Detectify is a web application security platform that combines automated vulnerability scanning with crowdsourced intelligence from a global network of ethical hackers.
The platform identifies security vulnerabilities in web applications and provides External Attack Surface Management (EASM) to discover and monitor internet-facing assets.
What is Detectify?
Detectify stands apart from traditional DAST tools through its crowdsourced approach to vulnerability research.
Over 400 ethical hackers continuously contribute new vulnerability modules to the platform, with findings integrated within 15 minutes of validation.
This model keeps detection capabilities current with emerging threats rather than relying solely on in-house research teams.
Research submitted through the platform has led to the discovery of over 240,000 vulnerabilities across customer assets.
Key Features
Surface Monitoring
Surface Monitoring provides continuous visibility into your external attack surface.
The module discovers subdomains, identifies exposed services, and monitors for configuration changes that could introduce security risks.
It detects exposed files, sensitive data leakage, and infrastructure misconfigurations across all internet-facing assets.
Discovered Assets:
├── api.example.com (Active)
├── staging.example.com (Exposed credentials)
├── legacy.example.com (Outdated SSL)
└── internal-dev.example.com (Publicly accessible)
Application Scanning
The application scanner crawls and tests web applications for security vulnerabilities.
The crawler handles modern JavaScript frameworks including React, Angular, and Vue.js, exploring single-page applications that traditional scanners struggle with.
Key scanning capabilities:
- Advanced Crawling: Navigates complex application states and AJAX-heavy interfaces
- Fuzzing Engine: Discovers injection vulnerabilities through intelligent payload mutation
- Authenticated Scanning: Tests protected application areas using recorded login sequences, basic auth, or session cookies
- API Testing: Scans REST and GraphQL endpoints for security weaknesses
Crowdsource Community
The Crowdsource research network forms the foundation of Detectify’s detection capabilities.
Ethical hackers from around the world submit vulnerability modules through the Crowdsource platform, earning bounties for accepted research.
This community-driven approach provides several advantages:
- New vulnerability types detected within days of public disclosure
- Real-world attack techniques from active security researchers
- Continuous expansion of detection coverage without waiting for scheduled updates
Compliance and Reporting
Detectify generates reports mapped to compliance frameworks including PCI DSS, OWASP Top 10, and SOC 2.
Executive summaries provide a high-level view of security posture, while technical reports include detailed remediation guidance for development teams.
How to Use Detectify
Initial Setup
- Create a Detectify account and verify domain ownership
- Add scan profiles for your web applications
- Configure authentication settings for protected areas
- Schedule scans or run on-demand
Recording Login Sequences
For applications requiring authentication, record login flows using the browser extension:
// Example recorded sequence
1. Navigate to https://app.example.com/login
2. Enter username in #email field
3. Enter password in #password field
4. Click #login-button
5. Wait for dashboard redirect
API Integration
Detectify provides a REST API for programmatic access to scan management and results.
# Start a new scan
curl -X POST "https://api.detectify.com/rest/v2/scans/start" \
-H "X-Detectify-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"scan_profile_token": "abc123"}'
# Get scan status
curl "https://api.detectify.com/rest/v2/scans/abc123/status" \
-H "X-Detectify-Key: YOUR_API_KEY"
Integration
GitHub Actions
name: Detectify Security Scan
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1' # Weekly Monday 2 AM
jobs:
  security-scan:
    runs-on: ubuntu-latest
    env:
      # Secrets are passed through the environment rather than interpolated into the script
      DETECTIFY_API_KEY: ${{ secrets.DETECTIFY_API_KEY }}
      SCAN_TOKEN: ${{ secrets.DETECTIFY_SCAN_TOKEN }}
    steps:
      - name: Trigger Detectify Scan
        run: |
          curl -fsS -X POST "https://api.detectify.com/rest/v2/scans/start" \
            -H "X-Detectify-Key: $DETECTIFY_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{"scan_profile_token": "'"$SCAN_TOKEN"'"}'
      - name: Wait for scan completion
        run: |
          # Poll the status endpoint with the same profile token used to start the scan,
          # once a minute for at most an hour, so a stalled scan cannot hang the job forever
          for attempt in $(seq 1 60); do
            STATUS=$(curl -fsS "https://api.detectify.com/rest/v2/scans/$SCAN_TOKEN/status" \
              -H "X-Detectify-Key: $DETECTIFY_API_KEY" | jq -r '.status')
            if [ "$STATUS" = "completed" ]; then exit 0; fi
            sleep 60
          done
          echo "Scan did not complete within the polling window (last status: $STATUS)" >&2
          exit 1
GitLab CI
detectify-scan:
  stage: security
  script:
    - |
      # -fsS makes curl fail loudly on HTTP errors instead of piping an error page into jq
      SCAN_ID=$(curl -fsS -X POST "https://api.detectify.com/rest/v2/scans/start" \
        -H "X-Detectify-Key: $DETECTIFY_API_KEY" \
        -H "Content-Type: application/json" \
        -d '{"scan_profile_token": "'"$DETECTIFY_PROFILE"'"}' | jq -r '.scan_id')
      echo "Started scan: $SCAN_ID"
  only:
    - main
  allow_failure: true
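As an added example that is not Detectify's own code, here is the start-and-poll flow from the API Integration and CI sections above as a small Python client. The endpoint paths, header and request body follow the curl examples on this page; the JSON `status` field, the non-completed status values, and the injectable `request`, `clock` and `sleep` parameters are assumptions made here so the loop has a deadline and can be exercised offline.

```python
# Added example (not Detectify's own code): start a scan and wait for it from a CI job.
# Endpoint paths and the X-Detectify-Key header follow the curl examples on this page;
# the "status" field and the failure values below are assumptions, not documented API values.
import json
import os
import time
import urllib.request

API_BASE = "https://api.detectify.com/rest/v2"
TERMINAL_FAILURE = {"failed", "stopped", "cancelled"}  # assumed values


def api_request(method, path, api_key, body=None):
    """Send one authenticated request and return the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API_BASE + path, data=data, method=method,
        headers={"X-Detectify-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def start_scan(profile_token, api_key, request=api_request):
    """POST /scans/start with the scan profile token, as in the curl example."""
    return request("POST", "/scans/start", api_key, {"scan_profile_token": profile_token})


def wait_for_scan(profile_token, api_key, request=api_request, timeout=3600,
                  interval=60, sleep=time.sleep, clock=time.monotonic):
    """Poll GET /scans/<token>/status until the scan completes.

    Unlike an unbounded `while true` loop, this returns a definite outcome: it raises
    on an assumed failure status or when the deadline passes, so the CI job can never
    hang forever or silently treat a failed scan as a success."""
    deadline = clock() + timeout
    while True:
        status = request("GET", f"/scans/{profile_token}/status", api_key).get("status")
        if status == "completed":
            return status
        if status in TERMINAL_FAILURE:
            raise RuntimeError(f"scan ended with status {status!r}")
        if clock() >= deadline:
            raise TimeoutError(f"scan still {status!r} after {timeout}s")
        sleep(interval)


if __name__ == "__main__":
    key = os.environ["DETECTIFY_API_KEY"]          # never hard-code the API key
    profile = os.environ["DETECTIFY_SCAN_TOKEN"]
    start_scan(profile, key)
    print("scan", wait_for_scan(profile, key))
```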
When to Use Detectify
Detectify excels at external attack surface management and web application security testing for organizations that want access to cutting-edge vulnerability research.
The crowdsourced model provides faster coverage of emerging threats compared to vendors relying solely on internal research.
Consider Detectify when you need:
- Continuous monitoring of external assets and subdomains
- Detection of novel vulnerability types through crowdsourced research
- Testing of modern JavaScript-heavy web applications
- Compliance reporting for PCI DSS or SOC 2 audits
Organizations with large numbers of internal applications or those requiring agent-based testing may want to combine Detectify with complementary DAST or IAST tools.
The platform focuses on external-facing assets and may not suit teams primarily concerned with internal application security.
