Who We Are
AuditWard runs continuous, authorized security scanning and AI-driven QA on the websites you own. We are AuditWard, LLC, a Delaware company hosted on AWS in the United States. Read who we are and how our scanning works.
Why we exist.
Most teams check their website security in bursts. A consultant runs a scan, hands over a PDF, and the report is stale within a few weeks as the site keeps shipping. Keeping that consultant on retainer is expensive, and the gaps between engagements are where problems sit unnoticed.
AuditWard was built to close those gaps. We scan the sites you own on a continuous basis, with authorization proven up front, and we pair that scanning with AI-driven QA so the output is something an owner can actually act on rather than a backlog of raw scanner noise.
The problem we solve.
We give you authorized, continuous website security scanning and automated QA in one place. The scanner looks at what changes between releases, which is where real exposure tends to appear, and the AI layer triages what it finds into prioritized findings.
Each finding is written for the person who owns the system, in plain language, with the impact spelled out and a clear path to a fix. A severity score and a stack trace do not tell you what to do next, so we do not stop at those.
How it works.
Our methodology starts from a simple rule. We only scan what you have proven you control, and we make it easy for anyone to stay out of our way for good.
Authorization comes first. Customers verify domain ownership with a DNS TXT record, so a domain has to be proven before the heavier tooling ever touches it. A global scan opt-out registry is checked before any scan starts. Opted-out resources are never scanned, for any customer, and the opt-out is permanent and platform-wide.
On findings, we keep a hard line between tagging and certifying. You can tag a finding to SOC 2, ISO 27001, and other frameworks to help you gather evidence, but that is evidence support, not a certification. Tagging a finding to a framework does not make you compliant, and AuditWard is not a PCI Approved Scanning Vendor.
DNS-verified authorization
A domain is proven with a DNS TXT record before heavier tooling runs against it.
Global opt-out
A permanent, platform-wide registry that takes a resource out of scope for every customer.
Tag, do not certify
Framework tagging is evidence support to help you gather proof, never a certification or a compliance claim.
Published scanning tools
curl, testssl.sh, Nuclei, Nmap, Gobuster, nslookup, and WhatWeb.
Identifiable scanner
Requests carry a fixed, published User-Agent (AuditWard/1.0 (+https://auditward.com/scanner)), and paths disallowed in your robots.txt are left out of crawl-based discovery.
No destructive testing
We do not run denial-of-service or flooding tests, and we report takeover-style weaknesses rather than exploiting them.
The full authorization and scanner-behavior detail lives on the security page.
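As an added illustration, not AuditWard's own code, the pre-scan gate described above can be modelled as two checks run in order: the permanent opt-out registry first, then proof of ownership via a DNS TXT record. The record syntax `auditward-verification=<token>`, the rule that a parent domain's opt-out covers its subdomains, and the in-memory fake resolver are all assumptions made for the example.

```python
"""Pre-scan authorization gate (illustrative; not AuditWard's code)."""
from collections.abc import Callable, Iterable
from dataclasses import dataclass

# Assumed record format; the page does not publish the real token syntax.
TXT_PREFIX = "auditward-verification="
USER_AGENT = "AuditWard/1.0 (+https://auditward.com/scanner)"  # from the page


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _norm(host: str) -> str:
    return host.strip().lower().rstrip(".")


def is_opted_out(host: str, registry: Iterable[str]) -> bool:
    """True if host, or any parent domain, is in the permanent opt-out registry.
    Treating a parent's opt-out as covering its subdomains is an assumption."""
    opted = {_norm(h) for h in registry}
    parts = _norm(host).split(".")
    return any(".".join(parts[i:]) in opted for i in range(len(parts)))


def ownership_proven(domain: str, expected_token: str,
                     resolve_txt: Callable[[str], list[str]]) -> bool:
    """Require an exact token match in the domain's TXT records."""
    for rec in resolve_txt(_norm(domain)):
        rec = rec.strip().strip('"')
        if rec.startswith(TXT_PREFIX) and rec[len(TXT_PREFIX):] == expected_token:
            return True
    return False


def authorize_scan(domain, expected_token, registry, resolve_txt) -> Decision:
    """Opt-out is absolute and checked first; ownership proof comes second."""
    if is_opted_out(domain, registry):
        return Decision(False, "resource is in the global opt-out registry")
    if not ownership_proven(domain, expected_token, resolve_txt):
        return Decision(False, "no matching DNS TXT verification record")
    return Decision(True, f"authorized; requests will identify as {USER_AGENT}")


# Constructed sample data: a fake resolver standing in for live DNS.
FAKE_TXT = {"example.com": ["v=spf1 -all", f'"{TXT_PREFIX}tok-123"'],
            "optedout.example": [f"{TXT_PREFIX}tok-999"]}
OPT_OUT_REGISTRY = {"optedout.example"}


def fake_resolve_txt(name: str) -> list[str]:
    return FAKE_TXT.get(name, [])
```

Running `authorize_scan("api.optedout.example", "tok-999", OPT_OUT_REGISTRY, fake_resolve_txt)` is refused even though the token matches, because the opt-out check runs before and independently of ownership proof.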
The team.
AuditWard is built by a small group working across a few disciplines: security engineering, LLM triage, and infrastructure. The standards are the same across all of them: authorization before scanning, findings that an owner can act on, and customer data handled under the policies we publish.
We handle sensitive findings about our customers' systems, so we keep our team low-profile to reduce social-engineering and targeting surface. We hold ourselves accountable through our registered entity, our published security and disclosure policies, and named contacts for security, privacy, and abuse.
This is about the people, not the company. The entity itself is fully transparent: where we are registered, what we run on, and how we handle your data are all documented on this site and in our policies.
Company and where we are based.
AuditWard, LLC is a Delaware limited liability company based in the United States. Our registered address is 2261 Market Street STE 19811, San Francisco, CA 94114.
Customer scan data is hosted on AWS infrastructure in the United States. Data is encrypted in transit with TLS, and credentials supplied for authenticated scans are stored only in encrypted form, never in plaintext.
Security and compliance posture.
Our security commitments are written out in full on the security page, and we keep the proof there so you can check it rather than take our word for it. We do not hold a SOC 2 or ISO 27001 certification or report, and we say so plainly. Framework tagging inside the product is there to help you gather evidence, and it is not a certification of AuditWard.
The short version of how we treat your data is below. For the detail and the supporting documents, see the security page.
Encrypted, on AWS in the US
Encrypted in transit with TLS and at rest, on AWS infrastructure in the United States.
No AI training on your data
Customer scan data, findings, evidence, artifacts, and credentials are never used to train, fine-tune, or benchmark any AI model. AI analysis runs through Amazon Bedrock, which is contractually restricted from doing so.
Published sub-processor list
A published sub-processor list naming every third party that touches the service.
Responsible disclosure
A responsible-disclosure policy with a safe-harbor commitment for good-faith security research.
Proof and commitments.
We would rather you verify than trust. Each of these is a public document you can read in full.
We do not claim certifications we do not hold. AuditWard has no SOC 2 or ISO 27001 report, and we will not imply otherwise.
Sub-processor list
The third parties that process data on our behalf, including AWS, Mailgun, Stripe, Umami, and Sentry. See /sub-processors.
Responsible disclosure
Our safe-harbor terms and response timelines for reported issues. See /security-disclosure.
No AI training on customer data
Stated and backed by a contractual restriction on the AI inference provider. See /security.
Contact.
For general questions, write to contact@auditward.com. For anything security-related, including vulnerability reports and abuse, write to security@auditward.com.
If you are reporting a security issue, our disclosure policy explains what to expect. We confirm receipt within two business days and aim to assess severity and confirm whether we can reproduce the issue within five business days. See /security-disclosure for the full policy.