Skip to main content

AppSec

Scan configuration and tools

Beyond the core Dashboard, Assessments, Targets, and Findings loop, Application Security has a set of supporting tabs that configure how assessments run and help you act on what they find. This page covers Scan Templates, Credentials, Agents, the CSP Generator, Tools, Exceptions, and Compliance.

What it's for

  • Standardize how you scan — save a scan configuration once as a template and reuse it on future assessments instead of rebuilding it every time.
  • Store credentials safely — keep the logins and auth flows an assessment needs to test behind a login wall, without re-entering them each run.
  • Reach targets inside your network — deploy scan agents so assessments can test internal apps that aren't reachable from the internet.
  • Generate a Content Security Policy — turn a crawl of your site into a ready-to-deploy CSP header.
  • Accept and track risk — request, review, and expire exceptions for findings you've chosen not to fix immediately.
  • See compliance readiness — map a completed assessment's findings against PCI-DSS, SOC 2, and ISO 27001 controls.

The screens in it

  • Scan Templates — reusable assessment configurations (agents, budget, feature toggles) you can save and load.
  • Credentials — a vault of saved logins and reusable authentication profiles for testing authenticated areas of an app.
  • Agents — the Docker-based scan agents that connect outbound from inside your network, plus the tokens used to enroll them.
  • CSP Generator — a standalone utility that builds a Content Security Policy from a crawl summary.
  • Tools — a set of standalone security utilities for exercising specific backend capabilities directly.
  • Exceptions — the risk-acceptance workflow for findings you've decided to defer, with review and expiry.
  • Compliance — compliance-framework scoring generated from a completed assessment's findings.

Every control explained

Scan Templates

A scan template captures a reusable configuration — which agents run, how aggressive the scan is, and a handful of feature toggles — so you don't have to reconfigure an assessment from scratch every time.

ControlWhat it does
Seed DefaultsLoads a starter set of templates if you don't have any yet.
Create TemplateOpens the template editor to build a new one.
SearchFilters templates by name, description, or base type.
Edit (pencil)Opens the template editor pre-filled with the template's current settings.
Duplicate (copy)Creates a copy of the template named "(copy)" that you can then adjust.
Delete (trash)Removes the template, with a confirm step. Not available on the seeded default templates.

The table also shows each template's Base Type, how many Agents it enables (out of the full set), how many times it's been Used, and when it was Last Used.

Scan Templates — the template list with base type, agent count, and usage

The template editor lets you configure:

FieldWhat it controls
Template Name / DescriptionHow the template appears in the list and the wizard.
Base TypeThe assessment type the template is built on — Full Pentest, API Pentest, Quick Scan, Mobile Security, or Custom.
Budget LevelHow much scanning effort to spend — Low, Medium, High, or Custom.
FeaturesToggles for AI-Powered Planning, Exploit Chain Analysis, Multi-Pass Scanning, Headless Browser Crawling, Prioritize API Spec Endpoints, Intelligent Discovery, and API Version Mirroring.
Max Crawl Pages / Scan TimeoutNumeric limits on how much of a site to crawl and how long a scan may run before it's cut off.
AgentsWhich individual scanning agents (XSS, SQLi, SSRF, auth testing, and dozens more) are enabled for this template — select all, deselect all, or pick individually.

Credentials

The Credentials screen is a vault for anything an assessment needs to log in as a test user. It has two tabs: Saved Credentials and Auth Profiles — both store the same kind of information, but Auth Profiles are the form used when wiring authentication into an assessment from the wizard.

ControlWhat it does
Add Credential / New Auth ProfileOpens a form to save a new credential or auth profile.
SearchFilters by name, username, URL, or description.
Type filter chipsNarrows the list to a specific credential/auth type.
Sort (Name / Date)Reorders the list.
Test (flask icon)Runs a live login test against a target URL and shows whether it succeeded.
Edit / DeleteUpdates or removes a saved credential or profile.

When you add a credential, you give it a name, pick a credential type (username/password, form login, API login, bearer token, API key, HTTP basic auth, OAuth 2.0, cookie login, or custom headers), and fill in only the fields that type needs — for example a login URL and username/password for a form login, or a token for a bearer-token credential. Secret values (passwords, tokens, API keys) are never shown again once saved — leave them blank when editing to keep the existing value.

Credentials Vault — saved credentials with type badges and a test panel open
Auth Profiles vs. Credentials

Auth Profiles and Saved Credentials store the same kind of authentication information. Create either one from this screen, or create an Auth Profile directly from the Assessment Wizard while configuring a new scan — both approaches produce the same reusable profile.

Agents

Scan Agents are lightweight Docker containers you run inside your own network. They connect outbound only to ThreatWeaver over a persistent WebSocket, so assessments can reach internal apps and APIs that aren't exposed to the internet — no inbound firewall rules required.

