Supported Scanners

Engines empowering our platform

Gauntlet is not a scanner but an orchestrator of scanners. Through our platform it's possible to run different types of scanners, such as Application Scanners, Source Code Scanners and Network Scanners. We are more than an orchestrator, though: Gauntlet is a continuous application security platform.

Application Scanners

Application Security Scanners test running applications, independently of their programming language, for multiple vulnerabilities that could lead to remote command execution, data leaks, defacement and more. The main benefit of this dynamic testing is that it exercises the behavior of the running application and reveals whether that behavior leads to vulnerabilities.

N-Stalker is a commercial Web Application Security Scanner that automatically scans websites for security vulnerabilities such as SQL Injection, XSS and more, independently of the language they were built in. Learn more. This scanner requires a license that should be purchased apart.

Acunetix is a commercial Web Application Security Scanner that automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks & over 3000 other web vulnerabilities. Learn more. This scanner requires a license that should be purchased apart.

Netsparker is a commercial Web Application Security Scanner that can find and report web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) and security issues on all web applications and websites regardless of the platform and the technology they are built on. Learn more. This scanner requires a license that should be purchased apart.

Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. Learn more.

W3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. More than 200 vulnerabilities are supported including SQL Injection, Cross-Site Scripting, CORS misconfiguration, Cross-Site Request Forgery (CSRF) and many more. Learn more.

ZAP: The OWASP Zed Attack Proxy (ZAP) is an award-winning security scanner and one of the world's most popular open source security tools, actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing. Learn more.

Wapiti is an open source security scanner that can detect multiple vulnerabilities, such as file disclosure, database injection, XSS (Cross-Site Scripting) injection, command execution, CRLF injection, XXE (XML eXternal Entity) injection, use of known potentially dangerous files, weak .htaccess configurations that can be bypassed, and the presence of backup files giving away sensitive information (source code disclosure). Learn more.

Knock is an information gathering tool to enumerate subdomains on a target domain through a wordlist. It's very useful to have all subdomains available in order to launch security tests against them to find vulnerabilities in either the application or the server. Learn more.

Source Code Scanners

Source Code Security Scanners look for security vulnerabilities throughout the source code. This is the so-called white-box approach. It's great for identifying vulnerabilities that can't easily be found during dynamic testing with an Application Scanner. On the other hand, it's not possible to test the application's runtime behavior or the underlying infrastructure.

RIPS is a static code analysis tool to automatically detect vulnerabilities in PHP applications. By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Learn more. It has an open source and a commercial version. Both are supported by Gauntlet, but the commercial license must be purchased apart. Just get in touch with us if you want the commercial version.

Checkmarx is a commercial static code analysis tool to automatically detect vulnerabilities in applications written in 20 languages and counting (Java, C#, PHP, Python, Groovy, Ruby, Android, iOS, HTML5, Windows Mobile, C++, JavaScript, ASP.NET, VB.NET, Visual Basic, PL/SQL, Perl, Apex, Scala and Swift). It also covers the latest development technologies and doesn't require configuration to scan any language. Learn more. This scanner requires a license that should be purchased apart.

Network Device Scanners

A secure application with an exposed database is a completely epic fail when it comes to security. That's why testing the underlying infrastructure is important: infrastructure is the foundation those applications run on. Network Device Scanners test any asset that has an IP address, such as servers or Internet of Things (IoT) devices.

Nmap ("Network Mapper") is the most popular free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Learn more.

OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied with a regularly updated feed of Network Vulnerability Tests (NVTs), over 47,000 in total (as of June 2016). It's great to find vulnerabilities with a CVE attached in well known products such as Web Servers, SSH, FTP, Mail Servers, etc. Learn more.

Nessus is the world's most widely deployed vulnerability scanner. It looks for vulnerabilities that would allow a remote attacker to take control of a system or access sensitive data on it, as well as misconfigurations, default passwords, etc. Learn more. This scanner requires a license that should be purchased apart.

Nexpose is a commercial vulnerability scanner from Rapid7 that looks for several vulnerabilities. It's also one of the leaders when it comes to security scanners. Learn more. This scanner requires a license that should be purchased apart.

Custom Scanners

Didn't find your scanner? No problem, we can integrate with any scanner that is open to integration. By "open to integration" we mean that it has either a Command Line Interface (CLI) or a Web API (REST, SOAP). You can easily Bring Your Own Scanner, or ask us to integrate an open source or commercial scanner for you for free. Just get in touch.

So which will it be?

Bring My Own Scanner    or    Get In Touch