How Vulny works
Vulny combines several specialised scanners into one safe, automated pipeline.
External vulnerability scanner
Vulny maps your internet-facing attack surface — open ports, running services and their versions — the same way an attacker’s reconnaissance would, then matches each service to known CVEs.
Web app scanner
Each web port is tested for OWASP-class issues, exposed sensitive files, missing security headers and weak configurations using continuously updated detection templates.
API & Shadow-API scanner
Vulny crawls your application to discover documented and undocumented API endpoints, then fuzzes them for authentication, authorization and injection flaws including SSRF, LFI, SSTI and path traversal.
TLS / SSL scanner
Certificates and TLS configuration are checked for expiry, self-signed or untrusted chains, deprecated protocol versions and weak ciphers.
CVE matching (NVD)
Discovered software and versions are matched against the full National Vulnerability Database, enriched with CVSS, CISA KEV, EPSS and public exploit data for accurate, prioritised results. The CVE database refreshes every two hours.