Web Scanning

Find the vulnerabilities before the attackers

Your web applications are part of your attack surface. Securapilot's web scanning tests them automatically, prioritizes the most important findings and follows them through until the vulnerability is fixed.

Keep an eye on your attack surface

Vulnerabilities keep appearing — in code, configuration and DNS. Securapilot's web scanning tests your web applications, APIs and domains regularly, sorts the findings by severity and connects them to risks and compliance.

The result: an ongoing, prioritized view of your web vulnerabilities — with traceable remediation handling.

All scanning work in one module

The web scanning module covers the path from registered target to fixed finding across six connected areas.

Scan targets

A register of the web applications, APIs and web services to be security-tested, with settings per target.

Scans

Automated security tests using the industry-standard tools OWASP ZAP and Nuclei — scheduled or started on demand.

Findings

Detected vulnerabilities sorted by severity (CVSS score) and weakness type (CWE), with structured follow-up.

Risk suggestions

Serious findings produce risk suggestions you can review and move into the Risk module.

Email security in DNS

Review of the domain's DNS records for email (SPF, DKIM, DMARC) — also catches outdated and insecure records.

Webhooks

Automatic notifications to external systems when a scan finishes, fails or finds something critical.

How the module supports your vulnerability work

Eight capabilities, from automatic scanning and ownership checks to sorting findings, filtering duplicates and AI-suggested fixes.

Two scanning engines

Two industry-standard tools are used: OWASP ZAP maps the application, Nuclei runs vulnerability tests based on known patterns.

Ownership check

Before an active scan can start, you need to prove you own the domain — via a DNS record or a file on the site. This protects against unauthorized scanning.

Sort and follow up on findings

Every finding moves through a clear flow: false positive, accepted risk or fix. Each decision requires a reason and every change is logged, so the record cannot be altered after the fact.

No duplicates, recurring issues flagged

The same vulnerability across several scans is grouped automatically. Vulnerabilities that were fixed and come back are flagged separately.

Prioritization by real impact

The severity (CVSS) is weighed against how sensitive the affected asset is, so the most important findings rise to the top.
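An added example, not Securapilot's code, covering the two capabilities above: findings are grouped by a fingerprint across scans, a finding that was verified fixed and then reappears is marked regressed rather than opened anew, and ranking multiplies CVSS by a per-target sensitivity weight (the 1.0-based weights and the scan data are constructed assumptions).

```python
# Added example, not Securapilot's code: grouping one vulnerability across scans, flagging
# regressions after a fix and weighting CVSS by asset sensitivity. Scan data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple
Key = Tuple[str, str, str]  # fingerprint: (target, cwe, location)

@dataclass(frozen=True)
class Finding:
    target: str
    cwe: str        # weakness type, e.g. "CWE-79"
    location: str   # path + parameter as normalised by the scanner
    cvss: float

def fingerprint(f: Finding) -> Key:
    return (f.target, f.cwe, f.location)  # same triple => same finding, whatever the scan

class FindingStore:
    def __init__(self, sensitivity: Dict[str, float]):
        self.sensitivity = sensitivity      # per-target weight; 1.0 = normal (assumed scale)
        self.findings: Dict[Key, Finding] = {}
        self.status: Dict[Key, str] = {}    # open | fixed | regressed

    def ingest(self, target: str, results: List[Finding]) -> None:
        """Merge one scan of `target`; anything it no longer reports is verified fixed."""
        seen = {fingerprint(f) for f in results}
        for f in results:
            k = fingerprint(f)
            self.findings[k] = f            # keep the latest evidence and score
            if self.status.get(k) == "fixed":
                self.status[k] = "regressed"  # came back after a fix: flagged separately
            elif k not in self.status:
                self.status[k] = "open"
        for k, st in self.status.items():
            if k[0] == target and k not in seen and st != "fixed":
                self.status[k] = "fixed"

    def ranked(self) -> List[Tuple[Key, str, float]]:
        # Unresolved findings, most important first: CVSS weighted by target sensitivity.
        live = [(k, st, self.findings[k].cvss * self.sensitivity.get(k[0], 1.0))
                for k, st in self.status.items() if st != "fixed"]
        return sorted(live, key=lambda x: x[2], reverse=True)

def demo() -> FindingStore:
    store = FindingStore({"shop.example": 1.5, "blog.example": 0.5})
    xss = Finding("shop.example", "CWE-79", "/search?q", 6.1)
    sqli = Finding("shop.example", "CWE-89", "/login?user", 9.8)
    blog = Finding("blog.example", "CWE-16", "/", 7.5)
    store.ingest("shop.example", [xss, sqli]); store.ingest("blog.example", [blog])
    # scan 2 no longer reports SQLi (fixed); scan 3 reports it again (regressed)
    store.ingest("shop.example", [xss]); store.ingest("shop.example", [xss, sqli])
    return store
```

Note that the blog finding has a higher CVSS than the shop XSS but ranks below it once the low sensitivity of the blog target is applied.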

Risk suggestions

Serious findings produce pre-filled risk suggestions you can approve and move into the Risk module with one click.

Email security in DNS

Reviews the domain's DNS records for email (SPF, DKIM, DMARC) and finds configurations that can be abused for spoofing or phishing.
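An added example, not Securapilot's code, of the kind of checks such a review performs on SPF and DMARC records (DKIM key presence is left out for space); the DNS answers are constructed and the lookup function is injected so it runs offline.

```python
# Added example, not Securapilot's code: flag SPF and DMARC settings that allow spoofing. Records are constructed.
import re
from typing import Dict, List, Tuple

def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' tag list used by DMARC (and DKIM) records."""
    pairs = (p.partition("=") for p in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def review_spf(records: List[str]) -> List[Tuple[str, str]]:
    """(severity, message) findings for the TXT records at the domain apex."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records both break evaluation
        return [("high", f"{len(spf)} SPF records (exactly one is required)")]
    terms, out = spf[0].lower().split(), []
    if terms[-1] in ("+all", "all"):
        out.append(("high", "SPF ends in +all: any sender passes"))
    elif terms[-1] not in ("-all", "~all"):
        out.append(("medium", f"SPF ends in '{terms[-1]}': no enforcement"))
    # Mechanisms that cost a DNS lookup; more than 10 is a permerror (RFC 7208).
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms[1:])
    if sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names) > 10:
        out.append(("medium", "SPF exceeds the 10-DNS-lookup limit: permerror"))
    return out

def review_dmarc(records: List[str]) -> List[Tuple[str, str]]:
    """Findings for the TXT records at _dmarc.<domain>."""
    dm = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dm:
        return [("high", "no DMARC record: SPF/DKIM failures are never enforced")]
    tags, out = parse_tags(dm[0]), []
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        out.append(("medium" if p == "none" else "high", f"DMARC p={p or '(missing)'}"))
    if tags.get("sp", p).lower() == "none" and p != "none":
        out.append(("medium", "DMARC sp=none: subdomains can be spoofed"))
    return out

def review_email_dns(domain: str, txt_lookup) -> List[Tuple[str, str]]:
    return review_spf(txt_lookup(domain)) + review_dmarc(txt_lookup(f"_dmarc.{domain}"))

# Constructed DNS answers standing in for a resolver, so the example runs offline.
FAKE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example +all", "other-txt"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject"],
}
def fake_txt(name: str) -> List[str]:
    return FAKE_TXT.get(name, [])
```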

AI-suggested fixes and trends

AI suggests concrete steps to fix each finding. The trend view shows progress over time and the average time to fix.

From scan to fixed finding

Web scanning follows a clear workflow — from a registered target to a verified fix.

1. Add target

Register the web application, API or domain to be security-tested — with settings for what may be scanned.

2. Confirm ownership

Prove you own what you want to scan — either via a DNS record or by placing a file on the site. Required before an active scan can start.

3. Scan

The security tests run automatically, scheduled or on demand — you can follow progress in real time.

4. Sort the findings

Assess every finding: is it a false positive, a risk you accept, or something to be fixed? The decision is justified and logged.

5. Fix and verify

Carry out the fix, create a risk or NIS2 incident if needed, and verify at the next scan that the finding is gone.

Frequently asked questions about web scanning

Which scanning engines are used?

The module uses two engines: OWASP ZAP for crawling (spider) and passive/active scanning, and Nuclei for template-based vulnerability detection with community and custom templates. The engines run in their own containers.

Why do we have to verify ownership before scanning?

Active scanning sends traffic to the target and therefore requires proven ownership. You verify by publishing a token as a DNS TXT record or as a well-known file on the site. The verification has a validity period and must be renewed.
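As an added illustration of the verification flow described here and under "Ownership check" above (example code, not Securapilot's own): the target owner publishes a token, the checker looks for it in a DNS TXT record or a well-known file, and the resulting verification carries an expiry. The `_securapilot-verify` label, the well-known path and the 30-day validity are assumptions, and the resolver and HTTP client are constructed stand-ins.

```python
# Added example, not Securapilot's code: token-based domain ownership check with an expiry,
# as the FAQ describes. The DNS label, file path and 30-day validity are assumptions.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

TXT_LABEL = "_securapilot-verify"                   # hypothetical DNS label
WELL_KNOWN = "/.well-known/securapilot-verify.txt"  # hypothetical file path
VALIDITY = timedelta(days=30)                       # assumed validity period

@dataclass
class Verification:
    domain: str
    method: str            # "dns" or "file"
    verified_at: datetime

    def is_valid(self, now: datetime) -> bool:
        """Expired verifications must be renewed before another active scan starts."""
        return now < self.verified_at + VALIDITY

def verify_ownership(domain: str, token: str, txt_lookup: Callable[[str], List[str]],
                     http_get: Callable[[str], Optional[str]], now: datetime) -> Optional[Verification]:
    """Try the DNS TXT route first, then the well-known file; None if neither matches.
    `token` is the random value issued when the target was registered (e.g. secrets.token_urlsafe)."""
    for rec in txt_lookup(f"{TXT_LABEL}.{domain}"):
        if hmac.compare_digest(rec.strip().strip('"'), token):  # constant-time compare
            return Verification(domain, "dns", now)
    body = http_get(f"https://{domain}{WELL_KNOWN}")
    if body is not None and hmac.compare_digest(body.strip(), token):
        return Verification(domain, "file", now)
    return None

# Constructed stand-ins for a DNS resolver and an HTTP client, so this runs offline.
FAKE_TXT = {"_securapilot-verify.example.com": ['"unrelated"', '"tok-A"']}
FAKE_HTTP = {"https://example.org/.well-known/securapilot-verify.txt": "tok-B\n"}
def fake_txt(name: str) -> List[str]:
    return FAKE_TXT.get(name, [])
def fake_get(url: str) -> Optional[str]:
    return FAKE_HTTP.get(url)

def demo() -> dict:
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    a = verify_ownership("example.com", "tok-A", fake_txt, fake_get, now)
    b = verify_ownership("example.org", "tok-B", fake_txt, fake_get, now)
    c = verify_ownership("example.com", "tok-X", fake_txt, fake_get, now)  # wrong token
    return {"dns": a.method, "file": b.method, "mismatch": c,
            "day29": a.is_valid(now + timedelta(days=29)),
            "day31": a.is_valid(now + timedelta(days=31))}
```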

How does a finding become a risk?

Findings with a sufficiently high CVSS score automatically generate a risk candidate with a suggested threat, likelihood and consequence. The candidate is reviewed in a queue and can be approved — promoting it to a formal risk in the Risk module — or rejected with a justification.

Can web scanning trigger a NIS2 incident?

Yes. For targets with incident triggering enabled, a NIS2 incident is created automatically when a critical finding is detected. Scan results can also be projected as evidence for compliance controls in the GAP module.

Get control of your web vulnerabilities

Book a demo and we'll show you how web scanning gives you an ongoing, prioritized view of your attack surface.
