VulnScanners Logo

Help Center

Everything you need to scan with confidence.

Getting started, the scanners, reading your reports, credits, scheduling, troubleshooting, and how we handle your data.

Getting started

VulnScanners is fully hosted — there's nothing to install. From sign-up to your first report is a few minutes:

  1. 1

    Create your account

    Sign up with email or Google. Your account is created instantly.

  2. 2

    Buy scan credits

    From the dashboard, choose a pack (Essential, Pro, or Scale). Credits work across all three scanners and never expire.

  3. 3

    Add a target

    Save targets you scan often under Targets, or enter an ad-hoc target when you launch a scan. A target is a URL, IP address, or domain you own or are authorized to test.

  4. 4

    Launch a scan

    Go to Launch Scan, pick a scanner (Nmap, Nuclei, or OWASP ZAP) and a target, then submit. Scans run in the background — you don't have to keep the console open.

  5. 5

    Review results

    Track progress on your dashboard and in Scan History. When a scan completes, download the raw output or a branded PDF report.

The scanners

Each scan consumes one credit of that scanner type and produces its own findings and PDF report. The three engines are complementary — use whichever fits the target.

Nmap — network & open ports

Discovers open TCP ports and the services and versions running on them, flagging exposed or insecurely configured services. Host discovery is disabled so firewalled or CDN-fronted hosts still get scanned. Typically finishes in 1–10 minutes.

Nuclei — vulnerabilities & exposures

A fast, template-driven scanner that runs thousands of community templates to detect CVEs, misconfigurations, exposed files/APIs, and security issues across web apps and infrastructure. Typically 5–15 minutes against a single target.

OWASP ZAP — web application

A full active scan that spiders a web application and actively tests it for issues like cross-site scripting (XSS), SQL injection, missing security headers, and insecure cookies (OWASP Top 10). The most thorough — and the slowest — from several minutes to a couple of hours on a large app.

Reports & results

Severity levels

Findings are classified Critical, High, Medium, Low, and Info (plus Accepted for findings you've triaged). Higher severity indicates a greater risk to the confidentiality, integrity, or availability of the target — evaluate Critical and High first.

PDF report

Every completed scan generates a branded, client-ready PDF — executive summary, severity distribution, a master findings table, and detailed findings with description, business impact, and remediation. Download it from Scan History → Report.

Raw output

Download the exact tool output for any scan — Nmap XML, Nuclei JSONL, or ZAP JSON — from Scan History → Raw output. It's the same data you'd get running the tool yourself.

Combined report

From the Reports page, select multiple completed scans to generate one consolidated PDF across targets — useful for handing a client or auditor a single document.

Deleting scans

You can permanently delete any scan — including its raw output — from Scan History. Deletion can't be undone.

Credits & billing

  • Each scan uses one credit of that scanner type. Credits are tracked separately per scanner — Nmap, Nuclei, and ZAP.
  • Packs add credits to all three scanners: Essential (10 each), Pro (100 each), and Scale (1,000 each).
  • Credits never expire — they stay on your account until you use them.
  • Failed scans are automatically refunded, so you're never charged for a scan that didn't complete.
  • First purchase is covered by a 7-day, no-questions-asked refund; after that we handle issues case by case.
  • Buy more anytime from the dashboard with “Buy Credits.”

Scheduled scans

Set up recurring scans from the Scheduled Scans page: pick a saved target, a scanner, and a cadence (daily, weekly, or monthly). Each run consumes one credit and emails you the report when it finishes — handy for continuous monitoring of an asset.

Troubleshooting

A scan failed

The credit is automatically refunded. The most common cause is a target that isn't reachable from the public internet — confirm the host is up and try again.

“Target unreachable”

The host didn't respond on any scanned port, or returned only server errors. That usually means it's down, firewalled, or blocking the scanner. Verify the target resolves and responds publicly, then re-run.

No findings

Either the target is genuinely clean for that scanner, or it was unreachable during the scan. Download the raw output to see exactly what the tool observed.

A scan seems stuck

Scans that don't report back within about an hour are automatically marked failed and the credit refunded — you won't have a scan hanging indefinitely.

A ZAP scan is taking a long time

A full active scan on a large web app can legitimately take a while. It runs in the background, so you can close the console and come back — the report and an email will be waiting.

Trust & safety

Data protection & privacy

Scan results, target information, and account data are encrypted in transit (TLS) and at rest. Your results are private to your account — we never share, sell, or distribute your scan data. You can export any scan to PDF or permanently delete it, including the raw output, at any time.

Ethical use

VulnScanners is for authorized security testing only. You may scan only systems you own or have explicit written permission to test. Unauthorized scanning of third-party systems is prohibited and may be illegal under laws such as the Computer Fraud and Abuse Act (CFAA) and similar legislation. We may suspend accounts that violate this policy.

Compliance

Our infrastructure follows OWASP best practices and implements controls aligned with SOC 2 Type II. For customers subject to GDPR, HIPAA, or PCI DSS, we can provide documentation of our security controls and data-handling practices on request.

Incident response

We maintain an incident response plan to contain, investigate, and remediate security issues, and we will notify affected users within 72 hours of confirming a breach that compromises their data. If you believe you've found a vulnerability in VulnScanners itself, report it via the support page using the “Security concern” category.

Your responsibilities

Use a strong, unique password; confirm you're authorized before scanning any target; review your scan history and targets periodically; and use scan results to remediate, not exploit. Report anything suspicious to support right away.

Still need a hand?

Can't find what you're looking for, or need to report a security concern? Our team is here to help.

Contact support

Last updated July 12, 2026