FCVL is a site where Filippo Cavallarin publishes security research, vulnerability disclosures, and open-source tools. Its cybersecurity offerings mainly focus on HTCAP, HTCRAWL, DOMDig, and Burp DOM Scanner. It is not a traditional SaaS security platform, but rather a set of local security testing tools for modern Web single-page applications (SPAs). Its core purpose is to address issues that traditional crawlers often fail to cover adequately, such as Ajax/fetch/jsonp/websocket traffic, DOM changes, and authentication flows in SPAs.
HTCAP is the main tool, positioned as a Web application scanner. It can recursively crawl SPAs, collect requests by intercepting Ajax calls and DOM changes, and store the results in a SQLite database. Its built-in fuzzers can detect issues such as SQL injection, XSS, command execution, and file disclosure, and it can also call external tools such as sqlmap, Arachni, Wapiti, and Burp. DOMDig focuses on DOM XSS scanning; HTCRAWL is a Node.js crawler module based on Puppeteer/Chromium; and Burp DOM Scanner integrates DOMDig capabilities into the Burp Suite GUI.
Deployment is mainly based on local command-line usage and open-source modules. HTCAP depends on Python, Node.js, npm, and Puppeteer/Chromium, and sqlmap and Arachni can also be installed as external scanners. For management, the tools support multithreaded scanning, chained command execution, SQLite queries, interactive HTML reports, advanced filtering, and workflow utilities. However, the available materials do not indicate centralized team management, access control, real-time alerting, or SIEM/IM notification capabilities. Integration capabilities are relatively strong, with support for proxies, cookies, custom headers, HTTP Auth, login sequences, and custom scanning modules.
No commercial pricing, subscription plans, payment methods, or enterprise support information is provided in the available materials. Several projects point to GitHub, so the overall offering is closer to open-source/free research tools. There is also no visible SOC 2, ISO 27001, GDPR, or other compliance certification information, nor any enterprise-grade SLA details. As a result, it should not be treated as a compliance-oriented enterprise security platform.
Its main advantages are its strong focus on SPA scenarios, its ability to discover Ajax/API requests missed by traditional crawlers, and its support for authenticated crawling, custom fuzzing, and integration with external tools. The downsides are a relatively high barrier to deployment and use, documentation that is technical in nature, and a lack of commercial support, visual management, and compliance endorsements. It is best suited for penetration testers, security researchers, and DevSecOps teams with scripting capabilities, especially for targeted Web security testing and strengthening an existing toolchain.
The available materials do not provide information on network accessibility from mainland China, payment options, or localized services, so china_access can only be marked as unknown. If access to GitHub-related resources is unstable, teams in China may consider more common alternatives or complementary tools such as Burp Suite, OWASP ZAP, sqlmap, and Wapiti.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, fcvl.net.
fcvl.net is an Italy-based pentest provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of "China direct-connect friendly".