FAQ
Frequently Asked Questions
Everything you need to know about VigilFlux — the AI-powered security scanner built for startups, indie hackers, and small dev teams. Pricing, features, GitHub/GitLab integration, and how it compares to other tools.
What is the best AI security scanner for startups in 2026?
VigilFlux is built specifically for startups and indie hackers who need automated security testing without a dedicated security team. It deploys 7 AI-powered agents — port scanning, subdomain enumeration, technology fingerprinting, SQL injection, XSS, Nuclei, and Nikto — in an intelligent pipeline that adapts to your app's tech stack. The free tier includes 3 scans per month with all 7 agents. Setup takes under 5 minutes, no credit card required.
How do I test my web app for security vulnerabilities?
Add your domain in VigilFlux, verify ownership (DNS TXT record, HTML meta tag, or file upload), then launch a scan. VigilFlux runs port scanning, subdomain discovery, technology fingerprinting, SQL injection testing, XSS testing, and CVE checks in parallel using 7 AI agents. Results include a 0–100 risk score, severity-ranked findings, and actionable fix recommendations. For production apps, the default safe mode avoids destructive testing.
How much does VigilFlux cost?
VigilFlux has two pricing models. Pay Per Scan: buy credit packs starting at $25 for 5 scans ($5/scan) or $45 for 10 scans ($4.50/scan) — credits never expire. Subscription: Free plan (3 scans/month, 1 domain, 3 GitHub repos), Pro at $29/month or $278/year (30 scans/month, 5 domains, unlimited GitHub repos, priority queue, PDF/JSON export, scheduled scans), and Enterprise with custom pricing (unlimited scans, SSO/SAML, dedicated security engineer, SLA). All plans include all 7 AI agents.
How does VigilFlux compare to Snyk, Semgrep, CodeQL, and Aikido?
VigilFlux is the only tool that combines SAST, DAST, network scanning, and AI-powered exploit verification in a single platform starting at $0/month. Snyk starts at $25/dev/month (minimum 5 devs) but has no DAST or network scanning. GitHub CodeQL is free for public repos but GitHub-only and SAST-only. Semgrep starts at $40/contributor/month with no DAST. Aikido starts at ~$250/month for 10 users. GitLab SAST requires Ultimate at ~$99/user/month. See the comparison table below for the full breakdown.
What types of vulnerabilities does VigilFlux detect?
VigilFlux tests for SQL injection, cross-site scripting (XSS), open ports and exposed services, outdated software with known CVEs, server misconfigurations, default credentials, directory traversal, SSRF, and more. The Nuclei agent alone covers thousands of community-maintained vulnerability templates. With white-box scanning enabled, VigilFlux also analyzes your source code for authentication bypasses, hardcoded secrets, and insecure database queries.
How does VigilFlux work?
VigilFlux deploys 7 AI-powered security agents in a coordinated pipeline. First, 3 reconnaissance agents (port scanner, subdomain enumerator, technology fingerprinter) run in parallel to map your attack surface. An AI supervisor powered by Claude analyzes the recon results and routes to the relevant specialist agents (SQL injection, XSS, Nuclei, Nikto) for targeted testing. If white-box mode is enabled, a code indexer analyzes your source code before scanning. Finally, an exploit verifier attempts to confirm findings with proof-of-exploit evidence. Results are aggregated into a scored security report.
What is white-box scanning and how does it work?
White-box scanning gives VigilFlux access to your source code for deeper analysis. When you provide a repository URL, the code indexer agent performs a shallow clone and extracts routes, authentication patterns, and database queries using regex and AI summarization. This context is fed to the scanning agents so they can target real endpoints and test actual code paths instead of guessing. White-box mode is available on all plans and significantly reduces false positives.
What is exploit verification (proof-of-exploit)?
Unlike most scanners that only flag potential vulnerabilities, VigilFlux includes an exploit verifier agent that attempts to confirm each finding is actually exploitable. It generates safe payloads, fires them against your application, and records the response as proof. Verified findings include a PoC curl command and response snippet. This eliminates false positives and gives you confidence that flagged issues are real, not theoretical.
Does VigilFlux offer AI-generated fix suggestions?
Yes. For every vulnerability found during a PR scan, VigilFlux generates AI-powered fix suggestions using Claude. Fixes are posted as inline code suggestions directly in your GitHub pull request or GitLab merge request — you can apply them with one click. Pro plans include up to 5 AI fix suggestions per scan. You can also use the /vigilflux fix command to generate a full remediation pull request.
Can I integrate VigilFlux with GitHub Actions and GitLab CI/CD?
Yes. Install the VigilFlux GitHub App to automatically scan every pull request for vulnerabilities — findings appear as inline PR comments with severity ratings and fix suggestions. For GitLab, connect via OAuth to scan merge requests. Both integrations support the /vigilflux fix command for one-click remediation PRs. Pro and Enterprise plans include API tokens for custom CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins), allowing you to trigger scans programmatically and gate deployments on security results.
Is VigilFlux safe to use on production websites?
Yes. VigilFlux requires domain ownership verification before scanning, preventing unauthorized use. Scan aggression levels are configurable — the default safe mode avoids destructive testing. The AI supervisor filters out potentially dangerous test cases that could impact availability. Exploit verification uses safe, non-destructive payloads designed to confirm vulnerabilities without causing damage.
Can I scan any website with VigilFlux?
No. You can only scan domains you own and have verified through one of three methods: DNS TXT record, HTML meta tag, or file upload verification. This ensures ethical scanning practices and prevents abuse. VigilFlux is designed for testing your own applications, not for unauthorized scanning of third-party sites.
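Ownership verification is the control that stops a scanner from being pointed at someone else's site, so the three methods listed above deserve careful checking logic. The following is an added illustration, not VigilFlux's own code: it assumes a hypothetical record/tag name `vigilflux-verification` and a constructed token, and it shows two details that matter in practice, exact rather than substring token matching and accepting an HTML meta tag only from `<head>` (a tag injected into the body by user-generated content must not count).

```python
import hmac
from html.parser import HTMLParser

# Assumed names for the TXT record key and meta tag (hypothetical, not VigilFlux's real values).
TXT_KEY = "vigilflux-verification"
META_NAME = "vigilflux-verification"


def _match(candidate: str, expected: str) -> bool:
    """Exact, constant-time comparison; a token with extra suffix/prefix must not pass."""
    return hmac.compare_digest(candidate.encode(), expected.encode())


class _HeadMetaParser(HTMLParser):
    """Collects META_NAME tag contents that appear inside <head> only."""

    def __init__(self) -> None:
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.tokens: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":  # an unclosed <head> still ends where the body starts
            self.in_head, self.head_done = False, True
        elif tag == "meta" and self.in_head:
            a = dict(attrs)
            if a.get("name") == META_NAME and a.get("content"):
                self.tokens.append(a["content"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_done = False, True


def verify_dns_txt(txt_records: list[str], expected_token: str) -> bool:
    """Method 1: a TXT record of the form 'vigilflux-verification=<token>' (constructed format)."""
    for rec in txt_records:
        key, _, value = rec.partition("=")
        if key.strip() == TXT_KEY and _match(value.strip(), expected_token):
            return True
    return False


def verify_html_meta(html: str, expected_token: str) -> bool:
    """Method 2: meta tag in the document <head>; body-placed tags are ignored."""
    parser = _HeadMetaParser()
    parser.feed(html)
    return any(_match(t, expected_token) for t in parser.tokens)


def verify_file(body: str, expected_token: str) -> bool:
    """Method 3: uploaded file whose entire content is the token (surrounding whitespace allowed)."""
    return _match(body.strip(), expected_token)
```

A scanner should also treat the result as time-limited and re-check before each scan, since domains change hands.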
What is the VigilFlux risk score?
The risk score is a 0–100 health score where 100 means no vulnerabilities found and 0 means critical issues detected. It is calculated based on the number, severity, and type of findings. Scores are categorized as: Safe (90–100), Low Risk (70–89), Medium Risk (40–69), High Risk (20–39), and Critical (0–19). The score updates in real time as agents complete their scans.
How long does a VigilFlux scan take?
A quick scan completes in under 5 minutes. Full scans with all agents enabled typically take 10–20 minutes depending on the size of your application, number of endpoints, and subdomains discovered during reconnaissance. White-box scans with exploit verification may take slightly longer due to the additional code analysis and payload verification steps.
Does VigilFlux replace manual penetration testing?
VigilFlux complements manual penetration testing by providing continuous, automated coverage. It excels at finding known vulnerability patterns quickly and affordably — a single scan covers what would take a manual pentester hours. For high-security applications, we recommend using VigilFlux for continuous monitoring alongside periodic manual pentesting for business logic flaws and complex attack chain analysis.
What is the difference between pay-per-scan credits and a subscription?
Pay-per-scan credits are ideal for indie hackers and small teams who scan occasionally — buy 5 credits for $25 or 10 for $45, and they never expire. Subscriptions are better for teams scanning regularly — the Pro plan at $29/month includes 30 scans, 5 domains, scheduled recurring scans, and priority support. Both options include all 7 AI agents and the full feature set. The free tier (3 scans/month) requires no payment at all.
VigilFlux vs Other Security Scanners
How VigilFlux compares to Snyk, GitHub CodeQL, GitLab SAST, SonarCloud, Semgrep, and Aikido on pricing, features, and integrations for startups in 2026.
| Feature | VigilFlux | Snyk | GitHub CodeQL | GitLab SAST | SonarCloud | Semgrep | Aikido |
|---|---|---|---|---|---|---|---|
| Free tier | 3 scans/mo, 1 domain | Limited (test caps) | Public repos only | No (Ultimate only) | 50K LOC, 5 users | OSS engine free | 2 users, 10 repos |
| Paid from | $5/scan or $29/mo | $25/dev/mo (min 5) | $30/committer/mo | ~$99/user/mo | LOC-based | $40/contributor/mo | ~$250/mo (10 users) |
| Pricing model | Flat rate or credits | Per developer | Per committer | Per user | Per LOC | Per contributor | Per user |
| GitHub integration | Bot + CI/CD + API | Bot + CI | Native | No | CI check | PR comments | Yes |
| GitLab integration | Bot + CI/CD + API | Yes | No | Native | CI check | MR discussions | Yes |
| SAST (code analysis) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DAST (dynamic scanning) | Yes (multi-agent) | No | No | Yes (basic) | No | No | Yes |
| Network scanning | Yes (nmap, subdomain) | No | No | No | No | No | No |
| AI fix suggestions | Yes (inline PR) | Yes (Agent Fix) | Yes (Copilot Autofix) | Yes (Duo add-on) | Yes (AI CodeFix) | Yes (Assistant) | Yes (AutoFix) |
| Exploit verification | Yes (proof-of-exploit) | No | No | No | No | No | No |
| One-click fix PRs | Yes | No | Yes (Autofix) | Yes (Duo) | No | No | No |
| Best for | Startups, indie hackers | Mid-size to enterprise | GitHub-only teams | Enterprise | Code quality focus | Developer-first teams | Startups, SMBs |
Last updated: March 2026. Pricing and features based on publicly available information.