AppSec
Scan configuration and tools
Beyond the core Dashboard, Assessments, Targets, and Findings loop, Application Security has a set of supporting tabs that configure how assessments run and help you act on what they find. This page covers Scan Templates, Credentials, Agents, the CSP Generator, Tools, Exceptions, and Compliance.
What it's for
- Standardize how you scan — save a scan configuration once as a template and reuse it on future assessments instead of rebuilding it every time.
- Store credentials safely — keep the logins and auth flows an assessment needs to test behind a login wall, without re-entering them each run.
- Reach targets inside your network — deploy scan agents so assessments can test internal apps that aren't reachable from the internet.
- Generate a Content Security Policy — turn a crawl of your site into a ready-to-deploy CSP header.
- Accept and track risk — request, review, and expire exceptions for findings you've chosen not to fix immediately.
- See compliance readiness — map a completed assessment's findings against PCI-DSS, SOC 2, and ISO 27001 controls.
The screens in it
- Scan Templates — reusable assessment configurations (agents, budget, feature toggles) you can save and load.
- Credentials — a vault of saved logins and reusable authentication profiles for testing authenticated areas of an app.
- Agents — the Docker-based scan agents that connect outbound from inside your network, plus the tokens used to enroll them.
- CSP Generator — a standalone utility that builds a Content Security Policy from a crawl summary.
- Tools — a set of standalone security utilities for exercising specific backend capabilities directly.
- Exceptions — the risk-acceptance workflow for findings you've decided to defer, with review and expiry.
- Compliance — compliance-framework scoring generated from a completed assessment's findings.
Every control explained
Scan Templates
A scan template captures a reusable configuration — which agents run, how aggressive the scan is, and a handful of feature toggles — so you don't have to reconfigure an assessment from scratch every time.
| Control | What it does |
|---|---|
| Seed Defaults | Loads a starter set of templates if you don't have any yet. |
| Create Template | Opens the template editor to build a new one. |
| Search | Filters templates by name, description, or base type. |
| Edit (pencil) | Opens the template editor pre-filled with the template's current settings. |
| Duplicate (copy) | Creates a copy of the template named "(copy)" that you can then adjust. |
| Delete (trash) | Removes the template, with a confirm step. Not available on the seeded default templates. |
The table also shows each template's Base Type, how many Agents it enables (out of the full set), how many times it's been Used, and when it was Last Used.
The template editor lets you configure:
| Field | What it controls |
|---|---|
| Template Name / Description | How the template appears in the list and the wizard. |
| Base Type | The assessment type the template is built on — Full Pentest, API Pentest, Quick Scan, Mobile Security, or Custom. |
| Budget Level | How much scanning effort to spend — Low, Medium, High, or Custom. |
| Features | Toggles for AI-Powered Planning, Exploit Chain Analysis, Multi-Pass Scanning, Headless Browser Crawling, Prioritize API Spec Endpoints, Intelligent Discovery, and API Version Mirroring. |
| Max Crawl Pages / Scan Timeout | Numeric limits on how much of a site to crawl and how long a scan may run before it's cut off. |
| Agents | Which individual scanning agents (XSS, SQLi, SSRF, auth testing, and dozens more) are enabled for this template — select all, deselect all, or pick individually. |
Credentials
The Credentials screen is a vault for anything an assessment needs to log in as a test user. It has two tabs: Saved Credentials and Auth Profiles — both store the same kind of information, but Auth Profiles are the form used when wiring authentication into an assessment from the wizard.
| Control | What it does |
|---|---|
| Add Credential / New Auth Profile | Opens a form to save a new credential or auth profile. |
| Search | Filters by name, username, URL, or description. |
| Type filter chips | Narrows the list to a specific credential/auth type. |
| Sort (Name / Date) | Reorders the list. |
| Test (flask icon) | Runs a live login test against a target URL and shows whether it succeeded. |
| Edit / Delete | Updates or removes a saved credential or profile. |
When you add a credential, you give it a name, pick a credential type (username/password, form login, API login, bearer token, API key, HTTP basic auth, OAuth 2.0, cookie login, or custom headers), and fill in only the fields that type needs — for example a login URL and username/password for a form login, or a token for a bearer-token credential. Secret values (passwords, tokens, API keys) are never shown again once saved — leave them blank when editing to keep the existing value.
Auth Profiles and Saved Credentials store the same kind of authentication information. Create either one from this screen, or create an Auth Profile directly from the Assessment Wizard while configuring a new scan — both approaches produce the same reusable profile.
