Back to VertexScan
VertexScan API
A free, honest external exposure scanner. Live-verifies cached intel and classifies every port and CVE by confidence. Light, non-intrusive probing only.
Endpoint
POST https://vertexelite.org/api/scan
Content-Type: application/json
{ "target": "example.com", "cfToken": "<cloudflare-turnstile-token>" }- • A valid Cloudflare Turnstile token is required (anti-abuse). Rate-limited per IP.
- • Private / internal / reserved targets are refused (SSRF-guarded).
- • Responses:
200report ·400bad target ·403verification ·429rate-limited.
Confidence model
- ✅ Confirmed — cache claimed it and we connected live just now.
- 🔴 Blind-spot — live-open, but the cache never reported it.
- 👻 Phantom — cache claimed it, but it's dead now (the false positive).
- 🔥 CVEs — split into actively-exploited (CISA KEV) vs version-string guesses.
Discovery
- • OpenAPI: /.well-known/openapi.json
- • API catalog (RFC 9727): /.well-known/api-catalog
- • MCP server card: /.well-known/mcp/server-card.json
- • Auth model: /auth.md (public + Turnstile, no OAuth)
MCP server
The same engine runs as an open-source MCP server:
npx -y vertexscan-mcp
Tools: scan_host · verify_ports · check_cve · subdomains
Scan only hosts you own or are authorized to test.