Getting started
Is it safe to scan my domain? Will it cause downtime?
Yes, it is safe. Olimpio runs passive, non-destructive checks only. We do not attempt to exploit anything we find, and our scans are rate-limited to avoid placing meaningful load on your services. In normal circumstances a scan will not cause downtime or affect performance.
Will my hosting provider or WAF flag the scan?
Possibly. Some aggressive web application firewalls rate-limit or block scanner traffic. If this happens you may see fewer findings than expected — not false positives. If your host flags the activity, you can point them to this page as documentation of what the scan does.
What is the difference between Standard and Deep scan?
Standard scans the 1,000 most common TCP ports and runs our core template set. Deep scans the top 5,000 ports and adds CVE-tagged vulnerability templates. Deep mode is available on the Professional plan and takes longer — typically 15–30 minutes vs 10–15 for Standard.
Scanning
Can I scan an IP address instead of a domain?
Yes. Enter a bare IP address as your scan target. You will get port and service coverage but no DNS hygiene results — SPF, DMARC, DKIM and other email security checks require a domain name and are skipped for IP targets.
Why did my IP scan return no findings?
A few reasons. If the IP belongs to a cloud provider (Google Cloud, AWS, Cloudflare), their network perimeter absorbs most scanner traffic before it reaches your service. If the IP has a WAF or DDoS protection in front of it, findings will be limited. For full coverage, scan the associated domain name instead.
Can I scan multiple domains?
Essential accounts scan one domain at a time with up to 4 scans per month. Professional accounts have unlimited scans and can schedule up to 3 domains on automatic weekly or monthly schedules.
How many subdomains do you scan?
Up to 20 subdomains per scan. We discover subdomains from three sources — a common prefix wordlist, passive DNS enumeration, and certificate transparency logs — then scan the first 20 found. Large organisations with many subdomains may see partial coverage.
Results
What does the security score mean?
The security score is a number from 0 to 100 representing your external security posture at the time of the scan. Higher is better. A score of 90–100 is Excellent, 70–89 is Good, 50–69 is Fair, below 50 is Poor.
How is the security score calculated?
Each open finding reduces the score based on severity: Critical −25, High −10, Medium −4, Low −1. The score is clamped at a minimum of 0. Informational findings do not affect the score.
What does "persisting issues" mean in the scan email?
Persisting issues are findings that were present in your previous scan and are still present in the latest one. They have not been resolved. New issues are findings that did not exist in the previous scan.
How do I know if a fix worked?
Run a new scan after making a change. If the finding no longer appears, it has been resolved. The scan diff in your results email will show it as resolved. The remediation tracking page on Essential and Professional plans also tracks which findings have been marked fixed and confirmed by a subsequent scan.
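The scoring rule and the scan diff described in the answers above, worked through as an added Python example (not Olimpio's own code). It assumes the score starts at 100 before deductions and that a finding is matched across scans by host and check name; the sample findings are constructed.

```python
# Added example: not Olimpio's code. Weights and grade bands are from the FAQ;
# the starting value of 100 and the (host, check) finding key are assumptions.
WEIGHTS = {"critical": 25, "high": 10, "medium": 4, "low": 1, "info": 0}
BANDS = [(90, "Excellent"), (70, "Good"), (50, "Fair"), (0, "Poor")]


def score(findings):
    """Subtract the severity weight of each open finding, clamped at 0."""
    total = sum(WEIGHTS[f["severity"]] for f in findings)
    return max(0, 100 - total)


def grade(value):
    """Map a 0-100 score to the band named in the FAQ."""
    return next(label for floor, label in BANDS if value >= floor)


def key(finding):
    # Assumed identity of a finding across scans: same host and same check.
    return (finding["host"], finding["check"])


def diff(previous, latest):
    """Classify findings as new, persisting or resolved between two scans."""
    prev, cur = {key(f) for f in previous}, {key(f) for f in latest}
    return {
        "new": sorted(cur - prev),
        "persisting": sorted(cur & prev),
        "resolved": sorted(prev - cur),
    }


# Constructed sample data (not real scan output).
PREVIOUS = [
    {"host": "example.test", "check": "dmarc-missing", "severity": "medium"},
    {"host": "example.test", "check": "exposed-env-file", "severity": "critical"},
    {"host": "mail.example.test", "check": "open-port-3306", "severity": "high"},
    {"host": "example.test", "check": "server-banner", "severity": "info"},
]
LATEST = [
    {"host": "example.test", "check": "dmarc-missing", "severity": "medium"},
    {"host": "example.test", "check": "server-banner", "severity": "info"},
    {"host": "example.test", "check": "missing-hsts", "severity": "low"},
]

if __name__ == "__main__":
    for name, scan in (("previous", PREVIOUS), ("latest", LATEST)):
        print(name, score(scan), grade(score(scan)))
    print(diff(PREVIOUS, LATEST))
```

Fixing the Critical and High findings moves the sample from 61 (Fair) to 95 (Excellent), while the unresolved Medium finding shows up as persisting.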
Cyber Essentials
What is Cyber Essentials and why does it matter?
Cyber Essentials is a UK government-backed security certification scheme. It defines five baseline security controls that organisations should have in place. Many UK government contracts and insurance policies require Cyber Essentials certification. Olimpio maps every finding to the relevant CE control so you can see exactly where your gaps are before going through certification.
How does Olimpio help with Cyber Essentials certification?
Olimpio identifies external security gaps that would be flagged during a Cyber Essentials assessment — exposed ports, missing security headers, weak email authentication, and outdated software. Fixing these findings before your assessment improves your chances of passing. Olimpio does not conduct or guarantee the outcome of a Cyber Essentials assessment.
Features
Can I schedule automatic scans?
Yes, on Essential and Professional plans. Essential accounts can schedule one monthly scan. Professional accounts can schedule up to three scans on weekly or monthly schedules. You will receive an email after each scheduled scan comparing results to the previous scan.
How many scheduled scans can I have?
Essential: 1 scheduled scan, monthly frequency only. Professional: up to 3 scheduled scans, weekly or monthly frequency.
How do I set up the Secrets feature?
Go to the Secrets page and click Configure. You will need a GitHub Personal Access Token with read access to the repositories you want to scan. Once connected, run an exposure scan to check your repositories and domain for exposed credentials. The Secrets feature is available on the Professional plan only.
What is the difference between scan findings and the Secrets feature?
Every scan automatically checks for exposed secret files — .env files, .git/config, database dumps — sitting publicly accessible on your web server. The Secrets feature is separate and requires setup. It searches your GitHub repositories for actual credential values (API keys, tokens, connection strings) using pattern matching, and checks your domain for exposed files. Think of the scan as checking your front door, and Secrets as checking inside your codebase.
Can I share my results with a client or insurer?
Yes, in two ways. You can generate a clean PDF report from the Reports page and share it directly. You can also generate a shareable scorecard link from the Findings page — a read-only public URL showing your score, grade, and severity counts without exposing specific finding details.
Account
Does Olimpio replace a penetration test?
No. Olimpio is automated external reconnaissance and misconfiguration detection. A penetration test involves a human security professional actively attempting to exploit vulnerabilities, test business logic, and assess internal systems. Olimpio is a continuous monitoring tool that gives you visibility into your external attack surface — it works best alongside, not instead of, periodic penetration testing.
Is my data safe?
Scan findings are stored securely in an encrypted database. PDF reports are stored in private cloud storage and accessed via time-limited signed URLs. We never store full secret values — only masked versions showing the first and last four characters. All data is processed and stored in compliance with UK GDPR. You can delete your account and all associated data at any time from Settings.