Create your solution
Surface Monitoring
Test each and every asset across your attack surface
- Map your domains, IPs, ports, web apps, APIs and tech stack
- Test your attack surface for stateless vulnerabilities, such as CVEs and DNS-level vulnerabilities, including over 600 DNS takeover tests
- Get recommendations on which web application and APIs you should be scanning
Up to 25 subdomains starting from
Application Scanning
Run in-depth scanning of your web applications
- Run authenticated scanning
- Crawl your app and run our advanced proprietary fuzzing engine
- Extensive and continuously updated library of CVEs and non-CVE tests fuelled by our AI agent Alfred and our Crowdsource community
1 domain starting from
API Scanning
Run in-depth scanning of your APIs
- Go beyond static checks with a dynamic engine that randomizes payloads to find vulnerabilities others miss
- Test on a massive scale with quintillions of variations, designed to find real exploits, not flood your backlog
- Test your API attack surface with a unified view and broad, research-led vulnerability coverage
Limited offer: 20% off for early adopters
1 API starting from €90 / month
Detectify is enterprise ready
For organizations with large amounts of domains and subdomains, we offer a flexible, scalable, and customized offering. Contact our sales team to learn more.
Enterprise add-ons include:
SSO / SAML
Extended authentication control with SSO and SAML.
Custom pricing
Custom pricing based on your attack surface and needs.
Dedicated CSM
Dedicated Customer Success Manager ready to partner with you.
Smooth onboarding
Save time with domain verification and let us set things up for you.
Multi-team Setup
Multi-team setup is available for flexible organizing of assets, access levels, and results.
Bespoke integrations
Level up how you integrate Detectify using our versatile API and bespoke integrations.
Custom terms
Custom legal terms and security questionnaires.
Bring your own key (BYOK)
Increase control over your vulnerability data with our key management solution.
Testimonials
See what our customers think
Don't just take our word for it. We've helped several of the world's most popular digital product companies, organizations with many subsidiaries, and those with issues in third-party software and supply chains stay secure.
Marcin Hoppe
SENIOR ENGINEERING MANAGER
Auth0
“There are a lot of extremely noisy tools, and they generate a lot of findings, but to get to the true positives, you have to spend a lot of time analyzing the results. So we were very happy with the low rate of Detectify's false positives.”

Michelle Tolmay
DIRECTOR OF INFORMATION SECURITY
PHOTOBOX
“With Surface Monitoring, we found subdomains we didn’t know we had. Not only would we likely not have found these subdomains, but we also wouldn’t have known about them until someone did something really nasty on one of them and held us to ransom over it.”

Catalin Curelaru
SECURITY TRIAGE LEAD
Visma
“We used other tools before, but we chose Detectify because it helps us reduce false positives and gets much information from the availability perspective.”
Frequently asked questions
Here are some of the most frequently asked questions we receive and their answers, all gathered in one place.
Why combine all products?
When you combine all our products, you get the full benefits of our AppSec platform. Discover, classify, and scan all assets across your attack surface with DAST methods. You will secure your domains, apps, and APIs with automatic, continuous, real-world, payload-based testing.
Although Surface Monitoring, Application Scanning, and API Scanning can be used separately, we recommend using them together to ensure you don't miss anything on your attack surface.
The products complement each other: Surface Monitoring gives you a comprehensive view of your attack surface while also running lightweight testing across it, and Application Scanning and API Scanning give you deeper insights into your custom-built applications and APIs. We use insights from Surface Monitoring to improve Application Scanning and focus on providing ease of use and automation that isn’t offered by traditional DAST scanners, solving the problem of knowing what to test and why.
Why should I pick Detectify?
Detectify is built for AppSec teams to confidently scale dynamic testing to every asset on their attack surface.
Surface Monitoring is a unique concept that runs not only discovery but also vulnerability testing at scale, across your entire attack surface. It is also the base for informing you where to scan in-depth, by classifying assets on your attack surface. It recommends assets for further testing with Application Scanning and API Scanning. Both go deeper where it matters, using stateful testing and advanced fuzzing.
The platform presents changes to your attack surface and guides you on where to use resources more effectively.
We know AppSec cannot forget about DNS security. One example is DNS takeovers: we invented the concept and are the best at finding them.
All our tests are built in-house based on three sources:
- Using research from our internal team of security researchers, some being among the top ethical hackers in the world.
