Every finding mapped to the article that matters — GDPR, NIS2, KVKK, ISO 27001 Annex A — not just a CVSS score. Continuous external scanning with AI-drafted executive reports DPOs and CISOs can hand to a regulator.
Your CISO sees a "high severity HTTP-only cookie." Your DPO needs to know which article of GDPR that violates, the maximum fine, and how to defend it under audit. That translation layer is missing from every off-the-shelf scanner.
External web surface, autonomous verification, mobile applications, and continuous drift detection — all sharing the same compliance mapping engine and report format.
15+ modules covering DNS, email auth, TLS, web headers, exposed services, CVE intel, brand impersonation, and breach databases.
Upload an Android APK and get manifest, certificate, permissions, and content scan — mapped to the regulator's view of personal data risk.
Daily or weekly re-scan with diff reports. You hear about a new exposed admin panel or expiring certificate the day it appears — not at next audit.
The moment a scan starts, Aegis Brain roams your site like a hunter, dives into the riskiest endpoints, and proves every signal live — real vulnerability or false positive — then drills deeper. You get evidence, not noise.
Every finding carries the article reference, the supervisory authority's enforcement record, and a defensible remediation. Translate once, defend everywhere.
| Regulation | Article coverage | Enforcement context |
|---|---|---|
| GDPR EU 2016/679 |
Art. 5 Art. 25 Art. 30
Art. 32 Art. 33 — security of processing,
data protection by design, records, breach notification.
|
EDPB guidelines, national DPA precedents (CNIL, AEPD, Garante). |
| NIS2 EU 2022/2555 |
Art. 21(2)(a–j) — risk analysis, incident handling, supply
chain, vulnerability disclosure, cryptography, MFA. Art. 23
incident reporting timelines.
|
Member state transpositions, ENISA technical guidance. |
| KVKK Türkiye 6698 |
m.5 m.6 m.10
m.12 — data processing principles, special category data,
disclosure obligation, data security.
|
KVKK Kurulu precedent rulings, sector-specific guidance. |
| ISO 27001:2022 Annex A controls |
A.5 A.6 A.8 — organizational,
people, technological controls. Auto-mapping for cryptography, access
control, logging, supplier relationships.
|
Statement of Applicability ready, audit-trail aligned. |
Roadmap: SOC 2 Trust Services Criteria (Q3 2026) · UK DPA 2018 mapping (Q3 2026) · India DPDPA (Q4 2026).
No installation, no agent, no firewall rules. We never send a single packet to your infrastructure that an OSINT researcher couldn't.
Enter your apex domain. We discover subdomains automatically from certificate transparency and public DNS.
15 modules run in parallel — fully passive, only public sources. No login, no consent forms, no risk to your systems.
Findings translated into article-mapped, defensible-language English (or Turkish), with maximum fine context and remediation steps.
PDF executive summary + technical detail in your inbox. Optional: enable continuous monitoring with custom cadence.
No quotes, no procurement loops. Prices in USD for international customers; EUR + TRY supported at checkout.
For lean teams who need quick compliance visibility on one product.
For DPOs and CISOs managing multiple products, brands, or subsidiaries.
White-label for consultancies, on-premise option, dedicated CSM.
No. Vulnerability scanners (Tenable, Qualys, Nessus) answer "what's wrong technically?" — Aegis answers "what's wrong in the language of the people who'll fine us?" The wedge is the regulatory translation layer.
We're complementary to a SAST/DAST tool, not a replacement. We sit between your security team and your compliance/legal team.
Those tools help you prepare for a SOC 2 / ISO certification — they collect evidence from your SaaS stack. Aegis monitors what an attacker or regulator sees from outside your perimeter.
You'd run both: a compliance evidence tool inside, Aegis outside. They never overlap.
Yes — Enterprise plan includes a Docker Compose self-host package. Brings your own Anthropic API key, runs on your infrastructure. Required for some highly regulated banking / healthcare deployments.
For free scans: your email + domain + scan results, 90 days retention.
For paid plans: scan results, timestamped findings, generated PDFs. You can request deletion at any time (GDPR Art. 17 / KVKK m.11). We never scrape, profile, or sell.
Mobile APK files are deleted immediately after analysis — only hash + findings retained.
Aegis is built and operated from Istanbul, Türkiye. Data processed in Hetzner Falkenstein (EU). EU customers stay in EU jurisdiction. SCCs available for non-EU transfers.
Founded by a former Papara cybersecurity team member who saw Turkish SMBs and scale-ups go unprotected because global tools didn't speak their language. Now expanding the same value proposition globally.
Yes. White-label program available for consultancies, compliance firms, MSPs. 30% revenue share, your branded PDF, your customer relationship. Email us.
No catch. You get one full passive scan + PDF report. We send you the report and follow up once with a non-pushy email about paid plans. If you don't reply, we don't email again. Unsubscribe link in every email.
The free scan exists because most prospects need to see the depth of the report to understand what they're buying. It's our entire marketing strategy.
About 3 minutes to start. PDF report in your inbox. No credit card, no sales call required.