IaC · SAST · Cloud Audit · DAST · API Security · 15 Testing Domains

Full-stack security coverage: IaC · SAST · Cloud · DAST

VulnProScan runs structured testing across 15 security domains — from IaC misconfigurations and static code vulnerabilities caught pre-deploy, to live cloud configuration auditing, DAST injection flaws, API exposure, and security header gaps — giving teams a clear, categorized view of their full-stack attack surface.

Get access Run a demo scan View pricing

Testing domains

200+

Distinct check types

Scan types

OWASP / CWE

Methodology

What we test

Each domain maps to established OWASP, CWE, and CIS testing categories — covering pre-deploy IaC and SAST analysis, live cloud configuration auditing, and runtime DAST. Findings are returned with severity, evidence, affected asset, and remediation context.

Information Gathering & Attack Surface

Maps externally visible assets, endpoints, and exposed interfaces before any active testing begins.

◆Admin panels accessible without authentication
◆Directory listings and backup file exposure
◆Sensitive paths and debug endpoints
◆Server software and version disclosure

Public scan

Configuration & Deployment

Identifies server, infrastructure, and deployment misconfigurations that widen the attack surface.

◆Insecure CORS policies allowing arbitrary origins
◆HTTP methods unnecessarily enabled (PUT, DELETE, TRACE)
◆Misconfigured cache-control headers for sensitive content
◆Exposed Swagger, OpenAPI, or GraphQL introspection endpoints

Public scan

Authentication Weaknesses

Tests login flows and credential-handling for weaknesses that allow unauthorized account access.

◆Username enumeration via response differences
◆Missing brute-force and rate-limit protections
◆Weak password policy enforcement
◆Multi-factor authentication bypass patterns

Both scan types

Authorization & Access Control

Verifies that users can only access resources they are explicitly permitted to view or modify.

◆Insecure direct object references (IDOR)
◆Horizontal privilege escalation between accounts
◆Unprotected admin or privileged functionality
◆Missing function-level access controls on API routes

Authenticated scan

Session Management

Inspects session token handling, cookie security attributes, and CSRF protection coverage.

◆Session cookies missing HttpOnly or Secure flags
◆SameSite attribute absent or misconfigured
◆Session fixation vulnerabilities
◆Cross-site request forgery (CSRF) exposures

Both scan types

Core Web Vulnerabilities

Runs active injection and manipulation tests across all discovered parameters and form fields.

◆SQL injection (error-based, blind, time-based)
◆Reflected, stored, and DOM-based cross-site scripting
◆Open redirect and URL manipulation
◆Path traversal and local file inclusion attempts

Both scan types

Sensitive Data Exposure

Identifies places where the application leaks confidential data through responses, errors, or headers.

◆Stack traces and detailed error messages in production
◆Personally identifiable information in URL parameters
◆API keys, tokens, or credentials in HTTP responses
◆Sensitive internal paths and filenames exposed

Both scan types

Security Headers & Browser Protections

Audits HTTP response headers that instruct browsers how to enforce security policies.

◆Missing or weak Content-Security-Policy (CSP)
◆HTTP Strict Transport Security (HSTS) absent
◆Clickjacking risk — X-Frame-Options or CSP frame-ancestors missing
◆Referrer-Policy, Permissions-Policy not configured

Public scan

TLS & Transport Security

Evaluates the strength and configuration of encrypted transport to prevent interception attacks.

◆Deprecated TLS 1.0 / 1.1 protocol support
◆Weak or insecure cipher suite configuration
◆Mixed HTTP/HTTPS content loading
◆HSTS preload and max-age enforcement gaps

Public scan

API Security

Tests REST and GraphQL endpoints for authentication bypass, over-exposure, and injection risks.

◆Unauthenticated API endpoints returning sensitive data
◆Missing rate limiting on API routes
◆Verbose API error responses disclosing internals
◆GraphQL introspection enabled in production

Both scan types

Client-Side Security

Analyzes the application's browser-side behavior for injection surface and policy enforcement gaps.

◆DOM-based cross-site scripting via dangerous sinks
◆Clickjacking susceptibility without frame protection
◆Insecure third-party script loading (subresource integrity missing)
◆Sensitive data stored in localStorage or sessionStorage

Public scan

Business Logic & Advanced Findings

Identifies flaws in application workflows that automated checks alone cannot always surface.

◆Mass assignment and parameter tampering
◆Workflow step bypass and sequence manipulation
◆Insecure file upload and processing paths
◆Account takeover pathways through weak reset flows

Authenticated scan

Host & Configuration Scanning

Checks OS-level hardening, exposed services, and server configuration against established security baselines — coverage for the layer underneath your web application.

◆Unnecessary services running and exposed to the network
◆OS hardening gaps relative to CIS Benchmark baselines
◆Default or weak credentials on system accounts
◆World-writable files and misconfigured file permissions

Authenticated scan

Compliance Mapping

Maps findings across all scan types to recognized control frameworks — CIS Controls, NIST SP 800-53, PCI DSS, and ISO 27001-aligned controls — for audit-ready reporting.

◆Findings cross-referenced to CIS Control identifiers
◆PCI DSS requirement mapping for relevant vulnerability types
◆NIST SP 800-53 control references on configuration and access findings
◆Remediation status tracking for audit documentation purposes

Both scan types

Validation Mode

An opt-in, controlled proof-based verification workflow for selected high-severity findings — produces reproducible evidence of exploitability within your authorized scan scope.

