Quickstart

First scan in 10 minutes

The fastest path from zero to an auditor-ready PDF report. Pick a target you own or have written permission to test.

1. Create an account

Sign up at /signup. NANOTESTING uses magic-link authentication only - no password to remember. After you submit your email, click the link in the inbox and you land on the dashboard. The trial is automatic on any paid plan you pick later; the free tier needs no card.

If you plan to bring a teammate, you can invite them now from Settings > Members. Roles are owner, admin, analyst, viewer.

2. Add a target

Open Targets > Add target. Pick the surface: website, web application, API endpoint, or GitHub repository. Enter the URL (must be HTTPS, must resolve to a public IP). Risk profile + environment + scan frequency are metadata that drives prioritisation and scheduling later.

Bulk import: if you have a list of 5+ targets, use /targets/import to upload a CSV.

3. Verify ownership

Before any full scan runs, you have to prove control of the target. Open the target's detail page and the dashboard will give you a unique token to place. Pick whichever method is easiest:

  • DNS TXT record on the apex (most popular for production)
  • HTML file at /.well-known/nanotesting-verification.txt
  • HTML meta tag on the landing page
  • Domain email confirmation to webmaster@, security@, or admin@

Verification usually completes in seconds. See Verify a target for the exact records.
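To make the token check concrete, here is an added example (not NANOTESTING's own verifier, which is not published on this page) of the logic a verifier runs over what it fetched for the three content-based methods above. The DNS TXT and well-known file paths are taken from the docs; the meta tag name `nanotesting-verification` and the token format are assumptions, and the domain-email method is not modelled. All inputs are constructed strings, so it runs offline.

```python
from html.parser import HTMLParser

# Constructed token for this example; the real one is issued per target on the
# dashboard's target detail page.
TOKEN = "nanotesting-verify-EXAMPLE0123456789"
WELL_KNOWN_PATH = "/.well-known/nanotesting-verification.txt"  # path from the docs
META_NAME = "nanotesting-verification"  # assumed <meta name=...>; the docs do not state it


class _MetaCollector(HTMLParser):
    """Collect <meta name="..." content="..."> pairs without regexing the HTML."""

    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = dict(attrs)
        name = (a.get("name") or "").lower()
        content = a.get("content")
        if name and content is not None:
            self.meta.setdefault(name, []).append(content.strip())


def check_dns_txt(txt_records, token):
    """A TXT record on the apex must equal the token exactly (quotes already
    stripped by the resolver); a substring match would let an unrelated
    record such as an SPF entry pass."""
    return any(r.strip() == token for r in txt_records)


def check_well_known(body, token):
    """The body served at WELL_KNOWN_PATH must be the token and nothing else,
    so a SPA or catch-all that answers 200 to every path with its index
    page does not count as proof."""
    return body.strip() == token


def check_meta_tag(html, token):
    """The landing page must carry the token in the expected <meta> tag."""
    p = _MetaCollector()
    p.feed(html)
    return token in p.meta.get(META_NAME, [])


def verify_target(token, txt_records=(), well_known_body="", landing_html=""):
    """Return the name of the first method that proves control, or None.
    Inputs are whatever the verifier already fetched; nothing here touches
    the network."""
    checks = (
        ("dns_txt", check_dns_txt(txt_records, token)),
        ("well_known_file", check_well_known(well_known_body, token)),
        ("meta_tag", check_meta_tag(landing_html, token)),
    )
    for name, ok in checks:
        if ok:
            return name
    return None


# Constructed sample inputs standing in for resolver answers and HTTP bodies.
SAMPLE_TXT = ["v=spf1 include:_spf.example.com ~all", TOKEN]
CATCH_ALL_PAGE = "<html><body><h1>Welcome</h1></body></html>"  # index served for any path
LANDING_HTML = (
    "<html><head>"
    f'<meta name="{META_NAME}" content="{TOKEN}">'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    print(verify_target(TOKEN, txt_records=SAMPLE_TXT))          # dns_txt
    print(verify_target(TOKEN, well_known_body=CATCH_ALL_PAGE))  # None
    print(verify_target(TOKEN, landing_html=LANDING_HTML))       # meta_tag
```

The exact-match rules are the point: a site that serves its index page for every URL would otherwise "pass" the well-known check, and a TXT substring match would accept a token buried in another record.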

4. Run the first scan

On the target page click Run scan. The baseline takes a few minutes; deep CVE + active web scans on Growth+ take longer (typically 10-30 minutes). The Scans list shows live progress with one row per detector.

Don't have a real target to test yet? On the dashboard empty state click Show me with sample data and a synthetic target with 12 findings is loaded so you can explore the UI first.

5. Triage findings

Findings sort by priority score by default (severity + KEV bump + EPSS bump + confidence). The red KEV chip flags actively exploited CVEs. Open a finding to see evidence, remediation steps, and start a discussion thread with your team. See Read a scan report for the triage playbook.
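The following is an added example, not NANOTESTING's scoring code, showing how a priority score built from the four inputs named above (severity, KEV bump, EPSS bump, confidence) orders a list of findings; the point weights, the `Finding` fields and the sample findings are all assumptions constructed for the illustration. It also filters the findings that a critical/high webhook from step 7 would fire on.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed weights: the docs name the four inputs but not the numbers.
SEVERITY_BASE = {"critical": 90, "high": 70, "medium": 40, "low": 15, "info": 0}
KEV_BUMP = 20            # flat bump when the CVE is in CISA's KEV catalogue
EPSS_MAX_BUMP = 20       # EPSS probability (0..1) scales linearly up to this
CONFIDENCE_MAX = 10      # detector confidence (0..1) scales linearly up to this
ALERT_SEVERITIES = {"critical", "high"}  # what the step-7 webhook fires on


@dataclass
class Finding:
    title: str
    severity: str
    cve: Optional[str] = None
    in_kev: bool = False      # drives the red KEV chip
    epss: float = 0.0         # per-CVE exploitation probability; 0 when no CVE
    confidence: float = 1.0   # detector confidence in [0, 1]


def priority_score(f: Finding) -> int:
    """severity + KEV bump + EPSS bump + confidence, as integer points."""
    if f.severity not in SEVERITY_BASE:
        raise ValueError(f"unknown severity {f.severity!r}")
    if not (0.0 <= f.epss <= 1.0 and 0.0 <= f.confidence <= 1.0):
        raise ValueError("epss and confidence must be in [0, 1]")
    score = SEVERITY_BASE[f.severity]
    score += KEV_BUMP if f.in_kev else 0
    score += round(EPSS_MAX_BUMP * f.epss)
    score += round(CONFIDENCE_MAX * f.confidence)
    return score


def triage(findings: List[Finding]) -> List[Finding]:
    """Default dashboard order: highest priority first; ties fall back to
    raw severity, then title, so the order is stable across runs."""
    return sorted(
        findings,
        key=lambda f: (-priority_score(f), -SEVERITY_BASE[f.severity], f.title),
    )


def alert_worthy(findings: List[Finding]) -> List[Finding]:
    """Findings a Settings > Notifications webhook set to critical/high would send."""
    return [f for f in triage(findings) if f.severity in ALERT_SEVERITIES]


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("SQL injection in /search", "critical", confidence=0.8),
    Finding("Outdated library with actively exploited CVE", "high",
            cve="CVE-XXXX-PLACEHOLDER", in_kev=True, epss=0.94, confidence=0.9),
    Finding("Known CVE, not in KEV", "medium", cve="CVE-YYYY-PLACEHOLDER", epss=0.5),
    Finding("Missing HSTS header", "low"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        chip = " [KEV]" if f.in_kev else ""
        print(f"{priority_score(f):4d}  {f.severity:8s} {f.title}{chip}")
```

Under these weights a high-severity finding that is both in KEV and has a high EPSS outranks a critical finding with no CVE, which is the behaviour the KEV and EPSS bumps exist to produce: fix what is being exploited before what is merely severe on paper.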

6. Generate the PDF

From any completed scan click Generate report. We produce four auditor-ready PDFs:

  • Executive for board / CEO / vendor reviewers
  • Developer remediation with one ticket per finding
  • Compliance mapping against OWASP + ISO 27001 + SOC 2
  • Trend showing score history over the last 30 scans

Reports embed PNG screenshots of every web-facing finding so they're self-contained for offline review.

7. Schedule + alerts

Open the target's settings to flip scan frequency from manual to weekly or daily (Growth+). Configure Slack / Discord / generic webhook on Settings > Notifications to fire on every critical or high finding.