Changelog

What's new

A running log of major OnScanner releases since launch. Newest first; routine fixes omitted.

  1. AI agents & AI analysis

    • MCP server for AI agents, run scans directly from Claude, Cursor, and any MCP-compatible agent over Streamable HTTP at mcp.onscanner.com, with full agent discovery (llms.txt, server card, agent skills).
    • AI Findings, optional opt-in per-scan AI analysis that summarizes, explains, and remediates findings, correlates them into attack chains and a MITRE ATT&CK kill chain, and assesses compliance against SOC 2, ISO 27001, GDPR, PCI-DSS, and HIPAA. Deterministically grounded against your scan so it can't fabricate or deflate severity.
    • Daily backups, automated database backups for data durability.
  2. Smarter prioritization & monitoring

    • End-of-life (EOL) detection, flag products and versions past end-of-life that no longer receive security support, distinct from individual CVEs.
    • Monitoring overhaul, a current-posture scorecard, clearer change detection between scans, and reclassification of patched CVEs over time.
    • Privacy-scanner precision, fewer false positives across consent gates, session recorders, and first-party scripts, with stricter evidence-based scoring.
  3. Teams, billing & active checks

    • Team accounts & RBAC, Owner, Member, and Viewer roles for shared accounts, with login history and audit context.
    • Subscriptions & credits, plans, per-scan credits, one-time top-ups, and auto-refill.
    • Active exploitation probes, safe, non-destructive, in-band verification of whether a known CVE is actually exploitable on authorized targets.
  4. CVE intelligence

    • EPSS & KEV prioritization, rank findings by exploit-prediction score and flag those on CISA's Known Exploited Vulnerabilities catalog.
    • Patch-status detection, distinguish patched, unpatched, and won't-fix CVEs using vendor/distro data, so you act on what's actually fixable.
    • Fingerprinting confidence, confidence scoring plus CPE/NVD correlation, CNAME and favicon-hash matching.
  5. Automation & reporting

    • REST API & API keys, create scans, retrieve results, and manage targets programmatically.
    • Scheduled scans & monitoring, daily, weekly, or monthly automated scans with continuous change detection.
    • Reporting, structured JSON, PDF export, and embeddable security badges.
  6. OnScanner launches

    • Core security scanning, OWASP Top 10 classes, exposed services, misconfigurations, and CVE/CPE version matching.
    • Privacy scanning, 40+ categories of trackers, ad pixels, fingerprinting, cookies, and consent/CMP compliance, with a privacy score.
    • Attack-surface & infrastructure, technology fingerprinting, WAF detection, DNS/TLS analysis, and email security (DMARC, DKIM, SPF).
    • Live, never-cached results, every scan runs in real time against the target.