Fortwatch Review: Strong Agentless EASM, Until You Count Your Subdomains
Fortwatch is a fast, agentless EASM scanner with eleven scanners and a $99 sticker. The catch is per-subdomain billing and a vendor with no track record. Our independent review does the math and compares it to Snyk, Datadog, CrowdStrike, and Splunk.
What Fortwatch actually is
Fortwatch is an agentless external attack-surface management tool. You give it a domain, and within a few minutes it runs eleven scanners against your public-facing infrastructure: open ports via Nmap, CVE detection against more than 9,000 Nuclei templates refreshed daily, SSL grading through testssl.sh, DNS and email-auth checks, security headers, exposed sensitive files, subdomain takeover, cloud bucket exposure, brand and typosquat monitoring, visual change detection, and WHOIS intelligence (fortwatch.ai/services). Nothing to install. The pitch is that a small team gets serious external coverage without hiring a security engineer to run it.
Our six-person AI review panel scored it 6.5 out of 10, and that split verdict is the right way to read the product. The engineering holds up under scrutiny: eleven working scanners, Nuclei templates pulled daily, escalating SSL alerts, and an AI layer that prioritizes findings instead of dumping a raw CVE list. The pricing model and the absence of any vendor track record are what keep it out of the upper half of its category. There is no G2, Trustpilot, or Gartner Peer Insights listing for it as of June 2026, so this review fills in what the vendor pages and the generic best-EASM listicles leave out.
Fortwatch and the alternatives at a glance
Fortwatch competes in a crowded band, and the useful comparison is not against one product but against the lane you are actually in: external surface scanning, developer and code security, or a security module bolted onto a platform you already run.
| Tool | Model | Entry price | Panel score | Lane |
|---|---|---|---|---|
| Fortwatch | Per-asset EASM scanning | $99/mo (Essential) | 6.5 | Agentless external surface scanning |
| Snyk | Per-developer SCA/SAST | $25/dev/mo | 8.2 | Code and dependency security |
| Datadog | Usage-based platform | From $15 | 7.0 | Security inside an observability suite |
| CrowdStrike | Per-endpoint platform | From $7.99 | 8.3 | Endpoint and exposure management |
| Splunk | SIEM / analytics | Contact sales | 8.0 | Enterprise SIEM and analytics |
Note the gap. Fortwatch is the lowest-scoring option in this table, and that is not an artifact of the matrix. The higher scores belong to vendors with funding, history, and audit-grade depth. Fortwatch trades that maturity for speed and a low sticker, and whether the trade works for you depends almost entirely on how many subdomains you run.
Fortwatch
Fortwatch — the agentless EASM specialist
What it is. Fortwatch does one job and does it without a sales call. You start a 14-day trial with no card, point it at a domain, and the scanners run. Setup is a few minutes because there is no agent and nothing to instrument (fortwatch.ai). The AI layer ranks findings by severity rather than handing you an undifferentiated CVE dump, which is what the product leans on for its "no security hire needed" claim.
Strengths. The breadth is the draw, and it is verifiable on the services page: OWASP Top 10 coverage, SSL expiry alerts escalating at 30, 14, 7 and 1 days, and 117 sensitive-file paths checked per asset. The pricing is fully published with no gate, which is a concrete edge over enterprise rivals that hide every number behind a demo. For a team running a handful of assets, the dashboard genuinely consolidates eleven scanners into one place.
Where it falls short. The $99 sticker covers one web application asset and five infrastructure assets. Fortwatch defines a web application asset as a domain or a subdomain, and each additional one costs $49 per month on Essential and Pro (fortwatch.ai/pricing). A team with six subdomains pays the base $99 plus five extra assets: $99 + (5 x $49) = $344 per month, not $99. The other caveat is softer but worth naming: "no security hire needed" still leaves someone on your team triaging and remediating what the scanners surface, and the quality of the AI prioritization is not something an outside reviewer can verify. The tool finds the issues; it does not fix them for you.
Pick Fortwatch if:
- You are a solo founder or small DevOps team with no dedicated security person.
- Your asset count is genuinely small, ideally a handful of subdomains or fewer.
- You want agentless coverage running in minutes and can absorb a Pro-tier commitment.
- You can model your real per-asset cost before signing, not after invoice two.
What $99 actually buys
Every panelist who looked at the money landed in the same place. The sticker is honest about being $99; it is not honest about what $99 buys. Here is the tier math from the pricing page.
| Tier | Price (annual) | Scan cadence | Alerts | Extra web-app asset |
|---|---|---|---|---|
| Essential | $99/mo | Weekly | Email only | $49/mo each |
| Pro ("Most Popular") | $199/mo | Daily | Slack + webhook | $49/mo each |
| Business | $329/mo | Daily | Slack + webhook | $59/mo each |
| Enterprise | Custom | Daily | Full | Custom |
Two rows in that table contradict the homepage's "all eleven scanners on every plan, nothing hidden" framing. First, daily scans and Slack or webhook alerts start at Pro ($199), so Essential is a weekly, email-only product, and weekly cadence rules out anything close to real-time CVE detection. Second, three of the eleven scanners, subdomain takeover, cloud bucket exposure, and brand and typosquat monitoring, are gated to Business ($329) and above (fortwatch.ai/pricing). The eleven-scanners claim is technically true and practically misleading on the cheaper tiers.
