Beta

Attesta

Scan evidence your auditor won't reject.

Scheduled network scans, signed and timestamped, exported in the format your auditor needs — standalone or alongside Vanta and Drata.

Your auditor wants scan evidence.

Running scans is the easy part. Producing evidence your QSA or SOC2 auditor will actually accept — timestamped, reproducible, traceable to the exact tool invocation — is where most teams stall.

Vanta tracks controls. It doesn't run scans.

Compliance platforms map policies and collect screenshots. They rely on you to provide the underlying scan data. That's the gap.

A CSV export is not audit evidence.

OpenVAS and Nessus produce findings. Evidence is a signed, verifiable record that this exact scan ran on this exact target at this exact time, with a tamper-evident chain your auditor can independently verify.

Three steps to signed evidence.

01

Point it at your targets

Add IP ranges, hostnames, or CIDR blocks. Schedule scans or trigger via API. No agent installation required.

02

Scans run in isolated namespaces

Each scan runs in a bwrap-sandboxed Kali environment. The exact tool invocation — flags, targets, timing — is captured alongside the output.

03

Every result is sealed

The command record, scan digest, and runner attestation are bound into a tamper-evident evidence seal. Your auditor can verify it independently — no need to trust our infrastructure.

The differentiator

The evidence chain is the product.

Most scanning tools produce findings. We produce evidence. Every scan result carries verifiable chain of custody — the exact command, on which target, at which time, attested by the runner.

When your QSA asks "how do I know this scan ran when you say it did?" you point to a tamper-evident evidence chain, not a screenshot. Your auditor can verify independently — no need to trust our infrastructure.

Evidence chain structure
scan_job: nmap -sV -p- target
command_record a3f2b9c1d8e4f7a6…
scan_digest 8e4d7a2f5c1b9e3d…
runner_attestation 9c1b5e3a7d4f2c8b…
evidence_seal 4f7d2c8b… ✓ SEALED
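
As an added illustration of the structure above (not Attesta's code or record format), this sketch binds a command record, scan digest and runner statement into a seal chained to the previous seal, then re-derives every link from the raw artifacts. The JSON field layout, the GENESIS value, the runner fields and the sample scan output are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_seal value for the first record
FIELDS = ("command_record", "scan_digest", "runner_attestation", "prev_seal", "evidence_seal")

def digest(obj) -> str:
    """SHA-256 over canonical JSON so field order cannot change the hash."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def seal_record(command: dict, output: bytes, runner: dict, prev_seal: str) -> dict:
    """Bind command, raw output and runner statement to the previous seal."""
    record = {
        "command_record": digest(command),
        "scan_digest": hashlib.sha256(output).hexdigest(),
        # Stand-in: a real attestation would be a signature by the runner's key.
        "runner_attestation": digest(runner),
        "prev_seal": prev_seal,
    }
    record["evidence_seal"] = digest(record)  # hashed before the seal key exists
    return record

def verify_chain(chain: list, artifacts: list) -> list:
    """Re-derive every record from raw artifacts; return (index, field) mismatches."""
    problems, prev = [], GENESIS
    for i, (rec, (command, output, runner)) in enumerate(zip(chain, artifacts)):
        expected = seal_record(command, output, runner, prev)
        bad = next((f for f in FIELDS if rec.get(f) != expected[f]), None)
        if bad:
            problems.append((i, bad))
        prev = rec.get("evidence_seal", "")  # follow the stored link, as an auditor would
    return problems

def build_demo():
    """Constructed sample: two scheduled runs of the command shown above."""
    runner = {"runner_id": "runner-01", "image": "kali-sandbox"}  # constructed values
    artifacts = [
        ({"argv": ["nmap", "-sV", "-p-", "target"], "started": "2024-01-01T00:00:00Z"},
         b"22/tcp open ssh\n", runner),
        ({"argv": ["nmap", "-sV", "-p-", "target"], "started": "2024-04-01T00:00:00Z"},
         b"22/tcp open ssh\n443/tcp open https\n", runner),
    ]
    chain, prev = [], GENESIS
    for command, output, runner_stmt in artifacts:
        chain.append(seal_record(command, output, runner_stmt, prev))
        prev = chain[-1]["evidence_seal"]
    return chain, artifacts

if __name__ == "__main__":
    print(verify_chain(*build_demo()))  # intact chain
```

A hash chain like this only proves internal consistency: whoever holds the whole chain can rebuild it from the first record. Independent verification therefore also needs the newest seal signed or published somewhere the auditor can fetch it without relying on the party that produced the chain.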

Built for three situations.

SOC2 CC7.1

Vanta gap — vuln-scan evidence missing

Your Vanta implementation covers access reviews, change management, and HR controls. CC7 needs continuous vulnerability scan evidence. Drop this in as the scanning module and avoid the last-minute scramble when your auditor asks for scan history you don't have.

PCI DSS 11.3

Pass your QSA on the first request

Quarterly internal and external scans are mandatory. Signed, QSA-acceptable evidence records — scheduled automatically, exported in the format your assessment firm expects, with a verifiable chain your QSA can independently confirm.

MSP platform

Add scanning revenue without headcount

White-labeled dashboards, per-client isolation, API integration for your PSA or RMM. Add scanning-as-a-service to your offering without standing up your own scanning infrastructure.

Targets, not scan counts.

Signed evidence starts at Team — it's the core value, not a premium add-on.

Free
$0
1 target
  • 10 scans / month
  • 7-day retention
  • Community support

Solo
$79 /mo
5 targets
  • 100 scans / month
  • 30-day retention
  • CSV export
  • Email support

Team (most popular)
$399 /mo
25 targets
  • 1,000 scans / month
  • 90-day retention
  • Signed evidence — hash chain + JSON export
  • PCI DSS 11.3 · SOC2 CC7.1
  • API access
  • Email + Slack support

Business
$1,499 /mo
100 targets
  • 10,000 scans / month
  • 1-year retention
  • Signed evidence + auditor PDF
  • All frameworks (PCI · SOC2 · HIPAA · CMMC L2)
  • Unlimited API access
  • Priority support — 4hr SLA

Enterprise (SSO · on-prem · white-label · custom SLAs) — talk to us after Business.

First signed evidence record in under 10 minutes.

One target, free, no credit card. See the artifact your auditor would actually receive.
