Most security scanners spend an hour on onboarding before they fire a single request. NANOTESTING gets you to the first scan in five minutes, end to end. Here is exactly how.
1. Sign up (magic link, no password)
We do not use passwords. Drop your email at nanotesting.com/signup, open the magic link, and you land on the dashboard. The free plan includes one limited preview scan per day, which is enough to walk through this guide.
2. Add a target
Click Add target and paste the URL of a site, web app, or API you own. NANOTESTING refuses to scan private IPs, localhost, or cloud metadata endpoints; we resolve the host server-side and reject anything that does not point at a public address.
The target lands in the unverified state. Unverified targets only get a passive, read-only preview. Full scans require ownership proof.
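The public-address check from step 2, sketched as an added example (not NANOTESTING's own code): every resolved address must be public, otherwise the target is rejected. The names `CheckTarget`, `isPublic`, `fakeLookup` and `sampleDNS` are hypothetical, and the DNS records are constructed so the block runs offline.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed DNS answers so the example runs offline; names and records are
// made up, and 203.0.113.10 (documentation range) stands in for a public host.
var sampleDNS = map[string][]string{
	"shop.example.test":     {"203.0.113.10"},
	"intranet.example.test": {"10.0.0.5"},
	"metadata.example.test": {"169.254.169.254"},
	"mixed.example.test":    {"203.0.113.10", "::ffff:127.0.0.1"},
}

func fakeLookup(host string) []string { return sampleDNS[host] }

// isPublic rejects loopback, private, link-local (incl. 169.254.169.254), multicast, unspecified.
func isPublic(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	return a.IsGlobalUnicast() && !a.IsPrivate()
}

// CheckTarget returns the vetted addresses only if every answer is public.
// Assumption: the scan connects to these addresses and does not re-resolve the name.
func CheckTarget(host string, lookup func(string) []string) ([]netip.Addr, error) {
	answers := []string{host} // an IP literal is checked as-is
	if _, err := netip.ParseAddr(host); err != nil {
		answers = lookup(host)
	}
	if len(answers) == 0 {
		return nil, fmt.Errorf("%s: no addresses", host)
	}
	vetted := make([]netip.Addr, 0, len(answers))
	for _, s := range answers {
		a, err := netip.ParseAddr(s)
		if err != nil || !isPublic(a) {
			return nil, fmt.Errorf("%s -> %q is not a public address", host, s)
		}
		vetted = append(vetted, a.Unmap())
	}
	return vetted, nil
}

func main() {
	_, err := CheckTarget("metadata.example.test", fakeLookup)
	fmt.Println(err)
}
```

The standard-library predicates used here do not cover every reserved range (100.64.0.0/10, for example), so a production check would add its own deny list on top.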
3. Verify ownership
Two options: a TXT record on the domain, or a small HTML file at a fixed path. The dashboard shows the exact value to paste in and a one-click recheck. Verification usually clears within a minute of DNS propagation.
4. Run a full external baseline scan
Once verified, hit Run scan. The Go worker executes Nuclei + osv-scanner + Trivy + gitleaks + ZAP passive + DNS + TLS + cookie audits + API endpoint discovery, all in parallel, against your target. A typical baseline finishes in 2-4 minutes. You watch progress live - the scan-detail page ticks the duration second-by-second and shows each sub-step as it succeeds.
5. Read the report
When the scan completes you get four PDFs in one click: Executive (board audience, severity strip + top 5 risks), Developer remediation (engineering audience, per-finding patch guidance), Compliance mapping (OWASP Top 10 + ISO 27001 Annex A + SOC 2 TSC), and Trend (score over time). Every PDF carries the same SHA-256 fingerprint and a sequential NT-REP-YYYY-NNNNNN number so auditors can confirm it came from us.
That is the whole loop. From an empty inbox to a signed compliance PDF in the time it would take you to schedule a kickoff call with a manual pentest vendor. Open the dashboard and try it.