Audit Any Website's Technology Stack for Known Vulnerabilities
DetectZeStack detects technologies on any website and includes CPE identifiers (when available) so you can look up known vulnerabilities in the NVD. One API call gives your security team the data they need.
How CPE Mapping Works
Detect Technologies
Send a URL to the API. DetectZeStack analyzes HTTP headers, HTML content, DNS records, and TLS certificates to identify technologies (with versions when detectable).
Map to CPE Identifiers
Detected technologies include a CPE (Common Platform Enumeration) identifier when available, the standard used by vulnerability databases.
Query NVD for CVEs
Use the CPE identifiers to query the National Vulnerability Database (NVD) API and retrieve any known vulnerabilities (CVEs) for those specific software versions.
Example API Response
Technologies in the response include a cpe field when available, which you can use to look up vulnerabilities.
{
"domain": "example.com",
"technologies": [
{
"name": "jQuery",
"version": "3.6.0",
"categories": ["JavaScript libraries"],
"confidence": 100,
"cpe": "cpe:2.3:a:jquery:jquery:*:*:*:*:*:*:*:*"
},
{
"name": "WordPress",
"version": "6.4",
"categories": ["CMS", "Blogs"],
"confidence": 100,
"cpe": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"
},
{
"name": "Nginx",
"version": "1.24",
"categories": ["Web servers"],
"confidence": 100,
"cpe": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*"
},
{
"name": "Google Tag Manager",
"categories": ["Tag managers"],
"confidence": 100
}
]
}Security Audit Use Cases
Third-Party Vendor Risk Assessment
Before onboarding a vendor, scan their public-facing sites to identify outdated or vulnerable technologies. Use CPE data to check if any detected software has known CVEs in the NVD.
Supply Chain Security Auditing
Monitor the technology stacks of your partners and integrations. Detect when they adopt new technologies or run outdated versions that could introduce risk to your supply chain.
Compliance Reporting (SOC 2 / ISO 27001)
Generate evidence of third-party technology assessments for compliance audits. The structured API response with CPE identifiers provides auditable, machine-readable data for your reports.
Competitive Security Intelligence
Track competitors' technology choices and identify when they update or change their stack. Understand the security posture of sites in your industry based on the technologies they run.
Manual Auditing vs DetectZeStack
| Aspect | Manual Auditing | DetectZeStack API |
|---|---|---|
| Time per audit | Hours of manual inspection | Seconds (single API call) |
| Detection coverage | Limited to visible source code | HTTP headers, HTML, DNS, and TLS |
| Automation | Manual, error-prone | Fully automated via REST API |
| CPE mapping | Requires manual lookup per technology | CPE identifiers included when available |
| Batch scanning | One site at a time | Up to 10 URLs per batch request |
| Ongoing monitoring | Periodic manual re-checks | Webhooks for automated monitoring |
Frequently Asked Questions
What is CPE?
CPE (Common Platform Enumeration) is a standardized naming scheme for IT products maintained by NIST. It provides a structured way to identify applications, operating systems, and hardware. CPE identifiers are used by the National Vulnerability Database (NVD) to link known vulnerabilities (CVEs) to specific software products and versions.
How does DetectZeStack map to NVD?
Detected technologies include CPE identifiers in the API response when available. You can then query the NVD API using those CPE identifiers to retrieve any known CVEs. Read more about how CPE vulnerability detection works.
Can I automate vulnerability monitoring?
Yes. Use DetectZeStack's webhook feature to receive notifications each time a monitored domain is analyzed, and the batch API to scan multiple domains in a single request. Combine these with scheduled scans to continuously monitor your attack surface and check for new vulnerabilities. See our guide on auditing website dependencies with CPE.
Is DetectZeStack a vulnerability scanner?
No. DetectZeStack is a technology detection API. It identifies what technologies a website uses and provides CPE identifiers when available. You then use those CPE identifiers to query the NVD or other vulnerability databases for known CVEs. It does not perform active vulnerability scanning or penetration testing.
Start Your Security Audit
Detect technologies and get CPE identifiers (when available) for NVD vulnerability lookup. Free tier available.
Get Your Free API Key