
Frequently Asked Questions

Answers to common questions about Nano EASM, scanning authorisation, plans, data handling, and integrations.

Getting started

What is Nano EASM?

Nano EASM is an External Attack Surface Management platform — a cybersecurity SaaS product that helps IT teams, security generalists, and MSSPs discover internet-facing assets, scan for risk, monitor exposure changes, and prioritise remediation.

Is Nano EASM a CTEM platform?

Nano EASM focuses on the external attack surface layer of Continuous Threat Exposure Management. It helps teams discover internet-facing assets, monitor exposure changes, prioritise findings, and turn them into remediation actions. CTEM is broader than EASM and may include internal vulnerabilities, identity exposure, cloud posture, attack path validation, and control validation. Nano EASM is designed as a practical starting point for teams building toward a CTEM program — not a complete CTEM platform.

What does Nano EASM do?

Nano EASM helps you see your external attack surface the way an attacker would. You give it a domain, IP, or cloud asset, and it discovers what’s connected to it — subdomains, exposed services, cloud buckets, certificates — scans for vulnerabilities, watches for changes over time, and turns each finding into clear next steps your team can act on.

What does Nano EASM detect?

Every alert Nano EASM raises falls into one of seven categories. The full catalogue is on the Coverage page — short version:

  • Vulnerabilities — known CVEs and software flaws in services running on your assets.
  • Service Exposure — admin panels, dev tools, databases, and cloud assets reachable from the internet.
  • Data Leaks — secrets, credentials, configuration files, and source code exposed in public repos or directly on the asset.
  • Misconfigurations — CORS, open redirects, default credentials, and accessible admin endpoints.
  • Security Hygiene — expiring certificates, missing security headers, weak DMARC/SPF, and end-of-life software stacks.
  • Lookalike Domains — typosquats, homoglyph confusables, TLD swaps, and page-clone sites mimicking yours — registered to impersonate your brand.
  • Compromised Credentials — employee email addresses found in known breach databases, with plaintext or hashed password exposure flagged per account.

You can toggle each category on or off for your organisation, and override per asset group — e.g. a group of expected admin panels can have Service Exposure disabled while still receiving everything else.

Can I turn off categories of alerts?

Yes. Each of the seven detection categories can be enabled or disabled at the organisation level, and overridden per asset group. Findings are still recorded in the dashboard for auditing — you’re only suppressing the alert/notification, not the data. For finer control, the platform also supports tuning rules that suppress findings matching a pattern (host, port, finding type).

Can different asset groups have different alert rules?

Yes. An organisation has a default set of alert categories enabled, and any asset group can override those defaults. Common patterns we see: a group of internal-by-design admin tools with Service Exposure disabled (admin panels are expected); a dev/staging group with Misconfigurations and Hygiene turned down because configs are deliberately loose; a PCI-scope group with everything required at every severity. The group’s rules apply only to its assets — the rest of the organisation continues with the org default.
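The three answers above describe one resolution order: the organisation's default category set, a per-asset-group override of that set, then tuning rules that suppress individual findings by host, port and finding type, with the finding recorded either way. The following Python is an added example of that logic, not Nano EASM's own code; the rule fields (glob patterns for host and finding type, a port that may be left unset), the group and host names, and the findings themselves are constructed for illustration.

```python
"""Resolve whether a finding should raise an alert: org default categories,
per-asset-group overrides, then (host, port, finding type) tuning rules."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

# The seven detection categories listed on the page.
CATEGORIES = frozenset({
    "Vulnerabilities", "Service Exposure", "Data Leaks", "Misconfigurations",
    "Security Hygiene", "Lookalike Domains", "Compromised Credentials",
})


@dataclass(frozen=True)
class Finding:
    host: str
    port: Optional[int]
    category: str
    finding_type: str
    asset_group: Optional[str] = None  # None: not in any group, org default applies


@dataclass(frozen=True)
class TuningRule:
    """Suppress findings whose host, port and finding type all match.
    Field shapes are assumptions for this example: host and finding_type are
    glob patterns, port None matches any port."""
    host: str = "*"
    port: Optional[int] = None
    finding_type: str = "*"

    def matches(self, f: Finding) -> bool:
        return (fnmatch(f.host, self.host)
                and (self.port is None or self.port == f.port)
                and fnmatch(f.finding_type, self.finding_type))


@dataclass
class AlertPolicy:
    org_enabled: frozenset
    # group name -> the full set of enabled categories for that group
    group_overrides: dict = field(default_factory=dict)
    tuning_rules: list = field(default_factory=list)

    def enabled_for(self, group: Optional[str]) -> frozenset:
        # A group either overrides the whole category set or inherits the org default.
        return self.group_overrides.get(group, self.org_enabled)

    def evaluate(self, f: Finding) -> dict:
        if f.category not in CATEGORIES:
            raise ValueError(f"unknown category: {f.category!r}")
        # Findings are always recorded; the policy only decides whether to notify.
        if f.category not in self.enabled_for(f.asset_group):
            return {"recorded": True, "alert": False,
                    "reason": f"{f.category} disabled for {f.asset_group or 'org default'}"}
        for rule in self.tuning_rules:
            if rule.matches(f):
                return {"recorded": True, "alert": False,
                        "reason": f"suppressed by tuning rule {rule}"}
        return {"recorded": True, "alert": True, "reason": "category enabled, no rule matched"}


def build_example_policy() -> AlertPolicy:
    """Constructed policy mirroring the patterns the FAQ describes."""
    return AlertPolicy(
        org_enabled=CATEGORIES,
        group_overrides={
            "admin-tools": CATEGORIES - {"Service Exposure"},
            "dev-staging": CATEGORIES - {"Misconfigurations", "Security Hygiene"},
        },
        tuning_rules=[
            TuningRule(host="*.staging.example.com", port=22, finding_type="open-ssh"),
        ],
    )


def evaluate_sample_findings() -> dict:
    """Run constructed findings through the policy; returns label -> alert?"""
    policy = build_example_policy()
    samples = {
        "admin_panel_in_admin_group": Finding("admin.example.com", 443, "Service Exposure", "admin-panel", "admin-tools"),
        "admin_panel_ungrouped": Finding("old.example.com", 8080, "Service Exposure", "admin-panel"),
        "staging_ssh": Finding("ci.staging.example.com", 22, "Service Exposure", "open-ssh", "dev-staging"),
        "staging_missing_hsts": Finding("app.staging.example.com", 443, "Security Hygiene", "missing-hsts", "dev-staging"),
        "pci_cve": Finding("pay.example.com", 443, "Vulnerabilities", "cve", "pci-scope"),
    }
    return {label: policy.evaluate(f)["alert"] for label, f in samples.items()}


if __name__ == "__main__":
    for label, alert in evaluate_sample_findings().items():
        print(f"{label:32} alert={alert}")
```

Note the order: a group override replaces the whole category set rather than patching it, so a group with no override of its own (pci-scope above) simply inherits the org default, and the tuning rule only runs for findings whose category is already enabled.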

Do I need to install anything?

No. Nano EASM is fully cloud-hosted. You sign in through your browser, add your assets, and start scanning. Nothing to deploy on your network. If you want to connect Slack, Jira, or webhooks, that’s a config setting in the dashboard.

How do I add my first asset?

After signing up, go to Assets and click Add asset. Drop in a domain, IP, or cloud asset URL you own or are authorised to test. Nano EASM will start mapping what’s exposed within minutes.

What is the difference between Quick, Standard, and Deep scans?

Quick scans are the fastest tier and check the most common ports and headline issues, so they suit a first look or a quick revalidation.

Standard scans are the default and balance depth with speed (most users live here).

Deep scans check a wider range of ports, services, and known vulnerabilities, so they take the longest. All three honour the same authorisation rules.

How long does a scan take?

Quick scans finish in under a minute. Standard scans typically take a few minutes. Deep scans can take 10–20 minutes depending on what’s exposed and how much there is to check. You don’t have to wait around — kick it off and we’ll email you when it’s done if you’ve enabled notifications.

Scanning & authorisation

What am I allowed to scan?

Anything you own, or anything you have explicit written permission to test. That’s the rule. If your name is on the domain registration or your company controls the IP range, you’re fine. If you’re testing a client’s environment under a contract or statement of work, you’re fine. If you’re “pretty sure it’ll be okay” — you’re not. The full breakdown is in our Acceptable Use Policy and Security & Scanning Authorisation.

Can I scan a customer's domain?

Yes — if you have written authorisation. A signed pentesting engagement, an MSSP services agreement that names the asset, a statement of work, or explicit written permission from the asset owner. “They’re a client” or “I used to work there” isn’t enough. We log every scan with its origin, so attribution is clear if anyone ever asks.

What should I not scan?

Anything you don’t have authority to test. That includes critical national infrastructure (power, water, signals), government or military systems without a contract, healthcare systems without compliance clearance, and shared cloud infrastructure where your authority extends only to your own tenant. You also shouldn’t scan our own sub-processors (Stripe, Resend, AWS, etc.). Detailed list in the Security & Scanning Authorisation document.

Will scans appear in logs?

Yes. Active scanning generates real network traffic, and any well-monitored target will see your requests in their logs. SIEMs and IDS systems may even alert on it. This is normal and expected — but it’s another reason to only scan what you’re authorised to scan.

What happens if someone abuses the platform?

We log every scan with the originating account, IP, and target. We rate-limit unauthenticated quick scans, IP-block repeat abusers, and reserve the right to suspend or terminate accounts engaged in unauthorised scanning. We may also disclose logs to law enforcement when required by law or by a serious abuse report. The full enforcement ladder is in our Acceptable Use Policy.

Can Nano EASM guarantee it finds every exposed asset?

No — and any tool that claims to is overpromising. Discovery is best-effort. We use multiple sources (CT logs, DNS enumeration, certificate inspection, third-party intelligence feeds) and continuously expand coverage, but no automated tool finds 100% of an organisation’s exposed assets, especially shadow IT, internal-only DNS, or assets behind authentication. Findings, severity scores, and remediation guidance also benefit from independent verification before you act on them.

Pricing & plans

Is Nano EASM free to start?

Yes. The Free plan lets you add up to 2 assets and run up to 5 scans per month with no payment method required. Use it to evaluate the platform on your own infrastructure before committing to a paid plan.

How do trials work?

Trials are request-only — click Request free trial on any paid plan card and we’ll review the request manually. If approved, the requested plan is enabled at no charge for a defined period. No payment method is needed. When the trial ends, your organisation reverts to Free unless you switch to another tier.

What happens if I exceed my plan limits?

You’ll see a clear message in the app explaining which limit you hit. Actions are blocked rather than billed — we don’t do overages. Upgrading unlocks more scans, more monitored assets, and more team seats. Every paid tier is currently free to switch into.

Can I upgrade or downgrade later?

Yes, anytime — open Settings → Plans and pick the tier you want. Every paid tier is free to upgrade into until further notice, and the change takes effect immediately. When billing returns later, downgrades will apply at the end of the billing period; there’s no contract lock-in.

How do refunds and cancellations work?

Plans are currently free to upgrade, so there is nothing to refund or cancel. You can close your account at any time; your data stays accessible until you delete it manually. When billing returns, cancellations will take effect at the end of the billing period and refund exceptions will follow our Refund & Cancellation Policy.

Data, privacy & security

What data does Nano EASM collect?

Account info you provide (email, name, optional profile fields), the assets and scan configurations you create, scan results and findings we generate on your behalf, and operational logs (IP addresses, request data, audit events) for security and abuse prevention. Card data is collected by Stripe — we never see or store it. Full breakdown in our Privacy Policy.

Where is my data stored?

On AWS in the United States (us-east-1 region) — chosen for sub-processor availability and global low-latency. International transfers follow the safeguards described in our Privacy Policy. If you have a data-residency requirement, contact us — we can discuss options under a custom contract.

Do you train AI on my data?

No. We don’t use customer data — assets, scan results, findings, configurations, or anything else — to train any AI or machine-learning model. Our finding explanations are written by security engineers up front, not generated from your data. This is a deliberate choice; many security tools quietly do the opposite.

Can I delete my data?

Yes. As an organisation owner you can delete your entire workspace from Settings → Billing → Danger Zone, which cascades to all linked records (assets, scans, findings, members, and the org's audit logs). Production deletion is immediate; backups that still hold the deleted data expire within 30 days. Individual data-subject deletion requests under privacy law are honoured within 30 days — email support@nanoeasm.com.

Who can access my scan results?

Inside your organisation, role-based access control governs who sees what (Owner, Admin, Analyst, Viewer). Outside your organisation, only specific Nano EASM operations personnel with named production access can see your data, and only when needed for support, security, or legal compliance. Privileged actions like superadmin impersonation are audit-logged. We never share or sell scan data.

Teams, integrations & API

Can I invite teammates?

Yes. From Settings → Team, send an email invite to any teammate. They’ll receive a link to set up their account, join your organisation, and inherit the role you assigned (Admin, Analyst, or Viewer). Owner is the seat that controls billing — there’s only one owner per org, transferable on request.

Do you have an API?

Yes — Nano EASM exposes two API surfaces, each suited to a different kind of caller:

  • REST API at /api/... — traditional HTTP + JSON, read + write. Use it to integrate with your SOAR, SIEM, ticketing system, CI/CD pipeline, or your own dashboards. Auth via ag_sk_ keys generated at Settings → API Keys.
  • MCP server at mcp.nanoeasm.com — Model Context Protocol (JSON-RPC 2.0), designed for AI clients like Claude Desktop, Cursor, and custom agents. Read-only. Auth via mcp_sk_ keys, isolated from the REST keys.

Full endpoint reference, code samples, and the MCP tool catalogue live on the API documentation page.

Can I connect Nano EASM to Claude Desktop, Cursor, or other AI clients?

Yes. Nano EASM speaks the Model Context Protocol (MCP) at mcp.nanoeasm.com. Generate an MCP key from Settings → API Keys → MCP keys, paste a short config snippet into your AI client, and you can ask plain-English questions about your attack surface, such as "how many critical findings are open?" or "what was discovered on dev.* in the last week?".

The MCP surface is read-only — 14 tools covering assets, findings, scan jobs, discovery jobs, monitors, and dashboard stats. For Claude Desktop (which speaks stdio MCP), install the bridge with pip install nano-easm-mcp; clients that speak HTTP MCP can point straight at the hosted endpoint. Full setup snippets are in the MCP section of the API docs, and the launch article walks through the why and the how.

What's the difference between the REST API and the MCP server?

Different surfaces for different callers:

  • The REST API is for scripts, automation, and integrations — anything that already speaks HTTP + JSON. Read + write. Use it to add assets, kick off scans, pull findings into your ticketing system, or stream events into a SIEM.
  • The MCP server is for AI assistants. JSON-RPC 2.0 with a tool catalogue the AI discovers and calls on your behalf when you ask it a question. Read-only today; we’ll add write tools in a follow-up release once read patterns settle.

The two are isolated by design. ag_sk_ (REST) keys cannot call MCP, and mcp_sk_ (MCP) keys cannot call REST. Revoke either independently; a leaked key on one side never compromises the other.
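To make the two-surface design concrete (REST with ag_sk_ keys, MCP with mcp_sk_ keys, the MCP side read-only over JSON-RPC 2.0), here is an added Python sketch of how such isolation is typically enforced server-side. It is illustrative only, not Nano EASM's implementation: keys are stored hashed in a separate table per surface, a key presented to the wrong surface is rejected on its prefix before any lookup, and the MCP dispatcher answers only `tools/list` and `tools/call` (standard MCP method names) for a catalogue of read-only tools. The tool names, the findings data and the custom error code -32001 are constructed for the example.

```python
"""Two isolated API surfaces: ag_sk_ keys for REST, mcp_sk_ keys for MCP.
Keys are stored hashed, per surface, and a key presented to the wrong surface
never reaches a lookup. The MCP side is a minimal JSON-RPC 2.0 dispatcher
that exposes read-only tools scoped to the caller's own organisation."""
import hashlib
import json
import secrets

REST, MCP = "rest", "mcp"
PREFIX = {REST: "ag_sk_", MCP: "mcp_sk_"}


def _digest(key: str) -> str:
    # Store only a hash so a database leak does not hand out usable keys.
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    def __init__(self) -> None:
        self._tables = {REST: {}, MCP: {}}  # surface -> {sha256(key): org_id}

    def issue(self, surface: str, org_id: str) -> str:
        key = PREFIX[surface] + secrets.token_urlsafe(24)
        self._tables[surface][_digest(key)] = org_id
        return key  # shown to the user once; only the hash is kept

    def revoke(self, key: str) -> None:
        for table in self._tables.values():
            table.pop(_digest(key), None)

    def authenticate(self, surface: str, key: str):
        """Return the org id, or None. The prefix check comes first: a REST
        key is refused by MCP before any lookup, and vice versa."""
        if not key.startswith(PREFIX[surface]):
            return None
        return self._tables[surface].get(_digest(key))


# Constructed sample data standing in for the findings store.
FINDINGS = [
    {"org": "org-1", "severity": "critical", "status": "open", "host": "api.example.com"},
    {"org": "org-1", "severity": "high", "status": "open", "host": "dev.example.com"},
    {"org": "org-1", "severity": "critical", "status": "resolved", "host": "old.example.com"},
    {"org": "org-2", "severity": "critical", "status": "open", "host": "shop.example.org"},
]


def count_open_findings(org_id: str, args: dict) -> dict:
    sev = args.get("severity")
    hits = [f for f in FINDINGS if f["org"] == org_id and f["status"] == "open"
            and (sev is None or f["severity"] == sev)]
    return {"count": len(hits)}


def list_hosts(org_id: str, args: dict) -> dict:
    return {"hosts": sorted({f["host"] for f in FINDINGS if f["org"] == org_id})}


# Hypothetical tool names; every tool is a pure read over the caller's own org.
READ_ONLY_TOOLS = {"count_open_findings": count_open_findings, "list_hosts": list_hosts}


def _ok(rid, result):
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def _err(rid, code, message):
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle_mcp(store: KeyStore, key: str, request: dict) -> dict:
    """Serve one JSON-RPC 2.0 request on the MCP surface."""
    rid = request.get("id")
    if request.get("jsonrpc") != "2.0":
        return _err(rid, -32600, "invalid request")
    org_id = store.authenticate(MCP, key)
    if org_id is None:
        return _err(rid, -32001, "unauthorized: MCP requires an mcp_sk_ key")
    method = request.get("method")
    params = request.get("params") or {}
    if method == "tools/list":
        return _ok(rid, {"tools": [{"name": n} for n in READ_ONLY_TOOLS]})
    if method == "tools/call":
        tool = READ_ONLY_TOOLS.get(params.get("name"))
        if tool is None:
            return _err(rid, -32602, "unknown tool")
        result = tool(org_id, params.get("arguments") or {})
        return _ok(rid, {"content": [{"type": "text", "text": json.dumps(result)}]})
    return _err(rid, -32601, "method not found")  # no write methods exist here


if __name__ == "__main__":
    store = KeyStore()
    mcp_key = store.issue(MCP, "org-1")
    rest_key = store.issue(REST, "org-1")
    print(handle_mcp(store, rest_key, {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}))
    print(handle_mcp(store, mcp_key, {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                                      "params": {"name": "count_open_findings",
                                                 "arguments": {"severity": "critical"}}}))
```

Two properties matter here. Because the tables are separate and the prefix is checked first, revoking one key changes nothing about the other surface, which is what "a leaked key on one side never compromises the other" means in practice. And because the dispatcher has no write method at all, read-only is a property of the surface, not of a permission flag that could be mis-set.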

Do you support webhooks?

Yes — on Professional plans and above. Configure webhooks to fire on events like new finding, scan completed, or monitor alert raised. Each webhook gets its own signing secret so you can verify the payload. Configure them from Settings → Integrations.
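The signing secret is only useful if the receiver actually checks it, over the raw body, in constant time, and with a replay window. The Python below is an added example of a receiver doing that; it is not Nano EASM's own code, and the header names, the `<timestamp>.<raw body>` HMAC-SHA256 construction, the event name and the secret are assumptions for illustration (check the integrations settings for the real scheme). The `sign` function stands in for the sending side so the example runs offline.

```python
"""Verify a signed webhook delivery before trusting its payload."""
import hashlib
import hmac
import json
import time

# Header names and the signing construction are assumptions for this example:
# signature = HMAC-SHA256(secret, "<timestamp>.<raw body>"), hex-encoded.
SIG_HEADER = "X-Nano-Signature"
TS_HEADER = "X-Nano-Timestamp"
TOLERANCE_SECONDS = 300  # reject deliveries older (or newer) than five minutes


def sign(secret: str, timestamp: int, body: bytes) -> str:
    """Sender side: bind the timestamp into the MAC so it cannot be swapped."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify(secret: str, headers: dict, body: bytes, now=None) -> tuple:
    """Receiver side. Returns (ok, reason). `body` must be the raw bytes as
    received; re-serialising parsed JSON changes whitespace and breaks the MAC."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TS_HEADER)
    presented = headers.get(SIG_HEADER, "")
    if ts_raw is None or not presented:
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    expected = sign(secret, ts, body)
    # Constant-time comparison on bytes; never compare MACs with ==.
    if not hmac.compare_digest(expected.encode(), presented.encode("utf-8", "replace")):
        return False, "signature mismatch"
    return True, "ok"


def build_delivery(secret: str, event: dict, timestamp: int) -> tuple:
    """Constructed delivery: compact JSON body plus the two headers."""
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {TS_HEADER: str(timestamp), SIG_HEADER: sign(secret, timestamp, body)}
    return headers, body


def handle_delivery(secret: str, headers: dict, body: bytes, now: int) -> dict:
    """What a webhook endpoint should do: verify first, parse second."""
    ok, reason = verify(secret, headers, body, now)
    if not ok:
        return {"accepted": False, "reason": reason}
    event = json.loads(body)
    return {"accepted": True, "event": event.get("event"), "reason": reason}


if __name__ == "__main__":
    secret = "whsec_example_only"            # constructed per-webhook secret
    ts = 1_700_000_000
    headers, body = build_delivery(secret, {"event": "finding.created", "severity": "critical"}, ts)
    print(handle_delivery(secret, headers, body, now=ts + 10))
    print(handle_delivery(secret, headers, body + b" ", now=ts + 10))   # tampered
    print(handle_delivery(secret, headers, body, now=ts + 3600))        # replayed
```

Because each webhook has its own secret, a receiver that serves several webhooks must look the secret up by the endpoint that was hit, not use one shared value; the example keeps that lookup outside `verify` so it stays a pure function of secret, headers and body.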

Can I export findings or reports?

Yes. Findings can be exported to CSV at any time. Generated PDF and Excel reports are also available — go to Reports, choose what to include, and download. The data is yours.

Is Nano EASM suitable for MSSPs?

Absolutely — MSSPs are one of our core audiences. You can manage multiple client organisations from one account, with separate workspaces, separate billing, and separate access controls per client. Reports can be exported and rebranded for client delivery. If you’re an MSSP looking to onboard several clients, contact us for partner pricing.

Can't find what you're looking for?

We’re a small team and you’ll get a real reply.

Contact us →