Frequently Asked Questions
This FAQ explains how Grawlr works, how it compares to other tools, and what you can expect day‑to‑day.
Onboarding & Getting Started
How quickly can I get started?
Most users have their first website scanning in under 5 minutes. Log into the dashboard, go to Websites, add your domain(s), verify ownership (file upload, DNS or META tag), then pick one or more Endpoint Packages. As soon as the first scan runs, you'll see results in Scans, Reports and Notifications views.
Do I need to install anything on my server?
No. Grawlr works externally by replaying real‑world attack patterns against your public endpoints. You only need to verify that you own the domain(s). There is no agent or plugin required on your servers.
Can non‑technical users understand the results?
Yes. Reports are written in plain language with clear severity levels, affected endpoints and additional guidance. Technical teams can dive into details, while managers can focus on risk and trends.
Billing & Payments
Can I cancel or change plans at any time?
You can adjust or cancel your subscription from the Billing area in the platform. There are no cancellation fees, and protection continues until the end of the current billing period. When you upgrade, higher limits on websites, packages and team members become available immediately.
Do you offer discounts for non‑profits, education or sports organisations?
Yes. We provide special pricing for non‑profit, educational and sports organisations. Use the Contact page and select the discount option in the subject, and our team will follow up with tailored options.
Which payment methods do you support?
Enterprise & AI Offering
What does the enterprise offering include?
Our enterprise offering is designed for larger organisations, agencies and platforms that need deeper coverage and more control. In addition to everything in standard plans, enterprise customers can get:
- Custom endpoint packages tailored to your infrastructure and risk profile
- Advanced team management and role‑based access control
- Unlimited or high‑volume multi‑website management from one central dashboard
- Custom log parsing from firewalls, WAFs and application servers
- Integration into SIEM, ticketing and reporting systems
- 24/7 priority support, onboarding and ongoing security consultations
For details, pricing and scoping, contact our enterprise team via the Enterprise page or the Contact form.
How does your AI‑based API penetration testing work?
As part of our enterprise offering, Grawlr can perform AI‑assisted penetration testing on your APIs. We consume your OpenAPI (or similar) specifications, identify endpoints, parameters and flows, and then generate intelligent attack scenarios that chain multiple requests together.
The AI adapts to how your API responds, exploring authentication, rate‑limiting, input validation and business‑logic edge cases. Findings are reported back into your enterprise reports with clear traces so your engineers can reproduce and fix issues.
Comparisons & Positioning
What exactly does Grawlr test?
Grawlr replays real‑world attack patterns against your websites and APIs using packages that focus on platforms (like WordPress or Laravel), attack types (SQL injection, XSS, path traversal, etc.), industries, and threats that are updated monthly. Instead of guessing what might go wrong, we emulate how attackers are actually scanning and exploiting sites today.
How does Grawlr compare to Wordfence and similar tools?
Wordfence is a WordPress plugin that runs inside a single site, acting like a web application firewall and malware scanner. It is great at protecting one WordPress installation from within that environment, but it does not give you a cross‑site, cross‑technology security testing view.
Grawlr works from the outside in, replaying real attack traffic patterns across all your websites and APIs – regardless of whether they run WordPress, Laravel, custom backends or a mix. You get centralised dashboards, multi‑website management, endpoint packages, audit logs, and reporting that cover your whole portfolio, not just one CMS.
Many teams use Grawlr alongside tools like Wordfence: plugins reduce day‑to‑day noise at a single site level, while Grawlr validates the bigger picture and discovers issues that configuration mistakes or plugin gaps might leave open.
Does Grawlr replace penetration testing or a WAF?
Grawlr is not yet a full replacement for manual penetration testing or for a web application firewall (WAF). Instead, it fills the gap between one‑off manual assessments and day‑to‑day protection by running continuous, behaviour‑driven tests based on real attack traffic. However, we are already offering an API penetration testing service as part of our enterprise offering.
You get far better coverage than ad‑hoc scans alone, and you can still benefit from WAF rules and periodic manual pentests where required by regulation or policy.
Grawlr Dashboard, Infrastructure & Features
Is my website data secure?
Yes. Grawlr only targets publicly exposed endpoints and does not request or store sensitive data such as passwords or payment card details. All communication is encrypted, access is role‑based, and every action performed on the Grawlr platform is recorded in Audit Logs for traceability and compliance checks.
Where are your servers located and how is data processed?
Our primary database and customer data storage are located in Germany (European Union), which means your data benefits from GDPR protections. Automated security scans are executed from multiple regions (EU, US, UK and Asia‑Pacific) so we can test from different geographic perspectives, but scan results are stored centrally in our EU infrastructure.
We do not persist your website content at remote scanning locations, and all providers are bound by strict data‑processing agreements. For details, see the Privacy Policy section on server locations and data processing.
Can I manage multiple websites and team members?
Yes. Grawlr was designed for agencies, product companies and organisations with more than one site. In the Websites section you can add and verify many domains, and in Team you can invite colleagues with roles such as Owner, Admin, Member or Viewer. Audit Logs record every important change so you always know who did what.
What are endpoint packages?
Endpoint packages are pre‑configured sets of tests that bundle attack patterns for a particular purpose – for example a monthly baseline, a specific platform (like WordPress) or a class of vulnerability (like injections or authentication attacks). Your subscription tier defines how many packages you can select and how often you can change them per month.
This keeps configuration simple: instead of manually building and maintaining complex rule sets, you choose packages that match your stack and risk profile, and Grawlr keeps them up to date as new real‑world attacks appear.
What happens if a scan fails or finds issues?
Failed scans surface clear error messages in the Scans view so you can see whether the cause is a configuration issue, network problem or something else. Once resolved, you can rerun the scan.
When vulnerabilities are found, you'll see them in Reports and receive notifications, with recommendations that your development or DevOps teams can implement.
Can automated scans break my production site?
Grawlr is designed to exercise your public endpoints in a way that reflects how attackers behave, but with safeguards to avoid obvious destructive actions. That said, any kind of security testing can put additional load on fragile endpoints or reveal weaknesses in error handling.
We recommend running initial scans during off‑peak hours and monitoring your infrastructure when you first onboard. If you know certain endpoints are especially sensitive, you can adjust your configuration and packages accordingly or contact us to discuss a safer rollout strategy.
Where can I get more detailed help?
For step‑by‑step explanations of each platform area, check the Documentation page. Inside the platform, look for the small Help buttons in sections like Websites, Packages, Scans, Notifications, Audit Logs and Team – each opens a panel tailored to what you are currently viewing.
If something is unclear or you'd like guidance for your specific setup, you can always contact us via the Contact page for additional support.