Vulnerability Scanning Built for Speed and Depth

98+ scanner modules, dependency-aware module ordering, and sandboxed tool isolation. AI correlation runs across every finding.

Launch a Scan in Seconds

Enter a target, select modules, and launch. The pipeline handles dependency resolution, sandboxed execution, and live progress.

metrictower.com/scans/new
Target
acme-corp.com
DOMAIN
Est. duration: 12m 45s 24 modules selected 4 phases Cost: 0.24 credits
Modules
Recon (11)
Discovery (7)
Crawling (3)
Enumeration (5)
Vulnerability (13)
Web App (5)
Audit (11)
AI Analysis (3)
Launch Scan

8 Scanner Categories, One Pipeline

Every category covers a different stage of the attack surface -- from subdomain discovery to AI-powered correlation.

Reconnaissance

11 modules

Subdomain enumeration, DNS brute-force, certificate transparency, typosquatting detection.

Discovery

7 modules

Port scanning, HTTP probing, technology fingerprinting, WAF detection.

Crawling

3 modules

JS-aware spidering, historical URL discovery from Wayback Machine and Common Crawl.

Enumeration

5 modules

Directory fuzzing, API endpoint discovery, hidden parameter detection, OpenAPI spec analysis.

Vulnerability

13 modules

XSS, SQL injection, command injection, SSRF, SSTI, CORS misconfig, subdomain takeover.

Web App

5 modules

Full application scanning with OWASP ZAP, Wapiti, and CMS-specific scanners for WordPress, Drupal, Joomla.

Audit

11 modules

Security headers, TLS/SSL config, secret detection, email security (SPF/DKIM/DMARC), JWT analysis.

AI Analysis

3 modules

Attack chain correlation, false positive detection, confidence scoring, CVE identification from banners.

Actionable Results, Not Noise

Severity breakdown, deduplication, AI-powered false positive detection, and export to 5 formats.

metrictower.com/scans/a1b2c3/results
acme-corp.com
Completed 3 minutes ago -- 24 modules -- 47 findings
Compare Export Share
3
Critical
8
High
14
Medium
16
Low
6
Info
Severity Finding Module Status
Critical SQL Injection in /api/v1/users Sqlmap New
High Reflected XSS via search parameter Dalfox New
High Missing HSTS header HTTP Headers Repeated
Medium CORS misconfiguration on /api/* Corsy New
Medium TLS 1.0 still enabled Testssl Repeated

Six-Phase Pipeline, One Scan

Each phase hands results to the next. Subdomains feed port scans. Port scans feed vulnerability checks. You just pick targets.

1

Reconnaissance

Subfinder, Amass, CrtSh, Httpx, Katana, Gau

2

Resolution

Alterx, Arjun, Ffuf, Wapiti, ZAP, WpScan

3

Exploitation

Dalfox, Sqlmap, Commix, Dnsx, Nomore403

4

Port Scanning

Naabu deep port scan across resolved hosts

5

Vuln Scanning

Nuclei templates, TLS analysis across all ports

6

AI Correlation

Attack chain analysis, false positive detection

Results flow between phases automatically. Subdomains from Phase 1 feed into resolution in Phase 2. Discovered endpoints feed into vulnerability scanners in Phase 3. The AI correlator in Phase 6 analyzes everything.

Built for Serious Scanning

Sandboxed Tool Isolation

Every scanner runs inside its own isolated environment. No dependency conflicts, no shared state. Workloads start on-demand and shut down when idle to conserve resources.

Real-Time WebSocket Progress

Watch every module complete in real time. Progress bars, phase transitions, and finding counts update live over a persistent WebSocket stream. No refresh needed.

Scan Intensity Levels

Choose Light for quick assessments (small wordlists, fast modules), Medium for thorough coverage, or Deep for maximum depth with 400K+ directory wordlists and extended timeouts.

Blind Vulnerability Detection (OAST)

Self-hosted Interactsh server enables out-of-band testing. Nuclei, Dalfox, and Sqlmap automatically use OOB callbacks to detect blind SSRF, stored XSS, and blind SQL injection.

Data Pipelines Between Scanners

Findings from upstream scanners feed downstream ones automatically. Subdomains from Subfinder flow to Dnsx, resolved hosts feed Naabu, open ports go to Nuclei -- 20+ active data pipelines.

5 Export Formats

Export results as PDF reports for stakeholders, JSON for automation, CSV for spreadsheets, SARIF for CI/CD integration, or Markdown for documentation. One-click copy to clipboard included.

Daily Security Health Checks

Opt-in automated daily scans using 5 lightweight scanners: HTTP headers, email security, sensitive files, DNS service detection, and JavaScript secrets. Zero infrastructure overhead. Detect regressions like removed security headers or newly exposed .env files before attackers find them.

Vulnerability Scanning at Scale

98 scanner modules run in a six-phase dependency-aware pipeline across 6 execution phases. Every tool runs in its own sandbox. Results from one phase feed into the next. Real-time progress via WebSockets. AI-powered analysis. Export to PDF, JSON, CSV, SARIF, or Markdown.

Start Scanning View Plans