One platform for every surface attackers touch.
Web, REST + GraphQL APIs, WebSocket auth, GitHub repo + Dockerfile base images, mobile binary, cloud account, Kubernetes, and Web3 smart contract, all in one workspace. Read-only by default. Immutable 0-100 risk rating per scan (A-F grade, per-surface breakdown) and one-click PDF evidence packs for seven compliance frameworks.
Not a certified pentest. Not a 24/7 monitor. A safe, automated security assessment that catches the obvious before your manual auditor arrives.
$4.88M
Average breach cost in 2024 (IBM)
207 days
Average time to identify a breach (IBM)
97%
of breaches preventable with basic hygiene (OTA)
Coverage
One scanner for every surface attackers touch.
Web, API, repo, mobile binary, cloud account, Kubernetes, and Web3 smart contract, all in one workspace, one report set, one Compliance dashboard. Buyers no longer pick between a web scanner and a cloud auditor and a Web3 scanner. Pick NANOTESTING and ship one auditor-ready PDF.
Web apps
60+ check modules: Nuclei + ZAP active + nano-baseline. Security headers, CSP, COOP/COEP/CORP, cookies, JWT static, sensitive paths with host-calibration FP suppression.
APIs
Schemathesis OpenAPI contract fuzz + OWASP API authorization (BOLA / BFLA / mass-assignment) + JWT / JWKS hygiene + rate-limit + replay-protection probes. GraphQL parity (introspection + BOLA + BFLA). WebSocket upgrade auth.
GitHub repos
Shallow clone + osv-scanner + gitleaks + Trivy + Semgrep + Slither + Mythril + Echidna (Web3 add-on) + Foundry test discovery + Kubescape + mobsfscan.
Mobile (APK / IPA)
Upload the release binary. apktool / unzip decompile, mobsfscan MASVS + CWE, manifest + Info.plist hardening, SDK fingerprint, third-party CVE. AndroidX + launcher carve-outs, test-fixture filter.
Cloud (AWS / Azure / GCP)
Plug read-only audit credentials. Prowler runs across all three providers, CloudFox enumerates AWS principals + role trusts + workloads. Findings join the dashboard with KEV / EPSS priority.
Web3 / smart contracts
EVM (Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche): Slither + Mythril + NFT/ERC-20/oracle/compliance audit. Sui Move (Beta). Solana (Beta). $299 Web3 add-on.
- 1,200+ scans completed last 30 days
- 60+ check modules across 6 surfaces
- 9 chains scanned (Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche, Sui, Solana)
- MIT / Apache / BSD / LGPL toolchain (1 AGPL sidecar isolated)
- Read-only by default. Verified-owner scans rate-limited.
90-second product demo - coming this week
While we finish the screencast, take the same tour in 60 seconds via the sample report - same data, paginated across the four auditor-ready PDFs.
See a sample PDFThe trap
Founders pay manual pentesters to find bugs an automated scanner could have caught.
A manual pentest is the right tool for business-logic abuse, chained exploits, and creative attacker mindset work. It is a wildly expensive way to learn you forgot a Content-Security-Policy header. NANOTESTING runs the boring half before your pentester arrives so their hours go to the work only humans can do.
Pentesters are billed by the hour.
A typical engagement runs $5,000-$50,000 for two weeks of one senior consultant. Every hour they spend telling you to set HSTS, fix a missing SameSite cookie, or rotate a leaked test key is an hour you paid at $300/h for a $39 tool's job.
$5K-50K
Typical pentest spend
$300/h
Average billable rate
Re-test after fixing is another pentest.
Most pentest firms only re-validate findings in the same engagement window. If you fix 10 trivial issues in week 3, you book a second engagement to confirm they are closed. The same $50K spent on the same surface, twice.
2x
Spend when re-test is needed
3-6 wk
Calendar slip per re-test
Auditors and procurement teams are watching.
ISO 27001, SOC 2, and vendor-security reviews ask for recurring evidence, not a one-time PDF. When the cycle slips you stall enterprise deals in legal review for weeks - sometimes the deal dies before legal clears it.
1 in 3
Startups fail vendor security on first pass
97%
Breaches preventable with basic hygiene (OTA)
The fix
Pretest. Fix. Then pentest.
Run NANOTESTING against every verified target on a schedule. Fix every Critical / High before you book a manual pentest. Hand the pentester a clean baseline. Now their two weeks go into business logic, chained exploits, and the bugs that need a human brain. Your $50K stays inside the work that actually matters.
Stats sourced from IBM Cost of a Data Breach Report 2024 + the Online Trust Alliance Cyber Incident & Breach Trends Report.
