Answers

Frequently Asked Questions

Common questions about pricing, scanning, security, and teams. Missing something? Reach out from your account.

Pricing & plans

A credit is the atomic unit of scanning usage. Most scanner modules cost 0.01 credits per run. Resource-heavy scanners (for example OpenVAS network scans) cost 0.05. You see the total before you launch a scan.

Plan credits (the monthly allotment on your subscription) reset at the start of each billing cycle. Credits you purchase separately as one-time top-ups never expire.

Credit checks happen before the scan is queued, so you cannot accidentally start a scan you cannot pay for. If you run low between scans, the app prompts you to top up or upgrade before the next run.

Yes. Credit packs are available as one-time purchases to any team, including teams on the Free plan. Purchased credits stack with any plan credits you have.

Yes. The public tools at /tools/* run without an account. Some are rate-limited by IP to prevent abuse, but there is no payment, signup, or account linkage.

Scanning

Domains, subdomains, IP addresses, URLs, and web apps. The platform orchestrates dozens of open-source scanning tools across reconnaissance, discovery, crawling, enumeration, vulnerability, webapp, audit, and analysis phases.

Each module wraps a specific scanning tool (for example nmap, nuclei, testssl). You pick which modules to run on a target. Modules declare dependencies and run in parallel as soon as their inputs are ready; there are no rigid phase gates.

Not as a drop-in today. The platform is designed around a sidecar container pattern, so adding a tool currently requires adding a module class and a Docker image. Enterprise customers can discuss custom module work with our team.

Yes. A scan:ci Artisan command exists for scripted pipelines, and the REST API exposes full scan lifecycle endpoints. Findings export as SARIF, JSON, CSV, PDF, and Markdown.

Scan intensity (light / medium / deep) controls wordlist sizes, tool timeouts, and dictionary depth. Light scans finish in minutes and suit PR-gate workflows; deep scans are exhaustive and suit scheduled overnight runs.

Security & privacy

Not today. SOC 2 Type I is on our roadmap and our controls are aligned with the framework, but we have not completed a formal audit. See the Trust page for our current posture.

Your data is stored in the region of your chosen deployment. For the hosted product, that is our primary cloud region today; contact sales if data residency in a specific region is a requirement.

Self-hosting is on the roadmap. The product is architected to be cloud-agnostic and runs on Docker Compose today. A Kubernetes reference deployment is planned. Enterprise teams can contact sales for early access.

Google OAuth 2.0 is supported today for all tiers. Enterprise SAML/OIDC is on the roadmap. Every user can enable TOTP and WebAuthn/FIDO2 security keys regardless of SSO.

No. We never have, and we never will. No third-party ad networks, no analytics data brokers, no tracking pixels. See the Trust page for the full list of vendors we use.

Teams & onboarding

Teams are the unit of billing and data scoping. You can belong to multiple teams and switch between them from the sidebar. Every scan, finding, and integration is scoped to a specific team.

Yes. Team admins send email invitations with role assignments. Unregistered invitees can accept via a signed link and create an account as part of the flow. Each invitation expires after 30 days.

Roles are super-admin, admin, analyst, viewer, and trainee. Admins manage settings, scans, and phishing campaigns. Analysts run scans and manage findings. Viewers get read-only access. Trainees only see training courses.

No credit card required. You get a time-limited Pro plan trial (configurable per install) and downgrade to Free when it ends unless you upgrade. We send reminder emails before expiry.

Yes. MetricTower includes a phishing simulator with training modules that can be assigned to team members. Trainees get a scoped login and see only the training area.

Still have questions?

The Trust page covers security and privacy in depth, and the pricing page lays out every plan limit.