Built for regulated industries

Compliance-grade
attack surface monitoring.

Every finding mapped to the article that matters — GDPR, NIS2, KVKK, ISO 27001 Annex A — not just a CVSS score. Continuous external scanning with AI-drafted executive reports DPOs and CISOs can hand to a regulator.

Run a free scan Download sample report
No installation No agent Passive scanning PDF in ~3 minutes
The problem

Generic scanners speak CVSS. Regulators speak articles.

Your CISO sees a "high severity HTTP-only cookie." Your DPO needs to know which article of GDPR that violates, the maximum fine, and how to defend it under audit. That translation layer is missing from every off-the-shelf scanner.

What incumbent tools give you

  • "Missing CSP header — severity high" with no business context
  • Jargon-heavy CVSS output that legal and compliance teams must re-interpret
  • No regulatory mapping — you bridge to GDPR / NIS2 / local law manually
  • One-off scans, not living posture — by the time you fix it, it's stale
  • Generic remediation — copy-paste from OWASP, not your stack
Aegis finding · sample
Cookie set without Secure flag on public-data API
→ GDPR Art. 32 · NIS2 Art. 21(2)(d) · ISO 27001 A.8.24
DMARC policy is p=none on customer-facing domain
→ GDPR Art. 32 · NIS2 Art. 21(2)(c) · ISO 27001 A.5.14
Subdomain CNAME points to deprovisioned cloud bucket
→ GDPR Art. 32, Art. 5(1)(f) · NIS2 Art. 21(2)(e)
Capabilities

Every layer. One platform.

External web surface, autonomous verification, mobile applications, and continuous drift detection — all sharing the same compliance mapping engine and report format.

01 · External

Web attack surface

15+ modules covering DNS, email auth, TLS, web headers, exposed services, CVE intel, brand impersonation, and breach databases.

  • Subdomain enumeration via CT logs + DNS
  • SPF / DKIM / DMARC strength scoring
  • Shodan, Censys, GreyNoise enrichment
  • CISA KEV + EPSS scoring for CVEs
  • HIBP breach-intel correlation
02 · Mobile

APK static analysis

Upload an Android APK and get manifest, certificate, permissions, and content scan — mapped to the regulator's view of personal data risk.

  • 22+ runtime permission catalog → article mapping
  • Manifest flags: debuggable, allowBackup, cleartext
  • Signing cert + debug.keystore detection
  • Hardcoded secret scan (AWS, Google, Stripe, Slack, GitHub)
  • Live backend/API test + AI remediation guide (OWASP MASVS/MASTG)
  • iOS IPA static analysis (Info.plist, ATS, URL schemes)
03 · Continuous

Drift monitoring

Daily or weekly re-scan with diff reports. You hear about a new exposed admin panel or expiring certificate the day it appears — not at next audit.

  • Configurable cadence (hourly to monthly)
  • Slack, Teams, email, WhatsApp notifications
  • Auto-generated weekly executive digest
  • Trend dashboard for DPO / CISO reviews
  • Audit-grade event log (every action timestamped)
04 · Autonomous

Aegis Brain

The moment a scan starts, Aegis Brain roams your site like a hunter, dives into the riskiest endpoints, and proves every signal live — real vulnerability or false positive — then drills deeper. You get evidence, not noise.

  • Attack-surface-first adaptive roaming (login, API, parameterized endpoints)
  • Live verification — eliminates false positives, proves the real ones
  • Deep drill-down across 6 classes: IDOR, SQLi, XSS, SSRF, traversal, redirect
  • First-person "hunt report": what it found, how it proved it, business impact
  • Exploit-chain mapping + coverage self-critique
Compliance coverage

One scan. Four regulatory views.

Every finding carries the article reference, the supervisory authority's enforcement record, and a defensible remediation. Translate once, defend everywhere.

Regulation Article coverage Enforcement context
GDPR EU 2016/679 Art. 5 Art. 25 Art. 30 Art. 32 Art. 33 — security of processing, data protection by design, records, breach notification. EDPB guidelines, national DPA precedents (CNIL, AEPD, Garante).
NIS2 EU 2022/2555 Art. 21(2)(a–j) — risk analysis, incident handling, supply chain, vulnerability disclosure, cryptography, MFA. Art. 23 incident reporting timelines. Member state transpositions, ENISA technical guidance.
KVKK Türkiye 6698 m.5 m.6 m.10 m.12 — data processing principles, special category data, disclosure obligation, data security. KVKK Kurulu precedent rulings, sector-specific guidance.
ISO 27001:2022 Annex A controls A.5 A.6 A.8 — organizational, people, technological controls. Auto-mapping for cryptography, access control, logging, supplier relationships. Statement of Applicability ready, audit-trail aligned.

