AppCheck was designed from the ground up to emulate the process of a professional penetration tester to ensure maximum coverage and accuracy

AppCheck takes a first principles approach to application vulnerability detection, and therefore is not bound to any platform or signature database.

Rather than use a database of static signatures, AppCheck approaches each test in the same way a hacker or penetration tester would and applies a testing methodology. The vast majority of application security flaws, such as SQL Injection and Cross-Site Scripting arise from insecure processing of input supplied by the client. AppCheck adopts a first principals approach when testing each input by examining the original expected value and the servers response when the value is modified. By adopting this methodology, AppCheck is able to determine how data may be being processed by the server and can then dynamically evolve each test to identify vulnerabilities. This approach results in more accurate testing and allows AppCheck to identify security flaws that may be masked by security filters and Intrusion Prevention Systems (IPS), but could still be exploited by a real-world attacker.

Start your free trial

Crawling and content discovery crawling

The AppCheck crawling engine uses a combination of application modelling techniques and subtle heuristical cues to automatically discover the complete attack surface of any given application in the shortest time possible. The algorithms are designed to model how a penetration tester or attacker would explore the application, utilising visual cues and ruling out equivalent instances of the attack surface if they have already been explored.

All of this means that for each target discovered we know its state at discovery and how to re-create that state to later attack it; and because the scanner is behaving in a more human way, it opens up attack vectors that are inaccessible to less sophisticated crawlers.

How our intelligent crawling works

Identify identical components

An ecommerce application may have several thousand product pages, with each one implementing the same code path within the application. AppCheck identifies these cases and avoids wasting time on identical components.

Identify & replicate behaviour

The application may have components that need to be accessed in a specific sequence, for example, navigating from a product page through a shopping basket flow. AppCheck is able to identify this behaviour and ensure the complete process is followed for each vulnerability check.

Choose a layer to explore

OSINT / Intelligence Gathering

Using multiple Open-Source Intelligence (OSINT) to gather information that can be seeded into the assessment process.


During the discovery phase, the scanner consults multiple open-source intelligence databases to learn as much about the target
system as possible. For example, host names registered to the target IP address, web components indexed by search engines, and
historical network data. Data that is in scope for the scan is then seeded into the scan configuration.

Gateway Layer

Scanning systems such as firewalls, remote access, and management solutions to identify security flaws.


AppCheck uses multiple dedicated infrastructure scanners to identify vulnerabilities on each accessible network device. The scan
begins by port scanning each IP address within the scope to identify accessible services. Each identified service is then probed for
vulnerabilities using tens of thousands of checks.

Network Delivery & Presentation Layer

Identifying vulnerabilities within hosting infrastructure used to manage and optimise network traffic to web application servers.


AppCheck combines infrastructure scanning with web application build review check to analyse the flow of data from the scanning
node to the target system. Identified systems are checked for known vulnerabilities using a regularly updated vulnerability database
that combines well know sources such as the National Vulnerability Database (NVD) with our own internally maintained vulnerability

Application Framework, CMS, and Hosting Layer

Identifying vulnerabilities within Application Frameworks such as ASP .NET, PHP, NodeJS, Java, Apache Tomcat/Struts, Spring,
WebLogic, Django, Ruby on Rails and many more.


The AppCheck Web Application scanning engine includes dedicated scanners for a wide range of popular CMS systems and
Application Servers and Frameworks. Each scanner is integrated with the Dynamic Security Testing engine so that it can be deployed
in the correct way as applicable systems are identified during web crawling and discovery.
Checks for known vulnerabilities, such as those with a CVE identifier, are deployed in the same way and are regularly updated based
via AppCheck’s own vulnerability database and several community driven vulnerability feeds (updated daily).
By integrating platform checks within the web application scanning engine, components enumerated during this phase can be passed
forward into other scanning layers for further scanning. For example, CMS plugins enumerated during forced browsing checks can
then be passed to the DAST scanning engine to discover previously undisclosed vulnerabilities (0day).

Application Code / Input Processing (DAST)

Detecting security flaws within application code through Dynamic Application Security Testing (DAST).


For each URL configured with the scan, AppCheck performs online reconnaissance to gather information pertaining to the site
that is publicly available in search engines and other online indexing services. Next AppCheck will map out the application using
a sophisticated crawling engine. The crawler combines traditional web scraping with a browser-based crawler which implements
artificial intelligence to mimic typical application user behaviour.

The “Mapped Attack Surface” enumerated during the initial phases of the scan is then subject to methodical security testing. Typically,
the assessment process works by taking each user supplied data component, such as a form field of query string parameter, then
modifies it to include a specific test case before submitting it to the server.

