Run assessment
After a successful configuration check, review and finalize your scope configuration before starting the assessment.
Important: You cannot change domain scopes or protected URLs after you start an assessment.
Review domain scope
The “Scope” section of the “Configuration check” page shows the domains identified during authentication and discovery checks. Each domain displays a suggested rule type. Target domains and subdomains are marked as Attackable while third-party sites are marked as Allow Visit.
Verify critical domains are included
Automated discovery may not capture all application components. Many applications use multiple subdomains or services that are not exercised during initial authentication. Review the proposed scope to ensure all critical domains are included.
Note: Enterprise users can add missing domains to the configuration. Lightspeed users should contact XBOW if a critical domain is missing.
- In the “Add domain” field at the end of the domain list, enter the missing domain.
- Click Add scope to add the domain to the list.
Check domain rule types
Each domain is defined as Attackable, Allow Visit, or Blocked. Verify that all domains have the appropriate rule type and edit any incorrect assignments.
- Attackable: Domains that XBOW actively tests for vulnerabilities. Use this for your application’s core functionality.
- Allow Visit: Domains that XBOW can visit but not attack. Use this for third-party services required for application functionality, such as authentication providers, CDNs, or domains serving static assets.
- Blocked: Domains that XBOW cannot access or test. Use this sparingly, only for domains that should never be accessed. Any domain not explicitly listed is treated as blocked by default.
Best practice: Leave domains defined as “Blocked” only if you are certain that the site functions normally in a web browser without any access to them. For more information, see Scope configuration.
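One way to do the "verify critical domains are included" review offline is to compare the proposed scope against the hosts a real browser session actually contacted. The script below is an added example, not XBOW's code and not its exact matching rules: it assumes a scope entry covers that host and all of its subdomains, that any host no entry covers is Blocked by default (as the page states), and that the browser traffic comes from a HAR export of the developer tools. The scope table, host names and HAR content are constructed for the example.

```python
"""Audit a proposed domain scope against the hosts a browser actually loaded.

Added example; assumptions: a scope entry also covers its subdomains, any host
with no covering entry is Blocked by default, traffic is a HAR export.
"""
import json
from urllib.parse import urlsplit

ATTACKABLE, ALLOW_VISIT, BLOCKED = "Attackable", "Allow Visit", "Blocked"

# Constructed scope, as the "Scope" section might list it after discovery.
SCOPE = {
    "app.example.com": ATTACKABLE,
    "api.example.com": ATTACKABLE,
    "login.idp-example.net": ALLOW_VISIT,      # third-party auth provider
    "cdn.example-static.com": ALLOW_VISIT,     # static assets
    "tracker.adnet-example.org": BLOCKED,      # explicitly never touched
}

# Constructed HAR export: what the browser fetched while logging in and using the app.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.com/"}},
    {"request": {"method": "GET", "url": "https://cdn.example-static.com/app.js"}},
    {"request": {"method": "POST", "url": "https://login.idp-example.net/oauth/token"}},
    {"request": {"method": "GET", "url": "https://api.example.com/v1/me"}},
    {"request": {"method": "GET", "url": "https://billing.example.com/invoices"}},
    {"request": {"method": "GET", "url": "https://tracker.adnet-example.org/pixel.gif"}},
    {"request": {"method": "GET", "url": "https://fonts.example-static.com/inter.woff2"}},
]}})


def match_entry(host, scope=SCOPE):
    """Most specific scope entry covering host, walking up its parent domains
    (assumed behaviour: an entry covers its subdomains). None if nothing covers it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in scope:
            return candidate
    return None


def rule_for(host, scope=SCOPE):
    """Effective rule type for a host; unlisted hosts are Blocked by default."""
    entry = match_entry(host, scope)
    return scope[entry] if entry else BLOCKED


def hosts_from_har(har_text):
    """Hosts contacted in a HAR export, in first-seen order."""
    seen = []
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def unlisted_hosts(har_text, scope=SCOPE):
    """Hosts the browser needed that no scope entry covers. Each of these would
    be Blocked by default, so review them: add as Attackable if part of the
    target, Allow Visit if a required third party, or confirm the site works
    without them before leaving them blocked."""
    return [h for h in hosts_from_har(har_text) if match_entry(h, scope) is None]


def audit(har_text, scope=SCOPE):
    """Map every contacted host to (effective rule, covered-by-an-entry)."""
    return {h: (rule_for(h, scope), match_entry(h, scope) is not None)
            for h in hosts_from_har(har_text)}


if __name__ == "__main__":
    for host, (rule, covered) in audit(SAMPLE_HAR).items():
        flag = "" if covered else "   <- not in scope, Blocked by default"
        print(f"{host:32} {rule}{flag}")
```

In the constructed session the browser fetched `billing.example.com` (very likely part of the target and a candidate for Attackable) and `fonts.example-static.com` (a candidate for Allow Visit); neither appears in the scope, so both would be blocked once the assessment starts, and scope cannot be changed afterwards.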
Configure URLs for special treatment (optional)
While XBOW automatically prevents attacks on URLs that may interrupt your assessment, you should also manually protect sensitive URLs to ensure safe testing. For example, you typically want to block access to financial management endpoints.
Note: If XBOW has defined any URLs as “Auth-only”, they are needed for authentication or session management. Do not change these settings, because doing so could lead to user lockout and incomplete testing.
To learn more about automatic and manual URL protection, see Protected URLs.
Add URLs for special treatment
- Expand the “Protected URLs” area within the “Scope” section.
- Choose a match type and define the endpoint or endpoint pattern.
- Exactly matches: Use to match a single endpoint.
- Starts with: Use to match a group of endpoints that share the same prefix.
- Includes: Use to match a group of endpoints with a shared element.
- Regexp matches: Use to match a group of endpoints where the pattern is more complex.
- Click Protect URL to add a row with your definition. Update the behavior to Auth-only if needed.
- Use the “Simulator” area to verify that the pattern matches all relevant variations (for example, /api/delete and /api/v1/delete).
- Ensure legitimate testing paths remain accessible.
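The following script is an added example, not XBOW's code, for rehearsing the steps above offline before you commit a pattern: it models the four match types as their names suggest, applied to the URL path (whether the real matcher also sees the query string is something to confirm in the “Simulator”), uses “Protected” and “Auth-only” as behaviour labels chosen here, and checks a rule set against two constructed lists: endpoints that must be protected and endpoints that must stay testable. All endpoint paths are constructed.

```python
"""Rehearse protected-URL rules against the endpoints discovery found.

Added example; assumes the four match types act on the path as named and that
a row's behaviour is "Protected" or "Auth-only". Paths are constructed.
"""
import re

# Constructed endpoints, as discovery might have listed them.
CANDIDATES = [
    "/api/delete", "/api/v1/delete", "/api/v1/users",
    "/docs/delete-account",            # documentation page, should stay testable
    "/admin/billing/transfer",         # moves money, must be protected
    "/admin/billing/report",           # read-only, should stay testable
    "/login", "/oauth/callback",
]

MUST_PROTECT = ["/api/delete", "/api/v1/delete", "/admin/billing/transfer"]
MUST_STAY_OPEN = ["/api/v1/users", "/docs/delete-account", "/admin/billing/report"]


def matches(match_type, pattern, path):
    """Apply one rule's match type to a path (assumed semantics, see lead-in)."""
    if match_type == "Exactly matches":
        return path == pattern
    if match_type == "Starts with":
        return path.startswith(pattern)
    if match_type == "Includes":
        return pattern in path
    if match_type == "Regexp matches":
        return re.search(pattern, path) is not None
    raise ValueError(f"unknown match type: {match_type}")


def simulate(rules, paths=CANDIDATES):
    """{path: behaviour} for every path some rule hits; first matching rule wins."""
    hits = {}
    for path in paths:
        for match_type, pattern, behaviour in rules:
            if matches(match_type, pattern, path):
                hits[path] = behaviour
                break
    return hits


def check(rules, must_protect=MUST_PROTECT, must_stay_open=MUST_STAY_OPEN,
          paths=CANDIDATES):
    """Return (missed, collateral): sensitive paths no rule covers, and
    legitimate testing paths the rules would take out of scope."""
    hits = simulate(rules, paths)
    missed = [p for p in must_protect if p not in hits]
    collateral = [p for p in must_stay_open if p in hits]
    return missed, collateral


# Three attempts at the same intent, from worst to best.
PREFIX_RULES = [                                  # misses /api/v1/delete,
    ("Starts with", "/api/delete", "Protected"),  # over-blocks the billing report
    ("Starts with", "/admin/billing", "Protected"),
]
INCLUDES_RULES = [                                # covers both delete variants but
    ("Includes", "/delete", "Protected"),         # also hides the docs page
    ("Exactly matches", "/admin/billing/transfer", "Protected"),
]
REGEX_RULES = [                                   # precise: both variants, nothing else
    ("Regexp matches", r"^/api/(v\d+/)?delete$", "Protected"),
    ("Exactly matches", "/admin/billing/transfer", "Protected"),
    ("Exactly matches", "/login", "Auth-only"),   # session endpoint, keep reachable
]

if __name__ == "__main__":
    for name, rules in [("prefix", PREFIX_RULES), ("includes", INCLUDES_RULES),
                        ("regex", REGEX_RULES)]:
        missed, collateral = check(rules)
        print(f"{name:9} missed={missed} collateral={collateral}")
```

Running it shows why the page says to test variations and to confirm legitimate paths stay open: the prefix rules miss `/api/v1/delete` and swallow the read-only billing report, the `Includes` rule catches both delete variants but also the documentation page, and only the regexp rule set reports no misses and no collateral.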
Choose a level for impact demonstration
In the “Impact demonstration” section, choose how intrusively XBOW can investigate the impact of any significant vulnerabilities it finds during this assessment. We recommend that you use the default of “Moderate” unless you have a specific reason to change it.
Each target remembers the level you saved last, so a new assessment or retest of the same target starts with the same setting unless you change it.
Tip: This setting has no impact on the cost of the assessment.
For more information, see Impact demonstration. For guidance on choosing a level, see Limiting impact demonstration.
Start your assessment
Once you’ve reviewed and confirmed your scope configuration:
- Click Start assessment.
- XBOW begins systematically testing your application for vulnerabilities.
- Monitor progress on the assessment dashboard.