You type in a domain. You click scan. Under two minutes later, you have a compliance report backed by evidence: network recordings, cookie snapshots, browser session replays, and legal article references. Not opinions. Evidence.
Most compliance tools give you a checklist. Vakteye gives you proof. Here is how.
Your website loads. Here's what we see.
The moment a scan starts, dozens of checks run in parallel from an EU data center. Think of it like a doctor checking vitals: pulse, blood pressure, temperature, all at once.
We trace your domain records to find trackers hiding behind your own subdomains. We check your encryption: is your certificate valid, is the connection properly secured? We verify your email setup to make sure attackers cannot send fake emails pretending to be your company.
At the same time, a browser loads your site without touching the consent banner. This baseline snapshot captures every cookie and every network request that fires before a visitor makes any choice. We detect fingerprinting techniques (scripts that try to identify visitors through their browser, screen, or audio settings). We check whether session replay services are recording your visitors' mouse movements.
We also scan every form on your site. If a signup form collects health information, religious beliefs, or other sensitive personal data without proper safeguards, that is an Article 9 violation. Vakteye catches it.
All of this happens in the first few seconds.
Now we test your consent banner
Vakteye supports thousands of consent management platforms. For the vast majority of websites, we can find and click the reject button automatically. For the rare sites with unusual or heavily customized consent banners, automated visual analysis takes over. It can read the screen, find buttons, and navigate consent flows it has never seen before.
The result is the same: we get a clean reject action on virtually every site we scan.
We click reject. Then we watch.
After clicking reject, Vakteye waits. Then it re-checks every cookie. Any new tracking cookie that appeared after the visitor explicitly denied consent is a violation, and the evidence is behavioral. The cookie exists. The visitor said no. That is the entire argument.
Then comes zombie detection. Vakteye clears all cookies, waits, and checks again. Cookies that respawn after deletion are designed to circumvent visitor choice. The proof is undeniable: the cookie was deleted, and it came back.
We also monitor network traffic after rejection. If data is still flowing to advertising or analytics services after the visitor denied tracking, that is a measurable violation of their explicit choice.
This is the difference between "I think he stole it" and "here is the security camera footage."
We click accept in a clean browser
A completely fresh browser with no cookies and no history loads the site and clicks accept. This creates the third snapshot in a triple comparison: baseline (no interaction), reject, and accept.
The triple comparison reveals several violation types. Consent theater: banners where reject and accept produce identical results, meaning the banner is decorative. Pre-consent tracking: cookies that appear before any visitor interaction. Non-functional accept: accept buttons that do not actually change anything, suggesting the site tracks regardless of choice.
After accept, Vakteye also checks which third-party services receive data and compares that against what the consent banner disclosed. Vendors receiving data that are not listed in the consent interface are flagged as undisclosed, a transparency violation.
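The triple comparison and the zombie check described above, reduced to set operations over cookie snapshots. This is an added example, not Vakteye's code: the tracker list, the finding labels and the snapshots are constructed, and the exact conditions are one reading of the definitions above.

```python
# A snapshot is a dict of cookie name -> value for one scan phase.
# TRACKING_NAMES is a constructed stand-in for a real tracker classification list.
TRACKING_NAMES = {"_ga", "_fbp", "uid_sync"}


def tracking(snapshot):
    """Names of cookies in a snapshot that are classified as tracking."""
    return {name for name in snapshot if name in TRACKING_NAMES}


def classify(baseline, reject, accept, after_clear):
    """Map each finding label to the cookie names that support it."""
    base_t, rej_t, acc_t = tracking(baseline), tracking(reject), tracking(accept)
    findings = {}
    if base_t:
        # Set before the visitor touched the banner.
        findings["pre_consent_tracking"] = sorted(base_t)
    if rej_t - base_t:
        # New tracking cookies that appeared after an explicit "no".
        findings["tracking_after_reject"] = sorted(rej_t - base_t)
    if rej_t and rej_t == acc_t:
        # Reject and accept end in the same tracking state.
        findings["consent_theater"] = sorted(rej_t)
    if base_t and acc_t == base_t:
        # Accept changed nothing: tracking was already on.
        findings["non_functional_accept"] = sorted(acc_t)
    respawned = tracking(after_clear) & rej_t
    if respawned:
        # Present before the cookie jar was cleared and back again afterwards.
        findings["zombie_cookie"] = sorted(respawned)
    return findings


# Constructed snapshots for two hypothetical sites.
DECORATIVE = dict(
    baseline={"session": "a1", "_ga": "GA1.1"},
    reject={"session": "a1", "_ga": "GA1.1", "_fbp": "fb.1"},
    accept={"session": "b2", "_ga": "GA1.2", "_fbp": "fb.2"},
    after_clear={"_ga": "GA1.1"},
)
HONEST = dict(
    baseline={"session": "c3"},
    reject={"session": "c3", "consent": "rejected"},
    accept={"session": "d4", "consent": "accepted", "_ga": "GA1.3"},
    after_clear={},
)

if __name__ == "__main__":
    for name, site in (("decorative", DECORATIVE), ("honest", HONEST)):
        print(name, classify(**site))
```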
We read your privacy policy. Then we check if it's true.
This is where it gets interesting. Vakteye reads your privacy policy and extracts every concrete claim: "We do not use third-party tracking." "Data is stored within the EU." "We only set essential cookies."
Then it checks each claim against the scan evidence. If your policy says "we do not share data with third parties" but the scan found a dozen third-party tracking services loading on your homepage, that is a contradiction. If your policy says "data is stored in the EU" but your infrastructure points to US-based servers without adequate protection, that is a contradiction.
Each contradiction is mapped to the specific GDPR articles it violates: Article 5(1)(a) for transparency, Article 13 for information provision, Article 6(1)(a) for consent. The evidence is attached: what the policy claimed, what the scan found, and the gap between them.
Your privacy policy makes promises. We check the receipts.
We look for vulnerabilities
Security scanning runs in parallel during every scan.
- Known vulnerability detection: thousands of checks for security flaws, misconfigurations, and exposed sensitive files
- Application security testing: can an attacker inject code into your site, steal user sessions, or bypass your security protections?
- Accessibility scanning: does your site meet the accessibility standards required by the European Accessibility Act?
These are real security tests, not checkbox assessments. When the scan finds a vulnerability, it provides the severity, the evidence, and the remediation steps.
Vakteye also checks where your data goes. Transfers to countries without adequate data protection are flagged, along with the specific legal obligations that apply. If your site collects data from children without age verification, that is flagged too.
A human reviews everything
Every finding passes through expert human verification. Reviewers see the full evidence: screenshots, network recordings, cookie snapshots, and the confidence level assigned by the scanner.
The review process learns from experience. When a reviewer marks a finding as a false positive, that correction is stored. The next time the scanner encounters the same pattern, it remembers. The system gets more accurate with every review.
Accuracy is measured weekly, broken down by finding type. This is not a black box. The accuracy is tracked and improved over time.
Only explicit per-finding reviewer decisions feed the learning system. Bulk approvals do not count. This prevents a single careless review from affecting future accuracy.
You get evidence, not opinions
The final output is not a PDF checklist. It is a forensic evidence package.
- Network recordings: traffic captured during baseline, reject, and accept phases, so you can see exactly what happened at each stage
- Browser session replays: replayable recordings you can step through frame by frame
- Cookie snapshots: side-by-side comparison of cookie state before and after consent interactions
- Tamper-proof manifest: cryptographic verification of every evidence file, creating an auditable chain of custody
- Legal article references: every finding linked to specific GDPR articles, NIS2 controls, or DIFC provisions with applicable fine ranges
The entire evidence package is downloadable. This is evidence a regulator can examine, not a PDF checklist you file and forget.
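One way a tamper-evident manifest can work, as an added example that is not Vakteye's implementation (the page does not describe its format): every file is hashed, the entries are chained, and the final link is sealed with a key. The HMAC stands in for a digital signature to keep the example standard-library only; file names, contents and key are constructed.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # starting value for the entry chain


def _link(prev, name, digest):
    """Chain link that commits to the previous link, the file name and its hash."""
    return hashlib.sha256(f"{prev}:{name}:{digest}".encode()).hexdigest()


def build_manifest(files, key):
    """files: dict of file name -> bytes. key: secret held by the scanner."""
    entries, prev = [], GENESIS
    for name in sorted(files):
        digest = hashlib.sha256(files[name]).hexdigest()
        prev = _link(prev, name, digest)
        entries.append({"name": name, "sha256": digest, "link": prev})
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def verify_manifest(manifest, files, key):
    """Return a list of problems; an empty list means the package is intact."""
    listed = {e["name"] for e in manifest["entries"]}
    problems = [f"unlisted file: {n}" for n in sorted(set(files) - listed)]
    prev = GENESIS
    for e in manifest["entries"]:
        data = files.get(e["name"])
        if data is None:
            problems.append(f"missing file: {e['name']}")
        elif hashlib.sha256(data).hexdigest() != e["sha256"]:
            problems.append(f"modified file: {e['name']}")
        # Recompute the chain from the listed hashes; dropped, reordered or
        # edited entries change every later link and the seal input.
        prev = _link(prev, e["name"], e["sha256"])
        if prev != e["link"]:
            problems.append(f"broken chain at: {e['name']}")
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        problems.append("seal mismatch")
    return problems


# Constructed evidence package and key.
KEY = b"constructed-demo-key"
EVIDENCE = {
    "baseline.har": b'{"entries": []}',
    "reject.har": b'{"entries": ["ads.example"]}',
    "cookies.json": b'{"_ga": "GA1.1"}',
}
```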
Every finding carries the relevant legal article reference, the applicable fine tier, and specific remediation guidance across three jurisdictions: GDPR, NIS2, and DIFC. A DPO can hand this to a regulator and say: here is what we found, here is the evidence, here is what we did about it.
See it in action
Run a scan on your own website and see exactly what Vakteye finds, with evidence for every finding.