Why most security scans fail on first run
Understand why scans sometimes return "Scan Unavailable" instead of a real grade, and what you can do to get a clean result on the next attempt.
Scan failures
A failed scan is not a failed site
When VibeLeak cannot complete a scan, it marks the result as "Scan Unavailable" rather than assigning a misleading grade. Understanding why helps you get a real result on the next attempt.
- WAF blocks (~40%): The most common cause. Bot protection sees the scanner as automated traffic.
- Timeouts (~25%): The site responds too slowly for the scanner to complete its checks.
- DNS issues (~20%): Propagation delays, misconfigured records, or temporary resolution failures.
- Redirect loops (~15%): Misconfigured redirects that trap the scanner in a loop.
Bot protection
WAFs are doing their job — but they block legitimate scanners too
Cloudflare, AWS WAF, and similar services often block automated requests by default. The scanner looks like a bot because it is one, even if its intent is benign.
- Whitelist the scanner IP range if you control the WAF.
- Temporarily lower bot protection sensitivity for the scan window.
- Use a staging environment without WAF for baseline scans.
Performance
Slow sites time out before the scanner finishes
Each scan module has a timeout. If the site takes too long to respond to any individual check, the scan aborts to avoid hanging indefinitely.
Resolution
DNS problems are usually temporary
New domains, recent DNS changes, or intermittent resolver issues can all prevent the scanner from finding the target. These usually resolve themselves within hours.
- Verify the domain resolves from multiple geographic locations.
- Check for CAA or DNSSEC issues that might block validation.
- Wait 24 hours after major DNS changes before scanning.
Action
How to get a clean scan result
Most scan failures are transient. A few simple checks can turn a failed scan into a completed one with a real grade.
Check the URL
Make sure the domain is correct and publicly reachable without authentication.
Temporarily relax WAF rules
If you control the firewall, allow the scanner through for the duration of the scan.
Retry during off-peak hours
Server load and network congestion are lower, reducing timeout risk.
Run from a staging environment
If production is heavily protected, scan staging first to establish a baseline.
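A preflight check that sorts a target into the four failure causes described above before you retry a scan. It is an added example, not VibeLeak's code; the hop limit, the timeout, and treating 403/429 as a likely WAF block are assumptions.

```python
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request

MAX_HOPS = 10             # assumed redirect budget, not VibeLeak's actual limit
TIMEOUT_S = 10            # assumed per-request timeout in seconds
BLOCK_CODES = {403, 429}  # heuristic: statuses bot protection often returns


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError


def http_fetch(url):
    """One request without redirect following: (status, Location or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=TIMEOUT_S) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def preflight(url, fetch=http_fetch):
    """Classify a target into the failure categories listed in this article."""
    seen = set()
    while len(seen) < MAX_HOPS:
        if url in seen:
            return "redirect-loop"
        seen.add(url)
        try:
            status, location = fetch(url)
        except OSError as exc:
            cause = getattr(exc, "reason", exc)  # URLError wraps the socket error
            if isinstance(cause, socket.gaierror):
                return "dns"
            if isinstance(cause, (socket.timeout, TimeoutError)):
                return "timeout"
            return "unreachable"
        if status in BLOCK_CODES:
            return "waf-block"
        if 300 <= status < 400 and location:
            url = urllib.parse.urljoin(url, location)
            continue
        return "ok"
    return "redirect-loop"  # chain longer than MAX_HOPS


if __name__ == "__main__":
    print(preflight(sys.argv[1]))
```

Run it against your own domain from the network you expect the scanner to use; a result other than `ok` tells you which of the fixes above to apply first.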