What NANOTESTING checks
60+ check modules across six surfaces, grouped by where attackers touch you.
Read-only by default. Verified-owner full scans add rate-limited Nuclei active templates. The active-attack-payload checks (ZAP active scan, Schemathesis OpenAPI fuzz, mass-assignment PATCH, Host-header injection) ship in the separate Invasive Testing add-on and only fire on identity-verified, per-target-authorized targets.
Web apps
Read-only baseline, plus rate-limited Nuclei active templates for verified owners.
- Nuclei templates (8000+): CVEs, exposures, misconfig
- nano-baseline: TLS, DNS, DNSSEC, redirect chain, robots
- Security headers + CSP + COOP / COEP / CORP audit
- Cookies + CSRF token + JWT static analysis
- Sensitive paths with host-calibration FP suppression
- JS library CVE + DOM XSS canary
- Mixed content + CORS + OAuth + WebSocket probes
- File upload, HTTP request smuggling, cache poisoning
- ZAP active scan + Host-header injection (Invasive add-on)
APIs
OWASP API Top 10 authorization probes; active fuzzing in the add-on.
- OWASP API1 BOLA: object-level authorization
- OWASP API5 BFLA: function-level authorization
- JWT static analysis + JWKS hygiene
- Rate-limit + replay-protection probes
- GraphQL authz: introspection + BOLA + BFLA on top fields
- WebSocket upgrade: cross-origin + unauth-subscribe probe
- Redoc / Swagger discovery
- API key leak in JS bundle, excessive data exposure
- Webhook signature probe (HMAC, timestamp window)
- Schemathesis OpenAPI fuzz + mass-assignment PATCH (Invasive add-on)
GitHub repositories
Shallow clone, then run the full open-source SAST chain in one pass.
- osv-scanner: npm / yarn / pip / go.mod / Cargo / Gemfile / composer
- gitleaks: full git history for hardcoded secrets
- Trivy: IaC misconfig + Terraform / K8s / Dockerfile / Helm
- Trivy image: base-image OS-package CVE scan on every Dockerfile FROM (libc / openssl / perl / libgnutls30) - the same coverage paid scanners like Snyk Container charge for
- Semgrep: cross-language SAST rule packs
- Slither + Mythril + Echidna (Web3 add-on enabled)
- Foundry test discovery for Solidity coverage signal
- Kubescape NSA framework on K8s manifests
- mobsfscan on mobile source trees
- Proxy storage collision detection (Web3)
Mobile (APK / IPA)
Upload the release binary. Decompile, scan, and dedupe down to honest findings.
- apktool + unzip decompile (APK and IPA)
- mobsfscan MASVS + CWE rule packs
- AndroidManifest hardening: cleartext, debuggable, exported
- Info.plist hardening: ATS bypass, URL schemes
- Exported component permission-gating audit
- SDK fingerprint + third-party library CVE
- AndroidX library carve-out (no framework false positives)
- Launcher activity exemption + apktool original-manifest dedup
- Test-fixture filter (no findings on /test/ paths)
Cloud + Kubernetes
Read-only audit credentials, then run the three best open-source cloud auditors.
- Prowler on AWS (300+ checks across all services)
- Prowler on Azure (subscription, AAD, storage, identity)
- Prowler on GCP (IAM, GCS, GKE, organization policy)
- CloudFox: AWS principals + role-trusts + workloads
- Kubescape NSA framework + CIS K8s benchmarks
- Findings join the dashboard with KEV + EPSS priority
Web3 / smart contracts
On-chain source fetch, static + symbolic + fuzz, plus economic and ownership audit.
- On-chain Slither (Etherscan v2 verified source fetch)
- Mythril symbolic analysis + Echidna property fuzz
- NFT and ERC-20 audit: mint, blacklist, pause selectors
- ERC compliance (ERC-20 / 721 / 1155 standard conformance)
- Oracle config: Chainlink stale price, decimals, centralized feed
- Compiler audit: unverified source, outdated solc, optimizer off
- Owner classification: EOA, Gnosis Safe, OZ Timelock
- Honeypot simulation, fee-on-transfer, LP-lock check
- Bytecode opcode scan: SELFDESTRUCT, CALLCODE
- OFAC SDN sanctions lookup
- Sui Move (Beta): 19 detectors + UpgradeCap classification
- Solana (Beta): verified-build + Anchor IDL + SPL authority
- DApp frontend: wallet provider + RPC key leak + unlimited-approve
Every scan emits an immutable 0-100 risk rating (A-F grade, per-surface breakdown, top 5 risk drivers) plus normalized risk_signals that drive per-control tallies on the OWASP API Top 10 coverage card and the seven-framework compliance dashboard. Automated security assessment. Not a certified penetration test. Not a compliance attestation. We sell you a safe external security review that catches the obvious so your manual auditor finds the rest.