Run the realistic number. A growth-stage team with eight subdomains that wants daily scans and Slack alerts is on Pro at $199. One web-app asset is included, so seven are billable extras at $49 each: $199 + (7 x $49) = $542 per month. That is no longer competing with a budget scanner; it is in the range of a Datadog security module. The trap is not dishonesty on the price tag. It is that the one variable driving your bill, subdomain count, is the one buyers forget to count.
Who is behind Fortwatch
The panel's lowest sub-score, 5.8, had nothing to do with the scanners and everything to do with provenance. The vendor publishes no founder, no launch date, no team size, no funding, no location, and no version history (fortwatch.ai/manifesto). Combine that with the missing third-party footprint noted earlier, and you are being asked to grant a tool continuous visibility into your external attack surface without being able to see who is behind it or how long they have shipped.
That blind spot carries more weight here than it would for most software, because an EASM tool sits at your perimeter and stores a map of your weak points; if the vendor is compromised or simply disappears, that map and your dependency on it go with them. There is a related ceiling on the compliance side. Fortwatch markets itself as "SOC 2 and ISO 27001 ready" with PDF and CSV evidence exports, which means it helps you produce audit evidence, not that the platform itself carries those certifications (fortwatch.ai/products). Walking into a SOC 2 Type II audit, that distinction is the line between a useful input and a liability.
When a different lane fits better
Fortwatch is the right shape only for a specific buyer. If you sit outside that shape, one of these scores higher for a concrete reason.
Snyk
What it is. Snyk is developer-first security: software composition analysis and static analysis that find vulnerabilities in your code and dependencies, not your public perimeter. The Team plan runs $25 per developer per month with a five-developer minimum and a ten-license cap before you move to Business (snyk.io/plans).
Strengths. A panel score of 8.2, and it owns the lane Fortwatch never touches. If your actual risk is a vulnerable npm package shipping to production, Fortwatch will not see it; Snyk catches it in the pull request where the fix is cheap.
The catch. The ten-license cap pushes a growing team toward Business pricing, and SCA or SAST does nothing for an exposed S3 bucket or an expiring certificate. It is the wrong tool if your exposure lives at the edge rather than in the repo.
Pick Snyk if: your risk lives in code and dependencies rather than at the network edge.
Datadog
If your team already lives in Datadog every day, the calculus changes. Datadog folds security monitoring into the observability platform you are already paying for, usage-based and starting around $15 for core modules, and adding a security module beats standing up a separate tool with a separate login. The panel scored it 7.0. The trade-off is twofold: usage-based billing has its own runaway-cost reputation, and Datadog security is one module inside a sprawling platform rather than a focused EASM product, so you are paying for the whole ecosystem to get the part you want. Pick Datadog if you already run its observability stack and want security to live in the same pane.
CrowdStrike
CrowdStrike is the answer to the exact trust gap that drags Fortwatch down. It is an established, well-funded endpoint and exposure-management platform, starting around $7.99 per endpoint, and it earned the highest panel score in this set at 8.3: a known vendor with a long track record moving aggressively into vulnerability and exposure management. The cost is in the deployment. It is endpoint-anchored, so the model and the setup effort are heavier than agentless external scanning, and it pulls in adjacent tooling you may not need. This is the upgrade lane, not the minimum-viable starting point. Pick CrowdStrike if vendor trust and platform depth matter more to you than a five-minute setup.
Splunk
What it is. Splunk is enterprise SIEM and security analytics, priced by contact with sales.
Strengths. A panel score of 8.0, with the audit-grade, established-vendor posture Fortwatch cannot offer. This is where teams land once lightweight EASM stops being enough.
The catch. It is overkill and overpriced for a small team, and it carries operational weight a no-security-hire shop cannot absorb. Standing up and tuning Splunk is itself a job. Wrong tool for the buyer Fortwatch targets.
Pick Splunk if: you need audit-ready security analytics and have the team to run it.
How to decide
Three questions narrow this fast.
How many subdomains do you actually run? Count them honestly, including staging and marketing hosts. If the answer is more than a handful, the per-asset math erodes Fortwatch's price advantage and you should model the real number before signing. If it is genuinely small, the agentless setup is hard to beat at the entry tier.
Where does your real risk live? If it is in your code and dependencies, Snyk is the better spend. If it is your public perimeter and you have no one watching it, Fortwatch fills a gap nothing else in this table covers as cheaply. If you already run a platform with a security module, check whether Datadog covers enough before adding a tool.
Can you tolerate a vendor with no track record? If you are pre-audit and experimenting, the trust gap is survivable and the trial costs nothing. If you are betting a compliance workflow or your perimeter monitoring on long-term reliability, CrowdStrike or Splunk carry the history Fortwatch has not yet earned.
Before you commit, do the one piece of arithmetic the pricing page leaves to you: add up every subdomain and infrastructure asset you would need covered, plug them into the tier you actually need for daily scans and Slack alerts, and compare that monthly total against Pro-tier rivals. If the number stays small and you can live without a vendor history, Fortwatch is a legitimate buy at a price the established players cannot match. If your subdomains run into the dozens or an audit is on the calendar, treat it as a stopgap and budget for the upgrade now rather than discovering it on invoice three.
Author
Ryan LedgerStartup advisor and SaaS analyst who has evaluated 500+ software products. Writes detailed comparisons and buyer guides.
