Getting Started
What is ScanTower?
ScanTower is an automated website security monitoring platform that continuously scans your websites for vulnerabilities, security misconfigurations, malware, and threats. Get instant alerts when issues are detected, with detailed reports and remediation guidance.
Quick Start
Run Your First Scan
Visit the homepage and enter your website URL. No account needed for instant scans!
Create an Account
Sign up for free to save scan results, set up monitoring, and receive alerts.
Add Your Sites
Go to your Dashboard → Sites → Add Site to start monitoring your websites.
Configure Monitoring
Set up automated scans (hourly/daily/weekly) and configure notification channels (email, Slack, Discord, Teams, and custom webhooks).
Security Scanning Features
ScanTower performs comprehensive security checks on every scan. Here's what we analyze:
Vulnerability Detection
Automatically identifies your CMS, plugins, themes, and frameworks, then checks them against vulnerability databases to find known security issues.
- ✓ WordPress, Joomla, Drupal versions and vulnerabilities
- ✓ Outdated plugins and themes with known CVEs
- ✓ JavaScript libraries with security issues (jQuery, React, etc.)
- ✓ Web frameworks and server software vulnerabilities
- ✓ Severity ratings (Critical, High, Medium, Low)
SSL/TLS Certificate Monitoring
Monitors your SSL certificates to ensure your site remains secure and trusted by browsers.
- ✓ Certificate expiration dates (with advance warnings)
- ✓ Certificate chain validity
- ✓ TLS version support (TLS 1.2, 1.3)
- ✓ Security grade (A+ to F rating)
- ✓ HTTPS enforcement and redirects
- ✓ Mixed content warnings
Certificate Transparency Monitoring
Discovers subdomains and monitors certificate issuance through public CT logs.
- ✓ All subdomains with issued certificates
- ✓ Forgotten or shadow IT domains
- ✓ Unauthorized certificate issuance attempts
- ✓ Historical certificate records
- ✓ Wildcard certificate usage
Security Headers Analysis
Analyzes HTTP security headers to ensure your site is protected against common web attacks.
- ✓ Content-Security-Policy (CSP)
- ✓ Strict-Transport-Security (HSTS)
- ✓ X-Frame-Options (clickjacking protection)
- ✓ X-Content-Type-Options
- ✓ X-XSS-Protection
- ✓ Referrer-Policy and Permissions-Policy
Malware & Malicious Script Detection
Scans your website's frontend for card skimmers, keyloggers, and suspicious third-party scripts.
- ✓ Credit card skimmer patterns (Magecart)
- ✓ Keylogger and form hijacking scripts
- ✓ Suspicious third-party domains
- ✓ External script reputation checks
- ✓ Visual screenshot evidence
- ✓ Cryptomining scripts
Configuration Change Detection
Monitors critical configuration changes that could indicate security issues or misconfigurations.
- ✓ DNS record changes (A, MX, TXT records)
- ✓ Security header modifications
- ✓ SSL/TLS configuration changes
- ✓ Server software version changes
- ✓ Exposed configuration files
Automated Monitoring
Set up continuous security monitoring to automatically scan your sites on a schedule and get notified when issues are found.
Scan Schedules
Hourly: Maximum protection for critical production sites. Detects issues within an hour of occurrence.
Daily: Recommended for production sites, e-commerce stores, and high-traffic websites. Detects issues within 24 hours.
Weekly: Suitable for low-traffic sites, staging environments, or portfolios. Good balance between coverage and usage.
On-demand: Run scans on-demand after deployments, updates, or when investigating specific issues.
Setting Up Monitoring
- Navigate to Dashboard → Sites
- Click on a site or add a new site
- Go to the Settings tab
- Enable Monitoring and select your schedule (daily/weekly)
- Configure notification preferences
- Save your settings
Enable monitoring immediately after adding a site to establish a security baseline. This helps you track changes over time and catch new vulnerabilities as they're discovered.
Notifications & Alerts
Get instant notifications when vulnerabilities or security issues are detected. ScanTower supports multiple notification channels:
Email Notifications
Receive detailed email alerts with vulnerability summaries and remediation guidance.
Slack Integration
Post scan results and alerts directly to your Slack channels.
Discord Integration
Send scan alerts to Discord channels for team coordination.
Configure which severity levels trigger notifications. You can choose to only be alerted for Critical/High issues, or receive all notifications including informational items.
Webhooks & Custom Integrations
ScanTower supports advanced webhook integrations for sending real-time security alerts to your custom endpoints. Perfect for integrating with your existing monitoring infrastructure or building custom automation workflows.
Configure up to 2 webhooks per integration type (Slack, Discord, Teams, or custom webhooks). Each webhook can be configured globally for all sites or per-site for specific monitoring needs.
Supported Webhook Types
Slack Webhooks
Send beautifully formatted security alerts directly to your Slack channels with rich message formatting, severity indicators, and direct links to your dashboard.
Discord Webhooks
Post security alerts to Discord channels with color-coded embeds based on severity, perfect for DevOps teams using Discord for collaboration.
Microsoft Teams Webhooks
Integrate with Microsoft Teams using Adaptive Cards for professional security notifications in your enterprise communication platform.
Generic Webhooks
Send security alerts to any HTTPS endpoint with a flexible JSON payload. Perfect for custom integrations, SIEM systems, ticketing platforms, or automation workflows.
Example Payload
{
  "event": "security_detection",
  "timestamp": "2025-12-04T18:00:00Z",
  "site": {
    "name": "example.com",
    "url": "https://example.com"
  },
  "detections": [
    {
      "id": "uuid",
      "severity": "critical",
      "title": "SQL Injection Vulnerability",
      "description": "...",
      "type": "vulnerability"
    }
  ],
  "summary": {
    "total": 3,
    "critical": 1,
    "high": 2,
    "medium": 0,
    "low": 0
  },
  "dashboardUrl": "https://scantower.io/..."
}
Webhook Configuration
Global vs Site-Specific Webhooks
Global webhooks: Apply to all sites in your account. Perfect for organization-wide security monitoring channels where all alerts should be centralized.
Site-specific webhooks: Apply to specific sites only. Ideal for client-specific channels, project-based notifications, or when different teams manage different sites.
Severity Filtering
Each webhook can be configured to only receive notifications for specific severity levels:
- ✓ Critical: Immediate action required (default: enabled)
- ✓ High: Serious security issues (default: enabled)
- ✓ Medium: Moderate security concerns (default: disabled)
- ✓ Low/Info: Informational findings (default: disabled)
Webhook Health Monitoring
ScanTower automatically monitors webhook health and reliability:
- Track last successful delivery timestamp
- Monitor failed delivery attempts with error messages
- Automatic webhook disabling after 10 consecutive failures
- Test webhook functionality before going live
- 5-second timeout per webhook request
Managing Webhooks
- Navigate to Dashboard → Settings → Webhooks (global) or Site Settings → Webhooks (site-specific)
- Click Add Webhook
- Select webhook type (Slack, Discord, Teams, or Generic)
- Enter your webhook URL
- Configure severity filters and notification preferences
- For generic webhooks, optionally add custom headers
- Click Test Webhook to verify it's working
- Save your webhook configuration
Configure 2 webhooks per type for redundancy. If one fails, alerts will still reach your team through the backup webhook. Perfect for mission-critical monitoring.
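On the receiving side of a generic webhook, an endpoint could validate each delivery as in the following added example (not ScanTower's own code): it checks a shared secret sent as a custom header, validates the fields shown in the example payload, and routes each detection by severity. The header name `X-Webhook-Token`, the secret, the body size cap and the route names are assumptions chosen for illustration.

```python
import hmac
import json

# Assumed values (not ScanTower-defined): set as a custom header on the webhook.
AUTH_HEADER = "X-Webhook-Token"        # hypothetical header name
SHARED_SECRET = "constructed-secret"   # constructed; load from a secret store
KNOWN = ("critical", "high", "medium", "low")
PAGE_ON = ("critical", "high")         # same levels the docs enable by default
MAX_BODY = 256 * 1024                  # assumed size cap for one delivery

# Constructed delivery, trimmed from the example payload in the docs.
SAMPLE_BODY = json.dumps({
    "event": "security_detection",
    "site": {"name": "example.com", "url": "https://example.com"},
    "detections": [{"id": "uuid", "severity": "critical",
                    "title": "SQL Injection Vulnerability", "type": "vulnerability"}],
}).encode()


def handle_webhook(headers, body):
    """Return (http_status, actions). Only parses and routes, so the reply
    fits well inside the sender's 5-second timeout; queue slow work."""
    token = {k.lower(): v for k, v in headers.items()}.get(AUTH_HEADER.lower(), "")
    # Constant-time compare: no timing hint about how much of the secret matched.
    if not hmac.compare_digest(token.encode(), SHARED_SECRET.encode()):
        return 401, []
    if len(body) > MAX_BODY:
        return 413, []
    try:
        event = json.loads(body)
        if event["event"] != "security_detection":
            return 400, []
        site = str(event["site"]["url"])
        detections = list(event["detections"])
    except (ValueError, KeyError, TypeError):
        return 400, []
    actions = []
    for d in detections:
        if not isinstance(d, dict) or not isinstance(d.get("severity"), str):
            return 400, []
        sev = d["severity"] if d["severity"] in KNOWN else "unknown"
        route = "page" if sev in PAGE_ON else "triage" if sev == "unknown" else "ticket"
        # Titles come from scanned content: truncate and treat as data, not markup.
        actions.append((route, sev, site, str(d.get("title", ""))[:200]))
    return 200, actions


if __name__ == "__main__":
    print(handle_webhook({AUTH_HEADER: SHARED_SECRET}, SAMPLE_BODY))
```

Wire `handle_webhook` into whatever HTTPS framework serves the endpoint, passing the request headers and raw body, and return the status code it produces.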
Agency Plan & Team Collaboration
The Agency plan is designed for security professionals, agencies, and enterprises managing multiple client websites or large portfolios of sites requiring comprehensive security monitoring.
Monitor up to 200 websites with unlimited team members, perfect for agencies managing client portfolios or enterprises with extensive web properties.
Agency Plan Features
Monitoring Capacity
- 200 websites monitored simultaneously
- 2,000 ad-hoc scans per month
- Unlimited scan history retention
- Hourly, daily, and weekly scan schedules
- Custom scan intervals available
Team Collaboration
- Unlimited team members
- Role-based access control
- Per-site access management
- Team member invitation system
- Activity logging and audit trails
Advanced Notifications
- Email, Slack, Discord, Teams webhooks
- Custom webhook integrations
- Up to 2 webhooks per type
- Per-site notification routing
- Severity-based filtering
White-Label Reports
- Customizable PDF reports with your branding
- Remove ScanTower branding
- Perfect for client deliverables
- Executive summary reports
- Automated report generation
Priority Support
- Dedicated account manager
- Priority email support
- Faster response times
- Custom integration assistance
- Onboarding and training sessions
API Access
- Full REST API access
- Programmatic scan triggering
- Automated report generation
- Integration with CI/CD pipelines
- Custom automation workflows
Team Management
The Agency plan includes powerful team collaboration features:
Invite Team Members
Add unlimited team members to your organization. Each member gets their own login and can be assigned specific sites to manage.
Site Access Control
Grant team members access to all sites or specific sites only. Perfect for agencies where different team members manage different clients.
- Full Access: View and manage all sites in the organization
- Limited Access: Only view and manage assigned sites
- Flexible Permissions: Easy to update as team structure changes
Role-Based Access
Control what team members can do within the platform:
- Owner: Full access to all features and billing
- Admin: Manage sites, scans, and team members
- Member: View sites and scan results for assigned sites
Perfect for digital agencies managing 20-200 client websites. Assign specific team members to specific clients, generate white-label reports for client deliverables, and route notifications to client-specific channels. All while maintaining a centralized view of security across your entire client portfolio.
Frequently Asked Questions
How often should I scan my website?
For production websites and e-commerce stores, we recommend daily scans. For less critical sites, weekly scans are usually sufficient. You should also run a manual scan after any major updates or deployments.
Do I need to install anything on my server?
No! ScanTower scans your website from the outside, just like a visitor or attacker would. No plugins, agents, or server access required. Just provide your website URL.
Will scanning impact my website performance?
ScanTower uses responsible scanning techniques with rate limiting to avoid impacting your site's performance. Our scans typically load only a few pages and check headers and certificates, similar to normal visitor traffic.
What happens when a vulnerability is found?
You'll receive an immediate notification via your configured channels (email, Slack, Discord). The vulnerability will be displayed in your dashboard with severity rating, description, and remediation steps. We also track when it was first detected and when it's resolved.
Can I scan password-protected or staging sites?
Currently, ScanTower scans publicly accessible websites. For password-protected or private staging sites, you'll need to temporarily allow our scanner IPs or set up a public staging URL. Contact support for our scanner IP addresses.
How accurate are the vulnerability detections?
We use multiple vulnerability databases and actively maintained detection rules. While we strive for high accuracy, some detections may be false positives (e.g., if you've patched a vulnerability manually). Always verify findings in your environment.
Can I export scan results?
Yes! You can generate and download PDF reports for any scan. These are great for sharing with clients, management, or compliance requirements. Premium plans also support API access for programmatic export.
What's the difference between free and paid plans?
Free plans include basic instant scans and limited monitoring. Paid plans offer more frequent scans, increased site limits, priority support, advanced integrations, team features, and detailed historical analytics. See our pricing page for complete feature comparison.
How do webhooks work?
Webhooks allow ScanTower to send real-time security alerts to your preferred communication platforms or custom endpoints. When a vulnerability is detected, we send an HTTP POST request to your webhook URL with details about the detection. You can configure up to 2 webhooks per type (Slack, Discord, Teams, or generic webhooks), and set them to trigger only for specific severity levels. Each webhook can be global (all sites) or site-specific.
Can I integrate ScanTower with my existing monitoring tools?
Yes! Use our generic webhook feature to send security alerts to any HTTPS endpoint. This works with popular tools like PagerDuty, Jira, ServiceNow, Datadog, and custom internal systems. You can add custom headers for authentication and receive a structured JSON payload with all detection details. Pro and Agency plans also include full REST API access for deeper integrations.
What is the Agency plan and who is it for?
The Agency plan is designed for digital agencies, security consultancies, and enterprises managing multiple client websites or large site portfolios. It includes monitoring for up to 200 websites, unlimited team members, white-label reports, advanced webhooks, per-site access control, and a dedicated account manager. Perfect for agencies needing to manage client sites separately while maintaining centralized oversight.
Can team members access only specific sites?
Yes! With the Agency plan, you can grant team members access to all sites or limit them to specific sites only. This is perfect for agencies where different team members manage different clients, or enterprises with separate teams for different web properties. Access permissions can be easily updated as your team structure changes.
How often are hourly scans performed?
Hourly scans are available on Pro and Agency plans. When enabled, your site will be scanned approximately once every hour (up to 24 times per day). This provides near real-time security monitoring, ensuring you're alerted to new vulnerabilities, SSL issues, or security configuration changes within an hour of them occurring. Ideal for production e-commerce sites and critical business applications.