
Does Your Website Get Scanned While You Sleep? Now It Does.
DygDog Team · 4 min read
DygDog now monitors your domain on a schedule and emails you a security report the moment a new finding appears — so you know about misconfigurations before your customers, attackers, or auditors do.
The problem with one-off scans
Running a security scan once is useful. Running it once and then forgetting about it is how breaches happen.
Your attack surface changes constantly. A developer pushes a new header config. A third-party CDN silently drops a directive. A certificate renewal fails. An SPF record gets overwritten during a DNS migration. None of these events trigger an alert in your application monitoring — but every one of them is visible to an attacker within hours.
Most teams only discover these regressions during a quarterly review, an external audit, or worse, an incident. DygDog's scheduled scanning module exists to close that gap.
What module 66 actually does
Module 66, Scheduled Scan Reports, adds a continuous monitoring layer on top of DygDog's existing 65+ passive checks. Once enabled, it does three things automatically:
- Scans your domain on a recurring schedule (daily or weekly, depending on your plan) using the same full module suite that runs during a manual scan.
- Compares results against your last known state - so you see what changed, not just the current score.
- Emails a structured report to your chosen address - with findings grouped by severity (Critical, High, Medium, Low), each with a plain-English description and a one-step remediation hint.
No agent to install. No polling endpoint to expose. No webhook integration to maintain. It runs entirely passively against your public domain, the same way an attacker would probe it.
What the report covers
Each scheduled scan report includes the full output of DygDog's security module suite. The areas consistently responsible for the most Critical and High findings across our user base are:
- SSL/TLS configuration - expired certificates, weak cipher suites, missing HSTS preload
- Security headers - CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy gaps
- Email authentication - SPF, DKIM, and DMARC misconfiguration (a leading vector for domain impersonation)
- Cookie security - missing Secure, HttpOnly, or SameSite attributes on session cookies
- Source map exposure - production .js.map files that leak your full application source to anyone who asks
- Open redirect and SSRF surface - unvalidated redirect chains that attackers can chain into phishing or internal network access
Each finding in the report links directly to the DygDog dashboard where you can see the full evidence, the affected endpoint, and the fix.
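To make the "compare against last known state" step concrete, here is an added sketch (not DygDog's code) that derives header and cookie findings from two snapshots of public response headers and reports only what changed, grouped by severity. The finding ids, the severity assigned to each gap, and the sample headers are assumptions constructed for the example.

```python
# Added illustration, not DygDog's code; severities and sample headers are constructed.
SEVERITIES = ["Critical", "High", "Medium", "Low"]
EXPECTED_HEADERS = {  # header -> assumed severity when absent
    "strict-transport-security": "High", "content-security-policy": "Medium",
    "x-frame-options": "Low", "referrer-policy": "Low", "permissions-policy": "Low",
}

def check_headers(headers):
    """Map finding id -> severity for a list of (name, value) response headers."""
    findings = {}
    present = {name.lower() for name, _ in headers}
    for header, severity in EXPECTED_HEADERS.items():
        if header not in present:
            findings[f"missing-header:{header}"] = severity
    for name, value in headers:
        if name.lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            for attr in {"secure", "httponly", "samesite"} - attrs:
                findings[f"cookie:{cookie}:missing-{attr}"] = "Medium"
    return findings

def diff_findings(previous, current):
    """Return (new, resolved) findings relative to the last known state."""
    new = {k: v for k, v in current.items() if k not in previous}
    resolved = {k: v for k, v in previous.items() if k not in current}
    return new, resolved

def group_by_severity(findings):
    """Group finding ids by severity in report order, omitting empty groups."""
    grouped = {s: sorted(k for k, v in findings.items() if v == s) for s in SEVERITIES}
    return {s: ids for s, ids in grouped.items() if ids}

# Constructed snapshots of one public endpoint, a week apart.
LAST_WEEK = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "no-referrer"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
THIS_WEEK = [LAST_WEEK[0], LAST_WEEK[2], LAST_WEEK[3],  # CSP header no longer sent
             ("Permissions-Policy", "camera=()"),
             ("Set-Cookie", "session=abc123; Path=/; HttpOnly; SameSite=Lax")]  # Secure lost

if __name__ == "__main__":
    new, resolved = diff_findings(check_headers(LAST_WEEK), check_headers(THIS_WEEK))
    print("new:", group_by_severity(new), "| resolved:", group_by_severity(resolved))
```

A finding present in both snapshots appears in neither set, which is what keeps a recurring report focused on regressions rather than restating the full score.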
Who this is for
Scheduled scan reports are built for three personas we hear from constantly:
The solo founder running a SaaS product who doesn't have a dedicated security team. You want a weekly digest that tells you if anything broke — not a full-time job learning OWASP.
The engineering lead at a growing startup preparing for SOC 2 or ISO 27001. Continuous evidence of monitoring is a hard requirement for most audits. A timestamped weekly report from an automated scanner is something you can hand directly to your auditor.
The agency or managed service provider responsible for the security posture of multiple client domains. DygDog's organisation model lets you monitor all of them from one dashboard, with per-domain scheduled reports going to the right contact for each client.
How to turn it on
- Sign in to your DygDog dashboard and navigate to your site's Settings tab.
- Enable Scheduled monitoring: choose daily or weekly cadence.
- Set your report email address and toggle Email reports on.
- That's it. Your first scheduled scan will run in the next cycle and land in your inbox.
If you haven't added your domain yet, run a free scan first — it takes under 30 seconds and requires nothing more than a free account.
A note on privacy
DygDog is fully passive. Scheduled scans make no authenticated requests to your application, inject no payloads, and touch no internal endpoints. Every check runs against publicly observable signals, the same signals any external party can already see. Your users, your data, and your application logic are never in scope.
— The DygDog team