False-positive engineering
Accuracy is the product. We optimise for honest findings, not finding counts.
Most automated scanners chase volume. We chase verification. Three layers between the raw tool output and your dashboard kill the noise that gives automated security testing a bad reputation.
Real customer test, May 2026
Before
50
findings on a Vercel-hosted SaaS first scan
Sensitive-path 403s flooded the report. Most were the platform's catch-all, not real exposures.
After
3
real findings, zero false positives
Host-calibration probe, AndroidX carve-out, apktool original-manifest dedup, managed-host downgrade landed.
Every uncertain finding now carries an explicit False-positive risk: caveat with the exact reason it might be wrong and how to verify. The customer triage budget goes into real fixes, not into chasing scanner ghosts.
Host calibration probe
Before per-path scanners run, three GET probes to random non-existent paths build a (status, body-hash) baseline. Real probes that match the baseline are the host's catch-all, not findings. Vercel-style soft-404s stop generating false positives.
Managed-host downgrade
When the Server header matches Vercel, Cloudflare, Netlify, CloudFront, Fly, Render, Fastly, or GitHub Pages, sensitive-path 403s get a severity downgrade plus an explicit caveat naming the platform. Platform WAFs no longer count as your security posture.
FP-risk caveats
Every finding with known uncertainty appends 'False-positive risk: <reason>' to its description. The customer sees what would make the finding a false positive and exactly how to verify it before they panic, file a ticket, or escalate to engineering.
A report with 5 honest findings beats a report with 50 noisy ones. That is the only honest way to sell automated security assessment.
How it works
From a verified target to a clean report in four steps.
- Step 01
Add target
Add a website, web app, or API. We validate the URL, normalize the host, and block private and metadata IPs.
- Step 02
Verify ownership
Prove ownership with a DNS TXT record or HTML file. Full scans are gated behind verification.
- Step 03
Run safe scan
Our worker runs read-only checks against your target. No payloads, no destructive tests, no aggressive load.
- Step 04
Export report
Review findings by severity, track remediation, and export a NANOTESTING-branded PDF for auditors and clients.
Reports and evidence
A clean report that stands up to a procurement review.
Findings are normalized, deduplicated, and grouped by severity. Every report includes scope, methodology, limitations, and an authorization statement so the reader knows exactly what was tested.
- Executive summary with security score and severity counts.
- Detailed findings with remediation, evidence, and CWE mapping.
- Verified-report variant with reviewer notes for due diligence.
Target
app.example.com
Security score
72/ 100
Issues detected
24
Detailed findings
LockedCompliance evidence
Auditor-ready evidence, not a certificate we are not allowed to issue.
Every scan emits compliance evidence rows alongside findings. Your auditor reads concrete proof points mapped to the control IDs they care about, then signs off. We sit underneath the auditor, not above them.
Sample evidence rows
- HSTS configured (max-age 1y + includeSubDomains + preload)
- TLS 1.3 supported, weak versions (1.0 / 1.1) disabled
- DNSSEC enabled (chain validates to root)
- No exposed sensitive paths (host calibration confirmed non-uniform)
Every row maps to the specific ISO 27001 Annex A control, SOC 2 Trust Services Criterion, and OWASP Top 10 category it satisfies. Auditor reads the mapping, opens the scan snapshot, signs off.
Dual view per control
The Compliance dashboard shows BOTH findings (what is broken) AND evidence (what is verified satisfied) per control. Auditor-friendly green / red / grey colour coding so reviewers see at a glance what passes, what fails, and what was not exercised this scan.
Per-scan immutable snapshot
Generated when each scan completes. A reviewer can show 'as of <scan date>, controls X, Y, Z were satisfied with this evidence'. The historical record stays stable even after the next scan, so audit windows have a fixed point of reference.
Seven framework mappings
OWASP Top 10 2025, ISO 27001:2022 Annex A, SOC 2 Trust Services Criteria, NIST CSF 2.0, CIS Controls v8, PCI DSS 4.0, and HIPAA Security Rule. 93 controls and 223 signal mappings live in the database, so an 8th framework needs no code change.
Per-framework PDF evidence pack
One-click PDF download per framework on /compliance: "HIPAA evidence pack", "SOC 2 evidence pack", and the other five. Hand the right pack to the right auditor without exposing the other six frameworks they have no business seeing. Footer disclaimer on every page is auditor-honest: evidence support, not a certification.