Cloud and Third-Party Trust Layer

Identify third-party components and trust relationships and identify vulnerabilities that arise through the use of vulnerable
components and Cloud Service configuration vulnerabilities.


AppCheck audits all third-party trust relationships for subdomain takeover and related flaws.
AppCheck Identifies known vulnerabilities within deployed JavaScript libraries.
AppCheck assesses Amazon Simple Storage Service (S3) buckets for misconfigurations. This includes insecure permissions and bucket
takeover vulnerabilities.
Some vulnerabilities such as Server-Side Request Forgery (SSRF) can have a greater impact when hosted within a cloud environment.
AppCheck includes several cloud specific checks to detect and safely exploit vulnerabilities in cloud systems.
AppCheck identifies JavaScript malware, Card Skimmers and Crypto Mining software. It will also provide a domain report of third-party
software including domain age, geolocation and susceptibility to domain takeover.

Open source intelligence gathering

Whilst the AppCheck crawling engine does an excellent job of enumerating the visible attack surface, it can sometimes be the hidden components that are the Achilles’ heel.

Temporary components such as micro-sites and marketing landing pages can become forgotten and unmaintained. These no-longer linked components may hide a critical security flaw and therefore it is important we test every component an attacker may target. AppCheck queries search engines such as Google and other online indexing services to gather a list of URLS both past and present to factor into the attack discovery phase.

Our approach to testing

Web Application scans can be started in just a few seconds by entering a list of URLs into the AppCheck user interface and either selecting one of our extensive pre-configured profiles or by building your own scan configuration. Once started, AppCheck combines open source intelligence gathering and a sophisticated browser based crawling engine to identify application components that could be vulnerable to attack.

Application Scanning

For each URL configured with the scan, AppCheck performs online reconnaissance to gather information pertaining to the site that is publicly available in search engines and other online indexing services.

Next AppCheck will map out the application using a sophisticated crawling engine. The crawler combines traditional web scraping with a browser-based crawler which implements artificial intelligence to mimic typical application user behaviour.

The “Mapped Attack Surface” enumerated during the initial phases of the scan, is then subject to methodical security testing. Typically, the assessment process works by taking each user supplied data component, such as a form field of query string parameter, then modifies it to include a specific test case before submitting it to the server. Based on the applications response, further test cases are then submitted through the same method to confirm the vulnerability.

Common vulnerabilities detected during the web application scan include; Injection flaws such as SQL, NoSQL, XML, Code, and Command injection, Cross-Site Scripting and hundreds of other vulnerability classes arising from insecure code.

Infrastructure scanning

In this context, “Infrastructure” includes all components that are not covered within the application scanning phase. The infrastructure scan beings by port scanning each host to identified accessible services. Each service is then probed for vulnerabilities such as missing security patches, configuration weaknesses and information disclosure vulnerabilities.

Common vulnerabilities detected during the infrastructure scanning phase include; missing operating system patches, weak administrative passwords and access control vulnerabilities.

If the target system is hosted within Amazon Web Services, Google Cloud or Azure, specific configuration assessment modules are launched to identify common configuration weaknesses.


At completion, AppCheck provides a detailed report listing the potential impact, a technical narrative detailing how the flaw was detected and detailed remediation advice. Where possible, proof of concept examples are provided so that the flaw can be easily recreated and demonstrated to the relevant stakeholders.

Users can either manage all vulnerabilities through the vulnerability management dashboard, or at the click of a button download custom filtered results and view via HTML, Docx or CSV. AppCheck includes a simple JSON data API for retrieving, aggregating, processing and reporting raw vulnerability data for use in third party applications.

Additionally, multiple (unlimited) user accounts can be created to allow team collaboration. AppCheck includes workflow management allowing you to assign and prioritise each vulnerability’s remediation to nominated members of your team.

AppCheck at Frost and Sullivan

We tested multiple DAST solutions and AppCheck stood out as the tool to tick all of the boxes. We needed a scanner that allowed simple yet granular configuration, a dashboard that enabled multiple departments to manage any discovered vulnerabilities, would give us great vulnerability detection coverage and that came within our budget. AppCheck did this and more and their support team offer useful guidance on getting the best out of the tool, as well as keeping us updated with the latest threats and security news.

Dan, European IT Director
AppCheck at ESP Group

When we compared AppCheck against a team of manual penetration testers, AppCheck identified all of the same vulnerabilities, plus an additional three critical vulnerabilities and did so in under half the time. This demonstrated how advanced AppCheck was as a web application security scanner and how cost effective it is compared with manual testing. We see AppCheck being a long term tool in our security management system.

