One platform for every surface attackers touch.
Web, REST + GraphQL APIs, WebSocket auth, GitHub repo + Dockerfile base images, mobile binary, cloud account, Kubernetes, and Web3 smart contract, all in one workspace. Read-only by default. Immutable 0-100 risk rating per scan (A-F grade, per-surface breakdown) and one-click PDF evidence packs for seven compliance frameworks.
Not a certified pentest. Not a 24/7 monitor. A safe, automated security assessment that catches the obvious before your manual auditor arrives.
Or scan your website right now — one free preview per IP every 30 days, no signup.
$4.88M
Average breach cost in 2024 (IBM)
207 days
Average time to identify a breach (IBM)
97%
of breaches preventable with basic hygiene (OTA)
Target
api.example.com
Score
72/100
Findings
24
- High, CWE-319: Missing Strict-Transport-Security header
- Medium, CWE-1275: Cookie missing SameSite attribute
- Low, CWE-200: Server header reveals stack version
- Info: +20 more
Coverage
One scanner for every surface attackers touch.
Web, API, repo, mobile binary, cloud account, Kubernetes, and Web3 smart contract, all in one workspace, one report set, one Compliance dashboard. Buyers no longer pick between a web scanner and a cloud auditor and a Web3 scanner. Pick NANOTESTING and ship one auditor-ready PDF.
Web apps
60+ check modules: Nuclei + ZAP active + nano-baseline. Security headers, CSP, COOP/COEP/CORP, cookies, JWT static, sensitive paths with host-calibration FP suppression.
APIs
Schemathesis OpenAPI contract fuzz + OWASP API authorization (BOLA / BFLA / mass-assignment) + JWT / JWKS hygiene + rate-limit + replay-protection probes. GraphQL parity (introspection + BOLA + BFLA). WebSocket upgrade auth.
GitHub repos
Shallow clone + osv-scanner + gitleaks + Trivy + Semgrep + Slither + Mythril + Echidna (Web3 add-on) + Foundry test discovery + Kubescape + mobsfscan.
Mobile (APK / IPA)
Upload the release binary. apktool / unzip decompile, mobsfscan MASVS + CWE, manifest + Info.plist hardening, SDK fingerprint, third-party CVE. AndroidX + launcher carve-outs, test-fixture filter.
Cloud (AWS / Azure / GCP)
Plug read-only audit credentials. Prowler runs across all three providers, CloudFox enumerates AWS principals + role trusts + workloads. Findings join the dashboard with KEV / EPSS priority.
Web3 / smart contracts
EVM (Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche): Slither + Mythril + NFT/ERC-20/oracle/compliance audit. Sui Move (Beta). Solana (Beta). $299 Web3 add-on.
- 1,200+ scans completed last 30 days
- 60+ check modules across 6 surfaces
- 9 chains scanned (Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche, Sui, Solana)
- MIT / Apache / BSD / LGPL toolchain (1 AGPL sidecar isolated)
- Read-only by default. Verified-owner scans rate-limited.
90-second product demo - coming this week
While we finish the screencast, take the same tour in 60 seconds via the sample report - same data, paginated across the four auditor-ready PDFs.
See a sample PDF
The trap
Founders pay manual pentesters to find bugs an automated scanner could have caught.
A manual pentest is the right tool for business-logic abuse, chained exploits, and creative attacker mindset work. It is a wildly expensive way to learn you forgot a Content-Security-Policy header. NANOTESTING runs the boring half before your pentester arrives so their hours go to the work only humans can do.
Pentesters are billed by the hour.
A typical engagement runs $5,000-$50,000 for two weeks of one senior consultant. Every hour they spend telling you to set HSTS, fix a missing SameSite cookie, or rotate a leaked test key is an hour you paid at $300/h for a $99 tool's job.
$5K-50K
Typical pentest spend
$300/h
Average billable rate
Re-test after fixing is another pentest.
Most pentest firms only re-validate findings in the same engagement window. If you fix 10 trivial issues in week 3, you book a second engagement to confirm they are closed. The same $50K spent on the same surface, twice.
2x
Spend when re-test is needed
3-6 wk
Calendar slip per re-test
Auditors and procurement teams are watching.
ISO 27001, SOC 2, and vendor-security reviews ask for recurring evidence, not a one-time PDF. When the cycle slips you stall enterprise deals in legal review for weeks - sometimes the deal dies before legal clears it.
1 in 3
Startups fail vendor security on first pass
97%
Breaches preventable with basic hygiene (OTA)
The fix
Pretest. Fix. Then pentest.
Run NANOTESTING against every verified target on a schedule. Fix every Critical / High before you book a manual pentest. Hand the pentester a clean baseline. Now their two weeks go into business logic, chained exploits, and the bugs that need a human brain. Your $50K stays inside the work that actually matters.
Stats sourced from IBM Cost of a Data Breach Report 2024 + the Online Trust Alliance Cyber Incident & Breach Trends Report.
What NANOTESTING checks
60+ check modules across six surfaces, grouped by where attackers touch you.
Read-only by default. Verified-owner full scans add rate-limited active checks (ZAP active, Nuclei templates, Schemathesis OpenAPI contract fuzz) that stay within the schema and never go destructive.
Web apps
Read-only baseline, plus rate-limited active checks for verified owners.
- Nuclei templates (8000+) and ZAP active scan
- nano-baseline: TLS, DNS, DNSSEC, redirect chain, robots
- Security headers + CSP + COOP / COEP / CORP audit
- Cookies + CSRF token + JWT static analysis
- Sensitive paths with host-calibration FP suppression
- JS library CVE + DOM XSS canary
- Mixed content + CORS + OAuth + WebSocket probes
- File upload, HTTP request smuggling, cache poisoning
APIs
OpenAPI contract fuzz plus OWASP API Top 10 authorization probes.
- Schemathesis OpenAPI / Swagger 2 contract fuzz
- OWASP API1 BOLA: object-level authorization
- OWASP API5 BFLA: function-level authorization
- OWASP API6 mass-assignment heuristic
- JWT static analysis + JWKS hygiene
- Rate-limit + replay-protection probes
- GraphQL authz: introspection + BOLA + BFLA on top fields
- WebSocket upgrade: cross-origin + unauth-subscribe probe
- Redoc / Swagger discovery
- API key leak in JS bundle, excessive data exposure
- Webhook signature probe (HMAC, timestamp window)
GitHub repositories
Shallow clone, then run the full open-source SAST chain in one pass.
- osv-scanner: npm / yarn / pip / go.mod / Cargo / Gemfile / composer
- gitleaks: full git history for hardcoded secrets
- Trivy: IaC misconfig + Terraform / K8s / Dockerfile / Helm
- Trivy image: base-image OS-package CVE scan on every Dockerfile FROM (libc / openssl / perl / libgnutls30) - the same coverage paid scanners like Snyk Container charge for
- Semgrep: cross-language SAST rule packs
- Slither + Mythril + Echidna (Web3 add-on enabled)
- Foundry test discovery for Solidity coverage signal
- Kubescape NSA framework on K8s manifests
- mobsfscan on mobile source trees
- Proxy storage collision detection (Web3)
Mobile (APK / IPA)
Upload the release binary. Decompile, scan, and dedupe down to honest findings.
- apktool + unzip decompile (APK and IPA)
- mobsfscan MASVS + CWE rule packs
- AndroidManifest hardening: cleartext, debuggable, exported
- Info.plist hardening: ATS bypass, URL schemes
- Exported component permission-gating audit
- SDK fingerprint + third-party library CVE
- AndroidX library carve-out (no framework false positives)
- Launcher activity exemption + apktool original-manifest dedup
- Test-fixture filter (no findings on /test/ paths)
Cloud + Kubernetes
Read-only audit credentials, then run the three best open-source cloud auditors.
- Prowler on AWS (300+ checks across all services)
- Prowler on Azure (subscription, AAD, storage, identity)
- Prowler on GCP (IAM, GCS, GKE, organization policy)
- CloudFox: AWS principals + role-trusts + workloads
- Kubescape NSA framework + CIS K8s benchmarks
- Findings join the dashboard with KEV + EPSS priority
Web3 / smart contracts
On-chain source fetch, static + symbolic + fuzz, plus economic and ownership audit.
- On-chain Slither (Etherscan v2 verified source fetch)
- Mythril symbolic analysis + Echidna property fuzz
- NFT and ERC-20 audit: mint, blacklist, pause selectors
- ERC compliance (ERC-20 / 721 / 1155 standard conformance)
- Oracle config: Chainlink stale price, decimals, centralized feed
- Compiler audit: unverified source, outdated solc, optimizer off
- Owner classification: EOA, Gnosis Safe, OZ Timelock
- Honeypot simulation, fee-on-transfer, LP-lock check
- Bytecode opcode scan: SELFDESTRUCT, CALLCODE
- OFAC SDN sanctions lookup
- Sui Move (Beta): 19 detectors + UpgradeCap classification
- Solana (Beta): verified-build + Anchor IDL + SPL authority
- DApp frontend: wallet provider + RPC key leak + unlimited-approve
Every scan emits an immutable 0-100 risk rating (A-F grade, per-surface breakdown, top 5 risk drivers) plus normalized risk_signals that drive per-control tallies on the OWASP API Top 10 coverage card and the seven-framework compliance dashboard. Automated security assessment. Not a certified penetration test. Not a compliance attestation. We sell you a safe external security review that catches the obvious so your manual auditor finds the rest.
False-positive engineering
Accuracy is the product. We optimise for honest findings, not finding counts.
Most automated scanners chase volume. We chase verification. Three layers between the raw tool output and your dashboard kill the noise that gives automated security testing a bad reputation.
Real customer test, May 2026
Before
50
findings on a Vercel-hosted SaaS first scan
Sensitive-path 403s flooded the report. Most were the platform's catch-all, not real exposures.
After
3
real findings, zero false positives
Host-calibration probe, AndroidX carve-out, apktool original-manifest dedup, managed-host downgrade landed.
Every uncertain finding now carries an explicit 'False-positive risk:' caveat with the exact reason it might be wrong and how to verify it. The customer's triage budget goes into real fixes, not into chasing scanner ghosts.
Host calibration probe
Before per-path scanners run, three GET probes to random non-existent paths build a (status, body-hash) baseline. Real probes that match the baseline are the host's catch-all, not findings. Vercel-style soft-404s stop generating false positives.
Managed-host downgrade
When the Server header matches Vercel, Cloudflare, Netlify, CloudFront, Fly, Render, Fastly, or GitHub Pages, sensitive-path 403s get a severity downgrade plus an explicit caveat naming the platform. Platform WAFs no longer count as your security posture.
FP-risk caveats
Every finding with known uncertainty appends 'False-positive risk: <reason>' to its description. The customer sees what would make the finding a false positive and exactly how to verify it before they panic, file a ticket, or escalate to engineering.
A report with 5 honest findings beats a report with 50 noisy ones. That is the only honest way to sell automated security assessment.
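The host-calibration probe, the managed-host downgrade and the FP-risk caveat described above fit together in a few dozen lines. The block below is an added illustration written for this page, not NANOTESTING's own scanner code: `fetch`, `demo_fetch`, the constructed Vercel-style sample site, the severity ladder and the caveat wording are all assumptions made for the example; the managed-host list is the one the page names.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Managed hosting platforms whose catch-all 403 reflects the platform WAF rather
# than the target application (the list the page names).
MANAGED_HOSTS = ("vercel", "cloudflare", "netlify", "cloudfront", "fly",
                 "render", "fastly", "github pages")
# Assumed severity ladder for the managed-host downgrade.
SEVERITY_DOWNGRADE = {"High": "Medium", "Medium": "Low", "Low": "Info", "Info": "Info"}


@dataclass
class Finding:
    path: str
    severity: str
    status: int
    caveats: list = field(default_factory=list)


def body_fingerprint(body: bytes, path: str) -> str:
    # Strip the requested path before hashing so a soft-404 that echoes the
    # URL still yields one stable fingerprint across probes.
    return hashlib.sha256(body.replace(path.encode(), b"")).hexdigest()


def build_baseline(fetch, probes: int = 3) -> set:
    """Request random non-existent paths and record the host's (status, body-hash) catch-all."""
    baseline = set()
    for _ in range(probes):
        path = "/" + secrets.token_hex(8)
        status, _headers, body = fetch(path)
        baseline.add((status, body_fingerprint(body, path)))
    return baseline


def classify_sensitive_paths(fetch, candidates, baseline) -> list:
    findings = []
    for path in candidates:
        status, headers, body = fetch(path)
        if status == 404 or (status, body_fingerprint(body, path)) in baseline:
            continue  # plain 404 or the host catch-all: not a finding
        finding = Finding(path, "High" if status == 200 else "Medium", status)
        server = headers.get("Server", "").lower()
        platform = next((p for p in MANAGED_HOSTS if p in server), None)
        if platform and status == 403:
            # Managed-host downgrade: the 403 is the platform's WAF, not app exposure.
            finding.severity = SEVERITY_DOWNGRADE[finding.severity]
            finding.caveats.append(
                f"False-positive risk: 403 served by managed host '{platform}'; the block may "
                "come from the platform WAF rather than the application. Verify by checking the "
                "path from the origin with the platform rule disabled.")
        findings.append(finding)
    return findings


# Constructed sample target: a Vercel-style host whose catch-all is a 403 echoing the path.
SAMPLE_SITE = {
    "/.git/config": (200, {"Server": "Vercel"}, b"[core]\n\trepositoryformatversion = 0\n"),
    "/admin": (403, {"Server": "Vercel"}, b"<html>Admin area requires login</html>"),
}


def demo_fetch(path: str):
    """Stand-in for an HTTP GET; returns (status, headers, body) for the constructed site."""
    if path in SAMPLE_SITE:
        return SAMPLE_SITE[path]
    return 403, {"Server": "Vercel"}, b"<html>403 Forbidden: " + path.encode() + b"</html>"


def run_demo() -> list:
    baseline = build_baseline(demo_fetch)
    return classify_sensitive_paths(
        demo_fetch, ["/.env", "/.git/config", "/admin", "/backup.zip"], baseline)


if __name__ == "__main__":
    for f in run_demo():
        print(f.severity, f.status, f.path, *f.caveats)
```

Against the constructed site, `/.env` and `/backup.zip` match the calibrated catch-all and vanish, `/admin` survives as a distinct 403 but is downgraded to Low with the caveat attached, and `/.git/config` stays High because a 200 is never attributed to the platform. Stripping the echoed path is a heuristic; a production calibrator would normalise timestamps and nonces in the body the same way.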
How it works
From a verified target to a clean report in four steps.
- Step 01
Add target
Add a website, web app, or API. We validate the URL, normalize the host, and block private and metadata IPs.
- Step 02
Verify ownership
Prove ownership with a DNS TXT record or HTML file. Full scans are gated behind verification.
- Step 03
Run safe scan
Our worker runs read-only checks against your target. No payloads, no destructive tests, no aggressive load.
- Step 04
Export report
Review findings by severity, track remediation, and export a NANOTESTING-branded PDF for auditors and clients.
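Steps 01 and 02 above (URL validation with private/metadata-IP blocking, then DNS TXT ownership proof) are shown together below as an added example written for this page; it is not NANOTESTING's code. The record name `_nanotesting-verify`, the `nanotesting-verify=<token>` value format, the `resolve`/`txt_lookup` callables and the constructed DNS data are assumptions; the address classes come from Python's `ipaddress` module.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Cloud metadata endpoints the scanner must never be pointed at (example list, not exhaustive).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal", "metadata"}
TXT_RECORD_PREFIX = "_nanotesting-verify"  # assumed record name; the page does not specify one


def is_blocked_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or str(ip) in METADATA_HOSTS)


def validate_target(url: str, resolve) -> str:
    """Normalize a target's host; reject anything resolving to a private or metadata address.

    resolve(host) returns every A/AAAA answer as text; injecting it keeps the example offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    host = parts.hostname.rstrip(".").lower()
    if host in METADATA_HOSTS:
        raise ValueError(f"{host} is a metadata endpoint")
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal: check it directly
    except ValueError:
        addresses = list(resolve(host))  # check every answer, not just the first
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return host


def target_is_allowed(url: str, resolve) -> bool:
    try:
        validate_target(url, resolve)
        return True
    except ValueError:
        return False


def verification_record(workspace_id: str, host: str, secret: bytes) -> tuple:
    """(record name, expected TXT value): an HMAC over workspace+host so a token cannot be reused."""
    token = hmac.new(secret, f"{workspace_id}:{host}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{TXT_RECORD_PREFIX}.{host}", f"nanotesting-verify={token}"


def verify_ownership(workspace_id: str, host: str, secret: bytes, txt_lookup) -> bool:
    name, expected = verification_record(workspace_id, host, secret)
    return any(hmac.compare_digest(rec, expected) for rec in txt_lookup(name))


# Constructed DNS answers for the demo (addresses chosen for the example only).
FAKE_DNS = {
    "app.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "169.254.169.254"],  # second answer hits metadata
    "mapped.example.com": ["::ffff:127.0.0.1"],
}
DEMO_SECRET = b"constructed-demo-secret"


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def fake_txt(name: str) -> list:
    _, value = verification_record("ws_42", "app.example.com", DEMO_SECRET)
    return {"_nanotesting-verify.app.example.com": [value, "v=spf1 -all"]}.get(name, [])


if __name__ == "__main__":
    print(validate_target("https://App.Example.com./login", fake_resolve))
    print(verify_ownership("ws_42", "app.example.com", DEMO_SECRET, fake_txt))
```

Two points matter in practice: every resolved answer is checked, because a host with one public and one link-local record would otherwise pass, and add-time validation does not replace re-checking the address at fetch time, since a record can change between the two.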
Reports and evidence
A clean report that stands up to a procurement review.
Findings are normalized, deduplicated, and grouped by severity. Every report includes scope, methodology, limitations, and an authorization statement so the reader knows exactly what was tested.
- Executive summary with security score and severity counts.
- Detailed findings with remediation, evidence, and CWE mapping.
- Verified-report variant with reviewer notes for due diligence.
Target
app.example.com
Security score
72/100
Issues detected
24
Detailed findings (locked)
Compliance evidence
Auditor-ready evidence, not a certificate we are not allowed to issue.
Every scan emits compliance evidence rows alongside findings. Your auditor reads concrete proof points mapped to the control IDs they care about, then signs off. We sit underneath the auditor, not above them.
Sample evidence rows
- HSTS configured (max-age 1y + includeSubDomains + preload)
- TLS 1.3 supported, weak versions (1.0 / 1.1) disabled
- DNSSEC enabled (chain validates to root)
- No exposed sensitive paths (host calibration confirmed non-uniform)
Every row maps to the specific ISO 27001 Annex A control, SOC 2 Trust Services Criterion, and OWASP Top 10 category it satisfies. Auditor reads the mapping, opens the scan snapshot, signs off.
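As an added example of how one such evidence row is derived (the first row above, HSTS), the block below turns a response's Strict-Transport-Security header into either an evidence row or a finding. It is written for this page, not taken from NANOTESTING; the dictionary shape, the severity choices below High for the missing-header case, and the one-year threshold (the value the preload list requires) are assumptions.

```python
ONE_YEAR = 31_536_000  # seconds; the bar the evidence row quotes and preload submission requires


def parse_hsts(header_value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains; preload' into a lower-cased directive map."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            # RFC 6797 allows each directive once; browsers ignore a malformed header entirely.
            raise ValueError(f"duplicate directive {name}")
        directives[name] = value.strip().strip('"')
    return directives


def finding(severity: str, cwe: str, detail: str) -> dict:
    return {"kind": "finding", "control": "HSTS", "severity": severity, "cwe": cwe, "detail": detail}


def hsts_evidence(headers: dict) -> dict:
    """Turn the Strict-Transport-Security header of an HTTPS response into an evidence row or a finding."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return finding("High", "CWE-319", "Missing Strict-Transport-Security header")
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return finding("High", "CWE-319", f"Malformed Strict-Transport-Security header: {exc}")
    if not d.get("max-age", "").isdigit():
        return finding("High", "CWE-319", "Strict-Transport-Security present but max-age missing or non-numeric")
    max_age = int(d["max-age"])
    if max_age == 0:
        return finding("High", "CWE-319", "max-age=0 disables HSTS and clears any cached policy")
    if max_age < ONE_YEAR:
        return finding("Medium", "CWE-319",
                       f"max-age={max_age} is below one year; preload eligibility needs >= {ONE_YEAR}")
    if "preload" in d and "includesubdomains" not in d:
        return finding("Low", "CWE-319",
                       "preload requested without includeSubDomains; preload submission would be rejected")
    label = "max-age 1y" if max_age < 2 * ONE_YEAR else f"max-age {max_age // ONE_YEAR}y"
    parts = [label]
    if "includesubdomains" in d:
        parts.append("includeSubDomains")
    if "preload" in d:
        parts.append("preload")
    return {"kind": "evidence", "control": "HSTS", "detail": f"HSTS configured ({' + '.join(parts)})"}


if __name__ == "__main__":
    # Constructed response headers, not captured from a real host.
    print(hsts_evidence({"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}))
    print(hsts_evidence({"Server": "nginx"}))
```

The header only counts when it is read from an HTTPS response, since user agents ignore HSTS delivered over plain HTTP, so the scanner must fetch the final HTTPS hop of the redirect chain before calling this.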
Dual view per control
The Compliance dashboard shows BOTH findings (what is broken) AND evidence (what is verified satisfied) per control. Auditor-friendly green / red / grey colour coding so reviewers see at a glance what passes, what fails, and what was not exercised this scan.
Per-scan immutable snapshot
Generated when each scan completes. A reviewer can show 'as of <scan date>, controls X, Y, Z were satisfied with this evidence'. The historical record stays stable even after the next scan, so audit windows have a fixed point of reference.
Seven framework mappings
OWASP Top 10 2021, ISO 27001:2022 Annex A, SOC 2 Trust Services Criteria, NIST CSF 2.0, CIS Controls v8, PCI DSS 4.0, and HIPAA Security Rule. 93 controls and 223 signal mappings live in the database, so an 8th framework needs no code change.
Per-framework PDF evidence pack
One-click PDF download per framework on /compliance: "HIPAA evidence pack", "SOC 2 evidence pack", and the other five. Hand the right pack to the right auditor without exposing the other six frameworks they have no business seeing. Footer disclaimer on every page is auditor-honest: evidence support, not a certification.
Drill-through from control to finding
Click any control row and land on /findings filtered to the exact set of signatures that contributed to its tally. No more "the dashboard says we have 3 mediums on PCI 6.2, where are they?" - one click answers it.
Compliance evidence support, not a certification or attestation. NANOTESTING gives your auditor a structured evidence pack and a per-scan immutable snapshot. Your auditor remains the source of truth for sign-off, framework interpretation, and the final report.
Use cases
Built for the moments where evidence is the deliverable.
ISO 27001 readiness
Show evidence of automated security testing as part of your ISMS. Includes website, API, and GitHub repository scanning (osv-scanner, gitleaks, Trivy IaC) so findings map to controls across your stack.
SOC 2 prep
Schedule recurring evidence snapshots on production targets and keep dated, auditor-ready evidence on tap for the audit window.
Vendor due diligence
Reply to security questionnaires with a current NANOTESTING report instead of stale screenshots. Repository scan results (dependency CVEs, leaked secrets, IaC misconfigs) come alongside the website assessment.
Internal remediation
Triage findings by severity, assign owners, and re-test with one click. The report stays in sync.
Pricing
Pricing that scales with your evidence cadence.
Start free. Move up as your scan frequency grows. Agencies manage multiple client workspaces with branded reports.
14-day free trial on Starter, Growth, and Agency. No charge during the trial. Cancel any time before day 14 from the billing portal.
Free
Kick the tires on a single verified target.
- 1 verified target
- 1 scan / month
- DNS, TLS, security headers
- No PDF export
Starter
Basic automated checks for solo founders.
Billed annually · save 20%
- 3 verified targets (web, API, repo)
- 10 scans / month
- Weekly evidence snapshots
- Executive + Developer PDF reports
- Compliance evidence rows (ISO / SOC2 / OWASP)
- Retest workflow
Growth
Full multi-surface coverage: web, API, repo, mobile, cloud, K8s.
Billed annually · save 20%
- 15 verified targets (any surface)
- 100 scans / month
- Mobile binary scan (APK / IPA)
- Cloud audit (AWS / Azure / GCP via Prowler)
- Kubernetes manifests (Kubescape NSA)
- Advanced API testing (BOLA / BFLA / mass-assignment)
- Repo scan: osv-scanner + gitleaks + Trivy + Semgrep
- All 4 PDF reports (Executive / Developer / Compliance / Trend)
- KEV + EPSS prioritization
Agency
Repeatable multi-client coverage with branded reports.
Billed annually · save 20%
- 50 verified targets across 25 client workspaces
- 15 team members
- Branded PDF reports (Executive / Developer / Compliance / Trend)
- Per-client Compliance dashboard
- Multi-client dashboard with cross-workspace rollup
Enterprise
Custom limits, SSO, regulated environments.
- Custom targets and scan volume
- SSO / SAML
- Advanced RBAC + audit logs
- Internal scanner agent
- Priority support
Web3 / smart contract scanning
Layered on Growth or Agency. Token contracts, public wallet exposure, sanctions signals, liquidity risk, honeypot detection.
- EVM (7 chains): Ethereum, Polygon, BSC, Arbitrum, Optimism, Base, Avalanche
- Sui Move (Beta) - 19 static detectors + UpgradeCap owner classification
- Solana (Beta) - verified-build + upgrade authority + Anchor IDL + SPL authority
- Slither + Mythril + Echidna analysis (EVM)
- Honeypot + fee-on-transfer detection
- Owner classification (EOA / Safe / Timelock)
- OFAC SDN compliance lookup
- Web3 risk score on every target
Verified Security Report — currently unavailable. Automated evidence reports remain available across Starter, Growth, and Agency.
All plans require verified target ownership for full scans. Anonymous previews are limited to one per IP per 30 days. NANOTESTING is not a certified penetration test or a compliance attestation.
Questions
Straight answers about what NANOTESTING does and doesn't do.
If you don't see your question, contact the team. We try to be specific about scope so you can evaluate fit.
Stop sending screenshots. Start sending reports.
Create an account, verify your target, and run a safe automated assessment in minutes. Or run a limited public preview first.