Vulnerability Scanning For Compliance

Know your vulnerabilities before attackers do—and prove it to auditors.

PCI DSS, HIPAA, NIST 800-171, Cyber Essentials Plus, ISO 27001.

Compliance requirements

What Each Standard Requires

Compliance frameworks mandate regular vulnerability scanning. Here's the breakdown.

PCI DSS

Quarterly external scans by a PCI SSC Approved Scanning Vendor (ASV) plus quarterly internal scans, with rescans after any significant change. Applies to every organization that stores, processes or transmits cardholder data, not only payment processors.

HIPAA

Every 6 months for all systems holding ePHI under the 2025 Security Rule update, which was published as a proposed rule (NPRM). The current rule requires a risk analysis but sets no scan interval, so six months is the target to plan for.

NIST 800-171

Periodic, at an interval you define in your system security plan, and whenever new vulnerabilities affecting your systems are identified (control 3.11.2). All systems that store or process CUI. CMMC Level 2 inherits this control; quarterly is a common defined cadence.

Cyber Essentials+

Annual certification. External vulnerability scan plus an authenticated internal scan and patch check, both run by the assessor. Required for many UK government contracts.

ISO 27001

No fixed interval in the standard. Control A.8.8 (management of technical vulnerabilities) requires you to identify and remediate vulnerabilities on ISMS-scope systems, so you define the cadence; quarterly is a common choice.

SOC 2

No fixed interval. CC7.1 expects ongoing detection of newly introduced and newly disclosed vulnerabilities across in-scope systems, so continuous or at least regular scanning with documented remediation. B2B SaaS companies need it for enterprise sales.

What gets scanned

Three Types of Scanning

Different scan types catch different vulnerabilities.

External Scanning

Runs from the internet, unauthenticated, against publicly exposed systems: web servers, APIs, VPN gateways, firewalls. Shows what an outside attacker sees first.

Internal Scanning

Runs from inside your network, usually with credentials so the scanner can read installed software, patch levels and configuration rather than just open ports and banners. Finds what attackers exploit after breaching the perimeter. PCI DSS has long required quarterly internal scans; v4.0 additionally requires them to be authenticated (requirement 11.3.1.2, effective 31 March 2025).

Application Scanning

Tests custom code and APIs. Catches SQL injection, XSS, broken authentication. NIST 800-171 (3.11.2) covers applications explicitly; ISO 27001 expects it under vulnerability management (A.8.8) and security testing in development (A.8.29).
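Why the authenticated internal scan matters is easiest to see side by side. The Python below is an added illustration, not code from this product or from any real scanner: it compares what an unauthenticated scan learns from service banners with what a credentialed scan reads from the host's package database. Every host, product name, version and advisory in it is constructed test data (the "ADV-" ids are placeholders, not real vulnerabilities), and it shows both directions of error: a library with no listening port that only the authenticated pass can find, and a vendor-backported fix that makes the banner-only pass report a false positive.

```python
"""Unauthenticated (banner) vs authenticated (package inventory) detection.

Added example with constructed data; product names, versions and ADV- ids
are hypothetical and do not describe real software or real vulnerabilities.
"""
from dataclasses import dataclass, field


def version_key(v: str) -> tuple:
    """Turn '2.4.10-3' into a tuple that compares numerically, so that
    '2.4.9' < '2.4.10' (a plain string compare would get this wrong).
    Non-numeric tokens sort after numeric ones."""
    parts = []
    for tok in v.replace("-", ".").split("."):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok))
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the fixing version."""
    return version_key(installed) < version_key(fixed_in)


@dataclass
class Host:
    name: str
    # Unauthenticated view: port -> "product/version" as advertised in a banner.
    banners: dict
    # Authenticated view: product -> version from the package database.
    packages: dict = field(default_factory=dict)
    # Advisory ids the distro fixed without changing the version string
    # (what a credentialed scan reads from the package changelog).
    backported: set = field(default_factory=set)


# Constructed advisory list: (product, first fixed version, placeholder id).
ADVISORIES = [
    ("examplehttpd", "2.4.10", "ADV-A"),
    ("exampleftpd", "1.3.5", "ADV-B"),
    ("examplessl", "3.0.14", "ADV-C"),  # a library: never shows in a banner
]


def unauthenticated_findings(host: Host) -> set:
    """What a network-only scan can conclude: banner version vs advisory."""
    found = set()
    for port, banner in host.banners.items():
        product, _, ver = banner.partition("/")
        for adv_product, fixed, adv_id in ADVISORIES:
            if product == adv_product and is_vulnerable(ver, fixed):
                found.add(adv_id)
    return found


def authenticated_findings(host: Host) -> set:
    """What a credentialed scan concludes: every installed package, minus
    issues the vendor has already backported."""
    found = set()
    for product, ver in host.packages.items():
        for adv_product, fixed, adv_id in ADVISORIES:
            if product == adv_product and is_vulnerable(ver, fixed):
                if adv_id not in host.backported:
                    found.add(adv_id)
    return found


def compare(host: Host) -> dict:
    """Return the two result sets and the disagreements between them."""
    unauth = unauthenticated_findings(host)
    auth = authenticated_findings(host)
    return {
        "unauthenticated": sorted(unauth),
        "authenticated": sorted(auth),
        "missed_by_unauth": sorted(auth - unauth),   # only credentials find these
        "false_positives": sorted(unauth - auth),    # banner says old, fix is backported
    }


# Constructed host 1: an unexposed library is out of date.
APP_HOST = Host(
    name="app01.internal",
    banners={80: "examplehttpd/2.4.9", 21: "exampleftpd/1.3.5"},
    packages={"examplehttpd": "2.4.9", "exampleftpd": "1.3.5", "examplessl": "3.0.12"},
)

# Constructed host 2: the web server fix was backported, banner still says 2.4.9.
BACKPORT_HOST = Host(
    name="web02.internal",
    banners={80: "examplehttpd/2.4.9"},
    packages={"examplehttpd": "2.4.9"},
    backported={"ADV-A"},
)

if __name__ == "__main__":
    for h in (APP_HOST, BACKPORT_HOST):
        print(h.name, compare(h))
```

On the first constructed host the banner scan and the credentialed scan agree on the web server, but only the credentialed scan sees the outdated library, because nothing listens on a port for it. On the second, the banner scan raises a finding the credentialed scan correctly suppresses. That second case is also why ASV external scan disputes so often come down to backported patches: the evidence that closes them is the package changelog an authenticated scan reads directly.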

Our capabilities

Built for Compliance Workflows

Scheduled scans, compliance reports, multi-channel alerts.

Scheduled Scans

Quarterly, monthly, or on-demand. Set it once and stay compliant.

Internal & External

Both authenticated and unauthenticated scanning in one platform.

Compliance Reports

PDF exports formatted for PCI DSS, HIPAA, NIST 800-171 auditors.

Integrations

SIEM, ticketing, Slack, Teams. Real-time alerts via 8 channels.

Common questions

Common Questions

How often do we need to scan?

PCI DSS: quarterly, plus after significant changes. HIPAA: every 6 months under the proposed 2025 Security Rule update. NIST 800-171: periodic at a frequency you define, typically quarterly. When in doubt, quarterly is the safe baseline, but scan again whenever a critical vulnerability is disclosed for software you run.

What's the difference between scanning and penetration testing?

Scanning is automated (faster, cheaper, finds known vulnerabilities and misconfigurations). Penetration testing is manual (slower, more expensive, finds logic flaws and chains findings the way an attacker would). Most organizations do both: scanning for ongoing compliance, pentesting periodically for deeper assessment. PCI DSS requires both (11.3 for scans, 11.4 for an annual penetration test).

Can we scan in-house?

Yes, for monitoring and for most frameworks' official evidence. The exception is PCI DSS: the quarterly external scans must be run by a PCI SSC Approved Scanning Vendor (ASV), while internal scans may be done in-house by qualified staff independent of the systems they scan. A hybrid approach is common: internal scanning for continuous monitoring, an ASV quarterly for auditor documentation.

How long does a scan take?

External: 30 minutes to 2 hours. Internal: 1 to 4 hours when authenticated, since the scanner inventories installed software on each host. Most organizations schedule during off-peak hours. Reports delivered within 24 hours.

Get started

Start Scanning Today

Free tier: 5 domains, daily scans. Pro: $99/mo, 100 domains, compliance reports.