[jvehent]

I doubt you rewrote a vulnerability scanner from scratch, since it takes years and a lot of efforts to do, so why don't you tell us a bit more about the technology behind it. Does it use ZAP? Arachni? W3AF? OpenVAS? SQLMap? All of them?

Also, I'd be careful about such claims:

> Our scans are secure and non-intrusive.

Because you never know what will happen in the backend when you hit that "GET /article/delete/1" endpoint while spidering the home page. Tons of poorly coded webapps have that kind of trap, and you should scan staging/test instances whenever possible to avoid dropping a production DB whenever you hit one of those.

[LarkaUZ_]

Hi. Indeed we did not write a vulnerability scanner from scratch. We run a few major vulnerability scanners like OpenVAS on the target website, configured in a way to be non-intrusive. We do not communicate on the exact tools that we launch and how we compile the results since this is our secret sauce ...

Fair point about the "GET /article/delete/1" issue, unfortunately a lot of SMB do not have staging/test instances ...

[GordonS]

> We do not communicate on the exact tools

Honestly, you're not communicating much. Serious question: why would anyone give you their card details for a complete unknown? Your site doesn't provide free scans, sample reports (or even partial ones), or even say anything about who 'ScannerSec' is.

[raesene9]

It would be relatively straightforward to announce the scanners you use without disclosing your analysis/correlation tools (which presumably is where you're looking to add value here?)

I'd echo the other comments about being very careful with language like "non-intrusive", I've taken systems down with a single ' character in a login box before or by carrying out basic port scans.

Now obviously you could say that a system that fragile has bigger problems, but customers tend not to feel that way if something bad has happened to their site on the day you're scanning them...

[jvehent]

Your secret sauce is purely based on the hard work of open source developers. Pardon me if I don't support your obscurantism.

[newsat13]

Granted OP is obscure but this is a very harsh assessment. Such comments can be hurtful to hear when you launch. Why not give some positive and constructive feedback?

[kapauldo]

Just like wordpress

[codingdave]

To be fair, if a scanning tool running anonymously can muck up your webapp by hitting "GET /article/delete/1" then they did successfully find a problem with your SaaS app.

[ifoundthetao]

You're missing the "non-intrusive" point that he was bringing up. While they did find a vulnerability, they went beyond the scope the had agreed to, which is the issue he's describing.