Your automated recon and vulnerability platform
Hassle-free. No limits. Create your own vulnerability scanner workflow.
Spend less time. Find more security vulnerabilities.
For Builders and Breakers
Security solutions tailored to you.
- Map out and Protect all your web assets.
24/7. - Track changes, scan assets for security vulnerabilities, and get notified. A seamless and simple automated workflow that simplifies everything for you.
- Spend less time and find more security vulnerabilities.
- Your own platform that automates most of your work for you. From reconnaissance to actual vulnerability scanning. Allowing you to broader your attack surface, and help you find even more security vulnerabilities.
Never be scared of web security ever again
Automated Web & API Vulnerability Scanning
- CI/CD Integration
- Spot security risks early on in your development cycle with our integrated API and transform your DevOps team into DevSecOps.
- Ease of use
- We simplified the whole process. From gathering intel, to detecting and resolving vulnerabilities. Even the scanner is cloud-based so you don't have to spend time setting it up.
- Instant Notifications
- Receive instant notifications on found vulnerabilities via Webhook, Email, Slack or Discord.
- Privacy
- Your data is yours and will stay yours. We do not collect any of your scanning data for our own use.
Join our waitlist to be the first to get notified.
Become an automation king
Without having to manage your own platform.
- API
- Initiate scans, schedule them or even query scan data using the built-in API. Take 0-day and 1-day hunting to a whole new level.
- Instant Notifications
- Receive instant notifications on found vulnerabilities via Slack, Discord, Email or Telegram.
- Daily fresh intel
- Daily fresh intel to keep up with the latest changes. Available on your dashboard whenever you want.
- Privacy
- Your data is yours and will stay yours. We do not collect any of your scanning data for our own use.
Solutions
Access to highly-reliable tools.
XSScannerCross-Site Scripting Scanner
Highly reliable cross-site scripting tool that can find basic to advanced reflected XSS vulnerabilities, for now. You only get notified once a valid issue has been found.
Spider XContent Discovery
All-in-one cloud-based solution to gather data around a target. We implemented a lot of methods so the "hidden content" reveals itself.
Redirect XOpen Redirect Scanner
Advanced open redirect scanner that is capable of scanning server-side & DOM-based open redirect vulnerabilities. Your customers can fall for phishing attacks, it's time to take action.
CNAME XSubdomain Takeovers
Scan & identify subdomain takeover vulnerabilities on your domains before they get used by bad actors to target your customers.
BirdWatchWeb Asset Monitor
Powerful yet a simple cloud-based solution to gather as many intel of your target & monitor for daily or hourly changes.
CWE-79
XSScanner
XSScanner imitates a real-world penetration tester. From identifying a potential injection point to providing a detailed, well-written report.
Whether you're a defender or attacker, you want this tool as your co-pilot.
- Simulate a pentester
- Simulate a penetration tester's behaviour by performing a series of tests to identify and exploit a cross-site scripting vulnerability.
- Latest WAF bypasses
- A payload set that includes XSS payloads ranging from basic to advanced to the recently discovered web application firewall bypasses.
- Instant Notifications
- Receive notifications immediately once XSScanner discovers a cross-site scripting vulnerability. Even when your vulnerability scan is still running.


CWE-601
Redirect X
Like the XSScanner, Redirect X simulates an actual penetration tester's testing procedure. And it shows.
Redirect X is capable of finding context-based, multi-step, Server-side, POST-based and DOM-based redirects. With low to zero false positive results (as all our tools are).
- Simulate a pentester
- Simulate a penetration tester's testing procedure by performing a series of tests to identify and exploit a cross-site scripting vulnerability.
- Advanced payload set
- Evade strict, context-based filters with our personalised wordlist generated for each new scan.
- Instant Notifications
- Receive notifications immediately once Redirect X discovers an open redirect vulnerability. Even when your vulnerability scan is still running.
Reconnaissance
ASM Platform

Fully Automated
A seamless automated experience that requires little to no input from you. But does uncover security anomalies.
Technology Fingerprinting
Map out and filter hosts based on technologies. Making monitoring for new CVEs as easy as it can get.
Daily Notifications
Track changes and receive daily updates to stay on top of everything. From new hosts to response changes.
CLI
API Access
Our extensive async API is capable of performing, retrieving and deleting scans.
curl -s https://api.novasec.io/api/hosts -H 'X-API-Key: $API_KEY' | jq -r '.data[]'
novasec.io
app.novasec.io
docs.novasec.io
...
FAQ
Got questions? We're here to help.
What is vulnerability scanning?
Vulnerability scanning is a process where an automated program is looking for vulnerabilities and security misconfigurations in your web application or network.
Usually, vulnerability scanners execute a predefined workflow to identify any exploitable vulnerability type.
Once a vulnerability scanner has found and verified a valid security flaw, it creates an alert and reports the finding accordingly.
How long does a full website security scan take with Nova Security?
This truly depends on how big and complex your web application or API is and your scan configuration.
How often should I run a scan?
You can scan your web application as many times as you want.
However, we do recommend you at least scan your web application each time you push new code.
How does the scanner compare to other scanners on the market?
Throughout our years of experience as web app penetration testers and bug bounty hunters
We sometimes used third-party vulnerability scanners to automate some of our workflows, and it didn't work out well for us.
We had times when we found vulnerabilities while some vulnerability scanners just couldn't, even after pointing out where to scan.
This never allowed us to put our trust in vulnerability scanners. And we found that this should change.
Today, Nova Security is capable of finding vulnerabilities in various contexts, vulnerabilities that otherwise would've been left undetected by other scanners.
That is one key element that sets us apart from our competitors. It's our unfair advantage.
Will the scanner integrate with my current workflow and tools?
Nova Security provides an API in place for you to use in your development cycle.
This will allow your team to fully automate the vulnerability scanning process.
Is Nova Security capable of scanning authenticated parts of my website?
Yes, we even encourage you to do so to uncover any hidden security flaws that may have had devastating effects if they're left untouched.
Will the scanner cause any disruption to my website or web application?
No. We give you the option to set a rate limit to not put excessive load on your server.
How much will a subscription cost?
As we are still in the early private beta phase, it is not yet possible for us to provide an accurate price for our services.
If you've signed up for our waitlist, you should receive more details and get notified once we launch.
What happens with my scan data?
If you have signed up as a security researcher or bug bounty hunter, by default, when you enable monitoring for a project. We save the data to track changes and to notify you accordingly.
This is necessary as else, we won't be able to know what new assets have been added.
However, you always get the option to permanently delete any project data from our database.
If you registered as a business, we provide you with a pre-set timeframe to export your scan results.
After the timeframe has elapsed, we permanently delete any data on our databases to keep your online business safe.
In general, we do not collect any data as we run our own scans to provide you with our services.
If this happens to change in the future, we will anonymise any data and will always include the option to allow you to opt out at any time.