A security auditing computer system efficiently evaluates and reports security exposures in a target Web site hosted on a remote Web server system. The auditing system includes a crawler subsystem that constructs a first list of Web page identifiers representing the target Web site. An auditing subsystem selectively retrieves and audits Web pages based on a second list, based on the first. Retrieval is sub-selected dependent on a determined uniqueness of Web page identifiers relative to the second list. Auditing is further sub-selected dependent on a determined uniqueness of structural identifiers computed for each retrieved Web page, including structural identifiers of Web page components contained within a Web page. The computed structural identifiers are stored in correspondence with Web page identifiers and Web page component identifiers in the second list. A reporting system produces reports of security exposures identified through the auditing of Web pages and Web page components.