Drill-through from control to finding
Click any control row and land on /findings filtered to the exact set of signatures that contributed to its tally. No more "the dashboard says we have 3 mediums on PCI 6.2, where are they?" - one click answers it.
Compliance evidence support, not a certification or attestation. NANOTESTING gives your auditor a structured evidence pack and a per-scan immutable snapshot. Your auditor remains the source of truth for sign-off, framework interpretation, and the final report.
Use cases
Built for the moments where evidence is the deliverable.
Pursuing a framework? Here is exactly what NANOTESTING scans, what evidence it produces, and which controls it speaks to - per framework, honestly. We map findings to seven frameworks and support the testing obligations of others without inventing a control map we cannot stand behind.
ISO 27001:2022
Stand up the technical half of your ISMS evidence
Point NANOTESTING at your production web apps, REST + GraphQL APIs, and GitHub repos and it runs the technical-vulnerability and secure-development checks an ISO 27001 auditor expects to see exercised on a schedule. Each scan writes compliance_evidence rows that roll up to specific Annex A controls: weak TLS / missing HSTS to A.8.24 (cryptography), missing security headers / CSP to A.8.26 (application security requirements), dependency CVEs and outdated components to A.8.8 (technical vulnerabilities), gitleaks secrets and leaked credentials to A.8.2 (privileged access), and SAST plus dependency hygiene to A.8.25 (secure development life cycle). The per-scan snapshot is immutable, so during the audit window you can show "as of this dated scan, A.8.24 was satisfied with this evidence."
Maps to
SOC 2
Recurring evidence for the Common Criteria, on a schedule
A SOC 2 Type II audit covers a window, not a moment, so it needs evidence that recurring controls operated the whole time. Schedule weekly or daily scans and NANOTESTING produces dated proof against the Common Criteria: authentication and public-exposure findings map to CC6.1 (logical access controls), MFA / session / auth-header weaknesses to CC6.6 (boundary protection), weak TLS / missing HSTS / mixed content to CC6.7 (restriction of data transmission), missing security headers and input-validation defects to CC6.8 (malicious-software prevention), dependency CVE / monitoring gaps to CC7.1 (detection of vulnerabilities), and dependency hygiene to CC8.1 (change management). Export the one-click SOC 2 evidence pack and hand only that pack to your auditor.
Maps to
PCI DSS 4.0
Quarterly external scans and the secure-config requirements
PCI DSS 4.0 wants externally-facing systems scanned regularly and configured securely. NANOTESTING's read-only baseline plus the verified-owner active checks exercise the requirements a network/web scan can speak to: TLS posture, weak ciphers, and protocol downgrade map toward Requirement 4 (protect cardholder data in transit), missing security headers and exposed surfaces toward Requirement 6 (develop and maintain secure systems), and the dependency / SAST / secrets findings toward 6.3's known-vulnerability handling. The /compliance dashboard carries a dedicated PCI DSS 4.0 tab with per-control finding tallies, and every control row drills through to the exact findings behind it, so a QSA can move from a requirement straight to the evidence. Export the scoped PCI DSS PDF / CSV / JSON evidence pack for the assessor.
Maps to
DORA (EU)
Operational-resilience ICT testing your scanning can support
DORA (the EU Digital Operational Resilience Act) requires financial entities to run regular ICT vulnerability assessments and threat-led testing of their digital operational resilience. NANOTESTING is not a "DORA compliance map" - DORA is not one of our seven formally-mapped frameworks and we will never claim a control matrix for it. What it does honestly support: continuous, scheduled scanning across your web, API, repo, cloud, and Kubernetes surfaces, immutable per-scan snapshots, KEV + EPSS prioritisation, and auditor-ready reports you can put in front of a regulator or third-party-risk reviewer as evidence that ICT vulnerability assessment is happening on a recurring basis. Treat it as the always-on baseline that feeds your DORA testing programme, not a substitute for the threat-led penetration testing DORA also expects.
Supports
NIST CSF 2.0 / CIS v8 / HIPAA
One scan, mapped across the rest of your framework stack
The same findings roll up against four more frameworks without a second tool. NIST CSF 2.0 and CIS Controls v8 carry per-control tallies derived from the risk_signals join (vulnerability management, secure configuration, data protection in transit). The HIPAA Security Rule tab maps web + API + cloud findings to the technical safeguards - 164.312(e)(1) Transmission Security lights up from your TLS / HSTS evidence, for example - and every control row links straight to the underlying finding signatures. Each framework has its own scoped PDF / CSV / JSON evidence pack so you hand the HIPAA pack to the HIPAA auditor and nothing else.
