Everything you need to know about RTS Scanner — scanning, credits, reports, and security.
29 Questions | 5 Categories | ~5m Read time | 24h Support SLA
Getting Started
RTS Scanner is a professional web-based penetration testing platform. It performs automated reconnaissance and vulnerability scanning on web applications, discovering subdomains, crawling URLs, testing for 25+ vulnerability classes with 500+ payloads, and generating detailed reports.
Click Register on the homepage, fill in your details, select your preferred plan, and submit. Your account will be reviewed by an admin and approved within 1–24 hours. You will receive access once approved.
RTS Scanner is a security tool that can be misused. We manually review all registrations to ensure the platform is used ethically and legally. This protects both our users and the broader internet.
The Free plan gives you 3 quick scans at no cost. Quick scans cover surface-level reconnaissance including subdomain discovery, basic crawling, and vulnerability checks. Deep scan, auto scan, credentials, and PDF reports require a paid plan.
No. RTS Scanner is entirely web-based. You just need a modern browser. No software installation, no command-line tools, no configuration required.
Scanning
Quick scan performs a fast surface-level assessment: up to 30 crawled pages, 5 subdomains, basic vulnerability checks, and data leak detection. Deep scan is comprehensive: up to 100 pages, 50 subdomains, JavaScript extraction, API endpoint discovery, S3 bucket checks, backup file detection, cloud asset enumeration, and full vulnerability testing with 500+ payloads.
Full Scope enumerates all subdomains of the target domain and scans them all. Target Only restricts the scan to the exact URL you entered, with no subdomain discovery. Use Target Only for faster, focused scans.
Quick scans typically complete in 2–8 minutes. Deep scans on large targets can take 10–30 minutes. Scan duration depends on the target size, number of subdomains, and network response times.
You may only scan websites you own or have explicit written permission to test. Unauthorized scanning is illegal. RTS Scanner monitors for abuse and will terminate accounts found scanning without authorization.
RTS Scanner tests for: SQL Injection, XSS (Reflected, Stored, DOM), Command Injection, SSRF, LFI/RFI, Path Traversal, XXE, SSTI, IDOR, CORS Misconfiguration, CSRF, Open Redirect, Host Header Injection, JWT Vulnerabilities, Subdomain Takeover, Clickjacking, Cookie Security issues, CSP misconfigurations, and more.
Free plan: 1 scan at a time. Standard plan: up to 5 concurrent scans. Premium plan: unlimited concurrent scans.
Premium users can provide login credentials (username/password, form fields, or session cookies) to scan authenticated pages and APIs that require login. This enables testing of user-specific functionality and authenticated endpoints.
Credits & Plans
Credits are consumed when you run paid scans. Quick scan costs 2 credits, Deep scan costs 5 credits. Free plan users get 3 free quick scans without using credits. Credits are added to your account when you purchase a plan.
You will not be able to start new scans until you top up. Existing running scans will complete. You can upgrade your plan on the Pricing page to get more credits.
We accept UPI payments (GPay, PhonePe, Paytm, etc.) to rudratechserv@sbi. On the Pricing page, select your plan, scan the QR code, pay the amount, and submit your UTR number. Admin will verify and activate your plan within 1–12 hours.
UTR (Unique Transaction Reference) is a 12-digit number generated by your UPI app for every transaction. Find it in your UPI app under transaction history. Submit it after payment so we can verify your payment.
Since this is a digital service, refunds are generally not provided once a plan is activated. If you have a payment issue (e.g., payment deducted but plan not activated), contact support within 48 hours with your UTR number.
Credits do not expire as long as your account is active. They remain in your account until used.
Reports & Results
PDF reports include: executive summary, vulnerability count by severity, full vulnerability details (type, URL, parameter, payload, evidence, remediation), subdomain list, data leaks, technologies detected, DNS records, and scan metadata. Reports are generated server-side and are professionally formatted.
Premium plan users can download full PDF reports. Standard plan users can export results as TXT files. Free plan users can view results in the browser but cannot download reports.
Scan results are stored until you manually delete them from your dashboard. There is no automatic expiry. We recommend downloading reports for important scans.
Currently, scan results are private to your account. Sharing features are planned for a future update. You can share PDF reports by downloading and distributing them.
Auto Scan (Standard and Premium) lets you schedule recurring scans every 5, 12, or 24 hours. It automatically runs a deep scan and highlights new findings compared to the previous scan — useful for continuous monitoring of your attack surface.
Security & Privacy
Yes. Scan results are only accessible via non-guessable secure tokens — not sequential IDs. Every route enforces strict ownership checks so you can only access your own data. We do not share your scan data with third parties.
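An added example (not RTS Scanner's own code) of the pattern this answer describes: results keyed by a random token instead of a sequential ID, with an ownership check on every access. The in-memory store, function names and user IDs are assumptions made for illustration.

```python
import secrets

# Constructed in-memory store standing in for a scan-results table.
# Keys are random tokens, not auto-increment IDs.
_SCANS = {}


class NotFound(Exception):
    """Raised for unknown tokens and for scans owned by someone else."""


def create_scan(owner_id, target):
    # 32 bytes from the OS CSPRNG -> 43-character URL-safe token (256 bits).
    token = secrets.token_urlsafe(32)
    _SCANS[token] = {"owner_id": owner_id, "target": target, "findings": []}
    return token


def get_scan(session_user_id, token):
    scan = _SCANS.get(token)
    # The owner is checked on every read even though the token is
    # unguessable: tokens can leak through browser history, Referer
    # headers, logs and forwarded links.
    if scan is None or scan["owner_id"] != session_user_id:
        # Same error for "missing" and "not yours", so a response never
        # confirms that a token exists.
        raise NotFound("scan not found")
    return scan


def delete_scan(session_user_id, token):
    get_scan(session_user_id, token)  # same ownership gate as reads
    del _SCANS[token]
```

The caller's identity comes from the server-side session, never from a request parameter; a user ID supplied by the client would defeat the check.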
Credential passwords are encrypted with a strong cipher before being saved to the database. The encryption key is stored separately from the database. We still recommend using dedicated test credentials rather than production passwords.
Yes. Vulnerability findings are stored as part of your scan results so you can review them and generate reports later. You can delete any scan at any time to permanently remove its data.
We have multiple active defence layers: all input is validated and inspected for attack patterns, sessions are strictly managed, every data endpoint enforces ownership, credentials are encrypted at rest, security headers are set on every response, and all suspicious activity is logged, rate-limited, and reviewed.
Yes. Account passwords are processed through a strong one-way hashing algorithm before storage. We never store or transmit plaintext passwords. Even if the database were stolen, your password would not be recoverable.