Agents
Scan Agents are lightweight Docker containers you run inside your own network. They connect outbound only to ThreatWeaver over a persistent WebSocket, so assessments can reach internal apps and APIs that aren't exposed to the internet — no inbound firewall rules required.
| Control | What it does |
|---|---|
| Quick Setup wizard | Walks you through generating an enrollment token, running the Docker command, and confirming the agent connects — in three steps. |
| Deploy panel | The subscription-aware flow for generating enrollment tokens and deployment commands. |
| Fleet stats | Totals across Connected, Active, Stale, and Offline agents. |
| Agent row | Shows the agent's name, hostname, connection status, last heartbeat, scans completed, and its current task load. Expand a row to see its recent task history. |
| Max concurrent tasks (cap) | An editable per-agent limit (1–32) on how many scan tasks it runs at once. |
| Decommission | Retires an agent, with a confirm step. |
| Enrollment Tokens panel | Lists tokens used to register new agents, showing active/expired/revoked status and usage count, with a Revoke action. |
CSP Generator
The CSP Generator is a standalone utility that turns a crawl of your site into a ready-to-use Content-Security-Policy header.
| Control | What it does |
|---|---|
| Base URL | The site the policy is being generated for. |
| Mode | strict (enforced) or report-only (logs violations without blocking). |
| Report URI | Optional endpoint that receives CSP violation reports. |
| Crawl results JSON | The crawl data (pages, scripts, and external resources found) the policy is built from. |
| Generate | Builds the policy header, any warnings, and ready-to-paste server config snippets. |
| Download .conf | Downloads a config file with the generated policy. |
| Server snippet tabs | Switches the generated snippet between nginx, Apache, and Express formats. |
Tools
Tools is a set of standalone utilities, each wrapping one focused backend capability with a form and a response viewer — useful for testing a capability directly or for a demo, without needing a separate API client.
| Tool | What it does |
|---|---|
| AI Fix | Builds AI fix prompts for a finding, parses a model's response, and generates a suggested patch. |
| Dep Bump | Composes a dependency-upgrade plan and pull-request envelope from vulnerability advisories. |
| Slack Simulator | Exercises the /tw Slack slash-command responses without needing a connected Slack workspace. |
| MCP Audit | Audits an MCP (Model Context Protocol) server inventory against policy checks. |
| Maintainer Risk | Scores open-source package maintainer risk as part of supply-chain review. |
| AI Code Detector | Flags files with patterns typical of AI-generated code for elevated review. |
| Post-Merge Verify | Given a merged pull request and before/after findings, decides which findings were actually fixed. |
| CART | Drives multi-phase automated campaign state and builds a resume plan from a checkpoint. |
| Repo Scanners | Kicks off secrets, infrastructure-as-code, and static-analysis scans against a repository. |
Exceptions
Exceptions record findings you've formally accepted as risk instead of fixing right away — with a business justification, an expiry date, and (for higher severities) a review chain.
| Control | What it does |
|---|---|
| Filter by target | Switches between a single target's exceptions and an all-targets view. |
| Status filter chips | Narrows the list to Pending Review, Awaiting L2, Approved, Rejected, Expired, or Revoked. |
| Expand row (chevron) | Shows the business justification, compensating controls, and review history. |
| Review / L2 Review | Approves or rejects a pending exception, with a required comment. |
| Extend | Adds more days (30/60/90/180/365) to an approved exception's expiry. |
| Revoke | Ends an approved exception early. |
The table shows each exception's Finding, Target, Severity, Status, when it was Requested, and when it Expires.
Request Exception is available from the single-target view (select a target from the filter dropdown first) and opens a form where you:
- Pick the finding the exception covers.
- Write a business justification (minimum 10 characters).
- Optionally describe compensating controls already in place.
- Choose an expiry period.
Approval requirements scale with severity: Info/Low findings are auto-approved, Medium requires one review, and High/Critical requires two independent reviews before the exception takes effect.
Compliance
Compliance turns a completed assessment's findings into a readiness score against three frameworks: PCI-DSS 4.0, SOC 2 Type II, and ISO 27001:2022.
| Control | What it does |
|---|---|
| Assessment selector | Picks which completed assessment the compliance scores are computed from. Defaults to the most recent one. |
| Framework cards | Each shows a circular score gauge, a pass/fail/partial breakdown, and a pass-rate bar. Click a card to see its control details. |
| Status filter pills (in the detail panel) | Narrows the control list to All, Pass, Fail, or Partial. |
| Control row | Expand a control to see the findings tied to it and a plain-language recommendation for closing the gap. |
Common workflows
Workflow: save and reuse a scan template
-
Configure an assessment the way you want it (agents, budget level, feature toggles) — either directly on the Scan Templates tab via Create Template, or from inside the assessment wizard.
-
On the Scan Templates tab, click Create Template, give it a name and description, choose a Base Type, and select the agents it should run.
Step 1 — building a new scan template -
Click Create Template to save it.
-
The next time you start an assessment, choose Custom Template as the assessment type and load your saved template from the dropdown — its agents are applied automatically, and you can still adjust them before launching.
Step 2 — loading a saved template in the assessment wizard
Workflow: request and approve a risk exception
-
Open Exceptions, use the Filter by target dropdown to choose the target the finding belongs to, and click Request Exception.
Step 1 — opening the Request Exception form for a target -
Select the finding, write a business justification, optionally note any compensating controls, and choose an expiry period.
-
Submit the request. Info/Low severity findings are approved automatically; Medium and above route to a reviewer.
-
A reviewer opens the pending exception from the exceptions table and clicks Review (or L2 Review for high/critical findings), chooses Approve or Reject, and adds a comment.
Step 2 — reviewing a pending exception -
Once approved, the exception appears with its expiry date; use Extend before it lapses, or Revoke to end it early.