Security is not a feature — it's our foundation

Every component of PenScan is designed with security-first principles. Here's exactly how we protect your data and your customers.

Enterprise-grade security, by design

We hold our own platform to the same standards we help you achieve for yours.

Ownership-only scanning
PenScan never scans a target until DNS ownership is cryptographically verified. No third-party domains can be scanned without consent.
Data isolation per organization
Multi-tenant architecture ensures complete data isolation. Each organization's targets, scans, and reports are inaccessible to other tenants.
Role-based access control
Granular RBAC with Owner, Analyst, and Viewer roles ensures team members can only access the functionality their role requires.
Immutable audit logs
Every scan, target verification, and configuration change is logged with full attribution. Audit logs support compliance requirements and incident investigation.
Encrypted in transit & at rest
All data is encrypted in transit via TLS 1.3 and at rest. Scan results, credentials, and API tokens are never stored in plaintext.
Legal disclaimer enforcement
Users must acknowledge a legal disclaimer before initiating scans. PenScan's Terms of Service prohibit unauthorized testing, backed by verification enforcement.

You can only scan what you own

PenScan's Target Guard is an enforcement layer that prevents scanning of any domain without proven ownership. There are no exceptions — not even for administrators.

DNS TXT record verification
PenScan generates a unique cryptographic token per target. You add it as a DNS TXT record on your domain. We verify it before any scan can begin.
Per-target unique tokens
Each target receives its own unique verification token. A token for one domain cannot be reused to verify another — ever.
Legal acknowledgement required
Before any scan, users must explicitly acknowledge the legal disclaimer confirming authorization to test the target. This is enforced in the UI, not just the Terms of Service.
Verification flow
1. Add your target domain
   PenScan generates a unique TXT record token immediately.
2. Add the TXT record in your DNS
   Takes 1–5 minutes with most DNS providers.
3. PenScan verifies ownership
   DNS lookup confirms the token matches your domain.
4. Scanning unlocked
   Full scan capabilities available. Asset discovery already complete.
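As an added illustration, not PenScan's own code, of the per-target token binding the flow above describes: the token is derived from the organization and the normalized domain, so a record copied to another domain or another tenant never verifies, and a failed lookup fails closed. The `_penscan-challenge` label, the `penscan-verify=` prefix and the resolver interface are assumptions; the resolver is replaced by constructed zone data so the example runs offline.

```python
import hmac
import hashlib
import secrets
from typing import Callable, Iterable

# Constructed illustration of DNS TXT ownership verification; not PenScan's code.
# The secret would live in a KMS/HSM in a real deployment; here it is generated per run.
SERVER_SECRET = secrets.token_bytes(32)
CHALLENGE_LABEL = "_penscan-challenge"   # hypothetical subdomain carrying the TXT record
TOKEN_PREFIX = "penscan-verify="         # hypothetical record format

Resolver = Callable[[str], Iterable[str]]  # hostname -> TXT record strings


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so example.com. and EXAMPLE.COM match."""
    return domain.strip().lower().rstrip(".")


def issue_token(org_id: str, domain: str) -> str:
    """Derive a token bound to (organization, domain); planting it elsewhere cannot verify."""
    msg = f"{org_id}\x00{normalize(domain)}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return TOKEN_PREFIX + mac


def verify_ownership(org_id: str, domain: str, resolve: Resolver) -> bool:
    """Return True only if the challenge hostname carries a TXT record with the exact token."""
    expected = issue_token(org_id, domain).encode()
    try:
        records = list(resolve(f"{CHALLENGE_LABEL}.{normalize(domain)}"))
    except Exception:
        return False  # NXDOMAIN / timeout: fail closed, scanning stays locked
    # Constant-time compare against every record; unrelated TXT data is simply ignored.
    return any(hmac.compare_digest(r.strip().strip('"').encode(), expected) for r in records)


def make_fake_resolver(zone: dict) -> Resolver:
    """Offline stand-in for a DNS lookup over constructed zone data; no network involved."""
    def resolve(name: str) -> Iterable[str]:
        if name not in zone:
            raise LookupError(f"NXDOMAIN {name}")
        return zone[name]
    return resolve
```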

Show your customers you're secure

After scanning, generate a verifiable security certificate and an embeddable widget to display on your website. Build customer confidence visibly.

Verifiable certificates

Each certificate is cryptographically tied to a completed scan. Anyone can verify it's genuine by checking the certificate ID.

Embeddable widgets

Add a security badge to your website with a single line of HTML. The widget always reflects your most recent scan status.

Customer-facing proof

Win enterprise deals by showing prospects a current, verifiable security posture — not a year-old PDF from an external auditor.

Your next scan is minutes away

Add a target, verify ownership with a DNS record, and run your first full security scan. No setup, no infrastructure, no waiting.

No credit card required  ·  Credits never expire  ·  Cancel any time