Port Scanning
TCP/UDP port discovery with service fingerprinting. Identifies listening services, exposed admin interfaces, and firewall misconfigurations. Optional Nmap depth mode for OS and version detection.
Every scan type in Vornin, with what it finds, what it misses, and when to reach for it.
Comprehensive certificate and protocol audit. Tests cipher strength, protocol versions, certificate chains, and known-vulnerability signatures. Watches for upcoming expiries.
Crawls your site (authenticated or anonymous), then tests each endpoint for OWASP Top 10 issues. Configurable crawler depth, confidence thresholds, and authentication headers.
REST API-specific checks. Enumerates endpoints, tests CORS, probes for auth bypass, and looks for information disclosure in error responses.
Runs the full Nuclei corpus on demand — thousands of community-maintained templates for CVEs, misconfigurations, and technology-specific signatures. Opt-in per scan; requires the Nuclei binary.
Email authentication, zone-transfer probes, DNSSEC validation. Catches the misconfigurations attackers love — missing SPF, permissive DMARC policies, leaky zone transfers.
Enumerates subdomains via DNS brute force, certificate-transparency crawl, and search-engine queries. Surfaces the staging servers and abandoned services IT forgot.
Semgrep-backed analysis of source repositories connected via Azure DevOps, GitHub, or GitLab. Runs on commits, pull requests, or on demand. Finds the bugs your linter won't.
Gitleaks-powered sweep of repository history for API keys, tokens, and passwords. 100+ default patterns, plus custom regex rules per tenant.
Trivy-backed software composition analysis. Parses lockfiles across ecosystems, cross-references NVD, and surfaces what's in CISA's Known Exploited Vulnerabilities catalog. Emits a CycloneDX SBOM for every scan.
Combines DNS records with HTTP fingerprinting to flag abandoned DNS entries pointing at unclaimed cloud resources. Twenty-five provider signatures and climbing — GitHub Pages, S3, Heroku, Azure, Fastly, and more.
WPScan-grade enumeration for WordPress sites: core version, plugin and theme inventory, and cross-reference against the WPScan vulnerability database. For the one-third of the web that still runs on WordPress.
Trivy-backed image analysis for Docker / OCI images — OS packages, application dependencies, and known exploit markers. Scan private registries with your own credentials; public images by name and tag.
Trivy-powered Kubernetes cluster scan using a stored kubeconfig. Targets either the whole cluster (k8s://cluster) or a single namespace (k8s://namespace). Surfaces pod-level CVEs, baseline security gaps, RBAC drift, and admission-controller blind spots in one pass.
Multi-cloud CIS posture assessment using stored credentials. AWS: 15 live checks across IAM, S3, EC2, RDS, CloudTrail, KMS, Lambda, Config. Azure: 11 live (NSGs, storage, Key Vault, SQL, VM exposure, Defender, ACR). GCP: 15 live — 100% coverage (IAM, GCS, firewall, Compute, Cloud SQL, audit logging, KMS, GKE).
Vornin does not run Nessus or OpenVAS for you — our fifteen built-in engines are shown above. If you already run them elsewhere, upload the XML / JSON / CSV export and Vornin drops the findings into the same deduplication, compliance mapping, evidence chain, and SLA pipeline as native scans. Fingerprinted, enriched, tracked.
Scanner engines aren't held hostage. Every tier — Free included — ships all fifteen. The wedge is compliance breadth, retention, and auditor-pack export.