Methodology

How OnScanner detects what it reports

OnScanner is a deterministic scanner. Every finding comes from a specific engine, a specific signal, and, where applicable, an authoritative data source. This page explains how detection works, and how the optional AI Findings layer analyzes the results afterward.

Where AI fits in

The scan itself is fully deterministic and never calls an LLM. AI Findings is a separate, optional, opt-in layer that runs after a scan completes: it reads the results and writes an executive summary, prioritized risks, per-finding remediation, attack-chain correlation, a MITRE ATT&CK kill chain, and a multi-framework compliance assessment (SOC 2, ISO 27001, GDPR, PCI-DSS, HIPAA). Your findings are sent to a third-party AI provider only when you enable AI analysis or AI compliance for that scan, and the provider is contractually prohibited from training on your data.

How does OnScanner detect vulnerabilities?

Rather than one monolithic crawler, OnScanner runs purpose-built engines in parallel: security (OWASP Top 10 classes, exposed services, misconfigurations), privacy and trackers (40+ categories including pixels, fingerprinting, session recording, and consent/CMP compliance), technology fingerprinting, DNS/TLS and WAF posture, and email security (DMARC, DKIM, SPF). Each engine emits structured findings with the evidence it observed, so a result can be traced back to the response, header, or behaviour that produced it.

Where does the vulnerability data come from?

When OnScanner fingerprints a product and version, it matches against CVE data sourced from the National Vulnerability Database (NVD) and vendor/distribution advisories, not a hand-maintained list. Findings are prioritised with EPSS (exploit-prediction scoring) and flagged when they appear on CISA's Known Exploited Vulnerabilities (KEV) catalog. We also evaluate patch status and end-of-life (EOL) state, so you can tell a genuinely exploitable, unpatched issue from a CVE that does not apply to your build.

What does "zero-day heuristics" mean?

Some checks are behavioural rather than signature-based: they reason about what a response means (timing, reflected input, error semantics) instead of only matching a known fingerprint. This can surface anomalies before a CVE exists. To be clear about the claim, these are heuristics that flag suspicious behaviour for review; they are not a guarantee of discovering novel vulnerabilities, and we do not claim CVE credits we have not earned.

How do active exploitation probes stay safe?

Where OnScanner actively verifies whether a known CVE is exploitable, the probes are non-destructive and verify in-band, they read the response body, status, or timing of the target itself. They do not modify target state and do not rely on out-of-band DNS or callback listeners. Active probes only run against targets you own or are explicitly authorized to test; this is enforced at the account level.

Is scan data cached, and does it touch an LLM?

Every scan runs in real time against the target, nothing is served from a cache, and the scan itself never calls an LLM. If you turn on AI Findings or AI compliance for a scan, your findings are sent to a third-party AI provider that is contractually prohibited from training on your data. Leave AI features off and nothing is sent to any AI provider.