Frequently Asked Questions
Answers to common questions about Nano EASM, scanning authorisation, plans, data handling, and integrations.
Getting started
What is Nano EASM?
Nano EASM is an External Attack Surface Management platform — a cybersecurity SaaS product that helps IT teams, security generalists, and small MSSPs discover internet-facing assets, scan for risk, monitor exposure changes, and prioritise remediation. (Not to be confused with the similarly-named open-source Verilog assembler — Nano EASM is a security platform for the modern web, not a hardware tool.)
What does Nano EASM do?
Nano EASM helps you see your external attack surface the way an attacker would. You give it a domain, IP, or cloud asset, and it discovers what’s connected to it — subdomains, exposed services, cloud buckets, certificates — scans for vulnerabilities, watches for changes over time, and turns each finding into clear next steps your team can act on.
Do I need to install anything?
No. Nano EASM is fully cloud-hosted. You sign in through your browser, add your assets, and start scanning. Nothing to deploy on your network. If you want to connect Slack, Jira, or webhooks, that’s a config setting in the dashboard.
How do I add my first asset?
After signing up, go to Assets and click Add asset. Drop in a domain, IP, or cloud asset URL you own or are authorised to test. Nano EASM will start mapping what’s exposed within minutes.
What is the difference between Quick, Standard, and Deep scans?
Quick scans run in seconds and check the most-common ports and headline issues — good for a first look or fast revalidation.
Standard scans are the default and balance depth with speed (most users live here).
Deep scans check a wider range of ports, services, and known vulnerabilities, and take longer (typically 10–20 minutes). All three honour the same authorisation rules.
How long does a scan take?
Quick scans finish in under a minute. Standard scans typically take a few minutes. Deep scans can take 10–20 minutes depending on what’s exposed and how much there is to check. You don’t have to wait around — kick it off and we’ll email you when it’s done if you’ve enabled notifications.
Scanning & authorisation
What am I allowed to scan?
Anything you own, or anything you have explicit written permission to test. That’s the rule. If your name is on the domain registration or your company controls the IP range, you’re fine. If you’re testing a client’s environment under a contract or statement of work, you’re fine. If you’re “pretty sure it’ll be okay” — you’re not. The full breakdown is in our Acceptable Use Policy and Security & Scanning Authorisation.
Can I scan a customer's domain?
Yes — if you have written authorisation. A signed pentesting engagement, an MSSP services agreement that names the asset, a statement of work, or explicit written permission from the asset owner. “They’re a client” or “I used to work there” isn’t enough. We log every scan with its origin, so attribution is clear if anyone ever asks.
What should I not scan?
Anything you don’t have authority to test. That includes critical national infrastructure (power, water, signals), government or military systems without a contract, healthcare systems without compliance clearance, and shared cloud infrastructure where your authority extends only to your own tenant. You also shouldn’t scan our own sub-processors (Stripe, Resend, AWS, etc.). Detailed list in the Security & Scanning Authorisation document.
Will scans appear in logs?
Yes. Active scanning generates real network traffic, and any well-monitored target will see your requests in its logs. A SIEM rule or IDS signature may alert on it, because from the target's side a scan looks exactly like attacker reconnaissance. This is normal and expected — but it’s another reason to only scan what you’re authorised to scan.
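To make the point concrete, here is the kind of heuristic a SIEM or IDS applies to spot a port scan: one source touching many distinct ports on one host inside a short window. This is an added illustration, not Nano EASM code or any vendor's detection logic; the log lines are constructed (TEST-NET addresses), the line format is assumed, and the thresholds are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log excerpt (not real traffic). Assumed format:
# "<ISO-8601 UTC time> <src> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 -> 198.51.100.20:21 DENY
2024-05-01T10:00:01Z 192.0.2.5 -> 198.51.100.20:443 ALLOW
2024-05-01T10:00:02Z 203.0.113.7 -> 198.51.100.20:22 DENY
2024-05-01T10:00:02Z 203.0.113.7 -> 198.51.100.20:25 DENY
2024-05-01T10:00:03Z 203.0.113.7 -> 198.51.100.20:80 ALLOW
2024-05-01T10:00:03Z 192.0.2.5 -> 198.51.100.20:443 ALLOW
2024-05-01T10:00:04Z 203.0.113.7 -> 198.51.100.20:110 DENY
2024-05-01T10:00:04Z 203.0.113.7 -> 198.51.100.20:143 DENY
2024-05-01T10:00:05Z 203.0.113.7 -> 198.51.100.20:443 ALLOW
2024-05-01T10:00:05Z 203.0.113.7 -> 198.51.100.20:445 DENY
2024-05-01T10:00:06Z 203.0.113.7 -> 198.51.100.20:3306 DENY
2024-05-01T10:00:06Z 203.0.113.7 -> 198.51.100.20:3389 DENY
2024-05-01T10:00:07Z 192.0.2.5 -> 198.51.100.20:443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port, _action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def detect_scans(lines, min_ports=8, window_seconds=60):
    """Flag (src, dst) pairs that hit >= min_ports distinct ports within window_seconds.

    Uses a sliding window per pair; emits at most one alert per pair.
    Note that ALLOW and DENY both count: a scan of open ports is still a scan.
    """
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        events[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        window = deque()
        for ts, port in evs:
            window.append((ts, port))
            # drop events that fell out of the time window
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= min_ports:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(distinct),
                    "first_seen": window[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                })
                break
    return alerts


def scan_sources(lines, **kwargs):
    """Convenience: just the source IPs that tripped the heuristic."""
    return sorted({a["src"] for a in detect_scans(lines, **kwargs)})


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, only 203.0.113.7 is flagged: it touched ten distinct ports in six seconds, while 192.0.2.5 repeatedly using port 443 is ordinary traffic. A Quick scan against a host you own will light up a rule like this in the target's SIEM just the same.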
What happens if someone abuses the platform?
We log every scan with the originating account, IP, and target. We rate-limit unauthenticated quick scans, IP-block repeat abusers, and reserve the right to suspend or terminate accounts engaged in unauthorised scanning. We may also disclose logs to law enforcement when required by law or by a serious abuse report. The full enforcement ladder is in our Acceptable Use Policy.
Can Nano EASM guarantee it finds every exposed asset?
No — and any tool that claims to is overpromising. Discovery is best-effort. We use multiple sources (CT logs, DNS enumeration, certificate inspection, third-party intelligence feeds) and continuously expand coverage, but no automated tool finds 100% of an organisation’s exposed assets, especially shadow IT, internal-only DNS, or assets behind authentication. Findings, severity scores, and remediation guidance also benefit from independent verification before you act on them.
Pricing & plans
Is Nano EASM free to start?
Yes. The Free plan lets you add up to 2 assets and run up to 5 scans per month with no payment method required. Use it to evaluate the platform on your own infrastructure before committing to a paid plan.
How do trials work?
Trials are request-only — click Request free trial on any paid plan card and we’ll review the request manually. If approved, the requested plan is enabled on your organisation for a defined period at no charge. No payment method is required during the trial. If you don’t convert, your organisation reverts to the Free plan when the trial ends.
What happens if I exceed my plan limits?
You’ll see a clear message in the app explaining which limit you hit. Most actions are blocked rather than charged as overages — we don’t want surprise bills. To run more scans, monitor more assets, or invite more teammates, upgrade to a higher plan. Plan changes mid-cycle are pro-rated automatically.
Can I upgrade or downgrade later?
Yes, anytime. Open Settings → Billing → Manage billing. Upgrades take effect immediately with pro-rated charges. Downgrades take effect at the end of your current billing period — you keep your current limits until then. There’s no contract lock-in.
How do refunds and cancellations work?
Cancellations take effect at the end of your current billing period — you keep paid features until then, and your data isn’t deleted. Subscription fees are non-refundable for elapsed time, with exceptions for billing errors, material service failures on our side, and where consumer law requires (e.g. Australian Consumer Law guarantees). Full details in our Refund & Cancellation Policy.
Data, privacy & security
What data does Nano EASM collect?
Account info you provide (email, name, optional profile fields), the assets and scan configurations you create, scan results and findings we generate on your behalf, and operational logs (IP addresses, request data, audit events) for security and abuse prevention. Card data is collected by Stripe — we never see or store it. Full breakdown in our Privacy Policy.
Where is my data stored?
On AWS in the United States (us-east-1 region). Although Nano EASM is based in Australia, we host in the US for sub-processor availability and low global latency. International transfers are governed by the safeguards described in our Privacy Policy. If you have a data-residency requirement, contact us — we can discuss options under a custom contract.
Do you train AI on my data?
No. We don’t use customer data — assets, scan results, findings, configurations, or anything else — to train any AI or machine-learning model. Our finding explanations are written by security engineers up front, not generated from your data. This is a deliberate choice; many security tools quietly do the opposite.
Can I delete my data?
Yes. As an organisation owner you can delete your entire workspace from Settings → Billing → Danger Zone, which cascades to all linked records (assets, scans, findings, members, audit logs for the org). Production deletion is immediate; backup copies expire within 30 days. Individual data-subject deletion requests under privacy law are honoured within 30 days — email support@nanoeasm.com.
Who can access my scan results?
Inside your organisation, role-based access control governs who sees what (Owner, Admin, Analyst, Viewer). Outside your organisation, only specific Nano EASM operations personnel with named production access can see your data, and only when needed for support, security, or legal compliance. Privileged actions like superadmin impersonation are audit-logged. We never share or sell scan data.
Teams, integrations & API
Can I invite teammates?
Yes. From Settings → Team, send an email invite to any teammate. They’ll receive a link to set up their account, join your organisation, and inherit the role you assigned (Admin, Analyst, or Viewer). Owner is the seat that controls billing — there’s only one owner per org, transferable on request.
Do you have an API?
Yes. The full Nano EASM API lets you create assets, run scans, fetch findings, manage monitors, and pull report data programmatically. Authentication uses API keys you generate from Settings → API Keys. Use it to integrate with your SOAR, your ticketing system, or your own dashboards.
Do you support webhooks?
Yes — on Professional plans and above. Configure webhooks to fire on events like new finding, scan completed, or monitor alert raised. Each webhook gets its own signing secret so your receiver can verify that a payload really came from Nano EASM and wasn’t altered in transit. Configure them from Settings → Integrations.
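A receiver-side verification routine, as an added example rather than Nano EASM's own SDK or documented scheme. The page only says each webhook has a signing secret; the header names (X-Nano-Timestamp, X-Nano-Signature), the HMAC-SHA256 construction over "timestamp.body", and the five-minute replay tolerance are all assumptions here, to be replaced with whatever the Integrations page specifies. The shape of the check is what matters: verify the raw bytes, compare in constant time, and reject stale deliveries.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed, not documented on the page: header names and signing scheme.
TIMESTAMP_HEADER = "X-Nano-Timestamp"
SIGNATURE_HEADER = "X-Nano-Signature"
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is >5 min from now (replay window)


def sign(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over '<timestamp>.<raw body>' (assumed sender-side scheme)."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, raw_body: bytes,
                   now: Optional[float] = None) -> dict:
    """Return the parsed event if signature and timestamp check out, else raise ValueError.

    The MAC is computed over the raw request bytes *before* JSON parsing, so
    whitespace or key-order differences from re-serialising cannot break it.
    """
    now = time.time() if now is None else now
    ts = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if not ts or not sig:
        raise ValueError("missing signature headers")
    try:
        ts_int = int(ts)
    except ValueError:
        raise ValueError("malformed timestamp") from None
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside tolerance (possible replay)")
    expected = sign(secret, ts, raw_body)
    # constant-time compare: a plain == returns early at the first differing byte
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature mismatch")
    return json.loads(raw_body)


def is_valid_delivery(secret: str, headers: dict, raw_body: bytes,
                      now: Optional[float] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_webhook(secret, headers, raw_body, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed delivery: a made-up secret, timestamp and event body.
    secret = "whsec_example_only"
    ts = "1700000000"
    body = b'{"event":"finding.created","asset":"example.com","severity":"high"}'
    headers = {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: sign(secret, ts, body)}
    print("genuine:", is_valid_delivery(secret, headers, body, now=1700000010))
    tampered = body.replace(b'"high"', b'"low"')
    print("tampered:", is_valid_delivery(secret, headers, tampered, now=1700000010))
    print("replayed an hour later:", is_valid_delivery(secret, headers, body, now=1700003600))
```

Keep the secret in your secret store rather than in the handler's source, and verify before doing anything with the event (creating a ticket, paging someone): an unverified webhook endpoint is an injection point for fake findings into your SOAR.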
Can I export findings or reports?
Yes. Findings can be exported to CSV at any time. Generated PDF and Excel reports are also available — go to Reports, choose what to include, and download. The data is yours.
Is Nano EASM suitable for MSSPs?
Absolutely — MSSPs are one of our core audiences. You can manage multiple client organisations from one account, with separate workspaces, separate billing, and separate access controls per client. Reports can be exported and rebranded for client delivery. If you’re an MSSP looking to onboard several clients, contact us for partner pricing.