Scroll to top
Client Portal

Scanners

The same industry-standard scanners leading providers use, packaged so small businesses and lean SaaS teams can actually use them

A complete scanner toolbox, made approachable

The scanners larger platforms offer, delivered through a clear on-demand workflow you can start in minutes

PortWarden runs the same open-source and industry-standard scanners used by leading providers, including OpenVAS, OWASP ZAP, Nmap, TLS analysis, web discovery, and targeted validation tools. We also add deeper reconnaissance and exploit validation options. Each scanner is packaged as a clear on-demand scan with normalized findings, evidence, and guidance, so small businesses and small SaaS teams don't need an in-house security analyst to get started.

Buy what you need. Run it against your authorized assets. Get back a finding report a real person can act on. Escalate to a human security professional when the situation calls for it.

Start Free

Why a list of scanners matters

  • Industry-standard tools, not a black-box "secret scanner"
  • Every scan produces normalized, auditable evidence
  • Our AI compares each result to known vulnerability databases
  • Guided remediation walks your team through the fix
  • Human security professionals are on call when needed
From scan result to fix

Scanners are the starting point. AI analysis and human review make the findings useful.

A raw scanner dump is noise. PortWarden turns every scan into a prioritized, plain-English finding with remediation steps your team can follow, and a clear path to a human expert when you want a second pair of eyes.

Scan icon

1. Run the right scanner

Pick a scanner that matches the question you need answered, such as surface mapping, port discovery, TLS posture, web vulnerability review, or targeted validation. Then run it against your authorized assets.

AI analysis icon

2. AI compares results to vulnerability databases

PortWarden's AI cross-references each scan result against known vulnerability databases and threat intelligence, deduplicates noise, prioritizes by real-world risk, and explains each finding in language your team can act on.

Remediation guidance icon

3. Guided remediation, step by step

For each finding, PortWarden explains what to change, why it matters, and how to verify the issue is closed once remediation is complete.

Retest icon

4. Retest to confirm the fix

Rerun the same scanner against the same scope and confirm the issue is gone. Every retest is captured as evidence, so you have a clear trail of what changed and when.

Human review icon

5. Human security professionals on call

When a finding needs deeper judgment, or when something looks like an active issue, you can escalate to a qualified human security professional for targeted validation, deeper testing, or a full penetration test.

Evidence and audit icon

6. Evidence and audit trail

Every scan stores its raw scanner artifact, a normalized JSON report, and a client-facing finding summary. Auditable, exportable, and ready for compliance conversations.

The full scanner catalog

Scanner families, grouped by security program category

Six categories, one scanner toolbox. Industry-standard tools are packaged into clear jobs with predictable scope and evidence-backed results. Specific scan depth and bundle options are selected inside the client portal.

Recon

Reconnaissance & surface mapping

Identify the externally visible footprint of a domain and gather context before choosing deeper testing.

Reconnaissance scans

Map the public footprint before deeper testing

Purpose. Reconnaissance answers the first question in external testing: what does this domain or business appear to expose from the outside? It builds the target picture before port discovery, web testing, TLS review, vulnerability scanning, or human validation.

What it looks for

  • Public subdomains, hostnames, and related internet-facing assets
  • Resolved hosts, reachable web services, and basic technology fingerprints
  • Forgotten applications, staging systems, shadow IT, and externally visible entry points
  • Signals that help choose the next scan, such as web discovery, Nmap, TLS review, OWASP ZAP, or OpenVAS

Popular tools in this phase

  • Subdomain and asset discovery: Amass, Subfinder, Assetfinder, Findomain
  • DNS and host validation: dnsx, shuffledns, MassDNS
  • Web probing and fingerprinting: httpx, WhatWeb, Wappalyzer, WafW00f
  • Crawling and URL discovery: Katana, gau, waybackurls
Discovery

Port, service & web content discovery

Find reachable ports, visible services, and exposed web paths so the next scan starts with the right scope.

Port discovery scans

Find reachable ports and exposed services

Purpose. Port discovery answers which services are reachable from the public internet. It gives teams a clean exposure map before service enumeration, TLS review, vulnerability scanning, or remediation work.

What it looks for

  • Open TCP ports and internet-facing services on authorized assets
  • Unexpected listeners after firewall, DNS, hosting, or deployment changes
  • Service signals that help choose follow-up Nmap, TLS, OWASP ZAP, or OpenVAS checks
  • Quick exposure confirmation or broader port coverage depending on the target and urgency

Popular tools in this phase

  • Masscan, Nmap, Naabu, RustScan
Web discovery scans

Find exposed web paths, files, and application entry points

Purpose. Web discovery maps the visible content and routes of a web application so teams can spot forgotten paths, risky files, administrative areas, and targets for deeper web testing.