- Using crowdsourced research from our community of elite ethical hackers, Crowdsource.
- Alfred, our AI researcher, which autonomously discovers and builds tests for CVEs that are relevant to our customers.
These sources give us well-distributed coverage across relevant technologies. We do not build tests for any and all CVEs, because not all of them are relevant or can be accurately tested for.
All our tests are payload-based, as we understand how valuable a high signal-to-noise ratio is.
We do all this with high standards regarding ease of use, both in the tool and in collaboration with us.
How does Detectify help me prioritize and decide which of our web applications actually need in-depth testing?
Detectify uses a data-driven process to recommend which applications need in-depth scanning, moving beyond guesswork:
- Asset Discovery: Detectify first discovers your entire external attack surface using the Surface Monitoring product, identifying all subdomains and associated web assets.
- Asset Classification: Detectify then automatically classifies these discovered assets by analyzing their technical characteristics, mimicking an attacker's reconnaissance. It looks at attributes like the technologies used, the presence of login forms, and the configuration of security headers to determine if an asset is a simple static page or a complex, interactive web application.
- Scan Recommendations: Based on this classification, the platform provides intelligent Scan Recommendations, highlighting the complex applications that are most likely to be attractive targets for attackers and would benefit most from a deep DAST scan.
How do I get started?
Scheduling a short demo is the best way to get started if you have multiple domains, subdomains, and web applications you want to monitor. Our sales engineers will help you get the most out of your trial with a customized set-up based on your attack surface needs.
For covering a single or few assets, a 2-week free trial is the easiest way to get started. When you sign up for a trial, you'll have to add and verify ownership of the domain you would like to test to confirm that you're authorized to run security tests on it. Once your domain is verified, you're ready to start using Detectify. Simply 'toggle on' Surface Monitoring to begin continuous monitoring and run your first scan with Application Scanning.
Read more about getting started and domain verification.
What’s included in a 2-week free trial?
You’ll get access to both Surface Monitoring and Application Scanning during your 2-week free trial.
Surface Monitoring: During your free trial, you can add up to 2 apex domains and will get continuous monitoring of these for the whole trial period.
Application Scanning: During your free trial, you can add up to 5 domains or subdomains as separate scan profiles, with an unlimited number of scans per scan profile.
This ensures that you can explore both the breadth and depth of your attack surface and maximize product use during the trial.
What happens after my trial has ended?
You’ll still be able to log in to the tool and access old results, but you’ll no longer be able to monitor your assets or run new scans. If you delete your Team, this will remove any data. To continue using either or both products, you need to become a paying customer.
How quickly will I start seeing results with Detectify?
Detectify is designed to be easy to set up and start seeing results. The process is straightforward:
Start by connecting Detectify to your cloud or DNS providers (like AWS, Azure, or Cloudflare) for fully automated asset discovery. Alternatively, you can manually add your main domains.
Once the root assets are configured, enable Surface Monitoring with one click to begin the discovery of your attack surface. Straight away, Surface Monitoring initiates automatic classification of your assets and provides intelligent recommendations for critical applications and APIs to scan more in-depth.
Most business-critical assets need authenticated scanning. You can easily provide credentials or use a Chrome plugin to record a login sequence.
You will start seeing findings from Surface Monitoring, Application Scanning, and API Scanning within minutes.
For quick remediation and workflow integrations, make use of our no-code platform via Workato or our versatile API.
What are Scan Profiles and Assets?
A Scan Profile can be a domain, subdomain, or IP address you own, which can be configured and customized to suit your needs. It represents the application or part of the application you would like to run in-depth scans on.
Assets are domains that you want to monitor or scan. We recommend adding apex or root level domains to get maximum coverage of your attack surface when adding assets.
Does Detectify integrate with my existing workflow?
Yes! We believe security should be part of your everyday workflow, which is why we love integrations that allow us to push Detectify notifications to the channels you're using.
Don't see a service you utilize among our integrations? We work with our customers to continuously update the list of integrations. Reach out to us.
What forms of payment do you accept?
We accept credit cards (Visa, MasterCard, American Express, Diners Club) and annual invoices (the minimum order value for an invoice is $1650/€1500).
Can I purchase Detectify on AWS Marketplace?
Yes, our complete solution is available on AWS Marketplace through a private offer.
I still have questions; who can I reach out to?
You can contact us if you need further help, or check out our Knowledge Base for tips on getting started, configurations, settings, and more.