Frequently Asked Questions
What does Vuldoo actually scan?
Vuldoo continuously monitors your external attack surface: subdomains, APIs, open ports, exposed services, misconfigured databases, and leaked credentials across the public internet. We scan from the attacker's perspective so you see what they see.
How do you avoid overloading our infrastructure or causing DDoS?
Besides using distributed, active scanners, we run an idempotency registry so that scanning stays fast without generating DDoS-style load on your assets: each target is scanned once per cycle rather than hammered by parallel workers. Selection logic picks the right scanner for each finding that can be explored further, and an inheritance mechanism prevents duplicate scanner runs while enriching results through cross-references between findings.
How is this different from a pentest?
Pentests are snapshots. Vuldoo is continuous. We detect new exposures within hours of deployment, not weeks after an audit cycle. Your last pentest was weeks ago—new services deploy daily. We close that gap.
Do I need to install anything?
No. Vuldoo works externally, scanning from the attacker's perspective. No agents, no integrations, no firewall changes required. Add your domain, complete validation, and scanning begins.
What happens when you find something?
You get an instant alert with full context: what's exposed, severity level, potential impact, and remediation steps. You can optionally auto-create Jira or Linear tickets from findings.
How is generative AI used?
Generative AI is used only to translate findings into C-level executive language and to provide recommendations for vulnerabilities and exposures. All of this runs with privacy protection inside our own AWS infrastructure, speeding report delivery to the board and putting a professional, up-to-date report in your hands. Because of concerns about secure AI usage, reconnaissance is still performed by conventional recon automation and enrichment tooling, not AI, so the actual scanning and discovery remain traditional, reliable, and secure.
How can I run scans?
You have three options: manual scans (trigger a scan on demand from the Vuldoo app), scheduled scans (set a date and time for a scan to run automatically), and CI/CD integration (trigger scans from your pipeline—e.g. after deploy—using our REST API with GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, or AWS CodePipeline). See our Documentation for API details.
What is CI/CD integration?
CI/CD integration lets you trigger Vuldoo scans from your build or deployment pipeline. Create an API key in Project Settings → API Access Control, get your Domain ID from the app, and call our POST /cicd/scan endpoint from your pipeline. We support GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, and AWS CodePipeline. Full setup guides are in our Documentation.
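A pipeline step that triggers a scan after deploy, added here as an example and not Vuldoo's own code: the API base URL, the bearer-token header, the JSON body shape and the meaning of the HTTP status codes are assumptions, since this page only names the POST /cicd/scan endpoint, the API key and the Domain ID.

```shell
#!/usr/bin/env sh
# Added example (not Vuldoo's code). ASSUMED: base URL, Authorization header,
# body shape and status codes; only the endpoint path, API key and Domain ID
# come from the FAQ. The URL below is a placeholder, override it via env.
VULDOO_API="${VULDOO_API:-https://api.vuldoo.example/cicd/scan}"

# Build the JSON body; the Domain ID is the only field the FAQ mentions (assumed name).
vuldoo_scan_payload() {
  printf '{"domain_id":"%s"}' "$1"
}

# Map the HTTP status to a pipeline outcome: 0 = scan accepted, 1 = fail the step.
# The per-code meanings are assumptions: 401/403 for a bad or revoked API key,
# 429 for the plan's scanner cooldown still being active.
vuldoo_check_status() {
  case "$1" in
    200|201|202) echo "scan accepted (HTTP $1)"; return 0 ;;
    401|403) echo "rejected: check the API key from Project Settings -> API Access Control" >&2; return 1 ;;
    429) echo "rejected: scanner cooldown still active for this plan" >&2; return 1 ;;
    *) echo "unexpected HTTP $1" >&2; return 1 ;;
  esac
}

# Perform the call. The key comes from CI secret storage, never from the repo,
# and a missing key fails the step before anything leaves the runner.
vuldoo_trigger_scan() {
  domain_id="$1"
  [ -n "$VULDOO_API_KEY" ] || { echo "VULDOO_API_KEY not set" >&2; return 1; }
  status=$(curl -sS -o /dev/null -w '%{http_code}' \
    -X POST "$VULDOO_API" \
    -H "Authorization: Bearer $VULDOO_API_KEY" \
    -H 'Content-Type: application/json' \
    --data "$(vuldoo_scan_payload "$domain_id")") || return 1
  vuldoo_check_status "$status"
}

# Usage as a post-deploy pipeline step (Domain ID passed as the first argument):
#   VULDOO_API_KEY="$CI_SECRET" sh vuldoo_scan.sh <domain-id>
if [ -n "${1:-}" ]; then
  vuldoo_trigger_scan "$1"
fi
```

The non-zero return on rejection is what makes the CI job fail visibly instead of silently skipping the scan.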
How does pricing work?
Vuldoo uses a subscription model. We offer several plans (Freemium, Starter, Standard, Plus, Enterprise) with pricing based on subdomains, scan frequency, and features like scheduled scans and CI/CD integration. All plans include unlimited seats. For full details—including price per month (billed annually), subdomain limits, and scanner cooldowns—see the Pricing section on our homepage.
Is there a free plan?
Yes. Our Freemium plan is free forever—no time limit. It's ideal for small sites: 1 subdomain, 1 free report per quarter, unlimited domains and seats. You can run manual scans and see results without committing. Upgrade when you need more subdomains, more frequent reports, scheduled scans, or CI/CD integration.
Who can scan domains?
You may only scan domains you own, control, or have explicit written authorization to test. Vuldoo requires domain ownership validation before any scan can proceed. This ensures all security assessments are authorized and legitimate. Unauthorized scanning is strictly prohibited and violates our Terms of Service.
How does domain validation work?
We support multiple validation methods: email verification (to administrative contacts), DNS validation (TXT record), website validation (file upload or meta tag), and contract validation (for enterprise customers with signed agreements). Validation must be completed before scanning can begin. This is a security and legal requirement to ensure you have authorization to test the domain.
Can I scan domains I don't own or manage?
No. Scanning domains without ownership or explicit authorization is prohibited and may violate computer fraud laws. Vuldoo's domain validation system prevents unauthorized scanning. You must prove ownership or have written authorization before any scan can proceed.
Do I need AWS approval to run the domain scan?
No. Our scanners fall within what AWS treats as an authorized penetration test under its requirements, so you don't need to request separate AWS approval to run Vuldoo against your AWS-hosted domains.
Can I run Vuldoo against AWS infrastructure?
Absolutely—you should. Some misconfigurations are only caught from an external perspective and attacker mindset. Running Vuldoo against your AWS infrastructure gives you that visibility before someone else does.