What it looks for

  • Common directories, admin panels, backup files, config files, and test paths
  • Application URLs, crawled routes, linked resources, and historical paths
  • Potentially sensitive content that should be reviewed or removed
  • Better scope for follow-up OWASP ZAP, XSStrike, sqlmap, or human web review

Popular tools in this phase

  • ffuf, Feroxbuster, Gobuster, Dirsearch, Katana, gau, waybackurls, Hakrawler
Enumeration

Service, version & TLS enumeration

Service, version, and protocol-level detail collection so you know exactly what's behind every exposed port.

Nmap service enumeration

Identify what is running behind open ports

Purpose. Nmap-based enumeration adds service-level context to discovered open ports. It helps teams understand what software, versions, protocols, and safe evidence signals are exposed before deciding what to patch, harden, or test deeper.

What it looks for

  • Service names, versions, banners, and protocol behavior on confirmed open ports
  • Operating system and device hints where they can be collected safely
  • Safe script output that gives richer remediation evidence without destructive testing
  • Exposure signals that help prioritize TLS review, OpenVAS checks, web testing, or human validation

Popular tools in this phase

  • Nmap, NSE safe scripts, service/version detection, OS fingerprinting where appropriate
TLS configuration review

Review certificates, protocols, and encryption settings

Purpose. TLS review checks whether public HTTPS and TLS-enabled services are using safe protocol versions, strong cipher suites, valid certificates, and consistent configuration across the exposed estate.

What it looks for

  • Supported TLS protocols, cipher suites, certificate details, and trust-chain signals
  • Expired, mismatched, weak, or inconsistently deployed certificates
  • Common TLS misconfigurations that can weaken encrypted services
  • Endpoint-level differences across a domain or public service estate

Popular tools in this phase

  • testssl.sh, SSLyze, OpenSSL, Nmap ssl-enum-ciphers
Vulnerability scanning

Automated vulnerability assessment

Automated checks for known weaknesses and risky configurations, using the same scanners trusted by leading providers in the space, including OpenVAS and OWASP ZAP.

Vulnerability assessment scanners

Find known weaknesses across exposed hosts and web applications

Purpose. Vulnerability scanning checks exposed services, web applications, and known software fingerprints for security weaknesses that can be prioritized, fixed, and retested. It combines network vulnerability assessment, web application review, and targeted validation signals into one remediation-focused phase.

What it looks for

  • Known CVEs, risky service versions, exposed software, and insecure configurations
  • Web application weaknesses such as missing security headers, exposed files, injection indicators, XSS indicators, and common OWASP issues
  • Vulnerability evidence that can be normalized, deduplicated, prioritized, and tied to a practical fix
  • Findings that may need no-harm validation or human review before remediation decisions

Popular tools in this phase

  • OpenVAS, OWASP ZAP, Nuclei, Nikto, Nessus, Nexpose, Metasploit
  • XSStrike, sqlmap, Nmap NSE vulnerability scripts, testssl.sh, SSLyze
Validation

Exploitation validation

Validation of practical exploitability with tightly scoped, no-harm checks. These scans help reduce false positives and produce evidence a developer or auditor can act on.

Validation scanners

Confirm suspected issues without turning testing into a free-for-all

Purpose. Validation testing checks whether a suspected weakness appears real, reproducible, and worth fixing first. It is used after discovery or vulnerability scanning to reduce false positives, collect clearer evidence, and support remediation decisions without broad exploitation.

What it looks for

  • Evidence that suspected XSS, SQL injection, command injection, file inclusion, SSRF, authentication, or exposed-service findings are valid
  • Controlled proof signals that help developers reproduce and fix the issue
  • False positives from vulnerability scanners that should be downgraded or dismissed
  • Cases where no-harm validation or human security review is the safer next step

Popular tools in this phase

  • Metasploit, XSStrike, sqlmap, Nuclei, Burp Suite, OWASP ZAP
  • Dalfox, Commix, ffuf, Feroxbuster, Nikto, Nmap NSE scripts, custom no-harm validation checks
Bundles

Package bundles for common scenarios

When a single scanner isn't enough, PortWarden offers pre-built bundles that combine the right scanners for the most common situations.

Host Deep Dive

Per-IP deep dive

A full picture of a single IP: broad port sweep, service and version detection, standard vulnerability assessment, and TLS posture where applicable. The fastest way to fully characterize one host.

Host Emergency

Priority host emergency

When something looks wrong on a critical host and you need answers fast: deeper port and service analysis, deep vulnerability assessment, TLS review, and a priority report.

Web App Deep Dive

Web application deep dive

A focused, deeper review of one web application: expanded content discovery and broader web vulnerability checks combined into a single bundle, with normalized findings ready for developer remediation.

Built for small businesses and small SaaS teams

You shouldn't need an in-house security analyst to run industry-standard scanners

PortWarden takes the same open-source and industry-standard tools leading security providers charge enterprise prices for, and packages them into clear on-demand scans with predictable scope, normalized evidence, AI-driven analysis, and guided remediation.

You decide what you need. We run it, compare results against known vulnerability databases, and walk your team through the fix. Human security professionals are on call when you want a deeper second look.

PortWarden logo background

Start free, add scanners on demand, escalate to a human when it matters

Start Free