◆Confirmed exploitability evidence for critical and high-severity findings
◆Reproducible proof-of-concept artifacts attached to validated findings
◆False-positive reduction through controlled scope-bound verification
◆"Verified Finding" status badge for confirmed issues in the dashboard

Authenticated scan

Public and authenticated scanning

The scan mode determines which parts of the application are reachable. Authenticated scans significantly expand coverage into protected areas that anonymous scanning cannot reach.

Public scan

No credentials required

Tests the application surface reachable without authentication — ideal for an initial exposure assessment or verifying your public-facing security posture.

✓Surface enumeration and attack surface mapping
✓Security header and TLS configuration checks
✓Public endpoint injection testing (XSS, SQLi, open redirect)
✓Information disclosure and verbose error detection
✓CORS and deployment misconfiguration checks

Authenticated scan

Deeper coverage behind login

Logs into the application using supplied credentials, then crawls and tests protected areas — surfacing access control, session, business logic, and API findings that an unauthenticated scan cannot reach.

✓Authorization and IDOR testing in protected areas
✓Session management and cookie security checks
✓Authenticated API endpoint coverage
✓Business logic and workflow bypass testing
✓Post-login injection and XSS across all parameters

Findings organized for action

Every finding is structured so engineers can reproduce, triage, and fix issues without needing a dedicated AppSec specialist to interpret the output.

Severity-based prioritization

Findings are classified as Critical, High, Medium, Low, or Informational — enabling teams to fix the highest-risk issues first without guesswork.

IaC findings — file, line & framework context

IaC misconfigurations include the exact Terraform file, line number, and resource block that triggered the finding, plus the Checkov rule ID and a remediation snippet.

SAST findings — CWE / OWASP mapping + code fix

Each static analysis finding maps to a CWE category and OWASP Top 10 item. Developers see the vulnerable file, line, pattern match, and a language-specific fix recommendation.

Cloud audit findings — resource + policy context

Cloud findings include the affected resource ARN or ID, the misconfigured policy or setting, the Prowler check ID, and a remediation step scoped to your cloud provider.

Category and endpoint grouping

Each finding is tagged by security category (e.g. Injection, IaC, Cloud IAM) and linked to the specific asset, endpoint, or infrastructure resource where it was detected.

Authentication context

Findings indicate whether they were discovered during a public or authenticated scan, clarifying scope and reproducing steps.

Remediation guidance

Each finding includes a short explanation of the risk and a remediation direction developers can act on without cross-referencing external documentation.

Trend and activity history

The dashboard surfaces findings over time across scan runs, showing new issues, resolved findings, and overall security posture trends.

Asset-level visibility

View findings grouped by host, asset, IaC repo, or cloud account — useful for teams with multiple environments running parallel scan programs.

Coverage by testing domain

A quick reference for what VulnProScan exercises across your full stack — pre-deploy IaC and SAST, live cloud configurations, and runtime DAST across your application surface.

Domain	Scan type	Plan	Key examples
Pre-deploy
IaC — Terraform & CloudFormation	IaC (Checkov)	Starter+	Public S3 buckets, IAM wildcards, unencrypted storage, insecure SGs
IaC — Kubernetes YAML & ARM	IaC (Checkov)	Pro+	K8s RBAC over-permissions, privileged containers, missing network policies
IaC ↔ Cloud drift detection	IaC + Cloud	Business+	Live environment deviates from IaC definitions
SAST — JS / TypeScript / Python / Go	SAST (Semgrep)	Pro+	Injection, hardcoded secrets, insecure deserialization · OWASP/CWE pack
Cloud audit
AWS IAM & access policies	Cloud (Prowler)	Pro+	Wildcard actions, missing MFA, cross-account trust misuse
AWS S3 & storage configs	Cloud (Prowler)	Pro+	Public buckets, missing encryption, disabled versioning
Azure & GCP configurations	Cloud (Prowler)	Pro+	Misconfigured NSGs, disabled logging, storage account access
Cloud network & VPC rules	Cloud (Prowler)	Pro+	Overly permissive security groups, unrestricted inbound rules
Runtime (DAST)
Attack surface mapping	DAST	All plans	Admin panels, directory listings, verbose banners
Configuration issues	DAST	All plans	CORS, HTTP methods, debug endpoints
Authentication weaknesses	DAST	All plans	Rate limiting, enumeration, weak policy
Authorization & IDOR	DAST (auth)	All plans	Horizontal privilege, missing function guards
Session management	DAST	All plans	Cookie flags, CSRF, session fixation
XSS / SQLi / Injection	DAST	All plans	Reflected, stored, DOM, blind SQLi
Sensitive data exposure	DAST	All plans	Stack traces, API keys in responses
Security headers	DAST	All plans	CSP, HSTS, X-Frame-Options, Referrer-Policy
TLS & transport	DAST	All plans	Weak ciphers, TLS 1.0/1.1, mixed content
API security	DAST	All plans	Unauthed endpoints, GraphQL introspection, CORS
Client-side security	DAST	All plans	DOM XSS, SRI missing, clickjacking
Business logic	DAST (auth)	All plans	Mass assignment, workflow bypass

Ready to see your real attack surface?

Try a demo scan in minutes — no agents, no instrumentation. After you sign in with approved access, use the full product for authenticated scanning and deeper coverage.

Get access Run a demo scan Compare plans Read the FAQ