Ayush Adhikari, CMO, Apulza
As a non-technical founder, security reports go over my head. VeilScan changed that. The impact score and attack path made it obvious what was urgent and why.
Arif Esa, Founder, Cabex FX
The proof-backed findings are the difference. Instead of vague alerts, we get reproducible evidence. It removes the guesswork entirely.
Early Access User, SaaS Engineering
Pricing

Simple. Transparent.
Proof included.

Every plan includes proof-backed findings and compliance mapping. Free forever to start.

Free

$0forever

Try the scanner on one domain, no commitment.

  • 1 domain
  • 1 lifetime scan
  • Medium & Low findings
  • Critical & High
  • PDF report
  • Attack paths
Try for free

Starter

$49/mo

For small teams starting external security.

  • 1 domain monitored
  • 1 scan / month
  • Proof-backed findings
  • Compliance mapping
  • PDF + portal
  • Attack paths
  • Slack alerts
Get started
Most popular

Core

$149/mo

For engineering teams who need depth.

  • Up to 5 domains
  • 5 scans / month
  • Weekly re-scan
  • Proof-backed findings
  • Attack paths
  • Slack alerts
  • Delta reports
Start with Core →

Pro

$299/mo

For SaaS teams with many public assets.

  • Up to 20 domains
  • 25 scans / month
  • Daily re-scan
  • Attack paths + Slack
  • Delta reports
  • Compliance export
Start with Pro

All plans require a signed Rules of Engagement · Full pricing details →

Your first scan.
In under two hours.

Add your domain, verify ownership, and let VeilScan do the rest. A full external scan returned as a verified, proof-backed report — straight to your inbox.

★ No credit card★ Cancel anytime★ Data stays in London