A forensic web audit platform, architected around a two-stage authorization model that earns trust before asking for access, then turns findings into a legally defensible, engineer-ready audit.
Enterprise e-commerce and SaaS platforms carry measurable risk across four domains simultaneously: revenue suppression, regulatory exposure (GDPR, PIPEDA, Quebec Law 25), security vulnerabilities, and accessibility liability. Existing tools each cover a slice.
CAD $50M–$500M GMV, in-house engineering, no dedicated security audit capacity. Needs findings in dollars and regulation, not just severity labels.
Deliver technical audits to clients; need a platform to underpin findings with defensible, structured data.
Security audit products face a structural bind: customers need to see value before committing, but running a full audit without authorization creates legal exposure for both sides. I designed the two-stage model that resolves it, modeled on patterns operators already trust (Google Search Console, Let's Encrypt ACME), then specified the full module coverage, competitive positioning, and pricing anchor strategy end to end.
Runs on public HTTP responses only: headers, CSP, SSL, script inventory, WCAG contrast. Delivers 3–5 high-impact findings in under 3 minutes, no account required.
Gated behind a cryptographic domain-verification header. All 23 modules run: authenticated flows, storage analysis, credential scanning, subdomain enumeration.
The customer adds one HTTP response header; the platform polls for it every 60 seconds and logs the detection as a timestamped, immutable authorization record, attachable to any regulatory filing or client deliverable.
Every Stage 2 report states the maximum statutory penalty exposure identified. For pre-consent tracking under Quebec Law 25, that figure runs to $25M CAD per violation category. Against that, a $299 audit isn't a hard sell; it's the obvious next step.
Scrutas is built and running internally: the two-stage authorization model, all 23 audit modules, and the verification protocol are live. That two-stage model was the hard problem to solve: it's what turns a legally risky idea (auditing a site you don't own) into a defensible, authorized audit.
MVP: full audit engine + verification flow. Then agency white-label and findings API.
Monthly Monitor subscription + regression tracking. Then CI/CD integration and enterprise frameworks (HIPAA, SOC 2, PCI-DSS).
Third-party auditor marketplace: Scrutas becomes the infrastructure layer, not just the audit tool.
See the rest of the work, or get in touch.