What Happens During a Vakteye Scan: A 90-Second Walkthrough

Vakteye Team, Mar 6, 2026, 4 min read

You enter a domain. You click scan. Ninety seconds later, you have a compliance report covering GDPR, ePrivacy, NIS2, and security vulnerabilities, with evidence for every finding. A website compliance scan that would take a consultant weeks runs in the time it takes to make coffee.

But what actually happens in those 90 seconds? Here is the full sequence.

Phase 1: Infrastructure Reconnaissance

Before loading a single page, Vakteye examines the domain's infrastructure. Four tasks launch simultaneously.

  • DNS resolution and CNAME chain analysis: follows alias chains to detect cloaked trackers hiding behind first-party subdomains
  • TLS handshake: certificate validity, protocol version, cipher strength, and HSTS enforcement
  • Email security: SPF, DKIM, DMARC, and BIMI records checked via DNS queries
  • DNS security: DNSSEC validation and CAA record verification

These checks are network-level. No browser needed. They complete in seconds and already surface findings like expired certificates, missing DNSSEC, or spoofable email domains.
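The CNAME chain analysis from Phase 1, as an added illustration that is not Vakteye's code: a constructed in-memory DNS table stands in for live lookups, and a two-entry tracker set stands in for the 400,000+ domain database the post mentions. The hostnames, the `FAKE_DNS` table and the `.invalid` tracker domain are all made up.

```python
# Constructed DNS data: name -> CNAME target, or None for a terminal (A/AAAA) record.
FAKE_DNS = {
    "metrics.example.com": "example.cname-tracker-net.invalid",
    "example.cname-tracker-net.invalid": "edge.cname-tracker-net.invalid",
    "edge.cname-tracker-net.invalid": None,
    "www.example.com": "example.com",
    "example.com": None,
    "loop-a.example.com": "loop-b.example.com",   # deliberate alias loop
    "loop-b.example.com": "loop-a.example.com",
}

# Constructed stand-in for the known-tracker database (registrable domains).
TRACKER_DOMAINS = {"cname-tracker-net.invalid"}

MAX_CHAIN = 8  # stop following runaway alias chains


def registrable_domain(name: str) -> str:
    """Last two labels; a production scanner would use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def follow_cname_chain(name: str, dns=FAKE_DNS) -> list[str]:
    """Return the alias chain from name, stopping at a terminal record,
    an unknown name, a loop, or MAX_CHAIN hops."""
    chain, seen = [name], {name}
    while len(chain) <= MAX_CHAIN:
        target = dns.get(chain[-1])
        if target is None or target in seen:
            break
        chain.append(target)
        seen.add(target)
    return chain


def classify_subdomain(name: str, site: str, dns=FAKE_DNS, trackers=TRACKER_DOMAINS) -> dict:
    """A first-party hostname is a cloaked tracker when its chain ends on a tracker domain.
    The chain itself is the evidence that would be attached to the finding."""
    chain = follow_cname_chain(name, dns)
    ends_on_tracker = registrable_domain(chain[-1]) in trackers
    first_party = registrable_domain(name) == registrable_domain(site)
    return {"hostname": name, "chain": chain,
            "cloaked_tracker": first_party and ends_on_tracker}
```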

Phase 2: Baseline Page Load and Cookie Inventory

A browser loads your site without interacting with any consent banner. This baseline snapshot captures every cookie set and every network request fired before the user makes a choice.

Each cookie is classified against a database of 400,000+ known tracker domains. Purpose, vendor, and jurisdiction are attached automatically. Cookies from unknown third parties are flagged for human review and never silently dropped.

If tracking cookies appear during the baseline load, before any consent interaction, that is already an ePrivacy Article 5(3) violation. Vakteye captures this with CERTAIN confidence because the evidence is behavioral: the cookie exists before consent was given.

Phase 3: Consent Banner Testing

Vakteye tests your consent banner automatically. It finds the reject button, clicks it, and checks whether cookies and trackers actually stop. This works across 2,800+ consent management platforms.

The reject flow records a cookie diff: what changed after clicking reject? Tracking cookies that persist are violations. Vakteye then clears all cookies, waits three seconds, and checks again to detect zombie cookies that respawn after deletion.

A separate clean browser context runs the accept flow. The triple comparison (baseline vs. reject vs. accept) reveals consent theater: banners that look functional but change nothing regardless of the user's choice.

  • Google Consent Mode v2 monitoring: detects analytics pings sent after denial
  • Legitimate interest pre-ticking: inspects TCF v2.2 toggles for pre-checked state
  • Per-vendor consent audit: compares network requests against CMP-declared vendor lists
  • Multi-page testing: consent behavior verified across up to 10 pages, not just the homepage
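The baseline / reject / accept comparison from Phases 2 and 3, including the zombie check, as an added example that is not Vakteye's code. The cookie snapshots are constructed dicts (cookie name to cookie domain) standing in for what a browser session would record, the tracker set is a stand-in for the real database, and the "clear, wait three seconds, check again" step is modelled as a fourth snapshot.

```python
TRACKERS = {"ads.tracker-a.invalid", "pixel.tracker-b.invalid"}  # constructed stand-in

# Constructed snapshots: cookie name -> domain that set it.
BASELINE = {"session": "example.com", "_ta": "ads.tracker-a.invalid"}   # before any consent choice
AFTER_REJECT = {"session": "example.com", "consent": "example.com", "_ta": "ads.tracker-a.invalid"}
AFTER_CLEAR = {"_ta": "ads.tracker-a.invalid"}   # respawned within the three-second wait
AFTER_ACCEPT = {"session": "example.com", "consent": "example.com",
                "_ta": "ads.tracker-a.invalid", "_tb": "pixel.tracker-b.invalid"}


def tracker_cookies(snapshot: dict) -> set:
    """Names of cookies set by a known tracker domain."""
    return {name for name, domain in snapshot.items() if domain in TRACKERS}


def cookie_diff(before: dict, after: dict) -> dict:
    """The diff the reject flow records: what appeared, vanished, or stayed."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "persisted": sorted(set(before) & set(after))}


def compare_consent_flows(baseline, after_reject, after_clear, after_accept) -> list:
    """Triple comparison plus zombie check. Every finding here is behavioral
    (a cookie exists), so each carries CERTAIN confidence in the post's terms."""
    findings = []
    pre_consent = tracker_cookies(baseline)
    if pre_consent:   # ePrivacy Article 5(3): tracking before the user chose
        findings.append(("tracking before consent", pre_consent))
    persisted = tracker_cookies(after_reject)
    if persisted:
        findings.append(("tracker cookies persist after reject", persisted))
    zombies = tracker_cookies(after_clear)
    if zombies:
        findings.append(("zombie cookies respawn after deletion", zombies))
    # Consent theater: reject and accept end up with the same set of trackers.
    if persisted and persisted == tracker_cookies(after_accept):
        findings.append(("consent theater: reject changes nothing", persisted))
    return [{"issue": issue, "cookies": sorted(names), "confidence": "CERTAIN"}
            for issue, names in findings]
```

In the constructed data the accept flow loads one more tracker than the reject flow, so the banner is not consent theater, but the pre-consent, persisting and zombie findings all fire.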

Phase 4: Security and Vulnerability Scanning

While consent testing runs, security scanners work in parallel. CVE and misconfiguration checks run against known vulnerability databases. Dynamic application security testing covers SQL injection, cross-site scripting, CSRF, and header analysis. Fingerprinting detection looks for canvas, WebGL, and AudioContext probes, plus 17 known session replay vendors like Hotjar, FullStory, and Microsoft Clarity.

Form analysis identifies special category data collection (health, religion, ethnicity) that triggers GDPR Article 9 obligations. Data residency checks flag US transfers without supplementary measures post-Schrems II. Cloud provider detection identifies AWS, Azure, and GCP infrastructure. Accessibility is checked against WCAG 2.1 AA standards.

Phase 5: Contradiction Detection

This is where it gets interesting. AI reads your privacy policy and extracts every claim: "We do not use third-party tracking." "Data is stored within the EU." "We only set essential cookies."

Then it compares those claims against what the scanner actually found. If your policy says no third-party tracking but the scan detected 14 advertising cookies from 8 vendors, that is a contradiction. Each one is mapped to specific GDPR articles and paired with the evidence that proves it.

Contradiction detection is not pattern matching. It's AI-powered comparison between natural language policy claims and behavioral scan evidence. The scanner proves what happens. The AI interprets what was promised.

Phase 6: Verification and Reporting

Every finding gets a confidence level. CERTAIN means behavioral proof: a cookie exists, a header is missing, a port is open. FIRM means multiple corroborating signals. TENTATIVE means a single pattern match that warrants human review. UNVERIFIED means the scanner could not reproduce the issue.

Accuracy improves over time. When human reviewers correct a finding, that correction applies to future scans automatically.

The final output: a compliance report with legal mappings, remediation guidance, and downloadable forensic evidence including browser session recordings and HAR files. If the scan is clean, a verifiable compliance certificate is issued.

Comprehensive Checks, Under Two Minutes

All checks run in parallel from an EU data center. Most scans complete in under two minutes. The result is a report that covers DNS, TLS, cookies, consent, fingerprinting, vulnerabilities, privacy policy contradictions, data residency, accessibility, and more.

No consultants, no questionnaires, and no weeks of waiting for results.

See it for yourself

Enter your domain and watch the scan run. Results in 90 seconds, evidence for every finding.
