
Vulnerability Scanning & Web Security
Detect, track and resolve vulnerabilities across your organization’s internet-facing attack surface using Netcraft’s PCI ASV automated vulnerability scanning solution
Vulnerability scanning
The Audited by Netcraft service scans your internet-facing attack surface to detect, triage, and fix network vulnerabilities. Daily, weekly, or monthly scans can be used alongside the optional quarterly PCI ASV attestation process, providing confidence that your network and all accessible hosts are protected.
All scans are conducted using Netcraft’s automated scanning tool, which is created, developed and maintained by our in-house security experts. This means we’re able to accommodate our clients’ specific needs, and can rapidly respond to emerging technologies and new vulnerabilities. All whilst providing the best support possible.

PCI Approved Scanning Vendor
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 with the aim of specifying security measures for merchants with an online presence. Netcraft has been a PCI Approved Scanning Vendor (PCI ASV) since 2008.
Merchants can use Netcraft’s services to fulfill the regular external vulnerability scanning requirements of PCI compliance (specifically requirements 11.2.2 and 11.2.3). Netcraft customers can be secure in the knowledge that the Audited by Netcraft assurance service is itself independently tested annually to meet the ASV standards.

Web & mobile app security testing
With a precise scope, Netcraft’s in-house security experts will assume the role of a determined hacker looking to exploit weaknesses in your web or mobile application’s security in order to gain access to your data, platform, or customers’ details.
A key feature of the service – and one which cannot be covered by relying solely on automated testing – is application testing. The service, which is carried out by Netcraft’s experienced security professionals, is designed to rigorously push the defenses of applications (and the internet services powering them).

Vulnerability Scanning
Netcraft’s automated vulnerability scanning service regularly tests your internet infrastructure and supplies you with the information you need to maintain your security and eliminate vulnerabilities.
Netcraft Seal
Give your customers confidence with our dynamically generated seal which certifies that Netcraft has audited your network.
The Netcraft seal shows the date of the last test on which no serious vulnerabilities were detected. As Netcraft updates its scanning suite regularly, adding new tests for the latest security exploits as they are discovered, your customers can be confident in the security of a site with a Netcraft seal.
Regular Scans
Schedule scans of your network as frequently as needed – daily, weekly or monthly. Even on-demand for individual hosts.
The IP address range scanned can be modified part-way through the duration of your contract, making it a good option for ensuring new deployments are carried out securely.
PCI Compliance
As a PCI Approved Scanning Vendor (PCI ASV), we can help fulfill the regular scanning requirement of PCI Compliance.
PCI customers can submit evidence of false positives which is thoroughly checked by the Netcraft team, ensuring that the correct fixes are indeed in place. Other customers are able to annotate such issues. Vulnerabilities marked as false positives can then be filtered out from the report, allowing you to focus on vulnerabilities you know are applicable.
Full Support
Our experienced security professionals are here to help by email or phone.
Support and development staff work closely together to ensure any queries that you have will be answered by people with the knowledge and experience necessary to provide the best support possible.
Growing Database
New tests and advisories are added daily from public security advisories and our own research gained from testing thousands of networks.
Our team keeps track of recently disclosed vulnerabilities, carefully examining each one and adding tests for the ones that can be detected remotely. Where possible, we write proof of concept-based tests which can report vulnerabilities with confidence and zero risk.
TLS Configuration
Thanks to our team’s significant experience with TLS/SSL and the data gathered from the Netcraft SSL Server Survey (which has been running since 1996), we are able to detect and report many security issues concerning your TLS configuration.
We have also written our own PoC-based tests for TLS-related vulnerabilities, including more popular ones such as Heartbleed, BEAST and DROWN, allowing us to report them with confidence.
Reports
Descriptive severity grading and categorization of each exploit’s risk is available in a web report, whilst differential reporting highlights security changes between scans.
We provide multiple report types, including interactive web-based reports, print-friendly PDFs, and machine-readable CSV files.
Exploit It
Safe example exploits are embedded into the reports, where possible, for easy ‘click to test’ self-verification of fixes.
Fix It
Clear and concise remediation advice in the form of a web accessible database of fixes and resources for mitigating discovered vulnerabilities.
Frequently Asked Questions
The Web Application Testing service is suitable for commissioning, third-party assurance, post-attack analysis, audit, and regulatory purposes where independence and quality of service are important requirements.
The Netcraft team of analysts assume the role of a determined hacker looking to exploit weaknesses in your security, and gain access to your application or network.
Once complete, we provide a final written report with guidance and recommendations, with links to relevant advisories that allow you implement effective mitigations.
Your web servers are crawled using modern technology to determine software used, and then further tests are executed to identify misconfigurations, vulnerabilities, and indicators of compromise such as backdoors and shopping site skimmers.
No. Denial-of-service and other high-impact exploits are reported (based on version numbers and fingerprints) but not executed, and the test load is controlled.
No. By definition, a testing service can only find vulnerabilities (and cannot prove the absence of vulnerabilities). That said, our reports clearly show our methods and test scope, so a person with reasonable security experience can gauge the thoroughness of the tests.
Some vulnerabilities cannot be directly tested without server disruption. For example, denial-of-service vulnerabilities and some buffer overflows can be very damaging to a server. In order to avoid negative effects, Netcraft detects the possible presence of such vulnerabilities via indirect methods.
Due to the nature of remote scanning, Netcraft cannot definitively confirm the presence or absence of certain types of vulnerability, leading to false positives. All customers can add annotations to vulnerabilities, and PCI and seal customers are able to submit evidence which is thoroughly checked by our security team. Customers can use the display filters to hide vulnerabilities that have already been addressed.
Insights

Blog
September 2023 Web Server Survey
In the September 2023 survey we received responses from 1,085,035,470 sites across 254,776,456 domains and 12,274,854 web-facing computers. This reflects … Read More
Learn More

Blog
Phone scams conducted using PayPal’s own invoicing service
Phishing attacks often start with an email or text message that links to a malicious web site designed to steal … Read More
Learn More

Blog
August 2023 Web Server Survey
In the August 2023 survey we received responses from 1,093,748,332 sites across 255,459,417 domains and 12,162,471 web-facing computers. This reflects … Read More
Learn More
Schedule time with us
Learn more about Netcraft’s powerful brand protection, external threat intelligence and digital risk protection platform