If you're a bug bounty hunter, security researcher, pentester, or website owner, you should check out OnScanner.
I've been using it regularly, and one thing that stands out is that it doesn't stop at fingerprinting services and matching CVEs.
For each discovered host, it runs a large number of validation checks and exploit-based tests to determine whether vulnerabilities are actually present and whether security fixes have been properly applied.
A few things I like:
• Attack surface mapping (domains, subdomains, IPs, DNS, ASN, SSL/TLS)
• Deep technology fingerprinting with version and CPE/CVE correlation
• OWASP Top 10 and infrastructure vulnerability detection
• Exploit validation to reduce false positives
• Vulnerability chaining and attack-path analysis
• Privacy intelligence (trackers, fingerprinting, session recorders, cookie analysis)
• Email security checks (SPF, DKIM, DMARC)
• API access and automated reporting
What I find most useful is the validation approach. A lot of scanners simply say "this version may be vulnerable." OnScanner goes further by testing whether the vulnerability can actually be triggered and whether the target appears to be patched.
That helps separate theoretical findings from issues that represent real risk.
The attack-path and vulnerability-chaining capabilities are also interesting because many real-world compromises don't come from a single critical finding. They're often the result of multiple lower-severity issues being combined.
No automated scanner replaces manual testing, but for reconnaissance, attack-surface discovery, vulnerability validation, and security posture reviews, it's become a useful part of my workflow.
Has anyone else here tried it? How does it compare with the tools you're using for attack surface management and vulnerability assessment?