Roadmap: SOC 2 Trust Services Criteria (Q3 2026) · UK DPA 2018 mapping (Q3 2026) · India DPDPA (Q4 2026).

How it works

From signup to first report in ~3 minutes.

No installation, no agent, no firewall rules. We never send a single packet to your infrastructure that an OSINT researcher couldn't.

Add your domain

Enter your apex domain. We discover subdomains automatically from certificate transparency and public DNS.

30 seconds

Passive enumeration

15 modules run in parallel — fully passive, only public sources. No login, no consent forms, no risk to your systems.

~2 minutes

AI compliance mapping

Findings translated into article-mapped, defensible-language English (or Turkish), with maximum fine context and remediation steps.

~60 seconds

Receive your report

PDF executive summary + technical detail in your inbox. Optional: enable continuous monitoring with custom cadence.

Instant delivery
Pricing

Transparent. Annual or month-to-month.

No quotes, no procurement loops. Prices in USD for international customers; EUR + TRY supported at checkout.

Starter

Single domain

For lean teams who need quick compliance visibility on one product.

$49/month
or $490 annual · save 16%
  • 1 apex domain + all subdomains
  • Weekly scan cadence
  • Email reports (PDF)
  • GDPR + ISO 27001 mapping
  • Mobile APK scan (3 per month)
Start with free scan
Enterprise

Custom

White-label for consultancies, on-premise option, dedicated CSM.

Let's talk
From $999/month
  • Unlimited domains
  • White-label PDF reports
  • Single sign-on (SAML)
  • Custom regulatory frameworks
  • API + webhook access
  • Dedicated customer success
  • SLA-backed support
Book a call
FAQ

Questions we hear before signing.

Is this another vulnerability scanner?

No. Vulnerability scanners (Tenable, Qualys, Nessus) answer "what's wrong technically?" — Aegis answers "what's wrong in the language of the people who'll fine us?" The wedge is the regulatory translation layer.

We're complementary to a SAST/DAST tool, not a replacement. We sit between your security team and your compliance/legal team.

What makes you different from Vanta, Drata, Secureframe?

Those tools help you prepare for a SOC 2 / ISO certification — they collect evidence from your SaaS stack. Aegis monitors what an attacker or regulator sees from outside your perimeter.

You'd run both: a compliance evidence tool inside, Aegis outside. They never overlap.

Can we self-host?

Yes — Enterprise plan includes a Docker Compose self-host package. Brings your own Anthropic API key, runs on your infrastructure. Required for some highly regulated banking / healthcare deployments.

What data do you store?

For free scans: your email + domain + scan results, 90 days retention.

For paid plans: scan results, timestamped findings, generated PDFs. You can request deletion at any time (GDPR Art. 17 / KVKK m.11). We never scrape, profile, or sell.

Mobile APK files are deleted immediately after analysis — only hash + findings retained.

Where are you based?

Aegis is built and operated from Istanbul, Türkiye. Data processed in Hetzner Falkenstein (EU). EU customers stay in EU jurisdiction. SCCs available for non-EU transfers.

Founded by a former Papara cybersecurity team member who saw Turkish SMBs and scale-ups go unprotected because global tools didn't speak their language. Now expanding the same value proposition globally.

Do you have a referral / partner program?

Yes. White-label program available for consultancies, compliance firms, MSPs. 30% revenue share, your branded PDF, your customer relationship. Email us.

Free scan — what's the catch?

No catch. You get one full passive scan + PDF report. We send you the report and follow up once with a non-pushy email about paid plans. If you don't reply, we don't email again. Unsubscribe link in every email.

The free scan exists because most prospects need to see the depth of the report to understand what they're buying. It's our entire marketing strategy.

Your first scan is free
and tells you more than a year of generic alerts.

About 3 minutes to start. PDF report in your inbox. No credit card, no sales call required.

Run free scan Book 15-min call