Security & Compliance Mapping API Plans
Turn every website security scan into audit-ready evidence for PCI DSS, ISO/IEC 27001, and SOC 2
GRC integrations (Drata, Vanta, more to come)
Trust Center ready
JSON + XML reports
| Growth | Scale | |
| $499/mo Billed annually | Custom Billed annually | |
| Best For | Product teams and MSPs that don't need static IPs, custom scan behavior, or region pinning—just reliable evidence mapped to SOC 2 / PCI / ISO. | High-volume or regulated workloads needing static IPs, custom behavior, higher concurrency, and explicit data residency or geolocation. |
| Scans Included | 2,000 scans/mo + $0.60 per extra scan | Custom quota Custom pricing |
| Infrastructure | Shared cluster (multi-tenant) | Single-tenant cluster |
| Concurrent Scans | Up to 5 | 20 + |
| Uptime SLA | 99.9% | 99.95% |
| Support Response | 24-hour response | Priority acknowledgment |
| CORE FEATURES | ||
| Output Formats & Compliance Mapping |  JSON/XML/YAML with structured control IDs mapped to SOC 2, PCI DSS, ISO 27001 | JSON/XML/YAML with structured control IDs mapped to SOC 2, PCI DSS, ISO 27001 |
| IP Configuration | Pooled IPs (rotatable on request) | Static IP (allowing scanner IP whitelisting) |
| Scan Configuration | Standard scan config (fixed UA, depth, timeouts) | Custom scan parameters (user agent, scan depth, HTTP timeouts, and others) |
| Malware Scanner Engine Customization | N/A | |
| Regional Placement | N/A | US/EU/APAC · Optional On-Prem |
| Integration Help | Up to 2 hrs/mo | Up to 24 hrs/mo + architecture guidance |
| Growth | |
| $499/mo Billed annually | |
| Best For | Product teams and MSPs that don't need static IPs, custom scan behavior, or region pinning—just reliable evidence mapped to SOC 2 / PCI / ISO. |
| Scans Included | 2,000 scans/mo + $0.60 per extra scan |
| Infrastructure | Shared cluster (multi-tenant) |
| Concurrent Scans | Up to 5 |
| Uptime SLA | 99.9% |
| Support Response | 24-hour response |
| Output Formats & Compliance Mapping | JSON/XML/YAML with structured control IDs mapped to SOC 2, PCI DSS, ISO 27001 |
| IP Configuration | Pooled IPs (rotatable on request) |
| Scan Configuration | Standard scan config (fixed UA, depth, timeouts) |
| Malware Scanner Engine Customization | N/A |
| Regional Placement | N/A |
| Integration Help | Up to 2 hrs/mo |
| Scale | |
| Custom Billed annually | |
| Best For | High-volume or regulated workloads needing static IPs, custom behavior, higher concurrency, and explicit data residency or geolocation. |
| Scans Included | Custom quota/mo Custom pricing |
| Infrastructure | Single-tenant cluster |
| Concurrent Scans | 20 + |
| Uptime SLA | 99.95% |
| Support Response | Priority acknowledgment |
| Output Formats & Compliance Mapping | JSON/XML/YAML with structured control IDs mapped to SOC 2, PCI DSS, ISO 27001 |
| IP Configuration | Static IP (allowing scanner IP whitelisting) |
| Scan Configuration | Custom scan parameters (user agent, scan depth, HTTP timeouts, and others) |
| Malware Scanner Engine Customization | |
| Regional Placement | US/EU/APAC · Optional On-Prem |
| Integration Help | Up to 24 hrs/mo + architecture guidance |
Included In All Plans
Cyber Resilience and Compliance Features
- Full Stack Security ScanningMalware, Blacklist, SSL, & Ports
- Consistent Scanning EngineSame scanning engine for every plan.
- Blacklist Scenario AnalysisBlacklist scenarios (self‑blacklisted, reference, redirect) included and mapped.
- Full Suite Compliance MappingSOC 2, PCI DSS, ISO 27001
- In-Payload Control MappingDetections mapped in-payload to SOC 2, PCI DSS, and ISO/IEC 27001 control IDs.
- Seamless GRC IntegrationDesigned to feed Drata, Vanta, and OneTrust via webhooks/connectors.
