Question 1

What is Vuln0x?

Accepted Answer

Vuln0x is an AI-powered security scanning platform designed specifically for web applications built with AI-assisted coding tools like Replit, Bolt, Lovable, Cursor, and v0. It runs 40+ parallel scanner engines to detect vulnerabilities in headers, SSL/TLS, CORS, cookies, directories, DNS, ports, SQL injection, XSS, SSRF, and more — including framework-specific scanners for Next.js and React.

Question 2

What types of vulnerabilities can it detect?

Accepted Answer

Our 40+ scanners detect missing security headers (HSTS, CSP, X-Frame-Options), SSL/TLS certificate issues, CORS misconfigurations, insecure cookies, exposed files and directories (.env, .git, backups), DNS misconfigurations (SPF, DMARC, DNSSEC), open ports, technology fingerprinting, source map exposure, client-side secret leakage, SQL injection, XSS, command injection, path traversal, SSTI, SSRF, XXE, CSRF, IDOR, privilege escalation, JWT/OAuth flaws, and more.

Question 3

Does it support Next.js and React-specific issues?

Accepted Answer

Yes. We have dedicated scanners specifically designed for Next.js and React applications. These detect source map exposure, client-side secrets leaked in JavaScript bundles, authentication logic flaws, cross-site scripting (XSS), server-side request forgery (SSRF), and other framework-specific vulnerabilities that generic scanners miss.

Question 4

How does credit-based pricing work?

Accepted Answer

Every new account receives 200 free credits. A full scan costs 10 credits and a full deep scan costs 20 credits. Individual scanner types cost 1-10 credits each depending on complexity. You can purchase additional credits or upgrade to a plan with monthly credit allocations starting at 300 credits/month.

Question 5

Can I integrate it into my CI/CD pipeline?

Accepted Answer

Absolutely. Our REST API supports both Bearer token and API key authentication. You can trigger scans from GitHub Actions, GitLab CI, Bitbucket Pipelines, Jenkins, or any CI/CD system. SARIF reports integrate directly with GitHub Security tab, and JSON reports are optimized for automated pipelines.

Question 6

What report formats are available?

Accepted Answer

We support six export formats: SARIF (for GitHub Security tab integration), CSV (for spreadsheet analysis), PDF (professional reports with executive summary), HTML (shareable web reports), Markdown (for documentation), and JSON (structured data for CI/CD pipelines and custom integrations).

Question 7

Is my data safe during scanning?

Accepted Answer

We only perform non-invasive scanning — we never attempt to exploit vulnerabilities, modify your application, or store sensitive data. All scan results are encrypted at rest and in transit. You can delete your scan history at any time. We are committed to responsible security testing practices.

Question 8

What are scheduled scans?

Accepted Answer

Scheduled scans let you automate security monitoring. Set up daily, weekly, biweekly, or monthly scans for any verified domain. You will receive webhook notifications and optional email alerts when new vulnerabilities are found or your security score changes.

Question 9

Can I scan multiple URLs at once?

Accepted Answer

Yes. You can use our Projects feature to group multiple domains together and scan them all with a single command. You can also use the bulk scan API endpoint to submit multiple URLs simultaneously. Each URL is scanned independently and results are tracked per target.

Question 10

Do you offer a free tier?

Accepted Answer

Yes. Every new account receives 50 free credits — enough for 5 full scans or 50 individual scanner runs. No credit card is required to sign up. This lets you evaluate the platform and see exactly what vulnerabilities exist in your applications before committing to a paid plan.

Question 11

What is the difference between passive and active scanning?

Accepted Answer

Passive scanners analyze publicly visible information like HTTP headers, SSL certificates, DNS records, and exposed files without sending attack payloads. Active scanners test for exploitable vulnerabilities like SQL injection, XSS, and command injection by sending carefully crafted test payloads. Both types are available on Vuln0x.

Question 12

Do I need to verify my domain before scanning?

Accepted Answer

Yes. Vuln0x requires domain verification to ensure you have authorization to scan a target. You can verify ownership via DNS TXT record or HTML file upload. This prevents unauthorized scanning and ensures responsible use of the platform.

Meet Sentinel

29+ Kali Tools

Autonomous Agent

7-Phase Methodology

Detailed Reports

Everything you need to secure AI-generated code

Sentinel — AI Pentest Agent

40+ Parallel Scanners

Risk Scoring A+ to F

Next.js & React Deep Scan

Scheduled Scans & Webhooks

Reports: SARIF, CSV, PDF, HTML, MD

API & CI/CD Integration

Scan in 3 simple steps

Enter Your URL

Run the Scan

Fix & Track

Frequently asked questions

Start securing your vibe-coded projects today