// FREE · LOCAL · NO ACCOUNT · AI OPTIONAL

One local scanner for the whole pen test — and it verifies every finding.

Point NewScan at a target you're authorized to test. It sweeps the engagement (APIs, web apps, network and infrastructure, Wi-Fi, and segmentation), then re-runs every hit to confirm it's real before it reports it. A live console explains every step, and results ship as SARIF, Markdown, or JSON with a CI gate. Pen testers cover more in less time; internal teams verify their coverage or run their own pen test, and the human keeps the final call on every finding.

  • One tool, five surfaces — API, web, network, Wi-Fi, and segmentation, results shared across modes.
  • Verified findings — re-run and confirmed, so you chase what's real, not false positives.
  • No account to run — a quick sign-in gets you the download, then it runs on your box; your traffic and keys never leave it.
  • AI optional, BYOK — runs fully deterministic with no key, or add OpenAI / Anthropic / Gemini / Ollama for deeper reach.

// GET NEWSCAN — FREE


Sign in once to get the download; the sign-in is there only to keep bots and spam out. The source is private (there is no public repo), so a quick SSO sign-in is how the build is handed out. It is not an account to run the tool: NewScan runs locally on your own box with nothing to log into, and your traffic and keys never leave it. Only scan systems you own or are authorized to test; NewScan is scope-locked to the target you give it.

Overview

// free · local · verifies every finding

NewScan is a free, self-hosted scanner that sweeps your whole engagement — APIs, web apps, network & infrastructure, Wi-Fi, and segmentation — and re-runs every hit to confirm it's real before reporting it. A deterministic floor runs with no key; an optional AI layer (BYOK) goes deeper. Everything runs on your box.

  • Completely free to self-host — no license, seat fees, or demo call.
  • Local-first — target traffic, findings, and AI keys never leave your machine.
  • Zero false positives by design — every finding is re-run and confirmed before it's recorded.
  • AI optional, BYOK — fully deterministic with no key; add OpenAI / Anthropic / Gemini / Ollama for deeper reach.
  • CI-ready — SARIF 2.1.0 plus a severity exit-code gate for any pipeline.
  • Compliance-calibrated — one score mapped to PCI DSS, SOC 2, ISO 27001, HITRUST, and FedRAMP.
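What the "severity exit-code gate" bullet means in practice, as an added example that is not NewScan's own code: a short gate that reads a SARIF 2.1.0 report and fails the pipeline when any result is at or above a chosen level. It assumes the report uses the standard SARIF `results[].level` values (`error`, `warning`, `note`, `none`); NewScan's actual level mapping, rule ids and exit-code rule are not documented on this page, so the sample report and the threshold logic below are constructed.

```python
"""Severity gate over a SARIF 2.1.0 report (added example, not NewScan's own code).

Assumes `runs[].results[].level` carries the standard SARIF values. The sample
document below is constructed to stand in for report.sarif; the rule ids are ours.
"""
import json
import sys

# Rank SARIF levels so a threshold can be compared numerically (our mapping).
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF 2.1.0 document standing in for report.sarif.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "BOLA", "shortDescription": {"text": "Broken object level authorization"}},
            {"id": "SSRF", "shortDescription": {"text": "Server-side request forgery"}},
            {"id": "HDR-CSP", "shortDescription": {"text": "Missing Content-Security-Policy"}},
        ]}},
        "results": [
            {"ruleId": "BOLA", "level": "error",
             "message": {"text": "/v2/users/{id} returns other users' records"}},
            {"ruleId": "SSRF", "level": "error",
             "message": {"text": "/v2/webhooks fetches an attacker-supplied URL"}},
            {"ruleId": "HDR-CSP", "level": "note",
             "message": {"text": "No Content-Security-Policy header on /"}},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every run's results into (ruleId, level, message) tuples."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    out = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            # SARIF defaults a missing level to "warning" when the rule sets none
            # (simplified here: rule-level defaultConfiguration is not consulted).
            level = r.get("level", "warning")
            out.append((r.get("ruleId", "?"), level, r.get("message", {}).get("text", "")))
    return out


def gate(sarif_text, fail_on="error"):
    """Return (exit_code, blocking_results): 1 if any result is at or above fail_on."""
    threshold = LEVEL_RANK[fail_on]
    blocking = [r for r in load_results(sarif_text)
                if LEVEL_RANK.get(r[1], LEVEL_RANK["warning"]) >= threshold]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    # Usage: python sarif_gate.py report.sarif [error|warning|note]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, hits = gate(text, sys.argv[2] if len(sys.argv) > 2 else "error")
    for rule, level, msg in hits:
        print(f"{level.upper():8} {rule:10} {msg}")
    print(f"gate: {'FAIL' if code else 'PASS'} (exit {code})")
    sys.exit(code)
```

Run it as the last step of a CI job after the scan writes `report.sarif`; the non-zero exit is what blocks the merge. Unknown levels are treated as `warning` rather than silently passed, so a malformed result can only make the gate stricter.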
newscan — console · live
$ newscan https://acme.internal
[net   ] 12 live hosts · TLS 1.0 on :8443 · SMBv1 on .14
[recon ] 42 endpoints · 3 undocumented (API9)
[think ] /v2/users/{id} looks like an object ref
[fuzz  ] swapping id → 1001, 1002, 1003 …
[verify] re-running with victim token…
[✓ FIND] BOLA · /v2/users/{id}      HIGH
[✓ FIND] SSRF · /v2/webhooks        CRIT
[drop  ] /login broken-access → false positive
→ 3 confirmed · 0 false positives
→ report.sarif · gate: FAIL (exit 1)

Verification is the whole point — what ships is a confirmed finding.
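The console above shows the shape of that verification for BOLA: swap the id, then re-run with the victim's token before anything is recorded. The following is an added example of that differential check, written here to illustrate the idea; it is not NewScan's verification engine. Four constructed in-memory backends stand in for a target API (the user store, token strings and endpoint behaviours are all assumptions), including two that return 200 for every id and would fool a status-code-only fuzzer.

```python
"""Differential check that turns a BOLA/IDOR candidate into a confirmed finding.

Added example, not NewScan's verification engine. A fuzzer that gets HTTP 200 after
swapping the id in /v2/users/{id} has a candidate, not a finding: the confirmation
step fetches the same object with the victim's own token and compares bodies.
"""
import json

# Constructed user store; tokens are opaque bearer strings mapped to user ids.
USERS = {
    1000: {"id": 1000, "email": "attacker@example.test", "role": "user"},
    1001: {"id": 1001, "email": "victim@example.test", "role": "user"},
}
TOKENS = {"tok-attacker": 1000, "tok-victim": 1001}


def vulnerable_api(token, user_id):
    """No ownership check: any valid token reads any user (true BOLA)."""
    if token not in TOKENS:
        return 401, ""
    rec = USERS.get(user_id)
    return (200, json.dumps(rec)) if rec else (404, "")


def safe_api(token, user_id):
    """Ownership enforced: 403 unless the token belongs to the requested user."""
    if token not in TOKENS:
        return 401, ""
    if TOKENS[token] != user_id:
        return 403, ""
    return 200, json.dumps(USERS[user_id])


def self_api(token, user_id):
    """Ignores the path id and always returns the caller's own record with 200."""
    if token not in TOKENS:
        return 401, ""
    return 200, json.dumps(USERS[TOKENS[token]])


def static_api(token, user_id):
    """Returns the same generic 200 body for every id and every token."""
    return (200, '{"status":"ok"}') if token in TOKENS else (401, "")


def verify_bola(api, attacker_token, victim_token, victim_id):
    """Return (confirmed, reason).

    Confirmed only when the attacker's request returns the victim's object exactly
    as the victim sees it, and that object differs from the attacker's own record,
    which rules out endpoints that answer 200 for any id without using it.
    """
    truth_status, truth_body = api(victim_token, victim_id)
    if truth_status != 200:
        return False, "victim token cannot fetch its own object; no ground truth"

    own_status, own_body = api(attacker_token, TOKENS[attacker_token])
    cross_status, cross_body = api(attacker_token, victim_id)

    if cross_status != 200:
        return False, f"cross-tenant read denied ({cross_status})"
    if cross_body != truth_body:
        return False, "200 but body is not the victim's object (generic or redacted)"
    if own_status == 200 and cross_body == own_body:
        return False, "same body as attacker's own record; path id is ignored"
    return True, "attacker token returned the victim's object byte-for-byte"


if __name__ == "__main__":
    backends = [("vulnerable", vulnerable_api), ("safe", safe_api),
                ("self", self_api), ("static", static_api)]
    for name, api in backends:
        ok, why = verify_bola(api, "tok-attacker", "tok-victim", 1001)
        tag = "[✓ FIND]" if ok else "[drop  ]"
        print(f"{tag} {name:10} BOLA /v2/users/1001 : {why}")
```

The ground-truth fetch with the victim's own token is what makes the check honest: without it, a 200 from the attacker's side proves only that the endpoint answered, not that it leaked. The two decoy backends are dropped at the body comparison, which is the "false positive" line in the console.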

Scan types

// five surfaces, one tool

API

REST · GraphQL · gRPC · SOAP · MCP · WebSocket

WEB

SPA crawl (Playwright) · XSS · SSTI · CSRF

NETWORK

hosts · ports · TLS · DNS · SMB/SNMP · CVE

WI-FI

nearby networks & posture

SEGMENTATION

cross-VLAN reachability · PCI CDE

Findings are shared across modes — a network scan hands discovered web services straight to the API scanner, so nothing falls between tools.

Detections covered

// high level · OWASP API / Web / LLM Top 10

ACCESS CONTROL

BOLA / IDOR · function-level · business-flow abuse

AUTHENTICATION

JWT inspection · weak-secret cracking

INJECTION

SQLi · cmdi · SSTI · XSS · NoSQL · XXE

SSRF

server-side request forgery

DATA EXPOSURE

secrets / PII · mass assignment (BOPLA)

NETWORK & INFRA

TLS / cert · DNS & email · SMB/SNMP · CVE cross-ref

AI / LLM

LLM01 prompt injection · MCP tool poisoning

Plus open redirect, CRLF, security-header & CORS checks, file-upload and cloud-storage exposure, and cross-finding attack-chain correlation. Out-of-band classes (blind SSRF, OOB SQLi/XXE, blind XSS) unlock with the optional paid pack.
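The "JWT inspection · weak-secret cracking" item under Authentication is one of the few detections a reader can reproduce by hand. Below is an added example of that check, not NewScan's cracker: it recomputes the HS256 signature over `header.payload` for each candidate secret and reports a match, then shows why the match matters by minting an elevated token. The token, wordlist and claims are constructed here; the strong token is signed with a random key so the same wordlist fails on it.

```python
"""Weak-secret check for HS256 JWTs (added example; not NewScan's cracker).

For each candidate secret, recompute HMAC-SHA256 over `header.payload` and compare
with the token's signature. A hit means the signing key is guessable, and anyone
holding it can forge tokens the server will accept.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (used here only to build test tokens)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def claims(token: str) -> dict:
    """Decode the payload without verifying it (inspection only)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, candidates):
    """Return the matching secret, or None. Only HS256 tokens are attempted."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{body_b64}".encode()
    sig = b64url_decode(sig_b64)
    for cand in candidates:
        guess = hmac.new(cand.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, sig):
            return cand
    return None


def forge_admin(token: str, secret: str) -> str:
    """Once the secret is known, re-sign the same claims with role elevated."""
    elevated = dict(claims(token), role="admin")
    return sign_hs256(elevated, secret.encode())


# Constructed: a short wordlist, a token signed with one of its entries, and a
# token signed with a random 32-byte key that the wordlist cannot recover.
WORDLIST = ["password", "changeme", "secret", "jwt-secret", "admin123"]
WEAK_TOKEN = sign_hs256({"sub": "1001", "role": "user"}, b"secret")
STRONG_TOKEN = sign_hs256({"sub": "1001", "role": "user"}, secrets.token_bytes(32))

if __name__ == "__main__":
    for name, tok in (("weak", WEAK_TOKEN), ("strong", STRONG_TOKEN)):
        hit = crack_hs256(tok, WORDLIST)
        print(f"{name:6} token: {'secret = ' + repr(hit) if hit else 'no match in wordlist'}")
    print("forged claims:", claims(forge_admin(WEAK_TOKEN, "secret")))
```

In a real engagement the wordlist is large and the check is offline, so it costs the target nothing; the finding is the recovered secret, and the forged token is the proof that it is exploitable rather than merely weak.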

Protocols

// tested natively, not just REST

REST

HTTP / HTTPS APIs

OpenAPI / Postman / HAR import · full injection & auth testing

GRAPHQL

Dedicated GraphQL pack

engine fingerprinting · introspection abuse · batching / DoS · CSRF & injection

gRPC

HTTP/2 + protobuf

reflection discovery · mTLS transport audit · per-field fuzzing

WEBSOCKET

Live channel testing

CSWSH (cross-site WebSocket hijacking) · origin validation · authenticated message-level fuzzing

MCP

AI tool servers

tool poisoning · unauthenticated exposure · indirect prompt injection

SOAP

Auto-detected

classified by content-type / WSDL, tested through the injection engine

Authentication schemes

// scan authenticated, as a real user

BEARER / JWT

bare tokens get the Bearer prefix added automatically; JWTs are inspected for weak signing

API KEY

custom header (default X-API-Key) on every request

HTTP BASIC

username:password, Base64-encoded into the Authorization header

OAUTH2

client-credentials and resource-owner password grants; the token is fetched and attached to every request automatically

FORM / SPA LOGIN

API login or browser-driven (Playwright) session capture

HMAC SIGNING

per-request HMAC-SHA256/512 with a shared secret

On the roadmap: session cookie · mTLS client certificates · OAuth2 authorization-code + PKCE.
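Of the schemes above, HMAC signing is the one where both sides have to agree on more than a header name: what gets signed, how the timestamp is checked, and how the comparison is done. The following is an added example of a per-request signer and its server-side verifier; it is not NewScan's or any vendor's wire format. The canonical string (method, path, timestamp, SHA-256 of the body), the header names and the five-minute replay window are all assumptions chosen for the example.

```python
"""Per-request HMAC signing and verification (added example; the canonical string,
header names and replay window are assumptions, not NewScan's wire format).

Client: sign METHOD\nPATH\nTIMESTAMP\nSHA256(body) with the shared secret and send
the signature and timestamp as headers. Server: rebuild the same string, compare in
constant time, and reject stale timestamps so a captured request cannot be replayed.
"""
import hashlib
import hmac
import time

SECRET = b"shared-secret-from-the-engagement"   # constructed
ALGOS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def canonical(method, path, ts, body: bytes) -> bytes:
    """The exact bytes both sides MAC; any divergence here is a signature mismatch."""
    return "\n".join([method.upper(), path, str(ts), hashlib.sha256(body).hexdigest()]).encode()


def sign(method, path, body: bytes, secret=SECRET, ts=None, algo="sha256"):
    """Return the headers to attach to one outgoing request."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(secret, canonical(method, path, ts, body), ALGOS[algo]).hexdigest()
    return {"X-Timestamp": str(ts), "X-Signature": f"{algo}={mac}"}


def verify(method, path, body: bytes, headers, secret=SECRET, now=None, skew=300):
    """Return (ok, reason). Order matters: cheap checks first, MAC last."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        algo, their_mac = headers["X-Signature"].split("=", 1)
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    if algo not in ALGOS:
        return False, f"unsupported algorithm {algo!r}"
    if abs(now - ts) > skew:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical(method, path, ts, body), ALGOS[algo]).hexdigest()
    if not hmac.compare_digest(expected, their_mac):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"id":1001}'
    hdrs = sign("POST", "/v2/users", body)
    print(hdrs)
    print(verify("POST", "/v2/users", body, hdrs))
    print(verify("POST", "/v2/users", b'{"id":1002}', hdrs))   # body tampered
```

The body hash inside the canonical string is what ties the signature to the payload; a scanner that fuzzes the body must re-sign every mutated request, which is why "per-request" in the list above matters. The replay window is a property of the server, not the signature, and is the check most often missing.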

Paid upgrade

// optional · everything local stays free

A whole class of bugs, the blind ones, never shows up in any response the scanner can see: the payload runs, but its only visible effect is a request the target makes somewhere else, sometimes much later. Confirming them means making the target call back to a listener you control. Everything NewScan verifies in-band stays fully local and free; the optional Out-of-Band Detections Pack is the NewNormal-hosted listener that triggers and verifies the rest end to end. Only the callback interactions touch the hosted service; your target traffic, findings, and AI keys still never leave your machine. This is the one capability that needs an account; the scanner itself never does.

// NEWSCAN

The scanner

  • Download to your laptop or repo — one license per user
  • No limit on targets analyzed
  • Every in-band detection, including AI — no tier gating

PRICING

Free

Get NewScan (FREE) →

// OUT-OF-BAND DETECTIONS PACK

The hosted listener

  • NewNormal-hosted service paired with one NewScan instance
  • One detector pack per license
  • No limit on use within the license period

PRICING

One-month license: $495
One-year license (paid up front): $1,985

Enterprise licenses available — contact sales for volume, multi-seat, and custom terms.

See pack details →

// OUT-OF-BAND CLASSES THE PACK UNLOCKS

Blind SSRF

HTTP / DNS callback confirmation

Out-of-band SQLi

DNS / HTTP exfil channels

Blind XSS

stored payload fires later, when an admin views the page, and calls the listener

OOB XXE

external-entity callback

DNS exfiltration

data-over-DNS detection

Email / SMTP spoofing

inbound message reception

NewScan correlates each callback to the request that triggered it and records a verified, true-positive finding.
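How a callback gets tied back to the one request that caused it is the part of out-of-band testing that turns "something hit my listener" into a finding. The following is an added example of that correlation, not the NewNormal-hosted listener: every injected payload carries a unique token as a subdomain label, so any DNS query or HTTP hit at the listener maps to exactly one request and parameter, and hits with no known token are discarded as internet noise. The listener zone, the event format and the two injected requests are constructed for the example.

```python
"""Correlating out-of-band callbacks to the requests that fired them.

Added example; not the NewNormal-hosted listener. The listener zone, event shape and
16-hex-character token format are assumptions. Each payload embeds a per-request
token as a subdomain label, so a DNS lookup or HTTP request seen by the listener can
be mapped back to one injected request. Events carrying no known token are noise.
"""
import re
import secrets
from dataclasses import dataclass, field

LISTENER_DOMAIN = "oob.example.test"   # assumption: the hosted listener's zone


@dataclass
class Injection:
    token: str
    vuln_class: str        # e.g. "blind-ssrf", "oob-xxe"
    method: str
    url: str
    param: str
    callbacks: list = field(default_factory=list)   # (proto, source ip) per hit


class OobCorrelator:
    def __init__(self, domain=LISTENER_DOMAIN):
        self.domain = domain
        self.by_token = {}      # token -> Injection
        # Callback hosts look like <16 hex>.<zone>; anything else is not ours.
        self._host_re = re.compile(rf"([0-9a-f]{{16}})\.{re.escape(domain)}")

    def new_payload_host(self, vuln_class, method, url, param):
        """Mint a unique callback host for one request/parameter and remember it."""
        token = secrets.token_hex(8)
        self.by_token[token] = Injection(token, vuln_class, method, url, param)
        return f"{token}.{self.domain}"

    def ingest(self, event):
        """event: {'proto': 'dns'|'http', 'host': str, 'src': ip}.
        Returns the matched Injection, or None for noise."""
        host = event.get("host", "").lower().rstrip(".")
        m = self._host_re.fullmatch(host)
        if not m:
            return None
        inj = self.by_token.get(m.group(1))
        if inj is None:
            return None
        inj.callbacks.append((event.get("proto"), event.get("src")))
        return inj

    def findings(self):
        """Only injections that produced at least one callback are reported."""
        return [i for i in self.by_token.values() if i.callbacks]


def demo():
    """Constructed run: two injections, four listener events, one verified finding."""
    c = OobCorrelator()
    ssrf_host = c.new_payload_host("blind-ssrf", "POST", "https://acme.internal/v2/webhooks", "url")
    c.new_payload_host("oob-xxe", "POST", "https://acme.internal/v2/import", "body")
    events = [
        {"proto": "dns", "host": ssrf_host, "src": "203.0.113.7"},      # resolver lookup
        {"proto": "http", "host": ssrf_host, "src": "203.0.113.7"},     # the fetch itself
        {"proto": "http", "host": "0123456789abcdef." + c.domain, "src": "198.51.100.9"},  # unknown token
        {"proto": "dns", "host": "www." + c.domain, "src": "198.51.100.9"},               # no token
    ]
    matched = [c.ingest(e) for e in events]
    return c, matched


if __name__ == "__main__":
    correlator, matched = demo()
    for inj in correlator.findings():
        kinds = sorted({p for p, _ in inj.callbacks})
        print(f"[✓ FIND] {inj.vuln_class} · {inj.method} {inj.url} param={inj.param} via {kinds}")
    print(f"{sum(m is None for m in matched)} noise events discarded")
```

Two details carry the weight: the token is random per request (so a finding cannot be spoofed by guessing the pattern), and an injection with no callback is simply absent from the report rather than reported as "maybe". A DNS-only hit is still a confirmation for blind SSRF, since the resolver lookup proves the target parsed and acted on the payload even when the HTTP fetch is blocked.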

▸ Get NewScan (FREE)

Already ran it? Tell us what to sharpen → · Want a say in what's next? Vote on the roadmap →