Use Cases
Major use cases are:
- PCI-DSS compliance
- Malvertising detection and protection
- Enhanced SOAR Security Analysis
- SOC 2 reporting automation
- ISO/IEC 27001 evidence collection
- GDPR/DORA readiness assessments
Integration Options
You can integrate the Website Malware Scanner API into your system, or use the existing integrations with other platforms:
- FortiSOAR — FortiSOAR is a security orchestration, automation, and response (SOAR) solution.
- Palo Alto Networks Cortex XSOAR — Cortex XSOAR is the most comprehensive SOAR platform in the market today.
Frequently Asked Questions
Billing & pricing
- What are the available API plans and prices?Two main offerings:
Growth — $499 /mo (billed annually) with 2,000 scans / mo and $0.60 per extra scan;
Scale — Custom quota / custom pricing (contact sales).
Growth purchases use the online checkout (BlueSnap)
Scale is handled via sales. - How are excess (overage) scans billed?Overages on Growth are billed at the published per-scan price (e.g., $0.60 /extra scan) and for Scale are handled per your contract (custom overage terms). Overages are appended to the invoice for the following month or invoiced separately per contract.
- Are cached results charged?No — API charges only for new scan requests; requests that return existing cached results are not billed as new scans.
- What payment methods are supported?Growth plan checkout is via BlueSnap (start-trial / buy links on the page); Scale / enterprise customers contact sales for invoicing and contract terms.
Plans, SLAs & support
- Do plans differ in detection coverage, output, framework or scan type?No - every plan uses the same scanning engine and returns the same detections and compliance mappings (SOC 2, PCI DSS, ISO 27001). The plans differ only in infra (shared vs single-tenant), concurrency, IP model, SLA, and integration/architecture options.
- What uptime SLA and support response times apply?Growth: 99.9% SLA and 24-hour support response; Scale: 99.95% SLA with priority acknowledgment and higher support/architecture time.
- How many concurrent scans can I run?Growth: up to 5 concurrent scans. Scale: 20+ concurrent scans (custom).
IPs, scan configuration & regional placement
- How does IP allowlisting (whitelisting) work?Shared (Growth) uses pooled egress IPs (rotatable on request). Dedicated/Scale provides static, exclusive IPs that you can whitelist. On-prem installations give full control of egress IPs. Use the static IPs for vendor reviews / whitelist rules where required.
- Can I customize scan behavior (user agent, depth, timeouts)?Growth uses a standard scan configuration (fixed UA/depth/timeouts). Scale supports custom scan parameters (user agent, depth, timeouts, etc.) and more extensive engine customization.
- Can you run scans in a specific region or on-prem?Scale customers can request regional placement (US/EU/APAC) and optional on-prem deployments; Growth does not provide regional/on-prem placement.
Reports, formats & GRC
- Which report formats are available?JSON, XML, and YAML payloads are available; PDF reports are not provided. The outputs include in-payload control IDs mapped to SOC 2 / PCI DSS / ISO 27001.
- Can Quttera integrate with GRC tools?Yes — the API provides structured control mapping and is designed to feed GRC platforms (Drata, Vanta, OneTrust) via webhooks or connectors.
API usage, keys, webhooks & automation
- How do I authenticate & protect my API key?Treat your API key as a secret: store it in a secure secrets manager / CI environment variable and do not commit it to source control. Use short-lived credentials or rotate keys per your security policy. (Common best practice the API key stored as a secret.)
- Can I automate scans from CI/CD?Yes — the API supports on-demand POST scan requests and polling for status; common CI patterns: POST to start a scan, poll the scan status, then fetch the report once finished. See our API usage templates for examples.
- Do you support webhooks and how to secure them?Webhooks deliver JSON events (detections, blacklist, etc.). Secure them by using HTTPS endpoints and verifying requests (IP allowlist or request signatures). The API docs and integration pages describe webhook payloads and recommended verification.
Remediation & extra services
- How do I request remediation / blacklist removal?You can open a remediation ticket from the dashboard (or start via support); We will triage, perform an audit, and — if needed — request access credentials (FTP/SFTP, SSH, or CMS admin) to clean infections and coordinate blacklist removals. Remediation does not include DB repairs or backup restores.
- What extra integration help is included?Growth includes up to 2 hrs. / mo. integration help; Scale includes up to 24 hrs. / mo. plus architecture guidance.
