Find it. Prove it. Report it.
SentryScan is a self-hosted web vulnerability scanner and VAPT platform for authorized security testing. It maps the attack surface, runs 64 detection modules across the OWASP Top 10, and actively proves real findings instead of just flagging them — it drops the noise, and writes the report.
The console
Proven findings with reproduction steps, severity and confidence — not a wall of maybes.
↑ Each finding carries the evidence that proves it.
What it detects
Six categories, 64 modules, driven from a JavaScript-aware crawl so it reaches modern single-page apps.
Injection & XSS
SQLi (error, blind, time, header, auth-bypass), reflected & DOM XSS, LFI, SSTI, NoSQL and CRLF — driven from a JS-aware crawl.
Misconfig & exposure
Security headers, CORS, clickjacking, open redirect, cache poisoning, and .git/.env source leaks.
API & auth
Swagger/OpenAPI exposure, GraphQL introspection, JWT weaknesses, plus full authenticated scanning for SPAs.
Proof, not guesses
Non-destructively reconstructs each exploitable finding to prove it, scores confidence, and drives false positives toward zero.
AI-assisted triage (optional)
An optional AI pass double-checks borderline findings to cut false positives even further before they reach your report.
Report-ready
Evidence, reproduction steps and working proofs, exported to HTML, PDF, Markdown, JSON or CSV.
Scanner capabilities
A sample of the checks that ship in the current build.
Related reading
Proof, Not Guesses: Why I Built SentryScan
The false-positive tax and the design principle behind SentryScan.
// blog · apiThe API Security Checklist I Run
How the mechanical API findings get automated so human time goes to logic.
// projectsOpen-source security tooling
The recon and automation tools that feed the same workflow.
Want SentryScan pointed at your product?
Early access is opening to a small group. If proof-based scanning fits your team, let's talk.
Request early access →