Our new elastic demand backend is now live
By Andrew McDowell
How We Built Biz Secure Online to Scale: Reliable Security Scanning at Any Volume
When a customer clicks "Scan" on Biz Secure Online, a lot happens behind the scenes. We run a full suite of security tools against their website — vulnerability scanning with Nuclei, port analysis with Nmap, WordPress detection, SSL certificate validation, header analysis, SEO checks, and more. Each scan takes 8–12 minutes and demands serious utility computing.
Our early architecture handled a handful of concurrent scans without issue. But as we grew, we hit a wall: queue 10 or 15 scans at once and some would silently stall. Scans would sit as "pending" indefinitely, the system would report zero demand, and no new workers would spin up to handle them.
We didn't want to patch around it with a workaround. We wanted the next release to fix the problem for good.
What We Built
BSO now runs on a fully elastic scanning infrastructure. When scans are submitted, our autoscaler provisions dedicated cloud machines in under two seconds, distributes work evenly across them, and scales back down when demand drops — all automatically.
During our production validation, we ran 13 concurrent security scans across 7 machines. Every scan completed successfully with full results. No stalls. No lost jobs. No wasted resources.
Here's what makes it work:
Intelligent autoscaling. Our backend monitors queue depth in real time and starts or stops scan machines to match demand. Each machine handles two concurrent scans, so the system scales linearly — 10 machines handle 20 scans, 50 machines handle 100.
Isolated job processing. Every scan is claimed atomically. If two machines try to pick up the same scan, the second one detects it instantly and moves on. No duplicate work, no conflicts.
Resilient under load. Security scanning tools like Nuclei are CPU-intensive. We tuned our job locking and timeout layers so that heavy workloads don't cause false failures. A scan running at full CPU won't be interrupted or reassigned — it runs to completion on the machine that started it.
Graceful failure handling. If a scan machine goes down mid-scan, the system detects it, reclaims the job, and retries it on a healthy machine. No manual intervention required.
Under the Hood
For those interested in the architecture: BSO uses a Redis-backed job queue (BullMQ) with Fly.io machines as ephemeral scan workers. The autoscaler runs on a 30-second tick cycle, comparing queue depth against running capacity and adjusting accordingly. We use environment-isolated queues so staging and production never interfere with each other, and a layered timeout chain — from individual tool timeouts up through scan-level and job-level caps — ensures nothing can hang indefinitely.
The result is a scanning pipeline that's both horizontally scalable and self-healing.
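The autoscaler tick described above, as an added example that is not Biz Secure Online's code: it turns queue depth into a target machine count and only stops idle machines when scaling down. `planTick`, `MAX_MACHINES` and the machine record shape are assumptions; the two-scans-per-machine figure comes from the article.

```javascript
// Added example, not Biz Secure Online's code. planTick, MAX_MACHINES and the
// machine record shape are assumptions made for illustration.
const SCANS_PER_MACHINE = 2; // from the article: two concurrent scans per machine
const MAX_MACHINES = 50;     // assumed fleet cap

// queue:    { waiting, active } job counts (BullMQ exposes these via getJobCounts()).
// machines: [{ id, state: 'started' | 'stopped', activeScans }]
function planTick(queue, machines) {
  // Demand is every job that needs a slot. Counting only active jobs would
  // report zero demand while scans sit in the queue.
  const demand = queue.waiting + queue.active;
  const desired = Math.min(MAX_MACHINES, Math.ceil(demand / SCANS_PER_MACHINE));
  const running = machines.filter((m) => m.state === 'started');

  if (desired > running.length) {
    // Scale up: restart stopped machines first, then create the remainder.
    const need = desired - running.length;
    const start = machines.filter((m) => m.state === 'stopped')
      .slice(0, need).map((m) => m.id);
    return { desired, start, create: need - start.length, stop: [] };
  }
  // Scale down: stop only machines with no scan in progress, so a running
  // scan finishes on the machine that started it.
  const surplus = running.length - desired;
  const stop = running.filter((m) => m.activeScans === 0)
    .slice(0, surplus).map((m) => m.id);
  return { desired, start: [], create: 0, stop };
}

// Constructed sample fleet: one busy machine, one idle, one stopped.
const fleet = [
  { id: 'm1', state: 'started', activeScans: 2 },
  { id: 'm2', state: 'started', activeScans: 0 },
  { id: 'm3', state: 'stopped', activeScans: 0 },
];
console.log(planTick({ waiting: 13, active: 0 }, [])); // burst on an empty fleet
console.log(planTick({ waiting: 0, active: 2 }, fleet)); // demand has dropped
```

On a real 30-second tick the returned plan would be handed to whatever starts and stops the machines; the function itself has no side effects, which keeps the scaling decision testable without a queue or a cloud API.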
What This Means for You
Whether you're scanning one website or fifty, BSO handles it. Scans start within seconds, run reliably, and deliver complete results every time. As our customer base grows, the infrastructure grows with it — transparently and automatically.
We built Biz Secure Online to be the security scanning platform that small businesses can trust. This scaling work is a big part of delivering on that promise.
Biz Secure Online provides automated security scanning for small and medium businesses. Try a free scan at bizsecure.online.
