
Ask HN: What do you use to monitor website security (vulns, uptime, etc.)?

3 points - 04/02/2025


I recently built [PenZen](https://penzen.app). It scans websites for real vulnerabilities (not just SSL checks) using OWASP ZAP under the hood and sends prioritized alerts with AI-powered remediation suggestions.

I made it because I was tired of tools that alert me about issues I don't understand or can’t do anything about. Curious: What are you using to monitor website security?

And more importantly: What actually makes you trust a report or take action on it?

  • alp1n3_eth

    04/02/2025

    Externally / Blackbox options would be Nessus, Nuclei, OWASP ZAP (as you mentioned), and Burp Suite. The latter two only work well when used in combination with manual methods though, as they won't pick up business logic, auth bypass, MFLAC/IDOR, etc. on their own.

    A lot of scanning templates / rulesets won't be 100% accurate or up-to-date, and will easily miss a lot of big things, so having it pentested by an actual person is always important.

    From the source code side of things, Semgrep / CodeQL, Veracode / Snyk, Burp Enterprise (CI/CD), etc. are good options. But again, most places shouldn't get just scans, there should be a manual component involving a security professional who knows what they're doing.

    XBOW is making some pretty cool strides in the meantime from a blackbox perspective though.

    • KomoD

      04/02/2025

      I use HetrixTools for uptime monitoring for both websites and servers (with their agent).

      I don't use anything that scans for generic "vulns" (like "you're missing this header") and just use a WAF like Cloudflare for most stuff.

      • mtmail

        04/02/2025

        Do you mean https://penzen.app/ ? The .io domain doesn't resolve for me.

          • lukejkwarren

            04/02/2025

            That’s the one! Apologies.

            Using any other security scanning tools?

        • McNutty

          04/04/2025

          Shodan (with account, not just talking about the public search page)
