How Vezraa Works
A step-by-step walkthrough of how Vezraa scans, analyzes, and reports on your application's production readiness. From submitting a URL to receiving a prioritized fix plan with AI-generated remediation.
Step 1: Submit Your URL
Start by pasting any public-facing URL into the Vezraa scan input. No sign-up, no credit card, no credentials required. You can scan a production URL, staging environment, or even a local development URL if it's publicly accessible. Vezraa accepts standard HTTP and HTTPS URLs. The platform is designed to be zero-friction — the first scan result is ready in under 30 seconds, giving you immediate insight into your application's security posture without any setup overhead.
Step 2: Scan Execution
Once submitted, Vezraa orchestrates a comprehensive analysis of your application. The scan engine dispatches multiple parallel probes to collect data across all 16 categories. It fetches your pages and analyzes the full HTTP response including security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), evaluates TLS configuration and certificate validity, renders your HTML in a headless browser to detect DOM-level vulnerabilities like XSS sinks and client-side injection points, extracts and inspects JavaScript bundles for embedded API keys, database URLs, and hardcoded secrets, checks DNS records including SPF, DKIM, and DMARC for email security, probes public API endpoints for CORS misconfiguration and proper HTTP method handling, and analyzes rendered content for accessibility violations, SEO gaps, and legal compliance signals. Each check is documented with evidence, severity classification, and remediation guidance.
Step 3: Results Review
Scan results are presented in a dashboard organized by severity and category. The summary view shows your overall production readiness score (0–100), a breakdown by category, and the total number of findings at each severity level. Each finding includes the exact issue detected, evidence (the specific header, code snippet, or response that triggered the check), an impact assessment explaining why the issue matters for production, and a ready-to-use fix prompt designed to be pasted directly into AI coding tools like Cursor, Claude, or Lovable. The dashboard also includes a historical comparison view that shows how your score has changed over time, making it easy to track improvement and detect regressions.
Step 4: Autonomous Pentesting (Optional)
For deeper security analysis, enable autonomous AI pentesting from the scan report. With explicit user consent, Vezraa dispatches an AI agent that actively probes your application. The agent follows the VAPF 6-phase methodology: mapping the full attack surface, enumerating vulnerabilities, constructing multi-step attack chains, executing real exploit attempts, verifying each finding with proof-of-concept evidence, and flagging complex findings for human review. This is the step where Vezraa goes beyond passive scanning to actively validate whether vulnerabilities are actually exploitable. Results include reproduction scripts and exact HTTP request/response pairs so your team can independently verify each finding.
Step 5: Fix & Re-scan
After applying fixes — either manually or using the AI-generated fix prompts — re-scan your application to verify the issues are resolved. Vezraa compares the new scan results against the previous scan and shows which findings have been fixed, which remain open, and whether any new issues have been introduced. Continuous monitoring subscribers receive automatic weekly re-scans with email notifications when new issues are detected or when previously reported issues have been resolved. This creates a closed feedback loop: scan, fix, verify, monitor.
Architecture Overview
Vezraa runs on a serverless architecture with the scan engine deployed as a Cloudflare Worker for edge-level execution. When a scan is initiated, the request is routed to the scanner engine which orchestrates the scan across multiple specialized modules. The scanner evaluates 2,100+ automated checks organized into 80+ modular check files covering security, performance, SEO, accessibility, AI safety, payments, email, legal, infrastructure, breach history, supply chain, authentication, API design, mobile readiness, and documentation. Results are stored in a Neon PostgreSQL database with Prisma ORM, and the dashboard is served through Next.js 15 with the App Router. Authentication is handled through Supabase Auth with support for email magic links, Google OAuth, and GitHub OAuth. The platform uses Upstash Redis for rate limiting and queue management, ensuring reliable scan execution even under high load.
What Happens During a Scan
When you initiate a scan, Vezraa executes the following sequence: DNS resolution and record analysis (A, AAAA, MX, TXT, SPF, DKIM, DMARC), HTTP request to the target URL with response header capture, TLS certificate chain validation, HTML document parsing and structure analysis, JavaScript bundle extraction and secret scanning, headless browser rendering for DOM-level analysis, public route discovery through link crawling and sitemap parsing, Core Web Vitals measurement if the page is publicly accessible, third-party resource enumeration and supply chain analysis, and breach database lookup for the domain and associated emails. Each step produces structured findings that feed into the scoring algorithm, which calculates the category-level and overall production readiness score based on weighted severity deductions.
Ready to see how your app scores?
Start Free Scan →