James, Network Security Technician
AppCheck at The Royal College of Emergency Medicine

We have worked with AppCheck for over 3 years and in that time we have found Appcheck personnel to be professional and knowledgeable. The system is very easy to use and penetration testing is decisive with results produced in a very precise format that is visibly and textually informative.

Pam, IT Manager
AppCheck at Cartrefi Cymuneol Gwynedd (Adra)

AppCheck has taken the stress out of penetration testing, gone are the weeks of liaising with vendors and honing scan profiles to produce a once a year report, regular automated scheduled scans means we can relax while AppCheck does the heavy lifting.

Richard, Infrastructure Manager
AppCheck at Saint Gobain

We are very pleased to have AppCheck as part of our toolkit and it plays a key role in securing our 90+ websites. It has become a fundamental part of our website deployment process, with all new releases being scanned prior to going live which has enabled us to identify zero day vulnerabilities and delay releases until they have been resolved. AppCheck is very easy to use, with the reports generated being very easy to read and interpret, enabling us to be able to forward vulnerabilities on to our various development teams and partners for a swift resolution. The best thing is that I know we have only scratched the surface in terms of AppCheck’s capabilities, yet already it has proved to be a valuable addition so hopefully we can continue to get more out of the platform.

Jason, IS Security Officer & Integration Manager
AppCheck at Queens University Belfast

The main benefit of Appcheck for us is the speed with which we can spin up a test. The application compares well with manual testing and indeed has found significant vulnerabilities on a number of occasions. The reports are well structured and ready for presentation to senior management with minimal editing.

Chris, Data Security Manager
AppCheck at East Ayrshire Council

We use AppCheck as part of our security strategy, due to its ease of use and clear and concise reporting functions. Compared to manual pen-testing we find AppCheck much easier and more cost effective and feel confident vulnerabilities are being picked up all year round. Their support team are always on hand for any queries we may have. I would definitely recommend AppCheck if you're looking for a market leading solution that covers all bases.

Ian, ICT Security Manager
AppCheck at Leeds Credit Union

Leeds Credit Union have been using AppCheck’s services for some time now and we have found their staff to be friendly and very helpful in getting the product to do exactly what we want. The process is quite straight forward and the staff at AppCheck are always eager to answer any questions we may have. We have tried other products that have been way more expensive as well as onsite penetration testing but found that AppCheck easily beat them both in terms of costs, depth of coverage and the ability to re-test at no extra cost when any vulnerabilities are resolved. We would have absolutely no problem in recommending them to any company.

IT Manager
AppCheck at University of Derby

In short the AppCheck penetration security tool has eased our security woes considerably and made us into happy people! We trust the beautiful reports it produces which are comprehensive yet concise, which enables us to prioritise and actioning the identified vulnerabilities is a breeze. The impressive penetration solution is cloud-hosted offering zero-day protection, and is easy to use with a good user-friendly interface. The support, when required, have all been knowledgeable, professional and resolve calls in a timely manner. You can probably tell we like AppCheck!

Sandra, Business Systems Manager
AppCheck at BVG Group

Appcheck is an essential part of our security planning. Simple to use and easy to get started, but scratch the surface and the depth of the service quickly becomes apparent. After using the product for a number of years, I don’t think I’d be comfortable without it. The results are very accurate even when compared to manual penetration testing. The team are fantastic, always available and listen to requirements and suggestions. Penetration testing is no longer the headache it was and I’m definitely sleeping easier at night!

Simon, Head of Group IT
AppCheck at The Health Informatics Service

We needed an all-encompassing testing solution providing maximum coverage across our services. AppCheck’s ability to schedule assessments has enabled us to run regular repeated scans giving us peace of mind that our Infrastructure is secure and our patient data is not compromised, with the benefit of rapid remediation and re-testing. One click reporting means we can instantly provide clear and concise information on our security posture in an easy to read format which is able to be digested by all departments and stakeholders across multiple services within both our own organisation and our customer base. The support offered is second to none, not that this is needed often. The platform is so easy to use and once potential vulnerabilities are found the simple remediation advice means we can resolve them quickly. We took the time to review multiple platforms and found AppCheck to be the most cost-effective, especially when compared to the potential fines now in place for data breaches. In short, AppCheck enables us to take a pro-active approach to security testing and gives us the comfort in knowing our systems are being constantly monitored.

Jason, IT Security Manager
AppCheck at Cantarus Digital Agency

I highly recommend this for anyone not currently using automated vulnerability scanning – or is not confident they’re using a best-in-class solution as part of their strategy.

Lee, CEO

Put us to the test.
Try AppCheck for free.

No software to download or install.
Contact us or call us 0113 887 8380
Start your free trial