Ask HN: What do you use to monitor website security (vulns, uptime, etc.)?
3 points - last Wednesday at 1:01 PM
I recently built [PenZen](https://penzen.app). It scans websites for real vulnerabilities (not just SSL checks) using OWASP Zap under the hood and sends prioritized alerts with AI-powered remediation suggestions.
I made it because I was tired of tools that alert me about issues I don't understand or can't do anything about. Curious: What are you using to monitor website security?
And more importantly: What actually makes you trust a report or take action on it?
alp1n3_eth
last Wednesday at 11:40 PM
Externally / Blackbox options would be Nessus, Nuclei, OWASP ZAP (as you mentioned), and Burp Suite. The latter two only work well when used in combination with manual methods though, as they won't pick up business logic, auth bypass, MFLAC/IDOR, etc. on their own.
A lot of scanning templates / rulesets won't be 100% accurate or up-to-date, and will easily miss a lot of big things, so having it pentested by an actual person is always important.
From the source code side of things, Semgrep / CodeQL, Veracode / Snyk, Burp Enterprise (CI/CD), etc. are good options. But again, most places shouldn't get just scans, there should be a manual component involving a security professional who knows what they're doing.
XBOW is making some pretty cool strides in the meantime from a blackbox perspective though.
KomoD
last Wednesday at 6:43 PM
I use HetrixTools for uptime monitoring for both websites and servers (with their agent).
I don't use anything that scans for generic "vulns" (like "you're missing this header") and just use a WAF like Cloudflare for most stuff.
mtmail
last Wednesday at 1:03 PM
Do you mean https://penzen.app/ ? The .io domain doesn't resolve for me.
lukejkwarren
last Wednesday at 2:04 PM
That's the one! Apologies.
Using any other security scanning tools?