Hall of FameProjectsBlogContact
SentryScan ENTERPRISE
◎ product · built by Abhishek Bhaskar (Abhi HackZ)

Find it. Prove it. Report it.

SentryScan is a self-hosted web vulnerability scanner and VAPT platform for authorized security testing. It maps the attack surface, runs 64 detection modules across the OWASP Top 10, and actively proves real findings instead of just flagging them — it drops the noise, and writes the report.

Request early access → Read the philosophy
Python · FastAPI · SQLite · runs local · authorized testing only
64detection modules
6categories
OWASPTop 10 coverage
10k+Nuclei templates
AIfalse-positive check

The console

Proven findings with reproduction steps, severity and confidence — not a wall of maybes.

localhost:8000 — SentryScan console
SentryScan console showing proven SQL injection and XSS findings with reproduction steps

↑ Each finding carries the evidence that proves it.

What it detects

Six categories, 64 modules, driven from a JavaScript-aware crawl so it reaches modern single-page apps.

Injection & XSS

SQLi (error, blind, time, header, auth-bypass), reflected & DOM XSS, LFI, SSTI, NoSQL and CRLF — driven from a JS-aware crawl.

Misconfig & exposure

Security headers, CORS, clickjacking, open redirect, cache poisoning, and .git/.env source leaks.

API & auth

Swagger/OpenAPI exposure, GraphQL introspection, JWT weaknesses, plus full authenticated scanning for SPAs.

Proof, not guesses

Non-destructively reconstructs each exploitable finding to prove it, scores confidence, and drives false positives toward zero.

AI-assisted triage (optional)

An optional AI pass double-checks borderline findings to cut false positives even further before they reach your report.

Report-ready

Evidence, reproduction steps and working proofs, exported to HTML, PDF, Markdown, JSON or CSV.

Scanner capabilities

A sample of the checks that ship in the current build.

SQL injectionReflected XSSDOM XSSLFISSTINoSQL injectionCRLFSecurity headersCORS misconfigClickjackingOpen redirectCache poisoning.git / .env leaksSwagger exposureGraphQL introspectionJWT weaknessesAuthenticated scanNuclei (10k+)nmapsqlmapdalfoxffufhttpxAI false-positive checkProof-based verify
⚠ Built for authorized testing only — every scan confirms authorization and scope is enforced centrally, so a check can't reach a host you didn't put in scope. Only scan systems you own or have written permission to test.

Related reading

// blog · web

Proof, Not Guesses: Why I Built SentryScan

The false-positive tax and the design principle behind SentryScan.

// blog · api

The API Security Checklist I Run

How the mechanical API findings get automated so human time goes to logic.

// projects

Open-source security tooling

The recon and automation tools that feed the same workflow.

Want SentryScan pointed at your product?

Early access is opening to a small group. If proof-based scanning fits your team, let's talk.

Request early access →