# Creating a Scan

## Prerequisites
- At least one verified domain. If you don't have one, add and verify a domain first.
- Available scan quota (daily and weekly limits depend on your plan).
## Steps

- On the Scans page, click New Scan.
- Configure the scan:
### Scan Configuration
| Field | Required | Default | Description |
|---|---|---|---|
| Domain | Yes | — | Select a verified domain from the dropdown |
| Path | No | / | The starting path under the domain (e.g. /app, /api/v1) |
| Scan Types | Yes (≥1) | All selected | Choose which security modules to run (see Scan Modules) |
| Bearer Token | No | — | A JWT or API token for scanning authenticated endpoints |
| Skip Paths | No | — | Paths to exclude from scanning (e.g. /logout, /admin) |
| Max Pages | Yes | 50 | Maximum number of pages to crawl (capped by your plan) |
| Max Depth | Yes | 3 | Maximum crawl depth from the start path (capped by your plan) |
### Scan Types (Modules)
Select one or more modules to run. All are enabled by default:
| Module | What It Tests |
|---|---|
| Crawler | Discovers pages, endpoints, forms, and JavaScript files |
| SQL Injection | Tests for SQL injection in parameters, headers, and API endpoints |
| XSS | Tests for reflected XSS, DOM-based XSS, and template injection |
| JWT Analysis | Tests for JWT algorithm attacks, weak secrets, and role escalation |
| Authentication | Tests default credentials, CORS, IDOR, CSRF, and rate limiting |
| Security Headers | Checks for missing or misconfigured HTTP security headers |
| Data Exposure | Tests NoSQL injection, mass assignment, file upload, and path traversal |
| SSRF | Tests for SSRF, cloud metadata access, and command injection |
| Fuzzing | Directory brute-forcing, HTTP method testing, XXE, and external tool integration |
### Bearer Token
If your application requires authentication, provide a valid Bearer token. The token is:
- Stored temporarily in Redis during the scan
- Never persisted in the database
- Deleted automatically after the scan completes
Example token format:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
### Skip Paths
Use skip paths to exclude URLs you don't want the scanner to visit (e.g. logout endpoints that would invalidate your session token).
- Type a path and press Enter or click Add
- Paths appear as removable pills
- Paths are relative to the target URL (e.g. /logout, /admin/reset)
- A leading / is added automatically if missing
### Plan Limits
The scan modal shows your current usage:
- Daily scans used vs limit (includes deleted scans)
- Weekly scans used vs limit (includes deleted scans)
- Max pages and Max depth capped by your plan
- Click Start Scan.
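The field rules above (defaults, at least one module, skip-path normalization, plan caps and daily/weekly quota, and the bearer token never reaching the database) gathered into one validation routine. This is an added example, not the product's own code; the `Plan` class, its limit values, and the `persisted_record` helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field, asdict
from typing import Optional

# Hypothetical plan limits; the page only says that quota and caps depend on your plan.
@dataclass(frozen=True)
class Plan:
    daily_scans: int
    weekly_scans: int
    max_pages: int
    max_depth: int

MODULES = {"Crawler", "SQL Injection", "XSS", "JWT Analysis", "Authentication",
           "Security Headers", "Data Exposure", "SSRF", "Fuzzing"}

def normalize_skip_path(p: str) -> str:
    """Skip paths are relative to the target; a leading '/' is added if missing."""
    p = p.strip()
    return p if p.startswith("/") else "/" + p

@dataclass
class ScanConfig:
    domain: str                         # must already be a verified domain
    path: str = "/"
    scan_types: set = field(default_factory=lambda: set(MODULES))  # all on by default
    bearer_token: Optional[str] = None  # held only for the scan's lifetime
    skip_paths: list = field(default_factory=list)
    max_pages: int = 50
    max_depth: int = 3

def validate(cfg: ScanConfig, verified_domains: set, plan: Plan,
             daily_used: int, weekly_used: int) -> ScanConfig:
    """Apply the page's rules; returns a normalized copy or raises ValueError."""
    if cfg.domain not in verified_domains:
        raise ValueError("domain must be added and verified first")
    if daily_used >= plan.daily_scans or weekly_used >= plan.weekly_scans:
        raise ValueError("scan quota exhausted (deleted scans count toward usage)")
    if not cfg.scan_types or not cfg.scan_types <= MODULES:
        raise ValueError("select at least one known scan module")
    return ScanConfig(
        domain=cfg.domain, path=cfg.path or "/", scan_types=set(cfg.scan_types),
        bearer_token=cfg.bearer_token,
        skip_paths=[normalize_skip_path(p) for p in cfg.skip_paths if p.strip()],
        max_pages=min(cfg.max_pages, plan.max_pages),   # capped by plan
        max_depth=min(cfg.max_depth, plan.max_depth))   # capped by plan

def persisted_record(cfg: ScanConfig) -> dict:
    """What may be written to the database: everything except the bearer token."""
    record = asdict(cfg)
    record.pop("bearer_token")
    return record
```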
## After Launching
The scan enters the Queued state. You can monitor its progress on the Scan Detail page, which auto-refreshes every 5 seconds while the scan is queued or running.
If there are other scans ahead of yours, you'll see your queue position and an estimated wait time.