How does the scan work?
We perform our Web Application Scan (WAS) with QualysGuard. Our scans are prepared manually and after the scan we perform a manual check before sending the report. This is not a pentest. A pentest is partly performed manually and is many times more extensive.
Our scanner searches for known vulnerabilities (including the OWASP Top 10) by trying out different pieces of code on forms and pages. This code can trigger actions that hackers can abuse to steal or manipulate data. Our scanner does not execute any malicious actions, but will report these as vulnerabilities. We will only test the software of the web application on the submitted domain, including subdomains.
Our security scan can cause more network traffic than normal, but this is usually only noticeable on a shared server. The scan can run up to 25 hours, and the increased traffic is mostly noticeable at the beginning of the scan, when our scanner is indexing the pages.
If you would like to monitor the scan, you can request a specific date and start time from us. We can start a scan 24/7. If there are any performance problems, please contact us directly so that we can stop the scan. You can also block our IP address in that case, but please inform us if you choose to do this.