Heptasec — VAPT Platform for East Africa
Rwanda Law No. 60/2018 compliant · OWASP standards
Full SIEM · Threat Intelligence · ATT&CK Mapping

Find vulnerabilities
before attackers do.

Professional VAPT platform for East African businesses — web, API, network, SSL scanning with AI-powered remediation. Built by Heptadev, Kigali.

Recon & OSINT · Web/PT Scan · API Audit
Methodology

How a real VAPT engagement works

Click each phase to explore what Heptasec does under the hood

PHASE 01

Reconnaissance

OSINT gathering, DNS enumeration, subdomain discovery via certificate transparency logs, WHOIS analysis, and attack surface mapping.

Tools used
crt.sh
nmap
dig
whois
What we find

Exposed admin panels, forgotten subdomains, leaked credentials

Sample Output

Every finding, fully documented

CVSS score, evidence, and AI remediation in one view

CRITICAL · SQL Injection in /api/auth/login
CVSS 9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N
Status
OPEN
Discovered
2026-03-10 · 14:32 UTC
Description

The login endpoint is vulnerable to time-based blind SQL injection via the email parameter. The payload ' OR SLEEP(5)-- produced a 5-second delay, confirming that unauthenticated input reaches the database query; unauthenticated database access is therefore possible. Repeating the probe with a different delay value (for example SLEEP(10)) separates injection from ordinary network latency before the finding is rated Critical.

Evidence
POST /api/auth/login HTTP/1.1
{ "email": "admin' OR SLEEP(5)--", "password": "x" }
→ Response delayed 5.02s — VULNERABLE
AI Remediation (Claude Opus 4.6)

Use parameterized queries: prisma.user.findUnique({ where: { email } }). Under Rwanda Law No. 60/2018 Article 14, failure to implement basic injection prevention is considered negligence.
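As an added illustration of the finding above (example code written for this page, not Heptasec's scanner or the target application), here is the vulnerable string-built login query beside its parameterized fix, run against an in-memory SQLite table of constructed users. SQLite has no SLEEP(), so the payload is the boolean form of the same attack rather than the time-based probe in the report; the table layout, column names and placeholder hashes are assumptions.

```python
"""Vulnerable string-built login query beside its parameterized fix.

Added example, not Heptasec code. Uses an in-memory SQLite database with
constructed rows so it runs offline. SQLite lacks SLEEP(), so the payload
is a tautology instead of the report's time-based probe.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample user table; the "hashes" are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin@example.com', 'hash-admin')")
    conn.execute("INSERT INTO users VALUES (2, 'bob@example.com', 'hash-bob')")
    return conn


def vulnerable_login(conn, email: str, password_hash: str):
    # BUG (intentional): attacker-controlled text is spliced into the SQL string,
    # so a quote in `email` ends the literal and the rest is parsed as SQL.
    sql = (
        "SELECT id, email FROM users "
        f"WHERE email = '{email}' AND pw_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn, email: str, password_hash: str):
    # Parameterized: values travel separately from the statement, so the quote
    # and comment characters in the payload are matched as plain data.
    sql = "SELECT id, email FROM users WHERE email = ? AND pw_hash = ?"
    return conn.execute(sql, (email, password_hash)).fetchone()


def demo() -> dict:
    conn = build_db()
    # Same shape as the report's payload: close the string, add a tautology,
    # comment out the password check. (MySQL requires a space after "--".)
    payload = "admin@example.com' OR 1=1 -- "
    wrong_pw = "not-the-hash"
    return {
        "vulnerable": vulnerable_login(conn, payload, wrong_pw),   # admin row, no password
        "safe": safe_login(conn, payload, wrong_pw),               # None: no such email
        "legit": safe_login(conn, "bob@example.com", "hash-bob"),  # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the same one the remediation text gives for Prisma: the query shape is fixed at build time and every user-supplied value is bound as a parameter. Note that the vulnerable function returns a row without ever matching the password, which is exactly the authentication bypass the CVSS vector describes.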

Coverage

Your entire attack surface — covered


ZAP + Burp-compat
Web Application
OWASP ZAP active scan + Burp Suite-compatible — SQLi, XSS, CSRF, IDOR, clickjacking, missing security headers
Nmap + ZAP + Hydra
Penetration Test
Full PT: Nmap enumeration → ZAP exploitation → Gobuster dir scan → credential testing → brute-force. PoC included.
Nmap + NSE scripts
Network & CIDR Scan
Nmap service/version detection, OS fingerprinting, NSE vuln scripts — single IPs or full CIDR ranges (e.g. 192.168.1.0/24)
ZAP + OpenAPI
API Security
REST & GraphQL — BOLA, broken auth, mass assignment, rate limits, injection. OpenAPI/Swagger spec support.
GitHub API
GitHub Repository
GitHub API: secret scanning alerts, Dependabot CVEs, workflow security, branch protection, exposed .env commits
OpenSSL + testssl.sh
SSL/TLS Audit
Certificate validity, weak ciphers (RC4, DES, NULL), TLS 1.0/1.1, BEAST, POODLE, HSTS, OCSP stapling
Custom scripts
Credential Exposure
Default credential testing · exposed /.env & /wp-config.php · HaveIBeenPwned domain breach check · git credential leaks
crt.sh + DNS
Subdomain Discovery
DNS brute-force · certificate transparency (crt.sh) · subdomain takeover risk · OSINT recon
Semgrep + Trivy
DevSecOps
Semgrep SAST · Trivy CVEs · secret scanning · Dockerfile analysis · CI/CD pipeline audit · git history

All scans require written authorization — Rwanda Law No. 60/2018 compliant · Tools: Nmap · OWASP ZAP · Gobuster · Hydra · Semgrep · Trivy · GitHub API
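The certificate-transparency step in Phase 01 and the Subdomain Discovery card both rely on crt.sh. As an added example (not Heptasec code), the function below turns a crt.sh JSON response into a deduplicated, in-scope host list: it splits multi-name entries, lower-cases, strips trailing dots, records wildcard certificates separately, and rejects names that only look in-scope by prefix (example.com.cdn-partner.net is not a subdomain of example.com). The response is a constructed sample in the shape crt.sh returns for https://crt.sh/?q=%25.example.com&output=json; no live lookup is made.

```python
"""Turn a crt.sh JSON response into a deduplicated in-scope subdomain list.

Added example, not Heptasec code. SAMPLE_CRTSH_JSON is constructed; its
field names ("common_name", "name_value" with newline-separated names)
follow crt.sh's JSON output.
"""
import json

# Constructed sample response (no network access).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "Old-Admin.example.com",
     "name_value": "old-admin.example.com"},
    {"id": 4, "common_name": "staging.example.com",
     "name_value": "staging.example.com\nstaging.example.com.cdn-partner.net"},
    {"id": 5, "common_name": "shared-host.example.org",
     "name_value": "example.com\nshared-host.example.org"},
])


def extract_subdomains(crtsh_json: str, apex: str) -> dict:
    """Return {"hosts": [...], "wildcards": [...], "out_of_scope": [...]}, each sorted.

    Only names equal to the apex or ending in "." + apex are kept as hosts, so a
    name that merely starts with the apex (example.com.cdn-partner.net) is rejected.
    """
    apex = apex.lower().rstrip(".")
    hosts, wildcards, out_of_scope = set(), set(), set()
    for entry in json.loads(crtsh_json):
        names = set(entry.get("name_value", "").split("\n"))
        names.add(entry.get("common_name", ""))
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # A wildcard cert proves the zone exists, not any particular host:
                # record it separately and treat its base name as in scope.
                wildcards.add(name)
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
            else:
                out_of_scope.add(name)
    return {
        "hosts": sorted(hosts),
        "wildcards": sorted(wildcards),
        "out_of_scope": sorted(out_of_scope),
    }


if __name__ == "__main__":
    result = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    for host in result["hosts"]:
        print(host)
    print("wildcards:", result["wildcards"])
    print("out of scope:", result["out_of_scope"])
```

The out-of-scope bucket matters for the authorization requirement stated at the end of this section: a certificate can list names the client does not own (shared hosting, CDN aliases), and those must not be scanned just because they appeared alongside an in-scope name.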

Threat Intelligence

Know your enemy
before they strike

Live IOC feeds, MITRE ATT&CK mapping, and AI-powered enrichment — so your team acts on signal, not noise.

IOC Library
Ingest IPs, domains, hashes, CIDRs, user-agents from AbuseIPDB, AlienVault OTX, and Emerging Threats — auto-updated every 6 hours.
MITRE ATT&CK Mapping
Every detected threat is automatically mapped to ATT&CK techniques and tactics, so you can see your real-world coverage across the 14 Enterprise ATT&CK tactics.
Behavioral Analytics
Statistical baselines across 20 metrics. Z-score anomaly detection fires from day 1 — cold-start industry averages cover new orgs immediately.
OSINT Enrichment
Passive reconnaissance powered by Claude Opus — domain age, WHOIS, certificate history, geolocation, and reputation scoring.
Live Provider Feeds
VirusTotal, Shodan, GreyNoise, and AlienVault OTX queried in real time. AI synthesizes scores across providers into a single verdict.
Community Sharing
Share TLP:CLEAR IOCs (the TLP 2.0 name for TLP:WHITE) across the Heptasec network. Every org's telemetry strengthens defenses for the entire East African ecosystem.
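The Behavioral Analytics card above (and the Behavioral Anomaly Detection feature in the SIEM section, which adds a configurable threshold) describes z-score alerting with an industry-average cold-start baseline. As an added example, not Heptasec code, the detector below keeps a running mean and variance per metric with Welford's algorithm, scores each new value against the org's own baseline once it has enough samples (the MIN_SAMPLES cut-over is an assumption) and against a supplied industry baseline before that. The metric, its industry figures and the observations are constructed.

```python
"""Z-score anomaly detection with a cold-start baseline for new organisations.

Added example, not Heptasec code. Until an org has MIN_SAMPLES observations
of its own (assumed cut-over), scores use the industry baseline passed in,
so day-1 traffic can still alert. Values here are constructed.
"""
import math
from dataclasses import dataclass


@dataclass
class Baseline:
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0        # sum of squared deviations from the mean (Welford)

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class ZScoreDetector:
    MIN_SAMPLES = 30   # assumed: below this, fall back to the cold-start baseline

    def __init__(self, cold_start: dict, threshold: float = 3.0):
        # cold_start: {metric: (industry_mean, industry_std)}
        self.cold_start = cold_start
        self.threshold = threshold
        self.baselines: dict = {}

    def observe(self, metric: str, value: float) -> dict:
        """Score `value`, then fold it into the org's own baseline unless it alerted."""
        b = self.baselines.setdefault(metric, Baseline())
        if b.n >= self.MIN_SAMPLES and b.std > 0:
            mean, std, source = b.mean, b.std, "org"
        else:
            mean, std = self.cold_start[metric]
            source = "industry"
        # std == 0 means every past value was identical: any change is then
        # infinitely surprising, so cap instead of dividing by zero.
        z = (value - mean) / std if std > 0 else (math.inf if value != mean else 0.0)
        alert = abs(z) > self.threshold
        if not alert:
            # Anomalous values stay out of the baseline so one spike cannot mask the next.
            b.update(value)
        return {"metric": metric, "value": value, "z": z, "baseline": source, "alert": alert}


def demo() -> dict:
    det = ZScoreDetector({"failed_logins_per_hour": (12.0, 4.0)}, threshold=3.0)
    # Day 1, second observation ever: 60 failed logins/hour vs industry 12 +/- 4 -> z = 12.
    first = det.observe("failed_logins_per_hour", 10)
    spike = det.observe("failed_logins_per_hour", 60)
    # Thirty quiet hours later the org's own baseline (mean 10, std ~0.8) takes over,
    # and 25/hour, unremarkable by industry numbers, is an anomaly for this org.
    for i in range(30):
        det.observe("failed_logins_per_hour", 9 + (i % 3))   # 9, 10, 11 repeating
    own = det.observe("failed_logins_per_hour", 25)
    return {"first": first, "spike": spike, "own": own}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:6s} z={r['z']:6.2f} baseline={r['baseline']:8s} alert={r['alert']}")
```

Two design points worth carrying into any real deployment: the industry baseline is only a stand-in, so expect more false positives until the org's own statistics take over; and values that alert are excluded from the running baseline, otherwise a single brute-force hour would widen the variance and hide the next one.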
AlienVault OTX · AbuseIPDB · VirusTotal · Shodan · GreyNoise · Emerging Threats · MITRE ATT&CK
ATT&CK Tactic Coverage
Reconnaissance: 4
Resource Development: 2
Initial Access: 7
Execution: 3
Persistence: 5
Privilege Escalation: 2
Defense Evasion: 1
Credential Access: 6
Discovery: 4
Lateral Movement: 1
Collection: 3
Exfiltration: 2
SIEM & Threat Hunting

Full SIEM — hunt threats,
not false positives

Cross-event correlation, kill chain reconstruction, and AI-guided hunt campaigns built for security analysts.

20+
Behavioral metrics tracked
7
Kill chain stages modelled
37
MITRE techniques covered
< 1s
Correlation latency
Kill Chain Reconstruction · Live campaign
Stage 1/7: Reconnaissance
Passive + active OSINT, port scanning, subdomain enumeration

Threat Hunt Query (Sigma · regex · keyword)
# Hunt: Webshell Upload Attempt
title: Suspicious PHP File Upload via POST
logsource:
  category: webserver
detection:
  keywords: ['.php', 'multipart', '/upload']
  condition: keywords
✓ 3 matches found · 2 across 1 source IP · AI: "Likely webshell staging — investigate /tmp/uploads"
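One caveat a hunter should keep in mind about the query above: in Sigma a bare keyword list is matched with OR semantics, so '.php' on its own hits every PHP page view. As an added example (a deliberately small evaluator written for this page, not Heptasec's engine or the sigma CLI), the code below runs the page's rule and a tighter variant using Sigma's real `|contains|all` modifier over constructed web-server log lines, then summarises matches per source IP the way the hunt result does. The field name `message` for the raw log line is an assumption; the log lines are constructed, not captured.

```python
"""Evaluate the page's keyword hunt rule over constructed web-server log lines.

Added example, not Heptasec code and not a full Sigma implementation: it
handles a keyword list (OR) and a single selection on the raw message
with the `contains` / `contains|all` modifiers. Matching is
case-insensitive, as in Sigma.
"""
import re
from collections import Counter

# Constructed access-log lines, source IP first (combined log format).
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Mar/2026:14:30:01 +0000] "POST /upload HTTP/1.1" 200 512 "-" "curl/8.5" multipart/form-data; filename="shell.php"',
    '203.0.113.7 - - [10/Mar/2026:14:30:09 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.5"',
    '198.51.100.4 - - [10/Mar/2026:14:31:15 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:14:31:20 +0000] "POST /upload HTTP/1.1" 200 300 "-" "Mozilla/5.0" multipart/form-data; filename="report.pdf"',
    '192.0.2.9 - - [10/Mar/2026:14:32:44 +0000] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

# Shape of the rule on the page: a keyword list means "any of these".
KEYWORD_RULE = {
    "title": "Suspicious PHP File Upload via POST",
    "detection": {"keywords": [".php", "multipart", "/upload"], "condition": "keywords"},
}

# Tighter form: Sigma's `|contains|all` requires every listed value to appear.
TIGHT_RULE = {
    "title": "PHP upload with multipart body",
    "detection": {
        "selection": {"message|contains|all": [".php", "multipart", "/upload"]},
        "condition": "selection",
    },
}

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")


def _line_matches(rule: dict, line: str) -> bool:
    det = rule["detection"]
    cond = det["condition"]
    haystack = line.lower()
    if cond == "keywords":
        return any(kw.lower() in haystack for kw in det["keywords"])
    for field_expr, values in det[cond].items():
        field, *mods = field_expr.split("|")
        if field != "message":   # assumption: only the raw line is available here
            raise ValueError("this toy evaluator only matches the raw message")
        vals = values if isinstance(values, list) else [values]
        hits = [v.lower() in haystack for v in vals]
        if ("all" in mods and not all(hits)) or ("all" not in mods and not any(hits)):
            return False
    return True


def hunt(rule: dict, lines) -> dict:
    """Return the match count and per-source-IP counts, like the hunt summary above."""
    per_ip = Counter()
    for line in lines:
        if _line_matches(rule, line):
            m = IP_RE.match(line)
            per_ip[m.group(1) if m else "unknown"] += 1
    return {"matches": sum(per_ip.values()), "per_ip": dict(per_ip)}


if __name__ == "__main__":
    print("keyword rule:", hunt(KEYWORD_RULE, SAMPLE_LOGS))
    print("tight rule:  ", hunt(TIGHT_RULE, SAMPLE_LOGS))
```

On the sample lines the OR rule fires four times, including a legitimate index.php view and a PDF upload, while the `contains|all` form fires once, on the multipart POST of shell.php. The follow-up GET that executes the shell is caught by neither as written, which is why a hunt plan pairs the upload rule with a second query for requests into the upload directory.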
Cross-Event Correlation
Threat events from the same source IP are automatically grouped into campaigns within a 24-hour window. The kill chain stage is advanced as new TTPs are detected.
Behavioral Anomaly Detection
Z-score analysis fires alerts when any metric deviates beyond your configurable threshold. New organizations get day-1 detection via industry-average cold-start baselines.
AI-Powered Hunt Campaigns
Describe a threat hypothesis — Claude Opus builds a full hunt plan with Sigma rules, query targets, and success criteria. Results are auto-analyzed for significance.
MITRE ATT&CK Auto-Tagging
Every ThreatEvent and campaign is tagged with ATT&CK technique IDs. The heatmap shows observed vs. undetected techniques so you can close coverage gaps.
Real-Time Threat Stream
Redis pub/sub delivers IOC matches, anomalies, and campaign escalations to your dashboard in under a second. No polling — true real-time.
Campaign Auto-Resolution
Stale campaigns (48h no activity) are automatically resolved. AI generates a final attacker profile at key milestones — 3, 5, 10, and 20 events.
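The Cross-Event Correlation, MITRE ATT&CK Auto-Tagging and Campaign Auto-Resolution features above describe one state machine: events from a source IP join its open campaign if they arrive within 24 hours of the last one, the kill-chain stage only moves forward, a profile milestone fires at 3, 5, 10 and 20 events, and a campaign idle for 48 hours is resolved. As an added example (not Heptasec's implementation), the correlator below encodes exactly those rules. The page names only stage 1 of 7 (Reconnaissance); the other six names here follow the Lockheed Martin Cyber Kill Chain and are an assumption, as is the idea that the detector assigns each event a stage. The events are constructed.

```python
"""Correlate ThreatEvents per source IP into campaigns and track kill-chain stage.

Added example, not Heptasec code. Rules from the page: 24 h grouping
window per source IP, stage advances only, attacker-profile milestones at
3/5/10/20 events, resolution after 48 h idle. Stage names 2-7 are assumed
(Lockheed Martin Cyber Kill Chain); events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STAGES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command & Control", "Actions on Objectives"]
GROUP_WINDOW = timedelta(hours=24)
STALE_AFTER = timedelta(hours=48)
PROFILE_MILESTONES = {3, 5, 10, 20}


@dataclass
class ThreatEvent:
    ts: datetime
    src_ip: str
    technique: str   # ATT&CK technique ID, e.g. "T1595"
    stage: int       # 1-based index into STAGES, assigned by the detector (assumption)


@dataclass
class Campaign:
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    stage: int = 1
    techniques: set = field(default_factory=set)
    events: int = 0
    profiles: list = field(default_factory=list)   # event counts at which a profile was generated
    resolved: bool = False

    @property
    def stage_name(self) -> str:
        return STAGES[self.stage - 1]


class Correlator:
    def __init__(self):
        self.open: dict = {}      # one open campaign per source IP
        self.closed: list = []

    def ingest(self, ev: ThreatEvent) -> Campaign:
        c = self.open.get(ev.src_ip)
        if c is None or ev.ts - c.last_seen > GROUP_WINDOW:
            if c is not None:
                self._close(c)    # outside the 24 h window: previous campaign ends
            c = Campaign(ev.src_ip, ev.ts, ev.ts)
            self.open[ev.src_ip] = c
        c.last_seen = max(c.last_seen, ev.ts)
        c.events += 1
        c.techniques.add(ev.technique)
        c.stage = max(c.stage, ev.stage)        # the kill chain only moves forward
        if c.events in PROFILE_MILESTONES:
            c.profiles.append(c.events)         # where the AI attacker profile would run
        return c

    def sweep(self, now: datetime) -> list:
        """Resolve campaigns idle for 48 h; return the ones resolved by this sweep."""
        stale = [c for c in self.open.values() if now - c.last_seen >= STALE_AFTER]
        for c in stale:
            self._close(c)
        return stale

    def _close(self, c: Campaign) -> None:
        c.resolved = True
        self.closed.append(c)
        self.open.pop(c.src_ip, None)


def demo() -> dict:
    t0 = datetime(2026, 3, 10, 14, 0, tzinfo=timezone.utc)
    attacker = "203.0.113.7"
    events = [   # constructed: scan, phishing delivery, exploitation, C2 beacon, then a second IP
        ThreatEvent(t0, attacker, "T1595", 1),
        ThreatEvent(t0 + timedelta(minutes=20), attacker, "T1566", 3),
        ThreatEvent(t0 + timedelta(hours=2), attacker, "T1190", 4),
        ThreatEvent(t0 + timedelta(hours=3), attacker, "T1071", 6),
        ThreatEvent(t0 + timedelta(hours=5), "198.51.100.4", "T1595", 1),
    ]
    corr = Correlator()
    for ev in events:
        corr.ingest(ev)
    # Same attacker 30 h after its last event: outside the window, so a new campaign.
    late = corr.ingest(ThreatEvent(t0 + timedelta(hours=33), attacker, "T1595", 1))
    resolved = corr.sweep(t0 + timedelta(hours=54))   # 198.51.100.4 has been idle 49 h
    return {
        "closed_by_window": [c for c in corr.closed if c.src_ip == attacker][0],
        "new_campaign": late,
        "resolved_by_sweep": [c.src_ip for c in resolved],
        "open": sorted(corr.open),
    }


if __name__ == "__main__":
    out = demo()
    c = out["closed_by_window"]
    print(f"{c.src_ip}: {c.events} events, stage {c.stage}/7 {c.stage_name}, "
          f"techniques {sorted(c.techniques)}, profiles at {c.profiles}")
    print("resolved by sweep:", out["resolved_by_sweep"], "still open:", out["open"])
```

The two timers interact in a way worth noting: a source that goes quiet for more than 24 hours but less than 48 starts a new campaign on its next event while the old one is still open, so the sweep, not the ingest path, is what finally resolves it.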
Platform

Built for professionals, not amateurs

Expert Remediation
Detailed, Rwanda-context-aware remediation guidance for every finding — CVSS scored, prioritized, with code-level fix examples.
Law 60/2018 Compliant
Authorization doc upload required before every scan. Legal checkbox. 90-day data expiry.
Strict Multi-Tenancy
Your org's data is completely isolated — zero cross-tenant data leakage by architecture.
PDF Reports
Executive summary + full technical report with CVSS scores, evidence, and remediation roadmap.
Real-Time Progress
Live finding stream via Redis pub/sub — watch vulnerabilities appear as ZAP discovers them.
CI/CD Integration
Trigger scans from GitHub Actions or GitLab CI. Block deployments on critical findings.
Legal Compliance

Scanning without authorization is illegal in Rwanda

Rwanda Law No. 60/2018 mandates written authorization before any security testing. Heptasec enforces this at code level — no authorization document, no scan.

Authorization PDF upload required before first scan
Law 60/2018 consent checkbox on every scan wizard
Reports auto-expire at 90 days (Law 058/2021)
Evidence purged — no personal data retained beyond 90 days
NCSA-aligned incident reporting workflow
Law No. 60/2018
Prevention & Punishment of Cybercrime
Enforced
Law No. 058/2021
Protection of Personal Data & Privacy
Enforced
OWASP Top 10 2021
Web Application Security Standard
Enforced
OWASP API Top 10
API Security Standard
Enforced
Pricing

Simple, transparent pricing

MTN MoMo accepted · Stripe for international customers

Free
$0
forever · no card required
0 RWF
  • 5 scans / month
  • 1 team member
  • 1 target
  • Web & SSL scanning
  • Basic results
  Not included: API scanning · Network scanning · PDF reports · AI remediation · CI/CD webhooks
Get started free
Starter
$800
per 3 months
~1,100,000 RWF
  • 20 scans / month
  • 3 team members
  • 5 targets
  • Web, SSL & API scanning
  • PDF reports
  • MTN MoMo payment
  • Email support
  Not included: Network scanning · AI remediation · CI/CD webhooks · Dedicated SLA
Start Starter
Most popular
Business
$1,200
per 3 months
~1,650,000 RWF
  • 60 scans / month
  • 10 team members
  • 20 targets
  • All scan types
  • AI remediation (Claude Opus)
  • PDF + DOCX reports
  • CI/CD webhooks
  • Priority support
  • API access
  • Dedicated SLA
Start Business
Enterprise
From $4,000
per 3 months · custom scope
~5,500,000 RWF
  • Unlimited scans
  • Unlimited team members
  • Unlimited targets
  • All scan types
  • AI remediation (Claude Opus)
  • PDF + DOCX reports
  • API access
  • CI/CD webhooks
  • Dedicated support + SLA
  • Custom integrations
Contact Sales
FAQ

Common questions

Get started today

Find your vulnerabilities
before attackers do.

Join authorized security professionals across East Africa. First scan free — no credit card required.