Skip to main content
Invoset

Methodology

How WCAG 2.1 AA scanning actually works.

Invoset is not magic and we are not going to pretend it is. This page walks through what each WCAG scan actually does, what we choose to test against, where the limits sit, and how the resulting archive is structured so a lawyer or auditor can read it cold. If you want to see the output before reading the process, run a free single-page scan first.

The pipeline

A one-time ownership check, then four stages run end to end on every scan. Median runtime after verification sits between 30 and 60 seconds for a 10-page site.

  1. 00Stage

    Domain ownership verification

    Before we run anything, you publish either a DNS TXT record or a single HTML meta tag with a token we issue. The same pattern Google Search Console and Vercel use. We will not scan a domain that has not been verified, because a scan report is only useful in court if you actually own the site it covers.

    One-time step per domain. Takes about a minute on most DNS providers. The verification is recorded against the site so the audit-trail PDF can show exactly when ownership was proven.

  2. 01Stage

    Page discovery

    We discover the public pages of your site through the same channels search engines use, then queue them in priority order. Page allowance per scan scales by plan: 10 on Starter, 50 on Pro, 200 on Business.

    Crawl directives are honoured. Pages you disallow for general crawlers are skipped, even when they would otherwise be reachable.

  3. 02Stage

    Real browser rendering

    Each URL is opened in a real, fully-featured browser environment, not a raw HTML fetch. Scripts execute, fonts load, single-page-app routes resolve, and dynamic content settles before testing begins.

    Most accessibility issues only appear after a page hydrates and interactive components mount. Static-HTML scraping would miss them.

  4. 03Stage

    Rule evaluation

    We run an industry-standard accessibility test suite, the same family of rules that powers Chrome DevTools, Microsoft Edge accessibility insights, and Lighthouse, against WCAG 2.1 conformance Levels A and AA. Findings include the failing element, the WCAG criterion it maps to, and a remediation hint.

    Level AAA is deliberately excluded. AAA is not the legal benchmark in the US, the EU Accessibility Act, or UK Equality Act guidance, and including it would dilute the actionable signal.

  5. 04Stage

    Persistence

    Every finding is recorded with the raw machine output, the timestamps, the test-suite version, and the page count. Raw payloads are retained for seven years so any historical scan can be reproduced exactly.

    Storage is encrypted at rest. Backups are kept on the same retention window so the audit trail survives infrastructure changes.

  6. The outputSample

    Illustrative result, not a real customer site. Every finished scan lands in your dashboard and the audit-trail archive.

Cadence

Continuous, not one-shot.

A scan from January does nothing for a site as it stands in May. Invoset re-scans on a recurring schedule, so coverage keeps pace with the changes you ship.

  • Starter: monthly scans, automatic. The dashboard shows the next due date and the worker enqueues it for you.
  • Pro and Business: weekly scans, with the option to trigger an extra manual scan whenever you ship a meaningful change.
  • Manual scans: available on every plan from the dashboard. Useful right after a release.

Diffing

Every scan is compared to the one before it.

After a scan finishes we diff its findings against the previous completed scan at the rule-plus-page level. Two pieces of information come out of that diff and drive both the dashboard timeline and the email alert:

What broke since last time

New findings

A rule that did not fail on the previous scan now fails on at least one page. These are the items that need attention before they age into a complaint.

What you fixed

Resolved findings

A rule-page pair that was failing previously is now passing. We surface these so the audit trail records improvements as well as regressions.

The first scan for a site has no previous run to compare against. We mark it as the baseline; subsequent scans are diffed against it until the next one comes in. Email alerts only fire when the diff is non-empty so we do not train your inbox to ignore us.

Scoring

How the number is calculated.

The headline conformance score is straightforward arithmetic against per-rule outcomes. It is comparable across scans for the same site and useful as a trend signal, not an absolute legal guarantee.

score = passes / (passes + violations) × 100
  • Inapplicable rules (rules with nothing relevant to test on a given page) are excluded from both numerator and denominator.
  • Multi-page scans roll up: the score reflects every page we tested in that run.
  • Impact buckets (critical, serious, moderate, minor) are stored alongside the score so you can prioritise without re-reading the raw report.

Archive

The audit trail is the product.

If a demand letter arrives, the question your lawyer will ask is not whether your site was perfect on day one. It is whether you can show contemporaneous evidence of an active accessibility programme. The Invoset archive is built to answer that.

  • Per-scan timestamping. Every scan record carries queued, started, and finished timestamps in UTC.
  • Engine versioning. The exact test-suite version used is recorded against every scan so findings can be reproduced years later.
  • Raw payload retention. The complete machine output of each scan is kept for seven years, not just the summary counts.
  • Audit-trail PDF export. A single document covering every scan for a site, with a report ID, methodology section, and chronological scan log.
  • Public verification page. Anyone with the badge link can confirm which site is monitored and when the last scan ran.
  • Score band visibility. The badge image itself reflects the latest score band, so regressions are visible without opening the dashboard.

Honest limits

Things automated testing cannot catch.

Even the best automated engine catches roughly 30 to 40 percent of accessibility barriers. The rest needs a human. We are explicit about that because pretending otherwise is the exact thing that has earned the overlay industry its reputation.

  • Whether the labels on form fields are meaningful, not just present.
  • Whether a screen reader announces a custom widget in a way that makes sense in context.
  • Whether keyboard focus order matches the visual reading order on a complex page.
  • Whether colour combinations are confusing for users with specific colour-vision deficits beyond raw contrast ratios.
  • Whether a video has actually-correct captions versus autogenerated nonsense that technically passes the rule.

There is also a scope boundary. Invoset tests the public pages a visitor reaches without logging in, which is where the overwhelming majority of accessibility demand letters originate. Pages behind a customer or member login, such as account areas and document portals, are on our roadmap; until then, pair them with a manual review.

For full posture, pair Invoset with periodic manual review by a CPACC-certified auditor. Business plan customers get two hours of remediation time included each month for exactly this kind of work.

Reference

StandardWCAG 2.1, Levels A and AA
Test suiteIndustry-standard rule engine used by major browser tooling
RenderingReal browser environment, fully hydrated DOM
CoveragePublic pages discovered automatically, plan-bounded
CadenceWeekly or monthly auto-rescan, plus manual on demand
Score formulapasses / (passes + violations) × 100
DiffEach scan compared at the rule + page level
RetentionRaw payloads kept for 7 years, encrypted at rest
EvidenceAudit-trail PDF + public verification page

Ready

Run a scan against your site in five minutes.

Verify your domain (DNS TXT or HTML meta tag, about a minute), get one full scan free, then decide if continuous monitoring is worth a plan.

Start a free scanSee pricing