Changelog
What's new
A running log of major OnScanner releases since launch. Newest first; routine fixes omitted.
-
AI agents & AI analysis
- MCP server for AI agents, run scans directly from Claude, Cursor, and any MCP-compatible agent over Streamable HTTP at mcp.onscanner.com, with full agent discovery (llms.txt, server card, agent skills).
- AI Findings, optional opt-in per-scan AI analysis that summarizes, explains, and remediates findings, correlates them into attack chains and a MITRE ATT&CK kill chain, and assesses compliance against SOC 2, ISO 27001, GDPR, PCI-DSS, and HIPAA. Deterministically grounded against your scan so it can't fabricate or deflate severity.
- Daily backups, automated database backups for data durability.
-
Smarter prioritization & monitoring
- End-of-life (EOL) detection, flag products and versions past end-of-life that no longer receive security support, distinct from individual CVEs.
- Monitoring overhaul, a current-posture scorecard, clearer change detection between scans, and reclassification of patched CVEs over time.
- Privacy-scanner precision, fewer false positives across consent gates, session recorders, and first-party scripts, with stricter evidence-based scoring.
-
Teams, billing & active checks
- Team accounts & RBAC, Owner, Member, and Viewer roles for shared accounts, with login history and audit context.
- Subscriptions & credits, plans, per-scan credits, one-time top-ups, and auto-refill.
- Active exploitation probes, safe, non-destructive, in-band verification of whether a known CVE is actually exploitable on authorized targets.
-
CVE intelligence
- EPSS & KEV prioritization, rank findings by exploit-prediction score and flag those on CISA's Known Exploited Vulnerabilities catalog.
- Patch-status detection, distinguish patched, unpatched, and won't-fix CVEs using vendor/distro data, so you act on what's actually fixable.
- Fingerprinting confidence, confidence scoring plus CPE/NVD correlation, CNAME and favicon-hash matching.
-
Automation & reporting
- REST API & API keys, create scans, retrieve results, and manage targets programmatically.
- Scheduled scans & monitoring, daily, weekly, or monthly automated scans with continuous change detection.
- Reporting, structured JSON, PDF export, and embeddable security badges.
-
OnScanner launches
- Core security scanning, OWASP Top 10 classes, exposed services, misconfigurations, and CVE/CPE version matching.
- Privacy scanning, 40+ categories of trackers, ad pixels, fingerprinting, cookies, and consent/CMP compliance, with a privacy score.
- Attack-surface & infrastructure, technology fingerprinting, WAF detection, DNS/TLS analysis, and email security (DMARC, DKIM, SPF).
- Live, never-cached results, every scan runs in real time against the target.