Ecommerce Detection & Response · Realtime

Detect Magecart, skimmers and checkout tampering before your customer’s bank tells you.

EcomScan scans your server files with 6 detection engines — signatures, YARA, heuristics, IOC matching, exploit detection, and CVE scanning. Deploy the korp CLI agent, scan your store, get a SOC-grade incident report in seconds.

  • 18s · scan 13,000+ files
  • 6 · detection engines
  • SOC 2 Type II, PCI-DSS aligned
Realtime telemetry

A live feed of every storefront you operate.

Every script load, integrity diff, login, and checkout behavior across your fleet — streamed to a single timeline. Grouped into incidents, scored, and routed to the right channel.

  • 4.8s · Median detect
  • 99.4% · Signal-to-noise
  • 2,431 · Events / hour
  • 28 fams · Magecart families
Slack · PagerDuty · Webhook · Email · MS Teams · SIEM (Splunk · Datadog · Elastic)
Capabilities

Built for ecommerce, not retrofitted from antivirus.

We started with the four attacks that actually take stores down — and instrumented the layers attackers touch when they do.

Signature + YARA scanning

28 compiled regex patterns and 5 YARA rule files match webshells, skimmers, backdoors, and obfuscated malware across PHP, JS, and HTML files.

28 signatures · 38 hashes · 5 YARA rules

Heuristic analysis

40+ behavioral signals detect zero-day threats without signatures — eval chains, XOR encoding, entropy anomalies, exfiltration patterns, and payment form hooks.

zero-day · entropy · behavioral

Database scanning

Scans WordPress MySQL tables for injected scripts, rogue admin accounts, fake plugins, SEO spam, cron backdoors, and URL hijacking — reads wp-config.php automatically.

6 tables · wp_users · wp_options · wp_posts

CVE + plugin vulnerability

Matches installed plugins against NVD, WPScan, and Wordfence vulnerability databases. Flags outdated versions, known exploits, and CISA KEV entries.

NVD · WPScan · KEV · CVSS

Incident reports + email

Generate SOC-grade incident reports with one flag: --report. 10-section reports with executive summary, critical threats, action plan, and technical appendix. Email with --email.

--report · --email · .txt · .json

9 integrations

Send alerts to Slack, PagerDuty, Jira, Splunk, Datadog, Elasticsearch, MS Teams, Cloudflare (auto-block), and any HTTPS webhook with HMAC signing.

SIEM · alerting · edge block
Flagship · Magecart

A skimmer’s first second is its loudest.

We instrument the checkout DOM, not the homepage. The moment a script attaches to a card-input field, intercepts a fetch, or mounts an iframe overlay on a payment route, ecomscan correlates the fingerprint against 28 known families and 6 behavioral classes.

  • Field-level form-hook detection (PAN, CVV, expiry, cardholder)
  • Stripe / Adyen / Braintree iframe tampering watchers
  • Cross-store IOC propagation in <30s across your fleet
  • Magecart family fingerprints updated weekly by ecomscan Labs
MITRE ATT&CK · ecommerce overlay · mapped

  • T1189 · Drive-by Compromise
  • T1195.002 · Supply Chain
  • T1056.003 · Web Form Capture
  • T1059.007 · JS Execution
  • T1041 · C2 Exfiltration
  • T1027 · Obfuscation
  • T1505.003 · Web Shell
  • T1071.001 · App Layer C2
  • T1185 · Browser Hijack
  • T1539 · Steal Session

// detection.skimmer · INC-2391 · 2026-05-12 04:18:09Z
match(family="KeepUp.v3") {
  hook: "document.querySelector('#card_number').addEventListener",
  exfil: "https://js.payform-secure-checkout.io/p.js",
  confidence: 0.97,
  propagate: ["acmegear.com", "northpeak.co"]
}

Checkout integrity

Watch the page your customers actually pay on.

Synthetic checkouts every 60 seconds from clean browsers in five regions. Every load is diffed against a known-good baseline: scripts attached, network requests made, fields hooked, headers returned.

  • Diff-first model — surfaces only what changed since the last good baseline
  • Card-data sources, sinks and exfil channels mapped to PCI 6.4.3
  • Region-by-region observability (skimmers often target single geos)
checkout · synthetic run · eu-west · 1 hook

Form fields

email · clean
shipping.address · clean
card.number · hooked by p.js
card.expiry · clean
card.cvv · iframe (Stripe)

Network egress

api.stripe.com · allowed
cdn.shopify.com · allowed
payform-secure...io · NEW · unsigned
klaviyo.com · allowed
gtm.io · allowed
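
The diff-first model described above, sketched as an added example (not EcomScan's code): one synthetic run is compared with a known-good baseline and only the differences are reported. The object layout, field names and severity labels are assumptions, and the data is constructed to mirror the sample run shown on this page.

```javascript
// Added example: all data below is constructed; field names are assumptions.
const CARD_FIELDS = /^card\./;

const baseline = {
  scripts: ["https://cdn.shopify.com/checkout.js"],
  egress: ["api.stripe.com", "cdn.shopify.com", "klaviyo.com", "gtm.io"],
  hooks: { "email": [], "shipping.address": [], "card.number": [],
           "card.expiry": [], "card.cvv": ["iframe:stripe"] },
};

const run = {
  region: "eu-west",
  scripts: ["https://cdn.shopify.com/checkout.js",
            "https://js.payform-secure-checkout.io/p.js"],
  egress: ["api.stripe.com", "cdn.shopify.com", "klaviyo.com", "gtm.io",
           "js.payform-secure-checkout.io"],
  hooks: { "email": [], "shipping.address": [], "card.number": ["p.js"],
           "card.expiry": [], "card.cvv": ["iframe:stripe"] },
};

// Items present in `seen` but absent from `known`.
const added = (known, seen) => seen.filter((x) => !new Set(known).has(x));

function diffRun(base, obs) {
  const findings = [];
  for (const s of added(base.scripts, obs.scripts))
    findings.push({ kind: "script", item: s, severity: "high" });
  for (const h of added(base.egress, obs.egress))
    findings.push({ kind: "egress", item: h, severity: "high" });
  // Scripts that vanished can also matter (e.g. a removed integrity monitor).
  for (const s of added(obs.scripts, base.scripts))
    findings.push({ kind: "script-removed", item: s, severity: "medium" });
  for (const [field, hooks] of Object.entries(obs.hooks)) {
    // A field missing from the baseline is treated as having no approved hooks.
    for (const hook of added(base.hooks[field] ?? [], hooks))
      findings.push({ kind: "hook", item: `${field} <- ${hook}`,
                      severity: CARD_FIELDS.test(field) ? "critical" : "high" });
  }
  return findings; // an empty array means the run matches the baseline
}

console.log(diffRun(baseline, run));
```
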
Agency · 64 storefronts
“We replaced two scanners and a homegrown integrity tool with ecomscan. The single console across all our clients’ stores is the part we didn’t know we needed — every alert tells our analyst exactly which store, which file, and what to do.”
Marta Kovács
Head of Platform · Forge Commerce Agency
Time to detect

You’ll see your first incident before your second coffee.

Copy the korp binary to your server, run korp scan --path /var/www/html --db-scan, and get a full incident report in under 30 seconds. No agent install, no browser tag, no configuration.

10 MB binary. Zero dependencies. 14-day trial.