I built PTaaS ContractShield because I kept seeing the same pattern: indie devs and small SaaS teams ship fast, but security testing is either too expensive (pentest firms charge €5K-€20K) or too complex (setting up your own Nuclei/Nmap pipeline). Most early-stage products have zero security testing until a client or investor asks for a report.
What it does:
PTaaS ContractShield runs automated DAST (Dynamic Application Security Testing) against your web app using Nuclei with 2,500+ CVE templates. It crawls your app with katana to find parameterized endpoints, then scans for real vulnerabilities: SQL injection, XSS, SSRF, LFI, RCE, open redirects, misconfigurations, exposed panels, and more.
The key difference: instead of dumping a flat list of CVEs, the report translates findings into business impact. A non-technical CEO should understand what's at risk and what to fix first.
How it works:
Submit your target URL
We crawl with katana to discover attack surface
Nuclei runs DAST templates against discovered endpoints
You get a prioritized report with business context
Pricing:
OneShot scan: €19 (single scan, keep the report)
3-pack: €49
10-pack: €149
PTaaS subscription: from €49/month (recurring scans + dashboard)
Tech stack: FastAPI backend, Next.js frontend, PostgreSQL, Redis job queue, Docker. Runs on a 2GB VPS because I'm bootstrapping this.
What it's NOT:
Not a replacement for a manual pentest (no business logic testing)
Not a bug bounty platform
Not going to find your auth bypass or IDOR — those need human testers
It's the security equivalent of running npm audit but for your live web app, with actual exploit attempts against known CVEs.
Why I'm sharing this:
I've been lurking HN for years. The MoltBot breach last month (300K records exposed, basic SQLi) reminded me why this matters. Most of the SaaS products launching on Product Hunt this week have never been scanned. A €19 scan could have caught that.
Would love feedback from the HN security crowd. What would make you trust an automated scanner enough to run it against your production app? What's missing?
alec_codec•1h ago
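Added here as an illustration (not ContractShield's own code) of the "prioritized report with business context" step: it takes nuclei JSONL findings plus the katana-discovered endpoints, scores each finding by severity and by whether it sits on a parameterized endpoint, and attaches a plain-language impact line. The field names follow nuclei's JSONL output; the template ids, URLs and scoring weights are constructed assumptions for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: katana-discovered endpoints and nuclei JSONL findings
# (field names follow nuclei's -jsonl output; ids and URLs are made up).
KATANA_ENDPOINTS = [
    "https://app.example.test/search?q=test",
    "https://app.example.test/report?id=1",
]
NUCLEI_JSONL = """\
{"template-id":"example-sqli","info":{"name":"SQL injection (example)","severity":"critical","tags":["sqli","dast"]},"matched-at":"https://app.example.test/report?id=1"}
{"template-id":"example-open-redirect","info":{"name":"Open redirect (example)","severity":"medium","tags":["redirect","dast"]},"matched-at":"https://app.example.test/search?q=test"}
{"template-id":"example-exposed-panel","info":{"name":"Admin panel exposed (example)","severity":"info","tags":["panel","exposure"]},"matched-at":"https://app.example.test/admin"}
"""

SEVERITY_SCORE = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "unknown": 0}

# Plain-language impact for a non-technical reader, keyed by nuclei tag (assumed wording).
BUSINESS_IMPACT = {
    "sqli": "Attackers could read or alter customer records in the database.",
    "redirect": "Users could be sent to phishing pages that appear to come from you.",
    "panel": "An administrative interface is reachable from the internet.",
}
DEFAULT_IMPACT = "Review with your developers; impact depends on the affected feature."

def prioritize(jsonl_text, endpoints):
    """Return findings sorted highest priority first, each with business context."""
    # Paths that katana found taking user-controlled parameters.
    param_paths = {urlsplit(u).path for u in endpoints if urlsplit(u).query}
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        info = rec.get("info", {})
        sev = info.get("severity", "unknown").lower()
        raw = info.get("tags", [])  # older nuclei builds emit a comma-joined string
        tags = set(raw.split(",") if isinstance(raw, str) else raw)
        url = rec.get("matched-at", "")
        score = SEVERITY_SCORE.get(sev, 0) * 10
        # A hit on an endpoint that takes input outranks an equal-severity hit on a static path.
        if urlsplit(url).path in param_paths:
            score += 5
        impact = next((BUSINESS_IMPACT[t] for t in BUSINESS_IMPACT if t in tags), DEFAULT_IMPACT)
        findings.append({"id": rec.get("template-id"), "name": info.get("name"),
                         "severity": sev, "url": url, "score": score, "impact": impact})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for rank, f in enumerate(prioritize(NUCLEI_JSONL, KATANA_ENDPOINTS), 1):
        print(f"{rank}. [{f['severity']}] {f['name']} at {f['url']} -- {f['impact']}")
```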