Sample report

What an auditor-ready NANOTESTING report looks like.

Multi-surface demo: 8 findings across web, API, repo, mobile, cloud, Kubernetes, and Web3, mapped to OWASP, ISO 27001:2022, SOC 2, NIST CSF 2.0, CIS Controls v8, and PCI DSS 4.0. Locked sections show the state before account creation and target verification.

NANOTESTING report
Demo preview

Automated security assessment · Multi-surface

acme-storefront

Scan completed 2026-05-29 at 09:14 UTC. Web + API + repo + mobile binary + cloud + Kubernetes + Web3, one run. Read-only by default, rate-limited active checks on verified targets.

Risk rating (v2)

41 / 100

Immutable snapshot · v1.2.0

Status

Fix before pentest

2 critical, 4 high

Surfaces scanned

7

Web, API, repo, mobile, cloud, K8s, Web3

Critical

2

High

4

Medium

4

Low

2

Info

1

Detailed findings

Some sections require an account
  • API

    SQL injection in /api/v1/orders?customer_id parameter

    Injection

    OWASP A03 · ISO A.8.26 · ISO A.8.28 · SOC2 CC6.6
    Locked
  • Repo

    AWS access key committed in scripts/deploy.sh

    Secrets exposure

    OWASP A07 · ISO A.5.17 · ISO A.8.24 · SOC2 CC6.1
    Open
  • Web3

    Slither: reentrancy in withdraw() (Vault.sol:184)

    Smart contract

    ISO A.8.25 · SOC2 CC8.1
    Open
  • API

    Mass assignment: PATCH /api/me accepts is_admin

    Authorization

    OWASP A04 · ISO A.8.3 · SOC2 CC6.3
    Open
  • Mobile

    android:debuggable="true" in AndroidManifest.xml

    Mobile hardening

    ISO A.8.26 · SOC2 CC7.1
    Open
  • Cloud

    Public S3 bucket allows world read (acme-public-uploads)

    Cloud misconfiguration

    OWASP A05 · ISO A.5.10 · ISO A.8.9 · SOC2 CC6.1
    Open
  • K8s

    Kubescape NSA-1: hostPID enabled on api-gateway pod

    Kubernetes

    ISO A.8.22 · SOC2 CC6.6
    Open
  • Web

    Strict-Transport-Security header is missing

    Transport security

    OWASP A02 · ISO A.8.24 · SOC2 CC6.7
    Open

Compliance posture (6 frameworks)

Open findings per control (control · count)

OWASP Top 10 (2021)

  • A02 Cryptographic failures · 1
  • A03 Injection · 1
  • A04 Insecure design · 1
  • A05 Security misconfiguration · 4
  • A07 Authentication failures · 1

ISO 27001:2022 Annex A

  • A.5.10 · 1
  • A.5.17 · 1
  • A.8.3 · 1
  • A.8.22 · 1
  • A.8.24 · 2
  • A.8.25 · 1
  • A.8.26 · 3

SOC 2 (Trust Services)

  • CC6.1 · 2
  • CC6.3 · 1
  • CC6.6 · 2
  • CC6.7 · 1
  • CC7.1 · 1
  • CC8.1 · 1

NIST CSF 2.0

  • ID.RA-1 · 3
  • PR.DS-1 · 2
  • PR.AC-4 · 2
  • PR.PT-3 · 1

CIS Controls v8

  • 3.3 Data access · 2
  • 4.1 Secure config · 4
  • 6.2 Access control · 2
  • 16.11 Leverage hardening · 1

PCI DSS 4.0

  • 1.4 Network controls · 1
  • 3.3 Storage · 1
  • 6.2 Secure dev · 3
  • 7.2 Least privilege · 2

Bundled scanners used (60+ check modules)

Web: nano-baseline + Nuclei (8000+) + ZAP active + host-calibrated FP suppression. API: Schemathesis + OWASP API (BOLA / BFLA / mass-assignment). Repo: osv-scanner + gitleaks + Trivy + Semgrep. Mobile: apktool / mobsfscan MASVS + CWE. Cloud: Prowler (AWS / Azure / GCP) + CloudFox. Kubernetes: Kubescape NSA + CIS benchmarks. Web3: Slither + Mythril + Echidna (EVM), Sui Move (Beta), Solana (Beta).

Evidence + remediation pack

Auditor-ready PDF (Executive / Developer / Compliance / Trend), per-finding screenshots, request-response captures, positive compliance-evidence rows, immutable risk-rating snapshot per scan. Bundled on Growth and Agency.

Download the auditor-ready sample PDF

Live-rendered Executive PDF, multi-surface findings, methodology footer, verify-QR cover sheet. No signup required.

What's at stake

  • 207 days: median time to identify a breach in 2024 (IBM)
  • $4.88M: average cost of a breach last year (IBM)
  • $50,000+: typical price tag for a manual penetration test (industry range)

Want an unlocked report on your own target?

Create an account, verify your target, and run a full scan to export a complete PDF report with evidence and remediation.