BleedWatch
00 // MODULE / SAINTSCAN

SaintScan - sandboxed active validation, when passive is not enough.

Passive scanning answers whether something is exposed. SaintScan answers whether authorized evidence can be safely validated through a controlled gateway with allowlists, scope validation, argv sanitization, digest-pinned images, circuit breakers, and immutable audit logs.

Available from Fortress
Regex · entropy · semantic AI · multi-LLM validation

01 // WHAT IT SCANS

Coverage with explainable detection technique.

Authorized active validation

SaintScan validates only approved scope and only after passive evidence justifies active confirmation. The gateway checks tenant tier, target scope, tool allowlist, argv safety, and execution budget before a process can start.

Curated tool execution

nuclei, sqlmap, naabu, httpx, katana, and related tooling are invoked through digest-pinned containers and policy-controlled arguments. No ad-hoc shell expansion or unreviewed binary path is allowed.

Circuit breakers and tenant isolation

Per-(scanId, tool) circuit breakers, rate limits, timeout budgets, and kill-switch records keep one validation workflow from turning into shared-fleet risk or noisy third-party traffic.

Immutable audit evidence

Every invocation records normalized argv, tenant context, scope decision, image digest, timestamps, result hash, and finalization state. The audit trail supports SOC 2, NIS2, DORA, and customer incident review.
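As an added illustration of the pre-execution checks this section describes (example code, not SaintScan's own), the following Python gateway refuses a tool run unless tier, tool allowlist, target scope, the per-(scanId, tool) circuit breaker, execution budget and every argv token all pass; the image digests, flag allowlist and scope list are constructed placeholders.

```python
# Added example of the pre-execution gate described above; it is not SaintScan's
# code. Image digests, the flag allowlist and the scope list are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
ALLOWED_IMAGES = {  # constructed: tool -> digest-pinned image (placeholder digests)
    "nuclei": "registry.example/nuclei@sha256:" + "a" * 64,
    "httpx": "registry.example/httpx@sha256:" + "b" * 64,
}
# Constructed per-tool flag allowlist; the target is never taken from caller argv.
ALLOWED_FLAGS = {"nuclei": {"-t", "-silent"}, "httpx": {"-silent"}}
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._/=-]+$")  # no shell metacharacters or spaces
BREAKER_THRESHOLD = 3  # consecutive failures per (scan_id, tool) that open the breaker

@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: tuple = ()  # normalized argv, recorded to the audit log

class Gateway:
    def __init__(self, scope, tier_has_active, budget):
        self.scope = set(scope)           # authorized hostnames for this tenant
        self.tier_has_active = tier_has_active
        self.budget = budget              # remaining invocations for this scan
        self.failures = defaultdict(int)  # (scan_id, tool) -> consecutive failures

    def record_result(self, scan_id, tool, ok):
        self.failures[(scan_id, tool)] = 0 if ok else self.failures[(scan_id, tool)] + 1

    def gate(self, scan_id, tool, target, extra_args=()):
        # Every check runs before any process starts; the first refusal wins.
        if not self.tier_has_active:
            return Decision(False, "tier does not include active validation")
        if tool not in ALLOWED_IMAGES:
            return Decision(False, f"tool not allowlisted: {tool}")
        if target not in self.scope:
            return Decision(False, f"target out of scope: {target}")
        if self.failures[(scan_id, tool)] >= BREAKER_THRESHOLD:
            return Decision(False, f"circuit breaker open for ({scan_id}, {tool})")
        if self.budget <= 0:
            return Decision(False, "execution budget exhausted")
        for tok in extra_args:
            if tok.startswith("-") and tok not in ALLOWED_FLAGS[tool]:
                return Decision(False, f"flag not allowlisted: {tok}")
            if not SAFE_TOKEN.match(tok):
                return Decision(False, f"unsafe argv token: {tok!r}")
        self.budget -= 1
        # The runtime receives a pinned digest and an argv list, never a shell string.
        return Decision(True, "ok", ("docker", "run", "--rm", ALLOWED_IMAGES[tool], "-u", target, *extra_args))
```

The returned `argv` tuple is what would be written to the audit row alongside the scope decision and image digest.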

02 // SAMPLE FINDING

A finding built for remediation, not screenshots.

Each module produces a structured evidence pack with severity, business impact, and a runbook excerpt that can be routed to Slack, Jira, Linear, ServiceNow, GitHub, webhook, or SIEM depending on tier.

PDF FINDING PREVIEW

Passive exposure validated as exploitable admin panel chain

critical

Evidence pack

  • Passive EASM finds staging admin panel on public hostname with weak security headers.
  • Scope validator confirms hostname belongs to the authorized customer asset list.
  • nuclei template validates exposed admin fingerprint through digest-pinned container.
  • Audit log records allowlist decision, sanitized argv, result hash, and finalization row.

Business impact

The customer receives proof that an externally reachable admin surface is exploitable enough to require emergency remediation, with an audit trail showing exactly what was run and why.

Remediation runbook

1. Disable public access to the admin host.
2. Place the route behind VPN or identity-aware proxy.
3. Rotate exposed session secrets.
4. Re-run passive EASM after DNS changes.
5. Request SaintScan revalidation once scope is closed.

03 // TIER AVAILABILITY

Included where the workflow needs it.

Tier      | Included     | Asset limits
Community | Not included | Passive EASM only
Pulse     | Not included | CI/CD Shield, no active validation
Shield    | Not included | AgentGuard and WSCS, no SaintScan
Fortress  | Included     | 500 assets, scoped active validation
Sentinel  | Included     | Unlimited by engagement, managed validation program

04 // INTEGRATIONS

Ships findings into the systems that already own remediation.

MCP Gateway
Slack
Jira
Linear
ServiceNow
SIEM
Webhook
Security review package

READY FOR REVIEW

Run this module against authorized scope.

Start with a free scan or route an enterprise module review to sales.