For compliance & security teams
Teams using AppCheck, Qualys, or Tenable for monthly SOC2 and ISO 27001 evidence pay thousands per year for reports that still need a pentester to interpret. Decloak maps findings to compliance controls, tracks remediation, and adds Enterprise-tier active security testing (DAST) - at a fraction of the cost.
Security Score
Good - board-ready
client-portal.com
just now
CORS misconfiguration - reflects arbitrary origin
ISO 27001 A.8.20 · SOC2 CC6.6
Content-Security-Policy header missing
ISO 27001 A.8.20 · SOC2 CC6.6
2 findings marked "In Progress" since last scan
Remediation tracking · assigned to dev team
AI Summary
Overall posture is strong with two open items. Both are mapped to ISO 27001 Annex A controls and already assigned for remediation - export the evidence package when ready.
Features for compliance & security teams
Scanning
Web server software disclosed in response headers (Apache, nginx, IIS, PHP, and more) is matched against the National Vulnerability Database, with the exact version and CVE ID shown for anything found.
Scanning
Detects the CMS or e-commerce platform a site runs on - WordPress, Joomla, Drupal, Magento, Shopify, Wix, Squarespace, Webflow, and more - and checks any self-hosted, version-disclosed platform against the National Vulnerability Database.
Active Testing
Enterprise scans go beyond passive observation with safe, non-destructive active probes - forced browsing, reflected-input canaries, CORS and HTTP-method checks, postMessage handler auditing, and more.
Active Testing
Active-testing checks are scored separately from your overall report - a dedicated grade for what was actively probed, alongside your regular security score.
Active Testing
Capture a logged-in session via our browser extension and the agent crawls behind your login - the only mechanism that works for passkey/WebAuthn auth, since there is no credential to script or store.
Active Testing
A standalone, boardroom-ready PDF scoped to Active Testing results only - severity donut, a full "what we tested" checklist, and remediation excerpts.
Reports
Timestamped, formatted PDF with your scan details, findings, and an attestation block. Accepted by auditors for SOC2 and ISO 27001 evidence.
Reports
Side-by-side diff between any two scans of the same site. See exactly what findings are new, what has been resolved, and what has changed severity.
Reports
Export a date-range ZIP of all scan history - formatted for auditor handoff. Includes all PDFs, finding logs, and scan attestation metadata.
Compliance
Every finding is automatically tagged to the relevant ISO 27001 Annex A controls. Filter your report to show only findings relevant to a specific control.
Compliance
Findings tagged to SOC2 Trust Services Criteria (Security, Availability, Confidentiality). Makes it straightforward to respond to auditor questions by control.
Compliance
Mark each finding as Open, In Progress, Resolved, or Accepted Risk. Auditors need to see that findings are being acted on - this closes that loop.
Compliance
Every scan is stamped with who triggered it, when, from where, and with which configuration. Full chain of custody for compliance evidence.
Compliance
A per-domain log of every scan, deletion, and finding change - who did it and when. Recorded from day one, so it’s already there the moment you upgrade to Pro.
Pricing
Both at a fraction of what AppCheck, Qualys, or Tenable charge for the same evidence.