Maps to
Vendor due diligence & remediation
Answer questionnaires with a live report, then close the loop
Reply to a security questionnaire or a buyer's due-diligence request with a current NANOTESTING report - website, API, repo (dependency CVEs, leaked secrets, IaC misconfig), cloud, and mobile assessed together - instead of stale screenshots. Internally, triage findings by KEV + EPSS-weighted priority (not raw severity), assign owners through the per-finding discussion thread, mark a finding fixed, and click "Run retest": a new scan re-checks the signature and flips it to verified-fixed if it is gone. The README risk badge and rating.json endpoint let you gate CI or publish your grade, so the evidence stays live between audits.
Maps to
Compliance evidence support, not a certification or attestation. NANOTESTING gives your auditor a structured evidence pack and an immutable per-scan snapshot; your auditor remains the source of truth for framework interpretation and sign-off.
Pricing
Pricing that scales with your evidence cadence.
Start free. Move up as your scan frequency grows. Agencies manage multiple client workspaces with branded reports.
Start any paid plan with a 14-day free trial — no charge until it ends. Cancel any time before day 14 and you owe nothing.
A card is collected at checkout so the plan continues automatically after the trial. Manage or cancel from the billing portal.
Free
Kick the tires on a single verified target.
- 1 verified target
- 1 scan / month
- DNS, TLS, security headers
- No PDF export
Starter
Basic automated checks for solo founders.
Billed annually · save 20%
Starts with a 14-day free trial
Start free trial- 3 verified targets (web, API, repo)
- 10 scans / month
- Weekly evidence snapshots
- Executive + Developer PDF reports
- Compliance evidence rows (ISO / SOC2 / OWASP)
- Retest workflow
Growth
Full multi-surface coverage: web, API, repo, mobile, cloud, K8s.
Billed annually · save 20%
Starts with a 14-day free trial
Start free trial- 15 verified targets (any surface)
- 100 scans / month
- Mobile binary scan (APK / IPA)
- Cloud audit (AWS / Azure / GCP via Prowler)
- Kubernetes manifests (Kubescape NSA)
- Advanced API testing (BOLA / BFLA / mass-assignment)
- Repo scan: osv-scanner + gitleaks + Trivy + Semgrep
- All 4 PDF reports (Executive / Developer / Compliance / Trend)
- KEV + EPSS prioritization
Agency
Repeatable multi-client coverage with branded reports.
Billed annually · save 20%
Starts with a 14-day free trial
Start free trial- 50 verified targets across 25 client workspaces
- 15 team members
- Branded PDF reports (Executive / Developer / Compliance / Trend)
- Per-client Compliance dashboard
- Multi-client dashboard with cross-workspace rollup
Enterprise
Custom limits, SSO, regulated environments.
- Custom targets and scan volume
- SSO / SAML
- Advanced RBAC + audit logs
- Internal scanner agent
- Priority support
Web3 / smart contract scanning
Layered on Growth or Agency. Token contracts, public wallet exposure, sanctions signals, liquidity risk, honeypot detection.
- EVM (7 chains): Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche
- Sui Move (Beta) - 19 static detectors + UpgradeCap owner classification
- Solana (Beta) - verified-build + upgrade authority + Anchor IDL + SPL authority
- Slither + Mythril + Echidna analysis (EVM)
- Honeypot + fee-on-transfer detection
- Owner classification (EOA / Safe / Timelock)
- OFAC SDN compliance lookup
- Web3 risk score on every target
Invasive testing (active attack payloads)
Layered on Growth or Agency. The active checks that send real attack payloads - safely, only on targets you explicitly authorize (staging recommended).
- Active web scanner (OWASP ZAP): SQLi / XSS / CSRF / SSRF / path traversal / cmd injection / SSTI
- OpenAPI contract fuzz (Schemathesis): generated POST / PUT / DELETE
- Mass-assignment probe: privileged-field PATCH (confirmed CWE-915)
- Host-header injection: password-reset + cache-poisoning primitive
- Two-gate safety: add-on + explicit per-target authorization
- Per-tool opt-out, staging-first, no DoS / brute-force
Verified Security Report - currently unavailable. Automated evidence reports remain available across Starter, Growth, and Agency.
All plans require verified target ownership for full scans. NANOTESTING is not a certified penetration test or a compliance attestation.
Questions
Straight answers about what NANOTESTING does and doesn't do.
If you don't see your question, contact the team. We try to be specific about scope so you can evaluate fit.
Stop sending screenshots. Start sending reports.
Create an account, verify your target, and run a safe automated assessment in minutes.