Rwanda Law No. 60/2018 compliant · OWASP standards

Find vulnerabilities
before attackers do.

Professional VAPT platform for East African businesses — web, API, network, SSL scanning with AI-powered remediation. Built by Heptadev, Kigali.

Methodology

How a real VAPT engagement works

🔭
PHASE 01

Reconnaissance

OSINT gathering, DNS enumeration, subdomain discovery via certificate transparency logs, WHOIS analysis, and attack surface mapping.

Tools used
crt.sh
nmap
dig
whois
What we find

Exposed admin panels, forgotten subdomains, leaked credentials

Sample Output

Every finding, fully documented

CVSS score, evidence, and AI remediation in one view

CRITICAL · SQL Injection in /api/auth/login
CVSS 9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N
Status
OPEN
Discovered
2026-03-10 · 14:32 UTC
Description

The login endpoint is vulnerable to SQL injection via the username parameter. Payload ' OR SLEEP(5)-- confirmed a 5-second delay — unauthenticated database access possible.

Evidence
POST /api/auth/login HTTP/1.1
{ "email": "admin' OR SLEEP(5)--", "password": "x" }
→ Response delayed 5.02s — VULNERABLE
🤖 AI Remediation (Claude Opus 4.6)

Use parameterized queries: prisma.user.findUnique({ where: { email } }). Under Rwanda Law No. 60/2018 Article 14, failure to implement basic injection prevention is considered negligence.

Coverage

Your entire attack surface — covered

🌐 ZAP Engine
Web Application
OWASP Top 10 · XSS · SQLi · CSRF · Open Redirects · Security Headers
🔌 OpenAPI/GraphQL
API Security
REST & GraphQL · BOLA · Broken Auth · Mass Assignment · Rate Limiting
🔍 Nmap Engine
Network Scan
Open Ports · Service Versions · CVE Matching · Firewall Bypass
🔒 TLS Inspector
SSL/TLS Audit
Weak Ciphers · Certificate Validity · HSTS · Protocol Version
🗺️ crt.sh + DNS
Subdomain Discovery
DNS Brute-force · Cert Transparency · Takeover Risk · OSINT
⚙️ CI/CD Integration
DevSecOps
Secret Scanning · Dependency CVEs · Dockerfile Analysis · SBOM
Platform

Built for professionals, not amateurs

🤖
AI Remediation
Claude Opus 4.6 writes detailed, Rwanda-context-aware fix guidance for every finding.
⚖️
Law 60/2018 Compliant
Authorization doc upload required before every scan. Legal checkbox. 90-day data expiry.
🔐
Strict Multi-Tenancy
Your org's data is completely isolated — zero cross-tenant data leakage by architecture.
📄
PDF Reports
Executive summary + full technical report with CVSS scores, evidence, and remediation roadmap.
📡
Real-Time Progress
Live finding stream via Redis pub/sub — watch vulnerabilities appear as ZAP discovers them.
🔗
CI/CD Integration
Trigger scans from GitHub Actions or GitLab CI. Block deployments on critical findings.
⚖️ Legal Compliance

Scanning without authorization is illegal in Rwanda

Rwanda Law No. 60/2018 mandates written authorization before any security testing. Heptasec enforces this at code level — no authorization document, no scan.

Authorization PDF upload required before first scan
Law 60/2018 consent checkbox on every scan wizard
Reports auto-expire at 90 days (Law 058/2021)
Evidence purged — no personal data retained beyond 90 days
NCSA-aligned incident reporting workflow
Law No. 60/2018 · Prevention & Punishment of Cybercrime · Enforced
Law No. 058/2021 · Protection of Personal Data & Privacy · Enforced
OWASP Top 10 2021 · Web Application Security Standard · Enforced
OWASP API Top 10 · API Security Standard · Enforced
Pricing

Simple, transparent pricing

MTN MoMo accepted · Stripe for international customers

Free
$0
0 RWF / month
1 scan/month
1 user
PDF reports
Get started
Most popular
Starter
$49
~65,000 RWF / month
10 scans/month
3 users
PDF reports
AI remediation
Start free trial
Business
$149
~200,000 RWF / month
40 scans/month
10 users
PDF reports
AI remediation
CI/CD integration
Get Business
Enterprise
Custom
Contact us / month
Unlimited
Unlimited
PDF reports
AI remediation
CI/CD integration
Dedicated support
Contact sales
Get started today

Find your vulnerabilities
before attackers do.

Join authorized security professionals across East Africa. First scan free — no credit card required.