VakteyeVakteye
VAKTEYE
SolutionsPlansAboutContactInsightsCareers
Sign InBook a Demo
Back to Insights
COMPANY

What Happens During a Vakteye Scan: A 90-Second Walkthrough

Mar 6, 2026/4 min read
By Vakteye Team

You enter a domain. You click scan. Ninety seconds later, you have a compliance report covering GDPR, ePrivacy, NIS2, and security vulnerabilities, with evidence for every finding. A website compliance scan that would take a consultant weeks runs in the time it takes to make coffee.

But what actually happens in those 90 seconds? Here is the full sequence.

Phase 1: Infrastructure Reconnaissance

Before loading a single page, Vakteye examines the domain's infrastructure. Four tasks launch simultaneously.

  • DNS resolution and CNAME chain analysis: follows alias chains to detect cloaked trackers hiding behind first-party subdomains
  • TLS handshake: certificate validity, protocol version, cipher strength, and HSTS enforcement
  • Email security: SPF, DKIM, DMARC, and BIMI records checked via DNS queries
  • DNS security: DNSSEC validation and CAA record verification

These checks are network-level. No browser needed. They complete in seconds and already surface findings like expired certificates, missing DNSSEC, or spoofable email domains.

Phase 2: Baseline Page Load and Cookie Inventory

A browser loads your site without interacting with any consent banner. This baseline snapshot captures every cookie set and every network request fired before the user makes a choice.

Each cookie is classified against a database of 400,000+ known tracker domains. Purpose, vendor, and jurisdiction are attached automatically. Cookies from unknown third parties are flagged for human review and never silently dropped.

If tracking cookies appear during the baseline load, before any consent interaction, that is already an ePrivacy Article 5(3) violation. Vakteye captures this with CERTAIN confidence because the evidence is behavioral: the cookie exists before consent was given.

Phase 3: Consent Banner Testing

Vakteye tests your consent banner automatically. It finds the reject button, clicks it, and checks whether cookies and trackers actually stop. This works across 2,800+ consent management platforms.

The reject flow records a cookie diff: what changed after clicking reject? Cookies that persist are violations. Vakteye then clears all cookies, waits three seconds, and checks again to detect zombie cookies that respawn after deletion.

A separate clean browser context runs the accept flow. The triple comparison (baseline vs. reject vs. accept) reveals consent theater: banners that look functional but change nothing regardless of the user's choice.

  • Google Consent Mode v2 monitoring: detects analytics pings sent after denial
  • Legitimate interest pre-ticking: inspects TCF v2.2 toggles for pre-checked state
  • Per-vendor consent audit: compares network requests against CMP-declared vendor lists
  • Multi-page testing: consent behavior verified across up to 10 pages, not just the homepage

Phase 4: Security and Vulnerability Scanning

While consent testing runs, security scanners work in parallel. CVE and misconfiguration checks run against known vulnerability databases, alongside passive exposure signals for injection classes like SQL injection, cross-site scripting and CSRF, plus header analysis. (Active injection probing is part of the authorized security test, an Enterprise add-on — not the standard compliance scan.) Fingerprinting detection looks for canvas, WebGL, and AudioContext probes, plus known session replay vendors like Hotjar, FullStory, and Microsoft Clarity.

Form analysis identifies special category data collection (health, religion, ethnicity) that triggers GDPR Article 9 obligations. Data residency checks flag US transfers without supplementary measures post-Schrems II. Accessibility is checked against WCAG 2.1 AA standards.

Phase 5: Contradiction Detection

This is where it gets interesting. AI reads your privacy policy and extracts every claim: "We do not use third-party tracking." "Data is stored within the EU." "We only set essential cookies."

Then it compares those claims against what the scanner actually found. If your policy says no third-party tracking but the scan detected 14 advertising cookies from 8 vendors, that is a contradiction. Each one is mapped to specific GDPR articles and paired with the evidence that proves it.

Contradiction detection is not pattern matching. It's AI-powered comparison between natural language policy claims and behavioral scan evidence. The scanner proves what happens. The AI interprets what was promised.

Phase 6: Verification and Reporting

Every finding gets a confidence level. CERTAIN means behavioral proof: a cookie exists, a header is missing, a port is open. FIRM means multiple corroborating signals. TENTATIVE means a single pattern match that warrants human review. UNVERIFIED means the scanner could not reproduce the issue.

Accuracy improves over time. When human reviewers correct a finding, that correction applies to future scans automatically.

The final output: a compliance report with legal mappings, remediation guidance, and downloadable forensic evidence including browser session recordings and HAR recordings. If the scan is clean, a publicly verifiable monitored-status record is issued — a status indicator backed by continuous monitoring, not a legal certification.

Comprehensive Checks, Under Two Minutes

All checks run in parallel from an EU data center. Most scans complete in under two minutes. The result is a report that covers DNS, TLS, cookies, consent, fingerprinting, vulnerabilities, privacy policy contradictions, data residency, accessibility, and more.

No consultants, no questionnaires, and no weeks of waiting for results.

See it for yourself

Enter your domain and watch the scan run. Results in 90 seconds, evidence for every finding.

Try it now, takes 90 seconds

Are you at risk?

Book a compliance demo

We scan your site live during the call and show exactly which risks need attention first.

Book demo
Previous

Continuous compliance monitoring: why one-time scans aren't enough

Next

GDPR Compliance Checklist for Swedish Websites

Related Articles

COMPANY5 min read

How Vakteye's Compliance Scanner Works

Automated scanning, consent testing, contradiction detection, and human review. Here's how Vakteye actually audits your website.

COMPANY5 min read

Evidence-based compliance: why screenshots and HAR files beat checklists

Regulators want proof, not promises. Vakteye's forensic evidence system produces browser session recordings, HAR files, and cookie diffs that hold up under regulatory scrutiny.

COMPANY5 min read

Continuous compliance monitoring: why one-time scans aren't enough

Websites change constantly. A clean scan today means nothing in three months. Continuous monitoring catches compliance drift before regulators do.

VakteyeVakteye
VAKTEYE

Website compliance checks for consent, policy, tracking and security. Vakteye shows what happened, what needs fixing and the evidence behind it.

Book demo
VakteyeVakteye
Privacy MonitoredContinuously monitored by Vakteye

PRODUCT

  • Plans
  • Trust center
  • Scanner identity
  • Security policy

COMPANY

  • About us
  • Contact
  • Insights
  • FAQ

LEGAL

  • Privacy Policy
  • Terms of Service
  • Cookies Policy
  • Sub-processors
  • Data Rights (GDPR)
  • For visitors

Contact

  • info@vakteye.com
  • LinkedIn

© 2026 Vakteye. All rights reserved.