Documentation
Everything you need to operate AssurePort — from your first scan to white-label MSSP deployment. The documentation tracks what is in production; nothing here is theoretical.
Quick start
- Visit app.assureport.com and request a magic link with your email. Your tenant is created on first click.
- Enable two-factor authentication (TOTP) from the Settings tab — strongly recommended, takes 60 seconds.
- Purchase a Starter scan ($99) or subscribe to Pro ($299/month) on the pricing page.
- Register an asset in the Assets & DCV tab. We currently accept domain-type assets and repository assets for GitHub SAST.
- Verify ownership via DNS TXT, HTTP file, or meta tag — see Domain verification.
- Upload a signed Rules of Engagement document — see RoE.
- Dispatch a scan from the Scans tab. The platform reserves your tier's per-scan price up front and emails a PDF report when the pipeline completes.
Scan engines
Four live engines today. Two more in active development.
| Engine | Status | Reservation | Typical duration |
|---|---|---|---|
| Web Pentest | Live | $99 | 30–45 min |
| API (REST / GraphQL) | Live | $49 | 15–25 min |
| Mobile APK | Live | $50 | 15–25 min |
| GitHub Repo SAST | Live | $30 | 10–20 min |
| Network / Real-IP | Coming soon | $49 | — |
| Cloud Misconfig | Coming soon | $69 | — |
Each engine is a sequenced pipeline of AI agents covering reconnaissance, analysis, exploitation with proof-of-concept evidence, and a remediation-aware report. Output is a markdown findings list plus a branded PDF, with CVSS v3.1 scores and OWASP Top 10 (or OWASP API Top 10 2023, or MASVS for mobile) mapping.
Domain verification
No scan starts without proof that you control the target — full stop. Pick any one method.
Method 1: DNS TXT record
_assureport.example.com. IN TXT "assureport-verification=YOUR_TOKEN"
Method 2: meta tag in HTML head
<meta name="assureport-verification" content="YOUR_TOKEN">
Method 3: HTTP file
Place at /.well-known/assureport-challenge.txt with body containing your token.
Tokens are unique per asset and per verification attempt. A dispatch request for an asset that has not been verified is rejected with HTTP 412 Precondition Failed.
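The three methods above as a verifier, written as an added example rather than AssurePort's own code. The record name `_assureport.<host>`, the TXT prefix, the meta tag name and the well-known path are taken from the docs; instead of doing live DNS and HTTP, each checker takes the already fetched records or response so it runs offline, and the rule that only a meta tag inside `<head>` counts is an assumption added here so a tag echoed in user-generated page content cannot verify a domain.

```python
"""Domain-control verification (DCV) checker for the three AssurePort methods.

Added example, not AssurePort's own code. The record name _assureport.<host>,
the TXT prefix, the meta tag name and the well-known path are taken from the
docs; the checkers receive pre-fetched inputs instead of doing network I/O.
"""
import hmac
import secrets
from html.parser import HTMLParser

TXT_PREFIX = "assureport-verification="
META_NAME = "assureport-verification"
CHALLENGE_PATH = "/.well-known/assureport-challenge.txt"  # documented path


def issue_token() -> str:
    """A fresh token per asset and per verification attempt."""
    return secrets.token_urlsafe(24)


def _match(candidate: str, token: str) -> bool:
    # Constant-time comparison on bytes, so odd input encodings cannot raise.
    return hmac.compare_digest(candidate.strip().encode(), token.encode())


def verify_dns_txt(txt_records, token: str) -> bool:
    """txt_records: TXT strings answered for _assureport.<host> (quotes optional)."""
    for rec in txt_records:
        rec = rec.strip().strip('"')
        if rec.startswith(TXT_PREFIX) and _match(rec[len(TXT_PREFIX):], token):
            return True
    return False


class _HeadMetaCollector(HTMLParser):
    """Collects content= of <meta name="assureport-verification"> found inside
    <head> only (assumed rule: tags elsewhere in the document are ignored)."""

    def __init__(self):
        super().__init__()
        self.values = []
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "meta" and self._in_head and a.get("name") == META_NAME:
            self.values.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def verify_meta_tag(html: str, token: str) -> bool:
    parser = _HeadMetaCollector()
    parser.feed(html)
    return any(_match(v, token) for v in parser.values)


def verify_http_file(status: int, body: str, token: str) -> bool:
    """status/body: the response to GET https://<host>/.well-known/assureport-challenge.txt."""
    if status != 200:
        return False
    return any(_match(line, token) for line in body.splitlines())


def verify_asset(token: str, *, txt_records=(), html="", http=(0, "")) -> bool:
    """Any one method suffices, as the docs state."""
    return (verify_dns_txt(txt_records, token)
            or verify_meta_tag(html, token)
            or verify_http_file(http[0], http[1], token))
```

Each checker only accepts an exact token match in constant time, and a non-200 response for the well-known file fails closed rather than scanning an error page for the token.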
Rules of Engagement
Upload a signed RoE PDF in the console. The document must contain:
- Authorising party (your legal entity name)
- In-scope hostnames or IPv4 ranges
- Out-of-scope endpoints (authentication flows, payment processors, third-party integrations)
- Test window (start and end dates)
- Signature (a typed name plus date is sufficient for digital signing; wet signatures accepted but not required)
An AI validator reads the PDF and assigns a confidence score. Below the threshold, the dispatch is blocked and we email you the gaps so you can re-upload a corrected document.
Pricing
Flat per-scan pricing. No per-character surcharges. No "credits".
| Tier | Price | Web scans / month | Effective per scan |
|---|---|---|---|
| Starter | $99 one-time | 1 | $99 |
| Pro | $299/month | 6 (rollover up to 12) | $49.83 |
| Business | $799/month | 15 (rollover up to 30) | $53.27 |
Reservations are charged on success only — failed scans release the reservation automatically. Overage scans: $69 each on Pro, $59 each on Business. Billing is handled by Polar.sh as Merchant of Record; VAT is collected and remitted in 47 jurisdictions at no extra cost to you.
Public API reference
Base URL: https://api.assureport.com
Authentication header: Authorization: Bearer aprt_… — issue from the API Keys tab in the console.
Public endpoints (no auth)
| Endpoint | Description |
|---|---|
| GET /api/health | Service liveness + version |
| GET /api/intel/dns?host=… | DNS lookup (multiple record types) |
| GET /api/intel/reverse-dns?ip=… | PTR lookup |
| GET /api/intel/headers?url=… | HTTP security headers grade |
| GET /api/intel/ssl?host=… | TLS certificate transparency search |
| GET /api/intel/tech?url=… | Technology stack detector |
| POST /api/feedback | Public feedback / contact form |
| POST /api/auth/magic-link | Issue magic-link sign-in |
Tenant endpoints (Bearer auth)
| Endpoint | Description |
|---|---|
| GET /api/balance | Token snapshot |
| GET /api/assets | List registered assets |
| POST /api/assets | Register a new asset |
| POST /api/assets/:id/verify | Trigger DCV check |
| POST /api/scans | Dispatch a scan |
| GET /api/scans/:id | Get scan status |
| GET /api/scans/:id/findings | Parsed findings list |
| GET /api/scans/:id/report.md | Markdown report |
| GET /api/scans/:id/report.pdf | Branded PDF report |
| GET /api/billing/ledger | Transaction history |
| GET /api/billing/usage | Per-day usage breakdown |
| GET /api/activity | Audit log |
| GET /api/members | List tenant members |
| POST /api/invitations | Invite a teammate |
Polar webhooks
AssurePort receives Polar's Standard Webhooks v1 events. Signature verification uses HMAC-SHA256 over the raw request body, and replays are dropped via idempotency keys carried in the webhook-id header.
Accepted event families:
- Order events: order.created, order.paid, order.refunded
- Subscription events: subscription.created, subscription.active, subscription.updated, subscription.canceled, subscription.revoked
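A receiver for these deliveries, added here as an example and not AssurePort's own handler. It follows the public Standard Webhooks v1 layout, which is an assumption beyond the one-line description above: the signed content is `<webhook-id>.<webhook-timestamp>.<raw body>`, the secret is `whsec_` followed by a base64 key, and the `webhook-signature` header carries one or more space-separated `v1,<base64 mac>` entries. The event names are the documented ones; the secret, the five-minute tolerance window and the payload are constructed for the offline run.

```python
"""Standard Webhooks v1 receiver: HMAC-SHA256 signature, timestamp window and
replay suppression keyed on webhook-id.

Added example, not AssurePort's own handler. Signed content, secret encoding
and header layout follow the public Standard Webhooks spec (an assumption);
the secret, tolerance and payload below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed window; stale or far-future deliveries are refused

ACCEPTED_EVENTS = {
    "order.created", "order.paid", "order.refunded",
    "subscription.created", "subscription.active", "subscription.updated",
    "subscription.canceled", "subscription.revoked",
}

# Constructed secret for the offline test; a real one is issued by Polar.
EXAMPLE_SECRET = "whsec_" + base64.b64encode(b"\x01" * 32).decode()


class WebhookError(Exception):
    pass


def _key_bytes(secret: str) -> bytes:
    return base64.b64decode(secret.removeprefix("whsec_"))


def sign(secret: str, msg_id: str, timestamp: int, body: bytes) -> str:
    """Sender side (also used by the test): returns the 'v1,<sig>' header value."""
    to_sign = f"{msg_id}.{timestamp}.".encode() + body
    mac = hmac.new(_key_bytes(secret), to_sign, hashlib.sha256).digest()
    return "v1," + base64.b64encode(mac).decode()


def verify(secret: str, headers: dict, body: bytes, *, now=None):
    """Returns (webhook_id, parsed event) or raises WebhookError."""
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}
    try:
        msg_id = h["webhook-id"]
        ts = int(h["webhook-timestamp"])
        sig_header = h["webhook-signature"]
    except (KeyError, ValueError):
        raise WebhookError("missing or malformed webhook headers")
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise WebhookError("timestamp outside tolerance")
    expected = sign(secret, msg_id, ts, body).partition(",")[2]
    # Several signatures may be present during secret rotation; any valid v1 passes.
    valid = False
    for entry in sig_header.split():
        version, _, sig = entry.partition(",")
        if version == "v1" and hmac.compare_digest(sig.encode(), expected.encode()):
            valid = True
    if not valid:
        raise WebhookError("bad signature")
    try:
        event = json.loads(body)
    except ValueError:
        raise WebhookError("body is not JSON")
    if event.get("type") not in ACCEPTED_EVENTS:
        raise WebhookError(f"unsupported event {event.get('type')!r}")
    return msg_id, event


class Receiver:
    """Processes each webhook-id once. `seen` stands in for a durable idempotency
    store; it is written only after the signature checks out, so unauthenticated
    requests cannot pollute it."""

    def __init__(self, secret: str):
        self.secret = secret
        self.seen = set()
        self.processed = []

    def handle(self, headers: dict, body: bytes, *, now=None) -> str:
        try:
            msg_id, event = verify(self.secret, headers, body, now=now)
        except WebhookError as exc:
            return f"rejected: {exc}"   # answer 400; nothing to retry
        if msg_id in self.seen:
            return "duplicate"          # answer 200 so the sender stops redelivering
        self.seen.add(msg_id)
        self.processed.append(event)
        return "processed"


def example_request(event_type: str, msg_id: str, timestamp: int,
                    secret: str = EXAMPLE_SECRET):
    """Constructed delivery (headers + raw body) in the shape a sender would produce."""
    body = json.dumps({"type": event_type, "data": {"id": "ord_example"}}).encode()
    headers = {
        "webhook-id": msg_id,
        "webhook-timestamp": str(timestamp),
        "webhook-signature": sign(secret, msg_id, timestamp, body),
    }
    return headers, body
```

The order of checks matters: the signature is verified over the raw bytes before the body is parsed, and the idempotency set is consulted only for authenticated deliveries, so a redelivery with a valid signature is acknowledged without being processed twice while a forged one never touches state.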
Authentication
Magic link (interactive)
Email-only. Cookie session, 30-day TTL. Optional TOTP 2FA gate after first login. Sessions are revocable from the Settings tab.
API key (programmatic)
Keys use the format aprt_…. Only a SHA-256 hash of the key is stored server-side; raw keys are never persisted. Issue from the console; rotate at any time.
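The issue, authenticate and rotate flow that the hash-at-rest rule implies, added here as an example and not AssurePort's server code. The `aprt_` prefix and the SHA-256 storage rule are from the docs; the short key-id segment used for lookup, the in-memory store and the `rotate()` helper are assumptions.

```python
"""API-key lifecycle where the server keeps only a SHA-256 hash of each key.

Added example, not AssurePort's server code. The "aprt_" prefix and the
hash-at-rest rule are from the docs; the key-id lookup segment, the in-memory
store and rotate() are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PREFIX = "aprt_"


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class StoredKey:
    key_id: str
    digest: str     # sha256(raw key); the raw key itself is never written
    tenant: str
    revoked: bool = False


@dataclass
class KeyStore:
    by_id: dict = field(default_factory=dict)

    def issue(self, tenant: str) -> str:
        """Returns the raw key exactly once; show it to the user now, it cannot be recovered."""
        key_id = secrets.token_hex(4)             # short public handle used for lookup
        secret_part = secrets.token_urlsafe(32)   # 256 bits of entropy
        raw = f"{PREFIX}{key_id}_{secret_part}"
        self.by_id[key_id] = StoredKey(key_id, _digest(raw), tenant)
        return raw

    @staticmethod
    def _parse(authorization: str):
        scheme, _, raw = authorization.partition(" ")
        if scheme != "Bearer" or not raw.startswith(PREFIX):
            return None, None
        # key_id is hex, so the first "_" after the prefix ends it.
        key_id = raw[len(PREFIX):].split("_", 1)[0]
        return key_id, raw

    def authenticate(self, authorization: str):
        """Maps 'Authorization: Bearer aprt_…' to a tenant name, or None."""
        key_id, raw = self._parse(authorization)
        if key_id is None:
            return None
        rec = self.by_id.get(key_id)
        if rec is None or rec.revoked:
            return None
        # Hash the presented key and compare hash-to-hash in constant time; a leaked
        # table of digests cannot be replayed as bearer tokens.
        if not hmac.compare_digest(rec.digest, _digest(raw)):
            return None
        return rec.tenant

    def rotate(self, authorization: str):
        """Revokes the presented key and issues a replacement for the same tenant."""
        tenant = self.authenticate(authorization)
        if tenant is None:
            return None
        key_id, _ = self._parse(authorization)
        self.by_id[key_id].revoked = True
        return self.issue(tenant)
```

Rotation revokes the old key in the same step that mints the new one, so there is no window in which both are valid, and a revoked record is kept rather than deleted so the audit log can still attribute past requests to it.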
Data residency
Personal data and scan artefacts stay in the European Union by design. Compute, storage, vector indexes, and AI inference all route through EU regions. The platform has no US data leg and no cross-border processing path for customer data.
GDPR posture
AssurePort acts as a data processor for scan artefacts. We meet Article 32 technical and organisational measures: TLS 1.3 in transit, encrypted secrets at rest, an append-only audit log, tenant isolation enforced at the data layer, 2FA available to every account, and EU-only data residency. DSAR responses are answered within 30 days — write to dpo@assureport.com.
Data Processing Agreement
Email legal@assureport.com with your legal-entity name and we countersign within one business day. A public DPA template is on the v1.3 roadmap.
Vulnerability disclosure
We follow RFC 9116. Report findings to abuse@assureport.com or via /.well-known/security.txt. We triage within 24 hours and communicate remediation timelines back to the reporter.
MSSP white-label
Business tier ($799/mo) unlocks:
- White-label subdomain (your-name.assureport.com)
- Branded PDF report template (your logo and colours)
- Sub-tenant management — invite client tenants under your master organisation
- Auditor read-only portal — share findings with external auditors without exposing your console
- Custom DPA and custom SLA
SLAs
Default uptime target: 99.5% measured end-to-end. Business tier upgrades to 99.9% with a credit-back clause for outages exceeding four hours per month. Live status: /status.html.
Found something missing or out of date? Send us feedback — we update docs the same week.