Run assessment

After a successful configuration check, review and finalize your scope configuration before starting the assessment.

Important: You cannot change domain scopes or protected URLs after you start an assessment.

Review domain scope

The “Scope” section of the “Configuration check” page shows the domains identified during the authentication and discovery checks. Each domain displays a suggested rule type: target domains and their subdomains are marked as Attackable, while third-party sites are marked as Allow Visit.

Verify critical domains are included

Automated discovery may not capture all application components. Many applications use multiple subdomains or services that are not exercised during initial authentication. Review the proposed scope to ensure all critical domains are included.

Note: Enterprise users can add missing domains to the configuration. Lightspeed users should contact XBOW if a critical domain is missing.

  1. In the “Add domain” field at the end of the domain list, enter the missing domain.
  2. Click Add scope to add the domain to the list.

Check domain rule types

Each domain is defined as Attackable, Allow Visit, or Blocked. Verify that all domains have the appropriate rule type and edit any incorrect assignments.

  • Attackable: Domains that XBOW actively tests for vulnerabilities. Use this for your application’s core functionality.
  • Allow Visit: Domains that XBOW can visit but not attack. Use this for third-party services required for application functionality, such as authentication providers, CDNs, or domains serving static assets.
  • Blocked: Domains that XBOW cannot access or test. Use this sparingly, only for domains that should never be accessed. Any domain not explicitly listed is treated as blocked by default.

Best practice: Leave domains defined as “Blocked” only if you are certain that the site functions normally in a web browser without any access to them. For more information, see Scope configuration.

Note: If you block a domain that’s used to log in or to maintain a session, such as an identity provider or token endpoint, XBOW may be unable to authenticate, so it will pause the assessment. See Authentication problems.

Configure URLs for special treatment (optional)

XBOW automatically prevents attacks on URLs that are likely to interrupt your assessment. You may also want to manually protect additional URLs to ensure safe testing. For example, you typically want to block access to financial management endpoints.

Note: Any endpoints that XBOW uses to authenticate during the configuration check are automatically locked as “Auth-only”. Click the blue “XX URLs are locked” button to view a list of locked URLs.

To learn more about locked URLs and manual URL protection, see Protected URLs.

Add URLs for special treatment

  1. Expand the “Protected URLs” area within the “Scope” section.
  2. Choose a match type and define the endpoint or endpoint pattern.
    • Exactly matches: Use to match a single endpoint.
    • Starts with: Use to match a group of endpoints that share the same prefix.
    • Includes: Use to match a group of endpoints with a shared element.
    • Regexp matches: Use to match a group of endpoints where the pattern is more complex.
  3. Click Protect URL to add a row with your definition set to Auth-only.
  4. Update the behavior to Blocked if needed. If blocking access to a URL is likely to cause problems during the assessment, you will see a detailed warning message. Revert to Auth-only unless you are confident that the URL is not needed for authentication.
  5. Use the “Simulator” area to verify that the pattern matches all relevant variations (for example, /api/delete and /api/v1/delete).
  6. Ensure legitimate testing paths remain accessible.
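To make the scope rules concrete, here is an added example (not XBOW's own code, and not a description of how XBOW implements matching) that models the two decisions described above: the domain rule types (Attackable, Allow Visit, Blocked, with unlisted domains blocked by default) and the four protected-URL match types with their Auth-only or Blocked behaviour. The hostnames, patterns and authentication paths are constructed for illustration. It also includes a small simulator, as in step 5, and a check in the spirit of step 4 that flags Blocked rows which would cut off a path the login flow needs.

```python
import re
from urllib.parse import urlsplit

# Constructed domain scope: hostname -> rule type. Hostnames are invented
# for illustration; XBOW's own subdomain handling is not modelled here,
# so every host that should be in scope is listed explicitly.
DOMAIN_RULES = {
    "app.example.com": "attackable",
    "api.example.com": "attackable",
    "login.idp.example.net": "allow_visit",    # identity provider: visit, never attack
    "static.example-cdn.net": "allow_visit",   # CDN serving static assets
    "billing.partner.example.org": "blocked",  # must never be touched
}

# Constructed protected-URL rows: (match type, pattern, behaviour).
# Behaviour is "auth_only" (the default for a new row) or "blocked".
PROTECTED_URLS = [
    ("exactly", "/api/logout", "auth_only"),
    ("starts_with", "/api/admin/", "blocked"),
    ("includes", "/delete", "blocked"),
    ("regexp", r"^/api/(v\d+/)?payments(/|$)", "blocked"),
]

# Constructed list of paths the authentication flow relies on.
AUTH_PATHS = ["/login", "/api/session", "/api/logout"]


def path_matches(match_type, pattern, path):
    """Apply one of the four match types to a request path."""
    if match_type == "exactly":
        return path == pattern
    if match_type == "starts_with":
        return path.startswith(pattern)
    if match_type == "includes":
        return pattern in path
    if match_type == "regexp":
        return re.search(pattern, path) is not None
    raise ValueError(f"unknown match type: {match_type}")


def domain_rule(host):
    """Look up the rule for a host; anything not listed is blocked by default."""
    return DOMAIN_RULES.get(host, "blocked")


def classify(url):
    """Decide how a URL would be treated: the domain rule applies first, and
    protected-URL rows only narrow what may be tested on attackable domains."""
    parts = urlsplit(url)
    rule = domain_rule(parts.hostname or "")
    if rule != "attackable":
        return rule
    for match_type, pattern, behaviour in PROTECTED_URLS:
        if path_matches(match_type, pattern, parts.path):
            return behaviour
    return "attackable"


def simulate(match_type, pattern, sample_paths):
    """Mimic the Simulator: show which sample paths a pattern would catch."""
    return {p: path_matches(match_type, pattern, p) for p in sample_paths}


def auth_conflicts(rows, auth_paths=AUTH_PATHS):
    """Return (row, path) pairs where a Blocked row would cut off a path the
    login flow needs; these are the rows that deserve a warning before saving."""
    return [
        (row, p)
        for row in rows
        for p in auth_paths
        if row[2] == "blocked" and path_matches(row[0], row[1], p)
    ]


if __name__ == "__main__":
    for url in ["https://app.example.com/api/v1/delete",
                "https://login.idp.example.net/authorize",
                "https://unknown.example.com/"]:
        print(url, "->", classify(url))
    # "Starts with /api/delete" misses /api/v1/delete; a regexp catches both.
    print(simulate("starts_with", "/api/delete", ["/api/delete", "/api/v1/delete"]))
    print(simulate("regexp", r"^/api/(v\d+/)?delete$", ["/api/delete", "/api/v1/delete"]))
    # A broad Blocked prefix would also cut off the session endpoint.
    print(auth_conflicts([("starts_with", "/api/", "blocked")]))
```

The ordering in `classify` is the point worth noticing: a protected-URL row never widens access, it only restricts paths on a domain that is already Attackable, and an unlisted host is blocked before any path rule is consulted. The simulator run shows why step 5 matters: a "Starts with" rule on `/api/delete` silently leaves `/api/v1/delete` testable, while the regexp variant covers both.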

Choose a level for impact demonstration

In the “Impact demonstration” section, choose how intrusively XBOW can investigate the impact of any significant vulnerabilities it finds during this assessment. We recommend that you use the default of “Moderate” unless you have a specific reason to change it.

Each target remembers the level you saved last, so a new assessment or retest of the same target starts with the same setting unless you change it.

Tip: This setting has no impact on the cost of the assessment.

For more information, see Impact demonstration. For guidance on choosing a level, see Limiting impact demonstration.

Start your assessment

Once you’ve reviewed and confirmed your scope configuration:

  • Click Start assessment.

XBOW begins systematically testing your application for vulnerabilities.

The duration of your assessment varies according to the application size and your configuration decisions. Once you have started the assessment, you can leave it to run. XBOW will email you or your organization administrator when the assessment is complete.

Note: You can leave the assessment to XBOW, but keep your testing environment stable while it runs. If the application, credentials, or security controls change mid-run, XBOW pauses and tells you what to fix rather than returning misleading results. See Monitor assessment for the changes to watch for.

Next steps
