Comparing different types of assessment
By default, XBOW runs a comprehensive assessment of your target. After fixing vulnerabilities, you can run a retest assessment to verify the fixes. Lightspeed accounts can use these two assessment types. Enterprise users can also configure targeted assessments.
All users
Comprehensive application assessment
A comprehensive assessment performs a full security evaluation across your entire application, testing for all vulnerability types supported by XBOW.
This is the default assessment type and is used for initial Lightspeed assessments.
When to use:
- First time testing an application with XBOW
- Regular security assessments to identify all potential vulnerabilities
- Compliance or audit requirements that need complete coverage
- When you want to understand your overall security posture
What it tests:
- All OWASP Top Ten vulnerability classes
- Application-wide security controls
- Authentication and authorization mechanisms
- All accessible endpoints and functionality
Retest previous vulnerabilities
A retest assessment verifies whether previously identified vulnerabilities have been remediated.
XBOW first attempts to reproduce the original exploit to confirm the fix. If the original exploit is blocked, XBOW applies advanced exploitation techniques to check that the fix is comprehensive and cannot be bypassed.
When to use:
- After remediating vulnerabilities from a previous XBOW assessment
- To verify that security patches are effective
- When you need evidence that vulnerabilities are resolved
- Before deploying fixes to production
What it tests:
- Previously identified vulnerabilities using original exploits
- Potential bypasses of implemented fixes
- Alternative exploitation techniques if the original exploit fails
Enterprise users
Targeted application assessment
This assessment focuses on one or more specific categories of vulnerability, while also checking for common security issues.
When to use:
- Recent code changes affect particular security controls
- Previous assessments identified issues in specific areas
- You want to focus resources on high-priority vulnerability classes
What it tests:
- Selected vulnerability classes with deep focus
In addition to your selected classes, XBOW always tests for:
- Misconfigurations
- Publicly known CVEs
- Leaked secrets
- Common vulnerability types
Testing for only one or two vulnerability classes (such as Remote Code Execution and Cross-Site Scripting) increases focus and depth on those specific areas.
Choosing the right assessment type
Consider these factors when selecting an assessment type:
- Testing frequency: Use comprehensive assessments quarterly or before major releases. Use targeted assessments for specific concerns or after focused development work.
- Available time: Comprehensive assessments take longer but provide complete coverage. Targeted assessments complete faster when you need quick results.
- Development focus: If recent work concentrated on specific functionality (for example, a new authentication system), use a targeted assessment for the vulnerability classes relevant to that work.