WebRiskOps

A self-service website risk operations platform and a concrete example of Aptenova's automation-first SaaS development. WebRiskOps has grown beyond a scan-and-report flow into a broader system for authorized scanning, evidence, private reports, AI-assisted remediation, repository-aware planning, retests, monitoring, billing, agency workflows, and customer operations.

Scope

Scans only run after customer-controlled or explicitly authorized scope is captured.

Evidence

Reports connect findings to screenshots, HTML snapshots, headers, browser observations, and issue fingerprints.

Workflow

Fix credits, ticket fallback, repository planning, retests, monitoring, agency support, and billing state stay connected to the same project.

Risk operations platform development

From authorized scanning into full website risk operations.

WebRiskOps is built for commercial websites where the problem is not just finding issues, but coordinating authorized website risk work across checkout, consent, accessibility, security headers, trust signals, and remediation evidence. It demonstrates how Aptenova handles product boundaries, safety gates, async work, AI-assisted review, billing state, customer portals, agency workflows, and internal operations in one system.

01

Public pages explain the offer, checks catalog, workflow, pricing, sample report, FAQ, scan authorization, responsible scanning limits, data retention, acquisition diagnostics, and contact routing.

02

Customers create accounts and projects, register domains, classify key flows, choose package intent, accept scan scope, and keep unsupported or unsafe targets blocked before work starts.

03

Scanner work collects page coverage, screenshots, HTML snapshots, response headers, console and network observations, and issue evidence for reports and fix tasks.

04

Reports move findings into generated remediation tasks, scoped access requests, repository-aware planning, customer-applied evidence, retests, monitoring schedules, alerts, billing, credits, and agency-client workflows.

Expanded platform surface

What makes WebRiskOps useful as a larger development example.

The product is strongest where automated scanning becomes a guarded operating workflow: authorization, packages, evidence, AI-assisted remediation, repository planning, monitoring, agency support, billing, and admin diagnostics all have to agree before the platform can claim progress.

  • Authorized scan scope

    Customers must describe the target domain, market, platform, business flow, access model, and permission boundary before scans can run.

  • Public scan lead capture

    The public homepage accepts a URL as a preview request, then routes the customer toward account setup, target authorization, package state, and scan limits.

  • Site discovery and crawl limits

    Sitemap discovery, public-page fetching, internal-link grouping, skipped URLs, page limits, include/exclude scope, and package-aware scan contracts keep scanner work bounded.

  • Checks catalog and evidence model

    The product covers accessibility blockers, consent and tracking signals, checkout/forms, security headers, mixed content, browser errors, and crawler coverage.

  • Node scanner package

    A separate scanner runtime uses Node.js, Playwright, and axe-core to run browser checks, health checks, and unit-tested evidence collection outside the Laravel request cycle.

  • Private reports with quality gates

    Reports organize risk score, issue severity, confidence, affected pages, screenshots, HTML/header evidence, technical appendix, and publication state.

  • Remediation workflow

    Findings can become fix tasks with generated guidance, scoped access requests, ticket-only fallback, before/after evidence, and retest outcomes.

  • AI integration

    OpenAI-backed workflows support report summaries, finding triage, remediation guidance, support reply drafts, usage controls, and reviewable AI output before customer publication.

  • AI-assisted report and fix drafts

    AI prompt templates support finding triage, executive summaries, report copy edits, remediation plans, fix recipe drafts, support replies, usage logging, and budget caps.

  • Repository-aware remediation planning

    Repository file indexes, platform detection, code mapping, patch generation, pull-request planning, and publication safeguards connect scanner evidence to code-level remediation.

  • Monitoring and alerts

    Recurring checks compare new, fixed, and recurring issues while keeping cadence, next run, paused state, and notification routing visible.

  • Billing, credits, and package gates

    Package state, scan credits, fix credits, subscriptions, service credits, refund requests, transaction history, and dispute evidence control what workflows can start.

  • Agency and client operations

    Agency dashboards, client accounts, client portals, report sharing, package allowances, white-label handoff, and assignment workflows support multi-client risk operations.

  • Browser extension evidence capture

    The extension captures active-tab context for customer-provided evidence while keeping cookies, storage, payment fields, passwords, and background browsing history out of scope.

  • Acquisition and support routing

    Public leads, acquisition diagnostics, suppression rules, inbound messages, outbound status, support categories, and generated support replies keep communication asynchronous.

  • Assurance and extension modules

    Catalogs cover basic web trust, SOC 2 and ISO 27001 evidence checklists, vulnerability/dependency packs, CRA readiness, CMS plugin plans, mobile scan planning, and AI workflow risk checks.

  • Operational control plane

    Filament-backed admin areas expose product configuration, diagnostics, queue health, public leads, communications, monitoring, metrics, and failure inspection.
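As an added example that is not WebRiskOps code, the authorized-scope and crawl-limit bullets above could be enforced by a scope contract like the following, where each skipped URL carries a reason the report can surface; the names ScanContract, scopeViolation and planCrawl and the sample URL list are assumptions constructed for illustration.

```typescript
// Added example (not WebRiskOps code): a bounded scan-scope contract modelled on
// the authorized-scope and crawl-limit bullets. All names are illustrative assumptions.
export interface ScanContract {
  authorizedHosts: string[]; // hosts the customer explicitly authorized
  include: RegExp[];         // in-scope path patterns; empty means the whole host
  exclude: RegExp[];         // paths never crawled (checkout, account areas)
  pageLimit: number;         // package-aware cap on pages per scan run
}

export interface SkippedUrl { url: string; reason: string; }
export interface CrawlPlan { queued: string[]; skipped: SkippedUrl[]; }

function parseUrl(candidate: string): URL | null {
  try { return new URL(candidate); } catch { return null; }
}

// Returns null when the URL may be fetched, otherwise a short reason the
// report can show next to the skipped URL.
export function scopeViolation(contract: ScanContract, candidate: string, queuedSoFar: number): string | null {
  if (contract.authorizedHosts.length === 0) return "no-authorized-scope";
  const url = parseUrl(candidate);
  if (url === null) return "unparseable-url";
  if (url.protocol !== "http:" && url.protocol !== "https:") return "unsupported-scheme";
  if (url.username !== "" || url.password !== "") return "credentials-in-url";
  if (!contract.authorizedHosts.includes(url.hostname.toLowerCase())) return "host-not-authorized";
  if (contract.exclude.some((r) => r.test(url.pathname))) return "excluded-path";
  if (contract.include.length > 0 && !contract.include.some((r) => r.test(url.pathname))) {
    return "outside-include-scope";
  }
  if (queuedSoFar >= contract.pageLimit) return "page-limit-reached";
  return null;
}

// Turns discovered URLs (sitemap plus internal links) into a bounded plan.
// Fragments are dropped and exact duplicates collapsed before the limit applies.
export function planCrawl(contract: ScanContract, discovered: string[]): CrawlPlan {
  const plan: CrawlPlan = { queued: [], skipped: [] };
  const seen = new Set<string>();
  for (const raw of discovered) {
    const hash = raw.indexOf("#");
    const key = hash === -1 ? raw : raw.slice(0, hash);
    if (seen.has(key)) continue; // same page already decided
    seen.add(key);
    const reason = scopeViolation(contract, key, plan.queued.length);
    if (reason === null) plan.queued.push(key);
    else plan.skipped.push({ url: key, reason });
  }
  return plan;
}
```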

Product screens

A gallery of the WebRiskOps product surface.

These screens are representative WebRiskOps surfaces: public scan entry, customer command center, and project intake for scan scope and package context. The product now extends further into reports, remediation, monitoring, agency operations, and internal diagnostics.

Capabilities

The platform now combines acquisition, customer and agency operations, scanner output, remediation state, and internal control surfaces.

01

Public surface: homepage, how-it-works, checks catalog, pricing, public checkout intent, sample report, FAQ, use-case landing pages, legal/trust pages, acquisition diagnostics, sitemap, and robots output.

02

Customer workspace: dashboard, onboarding, accounts, projects, scan runs, reports, billing, monitoring, agency client portals, activity timeline, trust log, remediation flow, support, and settings.

03

Risk evidence domain: crawler pages, issue categories, risk score, severity, confidence, evidence availability, report publication gates, sample report output, print and PDF views.

04

Automation layer: scheduled monitoring scans, generated fix tasks, repository mapping, pull-request planning, scoped platform access, async notifications, support drafts, queue diagnostics, and failure inspection.

Engineering roles

Laravel backend, Vue customer app, queues, billing, reports, monitoring, AI workflows, and extension boundaries.

WebRiskOps is not a static scan landing page. It is a workflow product where authorization rules, scan lifecycle, billing and credit gates, report evidence, generated fix tasks, repository planning, monitoring schedules, browser-extension evidence capture, agency support, and internal diagnostics all need to stay consistent while remaining self-service.

Backend language

PHP

Backend runtime for project intake, scan orchestration, report generation, customer workflow state, and domain rules.

Application framework

Laravel

Main framework for routing, authentication, authorization, jobs, scheduled commands, domain services, and customer workflow guards.

Owner backoffice

Filament

Internal control plane for configuration, diagnostics, metrics, public leads, communication logs, queues, monitoring, reports, billing signals, and failure inspection.

Database

PostgreSQL

Relational storage for accounts, projects, scan runs, pages, issues, reports, fix tasks, credits, billing records, and audit-oriented state.

Embedded database

SQLite

Lightweight relational storage for local execution, test paths, and scanner-adjacent workflows where a small file-backed store is enough.

Cache and queue backend

Redis

Data infrastructure used for cache and queue-backed product work that should not block customer-facing screens.

Scanner runtime

Node.js

Separate scanner package that runs browser-based checks outside PHP, with health checks, unit tests, and command-line execution.

Scanner package language

TypeScript

Typed JavaScript layer for scanner package modules, browser automation glue, extension-facing code, and maintainable customer-workflow behavior.

Browser automation

Playwright

Scanner automation layer for loading pages, observing browser behavior, collecting screenshots, and detecting console or network failures.

Accessibility checks

axe-core

Automated accessibility signal collection used by the Node scanner to identify blocker patterns and evidence candidates.

AI integration

OpenAI

AI integration layer for report summaries, finding triage, remediation drafts, support replies, repository planning, usage logging, and reviewable customer-facing output.

Evidence capture

Browser extension

Customer-initiated active-tab capture for page context and report evidence without collecting cookies, storage, passwords, or background browsing history.

Server-driven UI bridge

Inertia.js

Connects Laravel controllers to Vue product screens for the customer app while preserving Laravel-owned routing and authorization.

Frontend interface

Vue.js

Interactive UI layer for public pages, dashboard, onboarding, projects, scans, reports, billing, remediation, agency portals, and settings.

Build pipeline

Vite

Frontend asset pipeline for the public site, authenticated app, scanner-adjacent UI, and production bundles.

UI styling system

Tailwind CSS

Utility CSS system for public pages, authenticated forms, command-center dashboards, dense tables, and operational controls.

API auth package

Laravel Sanctum

Laravel package for app session and API authentication boundaries around customer, project, and workflow operations.

Social authorization

OAuth 2.0

Authorization protocol used for social sign-in and external account connection flows without storing third-party passwords.

Route sharing

Ziggy

Bridges Laravel route names into Vue screens so authenticated product navigation and workflow actions stay tied to backend routes.

Regression coverage

Pest / PHPUnit

Test stack for public pages, domain rules, billing states, scanner workflows, AI-assisted output, extension boundaries, report behavior, and customer-facing copy constraints.

Self-service guardrails

WebRiskOps is designed to block unsupported or unsafe scope instead of turning ambiguous cases into manual delivery. Missing authorization, missing package state, insufficient credits, and report quality gates all produce explicit next actions.

Evidence before claims

The product records observable browser and scanner evidence before creating report findings. It avoids presenting itself as legal advice, a compliance certificate, or a penetration test.

Operations after the report

After the first report, the same project context can keep remediation, repository planning, monitoring, recurring issues, fixed findings, alert routing, and report refreshes tied to the original evidence baseline.