The world's most advanced web vulnerability scanner

Find vulnerabilities before hackers do

Heyhack Scan continuously scans and tests your web application to find web security vulnerabilities and help you patch them before they are exploited.

Customize scans to suit your flow

Heyhack Scan is based on a strong set of default settings learned from millions of scans of a large variety of different web apps. This means that you don't have to configure anything whatsoever in order for Heyhack Scan to test your web application. 💪

Though, if you need to, you can change all of the settings that Heyhack relies on—including what browser to use for scanning (Chrome or Firefox), the User-Agent header, the frequency of scanning, the paths to include/ignore, the test cases Heyhack should run, and many others.

You decide whether to run Heyhack on your production site and/or to scan your staging site before approving a release. Heyhack is highly configurable and offers simple APIs that you can call from your CI/CD pipeline to fully control when and how Heyhack should conduct scans.

Support for multiple users

The number 1 vulnerability in web applications as of 2021 is Broken Access Control. In order to test for Broken Access Control issues, you can provide the credentials of one or more users.

Whether your web app is protected by your own authentication system, an identity service like Auth0, or a third-party identity provider such as Google Workspace or Microsoft Azure Active Directory, you can configure Heyhack to log in as one or more users during scanning.

Heyhack can scan everything behind your login page and intelligently maintains user sessions throughout long scanning procedures without accidentally logging out. Doing so lets Heyhack test whether users can bypass access control checks, elevate their privileges, view or edit another user's data, manipulate metadata, and more.

Support for all kinds of web apps ✌️

Web development in 2022 is rather advanced and modern web apps make use of complex JavaScript frameworks such as React, Angular, or Vue to provide rich experiences to users. Heyhack is platform-independent and supports all types of web apps.

Headless Chrome/Firefox

Heyhack uses headless Chrome and/or Firefox to interact with your web app just like users (and hackers) would.

Real user simulation

Rather than programmatically invoking functionality, Heyhack interacts with elements like real users do.

React, Angular, and Vue

Heyhack supports every single JavaScript frontend framework out there, incl. React, Angular, and Vue.js.

Configurable schedules

Configure Heyhack to run periodically (daily, weekly, or monthly) and/or as a part of your CI/CD pipeline.

Multiple test modes

Run either full tests or light tests. Full tests include injection attacks, while light tests only test for issues passively.

Detect and attack

When scanning, Heyhack does not only detect vulnerabilities. It also attempts to exploit them to assess their severity (CVSS 3.1).


Heyhack monitors lists of vulnerabilities published by CWE and OWASP to stay current with actual threats.

Vulnerability hashing

When a vulnerability has been found, Heyhack generates a unique hash for the finding so you can track it across scans.

Start your first automated penetration test today

Sign up for a free trial of Heyhack and start your first penetration test within a matter of minutes. You can also book a demo session with one of our security experts, who will help you get started.