Enterprise quick start
- Enterprise only
This guide orients new Enterprise users to assessments, whatever their role. It follows an assessment from initial setup to reviewing results. Sections are grouped by the role that performs each step, roughly from the most to the least permissive, so you can jump to the parts that apply to you.
Get started
Enterprise users access XBOW Console through an organization, rather than signing up individually. Every user starts in the same place: log in to XBOW Console at https://console.xbow.com.
Your organization’s “Applications” page is displayed. It lists the applications (assets) set up for testing, along with your organization’s recent findings. If no applications have been added yet, you see “No applications found”.
From this page you can see your organization’s testing at a glance and reach everything you have access to.
What you can do depends on your role
Your role controls which options and content you see throughout the product. The full setup in this guide spans several roles, so a single user may not complete every step. The following table lists the minimum role required for each action, ordered roughly from most to least permissive. Monitor and Uploader are peer roles: each adds a different ability on top of the same read-only access, so neither is more permissive than the other.
| What you can do | Minimum required role |
|---|---|
| Add a new application | Administrator |
| Configure an application | Existing Asset Administrator |
| Run assessments | Developer |
| Pause a running assessment | Monitor |
| Upload context | Uploader |
| View results | All users |
To check which role you have, click your organization’s name in the top-left corner, then select Members. The list shows every member and their role, including your own.
If a button or option described in this guide is missing, you probably do not have the required role. Ask an administrator to complete that step or to change your role. For the full list of permissions, see User roles.
Add a new application
Minimum required role: Administrator
Before anyone can test an application, an administrator adds it to the “Applications” page. Click New assessment, then choose New Application.
For a smooth and successful assessment, make sure your application is ready for pentesting. For example, you need to create a test account for XBOW to use and confirm that XBOW’s pentesting requests can reach the application.
For information about setting up an application site that XBOW can test effectively, see Choosing a target to test and Protecting targets during XBOW testing.
Administrators should see Organization administration overview for other aspects of the Administrator role.
Configure an application
Minimum required role: Existing Asset Administrator
You can configure how XBOW accesses and tests each application, then run checks until the application shows Preflight successful on the “Applications” page. Once credentials for the test account and access to the application are confirmed, anyone with the Developer role or higher can run assessments.
To configure an application, start from the “Applications” page: click New assessment and select the application, or click Configure assessment on the application’s row. This opens the “Assessment type” page, where configuration begins.
Set up authentication
On the “Assessment type” page, click Continue to display the “Target configuration” page. Use the “Credentials” area to define the authentication method:
- If the target does not require authentication to test, move to the next step.
- Otherwise, define how XBOW can authenticate using a test account; see Define authentication for testing.
Confirm XBOW can reach your target
Make sure your server will accept test requests from XBOW, then validate the configuration:
- At the bottom of the page, read the confirmation section carefully.
- Check that your firewall is configured to allow test requests from XBOW, then select the WAF confirmation checkbox.
- Check that CAPTCHA is disabled for the test account, then select the CAPTCHA confirmation checkbox.
- Click Start checks to validate your configuration, or Save to return to it later.
For more information, see Configure your server to allow XBOW requests.
Review the configuration check
When you start checks, XBOW verifies that it can access and authenticate with the target, support multiple concurrent authenticated sessions, and find at least one domain to attack. Results appear on the “Configuration check” page, with warnings or errors for any problems.
- You must fix any errors before you can start the assessment; see Fix configuration check problems.
- You should also review any warnings to ensure that the assessment will meet your needs.
- Review the domain scope. If a critical domain is missing, add it using the “Add domain” field, then check that each domain has the correct rule type (Attackable, Allow Visit, or Blocked). For more information, see Scope configuration.
- Optional. Expand the “Protected URLs” section and specify any URLs that should not be tested; see Protected URLs.
- Optional. Change the level of impact demonstration used during the assessment; see Choose a level for impact demonstration.
Set execution options
The “Execution options” section controls when tests run, the rate at which test requests are sent to your site, and whether to allow multiple concurrent sessions. The default settings run tests at maximum speed and concurrency, so you should review them and match them to the capabilities of your site. For example:
- Keeping Unlimited requests/second could overload your site or cause the test user to exceed rate limits and be blocked. We recommend starting with 250 requests/second, then adjusting the limit as needed for subsequent assessments.
- If concurrent sessions for the same user are not supported, under “Sequential mode”, select Enable.
For more information, see Set execution options.
When the checks pass, the Run assessment button is enabled on the “Configuration check” page and the application shows Preflight successful on the “Applications” page. The application is ready for assessment. Save the successful configuration or run an assessment.
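The requests/second limit is set in XBOW Console, but it is worth confirming on your own side that the test account’s traffic actually stayed within it and was not throttled or blocked. The following script is an added example, not XBOW’s code or part of this documentation: it reads web-server access logs in the common “combined” format, assumes the test account appears in the log’s authenticated-user field (the account name xbow-test is an assumption), and reports the peak requests per second, the seconds that exceeded a limit you pass in, and any 429/403 responses returned to the test account, which suggest it hit a rate limit or firewall rule. The log lines are constructed for the example; the limit is passed as a parameter so the same check works for 250 requests/second on a real log.

```python
"""Check whether XBOW test traffic stayed under a requests-per-second limit.

Added example, not part of XBOW's product or documentation. It reads
web-server access logs in the common "combined" format, isolates requests
made by the test account (assumed to appear in the authenticated-user
field), and reports the peak per-second rate plus any 429/403 responses,
which indicate the account was rate limited or blocked.
"""
import re
from collections import Counter
from datetime import datetime

# Regex for the "combined" log format: client, ident, user, time, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; "xbow-test" is an assumed name for the test account.
SAMPLE_LOG = """\
203.0.113.10 - xbow-test [12/May/2025:10:00:00 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "xbow"
203.0.113.10 - xbow-test [12/May/2025:10:00:00 +0000] "GET /api/items/1 HTTP/1.1" 200 210 "-" "xbow"
203.0.113.10 - xbow-test [12/May/2025:10:00:00 +0000] "GET /api/items/2 HTTP/1.1" 200 208 "-" "xbow"
203.0.113.10 - xbow-test [12/May/2025:10:00:00 +0000] "POST /api/items HTTP/1.1" 201 95 "-" "xbow"
198.51.100.7 - alice [12/May/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.10 - xbow-test [12/May/2025:10:00:01 +0000] "GET /api/items/3 HTTP/1.1" 200 211 "-" "xbow"
203.0.113.10 - xbow-test [12/May/2025:10:00:01 +0000] "GET /api/items/4 HTTP/1.1" 429 0 "-" "xbow"
203.0.113.10 - xbow-test [12/May/2025:10:00:03 +0000] "GET /api/items/5 HTTP/1.1" 200 209 "-" "xbow"
"""


def parse_line(line):
    """Return (user, second-resolution timestamp, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("user"), ts, int(m.group("status"))


def analyze_test_traffic(lines, test_user, limit_rps):
    """Summarise the test account's traffic against a requests-per-second limit.

    Returns total requests, the peak per-second count and when it occurred,
    the seconds that exceeded limit_rps, and a count of 403/429 responses.
    """
    per_second = Counter()
    blocked = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or non-matching lines
        user, ts, status = parsed
        if user != test_user:
            continue  # only the test account's traffic is of interest
        per_second[ts] += 1
        if status in (403, 429):
            blocked[status] += 1
    if not per_second:
        return {"requests": 0, "peak_rps": 0, "peak_at": None, "over_limit": [], "blocked": {}}
    peak_at, peak = max(per_second.items(), key=lambda kv: kv[1])
    over = sorted(t.isoformat() for t, n in per_second.items() if n > limit_rps)
    return {
        "requests": sum(per_second.values()),
        "peak_rps": peak,
        "peak_at": peak_at.isoformat(),
        "over_limit": over,
        "blocked": dict(blocked),
    }


if __name__ == "__main__":
    # With a limit of 3 the first second (4 requests) is flagged, and one 429 is reported.
    print(analyze_test_traffic(SAMPLE_LOG.splitlines(), "xbow-test", limit_rps=3))
```

Run it against your real access log with the test account name and the limit you configured (for example 250). Seconds listed under over_limit mean the configured limit was not respected on the path that reached your server, and any 429 or 403 count means the test account was being throttled or blocked, which is the situation the rate-limit and WAF checks above are meant to prevent.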
Run assessments
Minimum required role: Developer
Once XBOW has successfully accessed an application using the credentials defined by an administrator, you can run assessments against it as needed.
Start an assessment
You start an assessment from the “Applications” page. Where you begin depends on the application’s status:
- If the application shows Preflight successful, click Configure assessment on its row. It is already configured, so you go straight to the “Configuration check” page.
- Otherwise, click New assessment at the top of the page, choose Existing application, then click Configure assessment. This opens the “Assessment type” page.
If you start on the “Assessment type” page, choose the type of test, then click Continue to work through the configuration:
- To conduct an assessment across your application using all available attack types, select Comprehensive application assessment.
- To verify fixes from a previous assessment, select Retest previous vulnerabilities and choose the vulnerabilities to retest.
On the “Configuration check” page, confirm that your firewall and any CAPTCHA are configured to allow XBOW requests to reach the application. When the checks pass, click Run assessment to begin.
XBOW reports findings on the “Run assessment” page as they are detected. Developers can stop, pause, and resume an assessment at any time. Assessment duration varies depending on the size of the application and your configuration. When the assessment completes, you or your organization administrator will receive an email.
Review a completed assessment
For an application with status Assessment complete, click View assessment to see the results, or start another assessment as described above.
For more information, see Run assessment. To set up alerts that report the status of running assessments, an administrator can use the assessment changed webhook; see Automate events.
Pause a running assessment
Minimum required role: Monitor
The Monitor role is for users who need to halt testing quickly in an emergency, for example, when an assessment affects a production system. In addition to the read-only access that all users have, Monitors can pause a running assessment.
To pause an assessment, open it from the “Applications” page while it is running. Monitors cannot resume a paused assessment; a user with the Developer role or higher must resume it. For more information, see Monitor assessment.
Upload context
Minimum required role: Uploader
XBOW uses any additional information you provide to focus the assessment and test more effectively. This is equivalent to briefing a human pentester on the endpoints to focus effort on, the types of vulnerabilities that worry you most, and the purpose of your application.
Although this step is listed here by role, context is uploaded during configuration, before an assessment runs: you enter and upload it on the “Target configuration” page while configuring an application. For more information, see Provide target context, Guiding XBOW testing, and Guiding XBOW testing for experts.
View results
Minimum required role: All users
As an Enterprise user, you can see the applications set up for testing, along with your organization’s assessments, findings, and reports.
To review what XBOW finds and act on it, click View assessment. For more information, see Explore and fix XBOW results.