Detectify is a Swedish External Attack Surface Management and web vulnerability scanner. Operated by Detectify AB in Stockholm, it crawls customer websites from cloud workers, simulates real attacker payloads from a crowdsourced research community and reports findings via a SaaS console.
Detectify is an External Attack Surface Management (EASM) and web vulnerability scanner founded in Stockholm in 2013. The product crawls internet-exposed customer assets from cloud workers, fingerprints services and runs payloads contributed by an invite-only crowdsourced research community (Detectify Crowdsource). Findings appear in the Detectify console with severity, exploit description and remediation guidance.
Detectify does not embed any client-side tag on customer websites. The console at detectify.com sets first-party authentication cookies (detectify_session, csrf_token) for the customer team. The marketing site at detectify.com loads HubSpot, Google Analytics 4 and Segment, which set their own cookies subject to consent. Scanner workers fetch HTTP responses, headers, screenshots and DOM trees from the customer assets being assessed.
Detectify acts as a processor of the customer for the scanning service (Art. 28 GDPR). The console authentication cookies are strictly necessary. Marketing site analytics and CRM cookies fall under Article 5(3) of the ePrivacy Directive. Scans that traverse authenticated areas may expose user account data: customers must define scope carefully and make employees and end users aware where appropriate.
For the Detectify console, only strictly necessary cookies are set, and they are consent-exempt. For the Detectify marketing site, HubSpot and Google Analytics cookies are gated behind their own consent banner. For the customer adopting Detectify, no consent is needed from website visitors because Detectify does not embed any code on the customer site; the scanner runs externally.
Detectify AB is a Swedish company and the core platform runs on AWS EU regions (Frankfurt, Ireland). Scanner workers are distributed globally to verify geo-dependent exposure. Customer support, marketing analytics and certain sub-processors operate in the United States. Detectify signs SCCs and publishes a sub-processor list and DPA addendum.
Sign the Detectify DPA, define scanning scope explicitly to avoid touching user account data unintentionally, configure SSO for the console, document Detectify as a processor in your record of processing, and inform the DPO and security teams about findings handling. No update to your public cookie policy is required for the scanner alone.
Websites using Detectify must obtain user consent under GDPR regulations.
DPIA considerations
Detectify scans customer-owned assets and discovers vulnerabilities, configuration issues and exposed data. The processing acts on assets, not on end users of the customer site, so a DPIA is rarely required for the scanner itself. It may be appropriate where Detectify findings include personal data exposures that the customer must triage and remediate, or where scanning includes authenticated areas with user accounts.
Sample consent text
We use Detectify to scan our own websites for vulnerabilities. Detectify does not embed any code on this website; the scanner runs externally from Detectify AB infrastructure in the European Union. No personal data of visitors is shared with Detectify as part of routine scanning.
Third-party domains contacted
- detectify.com
- app.detectify.com
- assets.detectify.com
- api.detectify.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| detectify_session | Strictly necessary (console authentication) | Session | Maintains the authenticated user session in the Detectify console |
| csrf_token | Strictly necessary (CSRF protection) | Session | Protects authenticated requests against CSRF attacks |
| OptanonConsent | Functional (Detectify marketing site consent) | 1 year | Records the consent state for marketing analytics cookies on detectify.com |
On the Detectify console, only strictly necessary cookies (detectify_session, csrf_token). On the marketing site detectify.com, HubSpot, Google Analytics 4 and Segment cookies are loaded behind a consent banner. Detectify does not embed any tag on customer websites.
Not on the customer site itself, because Detectify does not embed any client-side code. The Detectify marketing site has its own consent banner. The console runs on strictly necessary cookies, which are exempt.
Detectify acts as a processor of the customer under Art. 28 GDPR for the scanning service, which itself relies on Art. 6(1)(f) legitimate interest in keeping the customer assets secure. Console authentication uses Art. 6(1)(b) contract.
Core scanning and customer data live on AWS EU regions (Frankfurt, Ireland). Scanner workers are distributed globally to verify geographically dependent issues. Some marketing and support sub-processors operate in the US under SCCs and the EU-US Data Privacy Framework.
Usually no: Detectify scans assets, not visitors. A DPIA may be appropriate if Detectify findings include personal data exposures requiring triage, or if scans target authenticated areas with user accounts at scale.
Sign the Detectify DPA, define scanning scope explicitly, activate SSO for the console, document Detectify in your record of processing as a processor for security testing, and connect findings to your vulnerability management process.
Yes: Acunetix (Liechtenstein), Qualys (US), Tenable (US), Probely (Portugal/EU), Intruder (UK), Snyk (UK/US), Burp Suite Enterprise (UK). EU-origin scanners reduce transfer risk; non-EU ones need SCCs and a TIA.
You do not need to update your public cookie policy because Detectify does not embed cookies on your website. If you log in to the Detectify console, the cookies are first-party to detectify.com and managed by Detectify's own privacy policy.