ControlWhat it does
Quick Setup wizardWalks you through generating an enrollment token, running the Docker command, and confirming the agent connects — in three steps.
Deploy panelThe subscription-aware flow for generating enrollment tokens and deployment commands.
Fleet statsTotals across Connected, Active, Stale, and Offline agents.
Agent rowShows the agent's name, hostname, connection status, last heartbeat, scans completed, and its current task load. Expand a row to see its recent task history.
Max concurrent tasks (cap)An editable per-agent limit (1–32) on how many scan tasks it runs at once.
DecommissionRetires an agent, with a confirm step.
Enrollment Tokens panelLists tokens used to register new agents, showing active/expired/revoked status and usage count, with a Revoke action.
Scan Agents — fleet stats, the architecture overview, and connected agents

CSP Generator

The CSP Generator is a standalone utility that turns a crawl of your site into a ready-to-use Content-Security-Policy header.

ControlWhat it does
Base URLThe site the policy is being generated for.
Modestrict (enforced) or report-only (logs violations without blocking).
Report URIOptional endpoint that receives CSP violation reports.
Crawl results JSONThe crawl data (pages, scripts, and external resources found) the policy is built from.
GenerateBuilds the policy header, any warnings, and ready-to-paste server config snippets.
Download .confDownloads a config file with the generated policy.
Server snippet tabsSwitches the generated snippet between nginx, Apache, and Express formats.
CSP Generator — a generated policy header with an nginx snippet

Tools

Tools is a set of standalone utilities, each wrapping one focused backend capability with a form and a response viewer — useful for testing a capability directly or for a demo, without needing a separate API client.

ToolWhat it does
AI FixBuilds AI fix prompts for a finding, parses a model's response, and generates a suggested patch.
Dep BumpComposes a dependency-upgrade plan and pull-request envelope from vulnerability advisories.
Slack SimulatorExercises the /tw Slack slash-command responses without needing a connected Slack workspace.
MCP AuditAudits an MCP (Model Context Protocol) server inventory against policy checks.
Maintainer RiskScores open-source package maintainer risk as part of supply-chain review.
AI Code DetectorFlags files with patterns typical of AI-generated code for elevated review.
Post-Merge VerifyGiven a merged pull request and before/after findings, decides which findings were actually fixed.
CARTDrives multi-phase automated campaign state and builds a resume plan from a checkpoint.
Repo ScannersKicks off secrets, infrastructure-as-code, and static-analysis scans against a repository.
Tools — the tool picker with the AI Fix tool open

Exceptions

Exceptions record findings you've formally accepted as risk instead of fixing right away — with a business justification, an expiry date, and (for higher severities) a review chain.

ControlWhat it does
Filter by targetSwitches between a single target's exceptions and an all-targets view.
Status filter chipsNarrows the list to Pending Review, Awaiting L2, Approved, Rejected, Expired, or Revoked.
Expand row (chevron)Shows the business justification, compensating controls, and review history.
Review / L2 ReviewApproves or rejects a pending exception, with a required comment.
ExtendAdds more days (30/60/90/180/365) to an approved exception's expiry.
RevokeEnds an approved exception early.

The table shows each exception's Finding, Target, Severity, Status, when it was Requested, and when it Expires.

Request Exception is available from the single-target view (select a target from the filter dropdown first) and opens a form where you:

  • Pick the finding the exception covers.
  • Write a business justification (minimum 10 characters).
  • Optionally describe compensating controls already in place.
  • Choose an expiry period.

Approval requirements scale with severity: Info/Low findings are auto-approved, Medium requires one review, and High/Critical requires two independent reviews before the exception takes effect.

Exceptions Management — status filter chips and the exceptions table

Compliance

Compliance turns a completed assessment's findings into a readiness score against three frameworks: PCI-DSS 4.0, SOC 2 Type II, and ISO 27001:2022.

ControlWhat it does
Assessment selectorPicks which completed assessment the compliance scores are computed from. Defaults to the most recent one.
Framework cardsEach shows a circular score gauge, a pass/fail/partial breakdown, and a pass-rate bar. Click a card to see its control details.
Status filter pills (in the detail panel)Narrows the control list to All, Pass, Fail, or Partial.
Control rowExpand a control to see the findings tied to it and a plain-language recommendation for closing the gap.
Compliance Readiness — three framework score cards with PCI-DSS selected

Common workflows

Workflow: save and reuse a scan template

  1. Configure an assessment the way you want it (agents, budget level, feature toggles) — either directly on the Scan Templates tab via Create Template, or from inside the assessment wizard.

  2. On the Scan Templates tab, click Create Template, give it a name and description, choose a Base Type, and select the agents it should run.

    Step 1 — building a new scan template
  3. Click Create Template to save it.

  4. The next time you start an assessment, choose Custom Template as the assessment type and load your saved template from the dropdown — its agents are applied automatically, and you can still adjust them before launching.

    Step 2 — loading a saved template in the assessment wizard

Workflow: request and approve a risk exception

  1. Open Exceptions, use the Filter by target dropdown to choose the target the finding belongs to, and click Request Exception.

    Step 1 — opening the Request Exception form for a target
  2. Select the finding, write a business justification, optionally note any compensating controls, and choose an expiry period.

  3. Submit the request. Info/Low severity findings are approved automatically; Medium and above route to a reviewer.

  4. A reviewer opens the pending exception from the exceptions table and clicks Review (or L2 Review for high/critical findings), chooses Approve or Reject, and adds a comment.

    Step 2 — reviewing a pending exception
  5. Once approved, the exception appears with its expiry date; use Extend before it lapses, or Revoke to end it early.