Comparison · 2026

Detectify vs Intruder: pricing, coverage, and the best fit for your team

Both watch your external attack surface and run dynamic web checks, but they price and package the work very differently. Here is a fair, sourced breakdown so you can pick the right one.

Detectify and Intruder solve overlapping problems from opposite directions. Both are external attack-surface and dynamic application security testing (DAST) tools: they look at your internet-facing assets the way an outside attacker would and flag what is exposed. Detectify leans into breadth and research depth, pairing automatic asset discovery with vulnerability tests sourced from a community of ethical hackers. Intruder leans into simplicity, giving smaller teams scheduled scanning with a clean dashboard and minimal setup. This page is a neutral comparison, not a sales pitch. We sell a different kind of tool, and we say so plainly at the end, but the comparison itself is built to be fair and accurate. Every pricing and feature claim below is checked against the vendors' own live pages, and anything we could not confirm is marked clearly.

Prices change. Verify before you buy. The figures here were read from Detectify and Intruder pages in June 2026. Intruder has removed public prices from its pricing page, so its numbers below come from third-party listings and are flagged as unverified. Always confirm against the live vendor page and your own quote.

Detectify vs Intruder at a glance

| Dimension | Detectify | Intruder |
| --- | --- | --- |
| Entry pricing | Application Scanning from €90/mo (1 domain); Surface Monitoring from €302/mo (up to 25 subdomains). Separate products. | No price shown on the live pricing page (see vendor). Third-party listings report an Essential tier in the low hundreds of USD per month. Unverified. |
| Scan model | EASM (Surface Monitoring) plus DAST (Application and API Scanning) as distinct products. | Continuous and scheduled infrastructure, web, cloud, and (on higher tiers) internal vulnerability scanning. |
| Asset / subdomain discovery | Yes. Add a domain and it discovers and continuously monitors subdomains and exposed assets. | Subdomain discovery is listed against the Enterprise tier on the pricing page. Lower tiers scan the targets you license. |
| Pricing unit | Per product, scoped by subdomain / domain / API count. | Base fee plus a per-target infrastructure license; 5-license minimum. |
| False-positive handling | Tests validated through the Crowdsource research process before they ship. | Noise reduction and prioritization in the dashboard; cyber-hygiene scoring. |
| Free tier / free tools | 2-week free trial. No permanent free plan advertised. | 14-day free trial. Free open-source tools (Autoswagger, cvemon) on GitHub, separate from the platform. |
| Ownership / authorization | Domain verification required to confirm authorization before testing. | You license and add the targets you are responsible for; standard authorization expectations apply. |
| Best for | Teams with a larger surface that value discovery and research depth. | Lean teams that want scheduled scanning with minimal setup. |

Detectify: discovery plus crowdsourced research

Detectify positions itself around two ideas: see everything you have, and test it with research no single vendor could produce alone. Its Surface Monitoring product is the external attack-surface piece. You add an apex domain and it maps subdomains, IP addresses, open ports, and SSL certificates, then watches them continuously, including a large library of DNS-takeover tests. Its Application Scanning and API Scanning products are the DAST side, with authenticated crawling and fuzzing against a specific app or API.

The differentiator is Crowdsource, a community Detectify describes as 400+ ethical hackers whose research is built into the platform daily. That model means coverage of undocumented, vendor-specific issues that a generic CVE feed would miss. Pricing reflects the breadth: Application Scanning starts at €90/month for one domain, and Surface Monitoring starts at €302/month for up to 25 subdomains, billed as separate products, so a team wanting both pays for both. Annual invoicing carries a stated minimum (€1500/$1650). Detectify suits security teams with a real attack surface to map and the budget to fund continuous discovery plus research-grade testing.

Intruder: lean, scheduled scanning for smaller teams

Intruder is built for teams that want vulnerability scanning to be a background utility rather than a project. You license targets, it scans them on a schedule, and findings land in a dashboard with prioritization and cyber-hygiene scoring. Plans run Essential, Cloud, Pro, and Enterprise, with capability rising as you climb: Essential gives one scheduled scan a month with unlimited ad-hoc scans, Cloud adds unlimited scheduled scans and cloud-account coverage, Pro adds internal scanning, and Enterprise adds the widest checks and unlimited cloud accounts.

Two details matter when you compare. First, pricing is a base fee plus a per-target license with a 5-license minimum, so cost scales with how many IPs, hostnames, and URLs you track. Second, on the live pricing page, attack-surface and subdomain discovery is listed against the Enterprise tier; lower tiers scan the targets you explicitly license rather than discovering new ones for you. Intruder has also removed public prices from its pricing page, so we will not assert a specific Essential figure here. Treat any number you see elsewhere as unconfirmed and get a quote. Intruder suits a lean team that knows its targets and wants clean, scheduled coverage without the operational weight of a larger platform.

Best-for verdicts

Detectify

Pick Detectify for discovery and research depth across a larger surface.

Intruder

Pick Intruder for lean-team simplicity and scheduled scanning of known targets.

Where both leave a gap

Both tools are solid at what they do, and we are not going to claim parity with either on their home turf. But there is a specific gap that neither leads with, and it is the reason pentes.io exists.

  • Proof of ownership re-verified inside the job. Detectify requires domain verification before testing, which is good practice. Neither tool, though, makes a cryptographic ownership proof the gate that the scan worker itself re-checks at run time, every time, before a single packet goes out.
  • An absolute non-destructive guarantee. Both run safely by default, but neither ships its scanner with intrusive, exploit, denial-of-service, and fuzzing templates physically removed from the worker image. "Safe by configuration" and "safe because the dangerous code is not in the box" are different promises.
  • LLM-triaged, plain-English reports. Both prioritize and reduce noise. Neither leads with an LLM that reads the structured findings, deduplicates them, ranks by real-world impact, and writes a fix in plain English, with scan diffs over time.
  • Free tools tend to sit behind a trial or a separate download. Intruder's free utilities live on GitHub, separate from the platform; Detectify leads with a trial. A recurring free scan on a permanent plan is not the headline for either.

What pentes.io is not. We are honest about this: pentes.io has no crowdsourced ethical-hacker research community like Detectify's Crowdsource, and we do not sell manual penetration tests or human-led assessments. We are a focused, automated, owner-scoped monitor. If you need research-grade coverage of undocumented vulnerabilities or a human pentest, the incumbents above are the right call.

A third option for indie devs and startups

If you are an indie developer or an early-stage team that wants affordable, owner-scoped, non-destructive monitoring of the surface you actually control, pentes.io is built for exactly that buyer. A scan never runs until you have cryptographically proven you own the target with a DNS TXT or HTTPS path challenge, ACME-style, and that proof is re-verified inside the scan job. The scanners are non-destructive by construction: nuclei runs with intrusive, exploit, DoS, and fuzzing templates removed from the worker image, OWASP ZAP runs in baseline and passive mode only, and testssl.sh runs with no active renegotiation. Each scan container is ephemeral and destroyed after the job, egress comes from attributed dedicated IPs with a scanner.pentes.io PTR record, and every action lands in an immutable audit log. An Anthropic Claude model then triages the SARIF findings into an interactive report with deduplication, real-world-impact prioritization, plain-English fixes, and scan diffs. The pricing is built for small teams: a free tier with 5 scans a month, then $14.99 for 100 scans a month, then $99 for 1000.
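The run-time ownership gate described above and in the "Where both leave a gap" list, sketched as an added example (not pentes.io's code): the worker re-checks a DNS TXT proof and the target's scope immediately before scanning, and fails closed. The `_owner-challenge` label, the token and account values, the ACME dns-01 style digest, and the injected `resolve_txt` lookup are all assumptions.

```python
import base64
import hashlib
import hmac

CHALLENGE_LABEL = "_owner-challenge"  # hypothetical TXT label (assumption)


def expected_txt(token: str, account_id: str) -> str:
    """dns-01 style value: unpadded base64url(SHA-256("token.account"))."""
    digest = hashlib.sha256(f"{token}.{account_id}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def in_scope(host: str, proven_domain: str) -> bool:
    """Exact match or true subdomain; a bare suffix match would admit lookalikes."""
    host = host.lower().rstrip(".")
    proven_domain = proven_domain.lower().rstrip(".")
    return host == proven_domain or host.endswith("." + proven_domain)


def authorize_scan(target_host, proven_domain, token, account_id, resolve_txt):
    """Called by the worker right before scanning. Fails closed on any doubt."""
    if not in_scope(target_host, proven_domain):
        return False, "target outside proven domain"
    try:
        records = resolve_txt(f"{CHALLENGE_LABEL}.{proven_domain.lower().rstrip('.')}")
    except Exception:
        return False, "TXT lookup failed"
    want = expected_txt(token, account_id).encode()
    for record in records:
        got = record.strip().strip('"').encode()  # TXT data often arrives quoted
        if hmac.compare_digest(got, want):
            return True, "ownership proof present"
    return False, "proof missing or changed"


# Constructed sample zone standing in for live DNS so the example runs offline.
ZONE = {"_owner-challenge.example.test": ['"%s"' % expected_txt("tok-123", "acct-9")]}


def fake_resolver(name):
    if name not in ZONE:
        raise LookupError(name)  # models NXDOMAIN or a resolver error
    return ZONE[name]


if __name__ == "__main__":
    for host in ("app.example.test", "evilexample.test"):
        print(host, authorize_scan(host, "example.test", "tok-123", "acct-9", fake_resolver))
```

Because the check runs inside the job, a proof that was valid at signup but has since been removed from DNS stops the scan before any traffic is sent.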

Frequently asked questions

Is Detectify or Intruder cheaper?

It depends on what you scan. Detectify publishes entry prices: Application Scanning starts at €90/month for one domain, and Surface Monitoring starts at €302/month for up to 25 subdomains, billed as separate products. Intruder no longer shows prices on its public pricing page; third-party listings report an Essential tier in the low hundreds of dollars per month, built from a base fee plus a per-target license with a 5-license minimum. For a single application, Detectify's published €90/month entry is the lower confirmed number. Verify both against the live vendor pages before you buy, because pricing and packaging change.

Which is better for startups, Detectify or Intruder?

For a lean team that wants scheduled infrastructure scanning with little setup, Intruder's Essential tier is the simpler starting point. For a team with many subdomains that values automatic asset discovery and crowdsourced research, Detectify Surface Monitoring fits better, but it carries a higher entry price. Neither is built around a generous free tier, so if budget is the deciding factor, weigh the per-target and per-product costs against how much surface you actually need to watch.

Do Detectify or Intruder offer a free scan?

Both offer time-limited trials rather than a permanent free plan. Detectify advertises a two-week free trial, and Intruder advertises a 14-day free trial. Intruder also publishes free, open-source standalone tools such as Autoswagger and cvemon on GitHub, but those are separate utilities, not a free tier of the scanning platform. If you want recurring scans on a permanent free plan, neither vendor leads with one.

Sources, read June 2026: Detectify pricing (detectify.com/pricing) for Application Scanning €90/mo, Surface Monitoring €302/mo, API Scanning €90/mo, 2-week trial, annual invoice minimum, and domain verification; Detectify Surface Monitoring product page for automatic discovery and the Crowdsource 400+ ethical-hacker figure; Intruder pricing page (intruder.io/pricing) for the Essential/Cloud/Pro/Enterprise tiers, per-target license model, 5-license minimum, 14-day trial, and subdomain discovery listed at the Enterprise tier (prices not shown on the live page); Intruder free tools (Autoswagger, cvemon) via Intruder's announcements and GitHub. Intruder price points reported by third-party listings (G2, Capterra, vendor-review sites) ranged roughly $99–$149/month and are not stated as fact here. All figures should be re-confirmed against the live vendor pages at publish time.