Notes from the scanner
Web security, privacy, and vulnerability scanning: practical guides from the team behind OnScanner.
We write about what we build and what we see in real scans: how attackers map a website from the outside, which CVEs actually get exploited and how EPSS and CISA KEV separate them from the noise, why trackers and consent banners fail privacy audits, and what SPF, DKIM, DMARC, TLS and security headers reveal about a domain before anyone logs in. No fluff, no recycled press releases; each post explains a technique, shows the evidence a scanner collects, and ends with fixes you can apply the same day.
RSS feedSecurity Scanning for AI Agents: How the OnScanner MCP Server Works
How AI agents run live security scans through the OnScanner MCP server: seven tools, one API key, and a create, scan, poll, results workflow.
Live Scans vs Cached Results: Why Freshness Changes Everything
How live scanning works, what changes between crawls, and the few places caching is legitimate. Why OnScanner never serves stale scan results.
Authenticated vs Unauthenticated Scanning: Which Do You Need?
Unauthenticated scans show the attacker's view; authenticated scans test behind login. What each finds, what each misses, and when you need both.
How to Scan a Website for Vulnerabilities (Step by Step)
A practical six-step guide to scanning a website: scope, authorization, scan type, EPSS and KEV triage, fixing, rescanning, and monitoring.
What Can an Attacker See on Your Website Right Now?
DNS, TLS, headers, tech stack, email records, trackers: everything an attacker can map on your site without logging in, and how to see it first.