AppSec
Application security scanning
Application security scanning is the core loop of this module: you register the apps and APIs you want tested (targets), run assessments against them, and work through the findings that come back. This page explains every screen and control involved, and walks the full flow end to end.
What it's for
- Register the things you want tested — web apps, REST and GraphQL APIs, and mobile apps.
- Run assessments — a full penetration-style test, an API-focused test, a mobile test, or a fast quick scan.
- Triage and close findings — review evidence, confirm or dismiss, and track each finding to remediation.
The screens in it
The workspace is organized as a set of tabs. The ones you'll use most are:
- Dashboard — an at-a-glance summary: security-posture score, key counts, a findings-by-severity breakdown, and your most recent assessments.
- Assessments — the list of every scan you've run or scheduled, with the controls to start, stop, re-run, and organize them.
- Targets — the apps and APIs registered for testing.
- Findings — every vulnerability found across all assessments, in one place.
The remaining tabs support that core loop:
- Compliance — map findings against the compliance frameworks you care about.
- Exceptions — record accepted risks and exclusions.
- Reports — generate shareable reports of your results.
- Scan Templates — reusable assessment configurations.
- Scanners and Scan Agents — the engines that run your scans and the agents that reach targets inside your network.
- Credentials — securely stored logins an assessment can use to test authenticated areas of an app.
- CSP Generator — build a Content Security Policy for a site.
- Tools — a set of standalone security utilities.
- Settings — options for the workspace.
Every control explained
The AppSec dashboard
The dashboard summarizes where things stand and gives you quick ways to start a scan.
| Control | What it does |
|---|---|
| Security Posture ring | A single score (0–100) rolling up your open findings into one health indicator, labelled Good, Fair, or Critical. |
| Total Targets / Active Scans / Open Findings / Completed | Key counts across the workspace. Active Scans is how many assessments are running right now. |
| Findings by Severity | A donut and bar breakdown of open findings by Critical, High, Medium, Low, and Info. |
| Quick Start buttons | Four convenient shortcuts — New Web App Scan, API Pentest Test, Quick Scan, and Mobile App Test — that all open the same new assessment wizard below; none of them preselects a type, so you still pick it in the wizard. |
| Recent Assessments | Your latest scans, each showing its status and finding counts. Click one to open it; View All jumps to the Assessments tab. |
The Assessments tab
| Control | What it does |
|---|---|
| New Assessment | Starts the assessment wizard to configure and launch a scan. |
| Search | Filters the list by assessment name. |
| Status filter | Narrows the list to Running, Queued, Completed, Scheduled, Failed, or Cancelled. |
| Retests toggle | Shows or hides retest assessments (re-runs of a single finding). Appears only when retests exist. |
| Refresh | Reloads the list. Running scans also update on their own. |
| Folder chips | Quick filters — All, Running, Completed, Failed, and Drafts — each with a live count. |
| New Folder | Creates your own folder chip to group assessments; you can rename or delete it later from its menu. |
| Summary stats | A strip showing Total, Running, Critical Findings, and High Findings. |
Each row in the assessment list has its own actions — View to open the full detail, Start or Stop depending on its state, Re-run to launch a fresh copy, and Delete. Times in the list are shown in your local time zone, noted above the table.
An assessment moves through several internal phases while it runs; the list shows all of them simply as Running with a live indicator, so you always know when work is in progress.
The assessment wizard
Starting a new assessment opens a wizard where you:
- Pick a target — search and select the app or API to test. In edit mode the currently selected target is always shown.
- Choose an assessment type — Full Pentest (a thorough web-app test), API Pentest (REST or GraphQL), Mobile Security (iOS/Android), or Quick Scan (a fast check).
- Name and launch the assessment.
You can also switch to the AI assessment builder, which helps you describe what you want tested in plain language and drafts the assessment configuration for you.
The Targets tab
| Control | What it does |
|---|---|
| Search | Filters targets by name or address. |
| Type filter | Narrows to Web Application, REST API, GraphQL API, or Mobile App. |
| Add Target | Opens a form to register a new target. |
| Target name (in the table) | Opens the target's detail view. |
| View details (eye) | Opens the same detail view. |
| Activate | Marks an inactive target active so it can be scanned. Shown only when a target isn't already active. |
| Quick Scan (play) | Immediately starts a fast scan of the target; switch to the Assessments tab to watch progress. |
| Delete (trash) | Removes the target after a confirm step. |
The table also shows each target's Type, address, Status, when it was Last Assessed, and how many open Findings it has.
The Findings tab
The Findings tab collects every vulnerability from every assessment in one list.
| Control | What it does |
|---|---|
| Severity cards | Critical / High / Medium / Low counts across the filtered results. Click a card to filter to that severity. |
| Search | Filters findings by text. |
| Status filter | Narrows to Open, Confirmed, Accepted Risk, Retest Pending, Persistent, or Remediated. |
| Application filter | Narrows to findings on a single app. |
| Export CSV | Downloads the current findings as a spreadsheet. |
| Column sort | Click Severity, CVSS 4.0, or Status headers to sort. |
| Row checkbox | Selects findings for a bulk action. |
| Expand (chevron) | Opens the finding's full detail inline. |
When one or more findings are selected, a bulk-action bar appears with Mark Confirmed, Mark False Positive, Mark Remediated, and Export Selected.
A finding's detail
Expanding a finding shows its description, quick status buttons (Confirmed, False Positive, Remediated), and three sub-tabs:
- Request/Response — the exact HTTP request and response that demonstrate the issue, each with a Copy button.
- Reproduction Steps — the numbered steps to reproduce it.
- CVSS 4.0 Breakdown — the score, the full vector, and a plain-language breakdown of each metric (attack vector, complexity, privileges required, and so on).
Common workflows
Workflow: scan an app from scratch
-
Open the Targets tab and click Add Target. Give it a name, choose the type (for example Web Application), and enter its address.
Step 1 — adding a new target -
Back in the list, click the target's Quick Scan (play) button — or open the Assessments tab and click New Assessment to choose a fuller assessment type.
Step 2 — starting a scan from the target row -
Switch to the Assessments tab to watch progress. The assessment shows as Running with a live indicator until it completes.
Step 3 — the assessment running in the list -
When it finishes, click the assessment to open its detail, or open the Findings tab to see everything it discovered.
Step 4 — reviewing the findings the scan produced
Workflow: triage a finding
- Open the Findings tab and click a severity card (for example Critical) to focus on the findings that matter most.
- Click a finding's row to expand it, then read the Request/Response and Reproduction Steps to confirm it's real.
- Use the status buttons to mark it Confirmed (needs fixing), False Positive (not a real issue), or Remediated (already fixed).
- To act on several at once, tick their checkboxes and use the bulk-action bar.
Workflow: export findings to share
- On the Findings tab, set the filters so the list shows exactly what you want to share.
- Click Export CSV to download every filtered finding, or select specific rows and click Export Selected.
- The spreadsheet downloads to your device.