Web Iron Shield is a professional website security scanner with 150+ checks, live exploit verification, and a dedicated 0-day anomaly hunter that finds what rule-based tools miss. Run locally. Keep your data. Pay once.
Every scan passes through four distinct phases. Each phase builds on the last so you don't just get a list of warnings — you get working proof-of-concept exploits and the code to close them.
Deep-crawls up to 500 pages. Maps forms, parameters, technologies, and hidden endpoints.
SQLi, XSS, CSRF, CORS, security headers, cookie flags, CVEs, sensitive files, API key leaks.
Authorized exploit attempts: XXE, JWT weakness, IDOR, RCE, SSRF. Real payloads, safe canaries.
10 hunters look for the unusual — stack traces, timing oracles, reflection surfaces, debug endpoints.
One-click exploit verification. See the actual request, response, evidence, and attacker walkthrough.
Watch payloads fire, responses come back, and findings appear live. Not a polling dashboard — a live packet trace.
SQL injection, XSS, CSRF, CORS, SSRF, SSTI, XXE, IDOR, open redirect, path traversal, JWT weakness, and more.
9 category-specific verifiers produce verdicts with confidence scores, HTTP evidence, and attacker walkthroughs.
10 independent hunters catch what rule-based scanners miss: debug leaks, timing oracles, reflection surfaces, version leaks.
Estimated payout ranges per finding. Pre-built reports ready for HackerOne, Bugcrowd, and Intigriti submissions.
Optional Claude integration scans business logic, authentication flows, and novel patterns no static rule can describe.
Version-fingerprints your target and matches against known CVEs — see CVE-2021-41773 before writing the exploit.
Probes 120+ paths: .env, .git, .DS_Store, wp-config, backup dumps, debug endpoints, admin panels.
Every scan stored locally. Double-click any past scan and the full findings rebuild exactly as they were.
Route all traffic through your proxy or Tor for anonymity during bug bounty research. IP leak detection built in.
Desktop app. No cloud uploads. Your targets and findings never leave your machine. Works offline after activation.
SHA-256 verified updates. Zip-Slip protection. Your scanner stays current — but never at the cost of security.
Rule-based scanners miss novel bugs because they only look for what they were told to look for. Web Iron Shield's anomaly engine runs ten independent hunters that flag anything unusual — the same instinct that makes a human pentester go, "wait, why is that header here?"
Get v2.8 with anomaly hunter →
Click Verify Now on any finding. The scanner sends category-specific payloads, analyzes the response with multiple detection channels, and produces a complete attack walkthrough plus the remediation code to close it.
// ❌ VULNERABLE — $cat is interpolated into a shell command line (assumed to come from the request)
$cat = $_GET['cat'];
$output = shell_exec("grep $cat items.txt");
// ✅ SAFE — argv array, no shell (PHP 7.4+); '--' ends option parsing so a value starting with '-' is not read as a grep flag
$proc = proc_open(
    ['grep', '--', $cat, 'items.txt'],
    [1 => ['pipe', 'w']], $pipes);
$output = stream_get_contents($pipes[1]);
fclose($pipes[1]);
proc_close($proc);
Both modes share the same 150+ rule-based checks and the 10 anomaly hunters. The AI mode adds a Claude-powered reasoning layer that reads your site the way a human pentester does — understanding business logic, chaining weaknesses, and noticing what rules can't describe.
Scripted checks run against known patterns. Same inputs always produce same outputs. No API calls. No extra cost.
Runs everything a Normal scan does, then adds a Claude reasoning layer that reads your app, understands its purpose, and finds what rules can't express.
role param. No server-side check against current user's role. Chained with cookie flaw from #3 → account takeover. Bounty: $2,000–$5,000.
No subscriptions. No per-scan fees. No cloud lock-in. Use it on as many targets as you have authorization for.
Try all features on 3 target scans.
Everything. Forever. No recurring fees.
Yes — on targets you own or have written authorization to test. The scanner requires you to confirm ownership and supply an owner email before every active scan, and logs every authorization for your audit trail. Running it against sites you don't own, without permission, is illegal under computer-fraud laws almost everywhere. We don't help with that.
No. Web Iron Shield is a desktop app. All scanning, all findings, and all history live on your machine. The only network traffic is (a) the scanner connecting to the target you chose, (b) one-time license activation, and (c) checking for updates. No telemetry, no analytics, no cloud reporting.
The Anomaly Hunter runs during every scan — it flags suspicious behaviour across 10 independent categories. Verify Now runs on a single finding when you double-click it, and attempts real (but safe) exploitation with category-specific payloads to give a high-confidence verdict plus attacker walkthrough.
By looking for anomalies, not signatures. If a parameter reflects user input, that's a potential XSS surface — even if the param name isn't in any rule. If a login endpoint takes 400ms longer for known usernames, that's a timing oracle — even though no rule says "check admin login latency". The hunter finds what looks wrong, so a human can investigate.
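The two heuristics this answer describes, a reflection-surface check and a login timing oracle, written out as an added Python example. This is not the scanner's own code: the probe responses and latencies are constructed, and the CANARY value, the Probe record and the 200 ms threshold are assumptions of this example.

```python
"""Two signature-free anomaly checks: does a parameter echo a canary value back
verbatim (reflection surface), and does a login endpoint answer known usernames
measurably slower than unknown ones (timing oracle)?
Added example; the probe data below is constructed, not captured from any site."""
from dataclasses import dataclass
from statistics import median

# Unique marker sent as a parameter value; any verbatim echo is a reflection surface.
CANARY = "wis7c4n4ry"


@dataclass(frozen=True)
class Probe:
    param: str   # parameter the value was sent in
    sent: str    # value that was sent
    body: str    # response body that came back


def find_reflection_surfaces(probes):
    """Return parameter names whose canary value comes back verbatim in the body.
    A reflected parameter is only a *potential* XSS surface: output encoding and
    the HTML context still have to be checked by a human."""
    return sorted({p.param for p in probes if p.sent == CANARY and CANARY in p.body})


def timing_oracle(known_ms, unknown_ms, threshold_ms=200.0):
    """Flag a login endpoint whose median latency for existing usernames exceeds
    the median for random usernames by at least threshold_ms. Medians, not means,
    so one slow response does not produce a false positive.
    Returns (is_oracle, gap_ms)."""
    gap = median(known_ms) - median(unknown_ms)
    return gap >= threshold_ms, gap


# Constructed sample data standing in for real crawl and probe results.
SAMPLE_PROBES = [
    Probe("q", CANARY, "<title>Search: wis7c4n4ry</title>"),   # echoes the canary
    Probe("page", CANARY, "<h1>Page 1</h1>"),                  # does not echo it
    Probe("q", "hello", "<title>Search: hello</title>"),       # not a canary probe
]
KNOWN_USER_MS = [612, 598, 640, 605]     # login attempts with an existing username
UNKNOWN_USER_MS = [201, 195, 210, 198]   # login attempts with a random username

if __name__ == "__main__":
    print("reflection surfaces:", find_reflection_surfaces(SAMPLE_PROBES))
    print("timing oracle:", timing_oracle(KNOWN_USER_MS, UNKNOWN_USER_MS))
```

On the constructed data the reflection check reports only `q`, and the timing check reports a 409 ms gap, well above the threshold. The threshold is the tuning knob: set it from the endpoint's own jitter (for example, several times the spread seen across repeated identical requests) rather than from a fixed number, or a slow backend will trigger it on its own.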
Windows 10/11 (64-bit) primary. macOS and Linux builds available via the Python source and bundled shell builder. No cloud instance needed.
Report it responsibly. If you have authorization (pentest engagement), follow the agreed reporting channel. For bug bounty programs, use the program's submission portal — Web Iron Shield generates reports formatted for HackerOne/Bugcrowd/Intigriti. If you've found a bug on your own site, congratulations — the remediation code in every Verify Now report shows you exactly how to fix it.
30-day money-back, no questions asked. If the tool doesn't find something useful on your sites in the first month, just email us.
Yes. One-time payment, lifetime updates. The auto-updater verifies SHA-256 signatures so even if our servers were compromised, you wouldn't install a malicious update. v2.8 → v3.x upgrades: included.
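The two update safeguards mentioned on this page, a SHA-256 check on the downloaded package and Zip-Slip protection when unpacking it, shown as an added Python example. It is not the updater's own code. It assumes the expected digest is pinned in the application or obtained over a channel separate from the download server (a digest served next to the file it describes gives no protection if that server is compromised); the install directory `/opt/wis` and both archives are constructed for the example.

```python
"""Two update-integrity checks: compare the download's SHA-256 against a digest
pinned in the application, and refuse to unpack any zip entry that would land
outside the install directory (Zip-Slip). Added example with constructed archives."""
import hashlib
import hmac
import io
import posixpath
import re
import zipfile

INSTALL_DIR = "/opt/wis"   # assumed install directory, used only for the path check


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    # compare_digest runs in constant time regardless of where the strings differ.
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def is_safe_member(name: str, dest: str = INSTALL_DIR) -> bool:
    """True only if the archive entry resolves to a path inside dest."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return False                       # absolute path or Windows drive letter
    target = posixpath.normpath(posixpath.join(dest, norm))
    return target == dest or target.startswith(dest + "/")


def unsafe_members(zip_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n)]


def verify_update(zip_bytes: bytes, expected_sha256: str):
    """Return (ok, reason). Both checks must pass before anything is extracted."""
    if not sha256_matches(zip_bytes, expected_sha256):
        return False, "sha256 mismatch"
    bad = unsafe_members(zip_bytes)
    if bad:
        return False, "zip-slip entries: " + ", ".join(bad)
    return True, "ok"


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive. writestr stores names as given, so traversal
    and absolute names survive, which is exactly what a hostile update would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archives: one clean, one carrying traversal and absolute entries.
CLEAN_UPDATE = build_zip({"app/main.py": b"print('ok')\n", "app/rules/xss.json": b"{}"})
SLIP_UPDATE = build_zip({"app/main.py": b"print('ok')\n",
                         "../../outside.txt": b"escaped",
                         "/tmp/absolute.txt": b"escaped"})

if __name__ == "__main__":
    pinned = sha256_hex(CLEAN_UPDATE)      # stands in for the digest shipped with the app
    print(verify_update(CLEAN_UPDATE, pinned))
    print(verify_update(CLEAN_UPDATE, "00" * 32))
    print(verify_update(SLIP_UPDATE, sha256_hex(SLIP_UPDATE)))
```

The path check normalises each entry against the install directory instead of merely searching the name for `..`, so `app/../app/x.py` (harmless) passes while `app/../../x.py` (escapes) is rejected. Run the whole archive through `unsafe_members` before extracting anything: rejecting an entry halfway through leaves a half-applied update on disk.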