We scan internally managed web applications, including WordPress websites, Pepper applications and commercial applications like REDCap. Third-party hosted applications are excluded.

Scan duration varies depending on the application size and complexity. Most scans are scheduled and completed within a few days of the request.

• Basic scans: minutes to complete
• Comprehensive scans: hours

Reports are generally delivered within a few days of the request.

No, this service is only for internally managed applications. It is the responsibility of third-party application owners to request vulnerability assessment (VA) or penetration test (PT) results from other vendors as needed.

Yes. Our current license allows 50 scans per quarter. A scan request may consume multiple licenses depending on the number of hosts scanned. The number of scans a single stakeholder can request may be limited based on demand. Prioritization is based on application criticality.

No. This service identifies common vulnerabilities but does not replace comprehensive penetration testing or manual security reviews.