NullSquare
workflow · beginner · Reviewed May 18, 2026

Context and prioritization

Turn a finished discovery run into the structured context that makes every later assessment sharper.

Discovery is what the agent does for you on day one. Context is what your team does back. It is the difference between a security program that gets sharper every week and one that runs the same shallow assessment forever.

This guide walks through the loop after a discovery run finishes — what to review, what context to add at the organization and scope levels, and how to write the targeted follow-up goal that produces the first really valuable assessment.

What you will learn

  • Review the result. How to read what discovery actually found.
  • Layer in context. The two levels of context — organization and scope — and what belongs in each.
  • Prioritize. Which assets deserve managed status and a follow-up assessment.
  • Write the next goal. How to phrase the targeted run that follows discovery.

Why this step matters more than people expect

The agent is good at discovering attack surface, but it cannot read your mind about which surface matters to your business. A login page on a marketing microsite and a login page on a payment portal look similar to a port scan; the difference is context, and context is what you supply here.

Teams that skip this step typically run identical-looking discoveries every week and wonder why the findings stay generic. Teams that invest fifteen minutes here see the next assessment produce specific, actionable issues against the assets they actually care about.

Step 1 — Review the discovery output

Start on the run detail page. Open Assets to see what was discovered, Findings to see any early issues, and Activity to see what the agent prioritized during the run.

  • Skim the asset list. Which surfaces are familiar? Which are new? Which are unexpected?
  • Read the early findings — even informational ones often point at where deeper testing would pay off.
  • Look at the run's recommended follow-up priorities. The agent usually surfaces a short list of the highest-value next targets.

Step 2 — Confirm organization-level context

Organization context applies across every scope. If you have not already, fill in the company-level fields. The agent reads them on every run.

  • Business model and what the company sells.
  • Critical workflows (login, checkout, identity, data export, account recovery).
  • Sensitive data classes (PII, PHI, payment data, source code, customer data).
  • Compliance frameworks your team needs to support.
  • Organization-wide hard-no actions (techniques that should never be used).
  • Escalation contacts for high-severity findings.

Step 3 — Strengthen scope context

Scope context is environment-specific. This is where the bulk of post-discovery work happens, and where the highest leverage is.

  • Mission objective — what does success look like in this scope?
  • Rules of engagement — refine testing windows, request rate, exclusions, and forbidden techniques based on what discovery surfaced.
  • Rate and impact limits — tune them now that you know which services are sensitive.
  • Exclusions — add anything discovery found that should be off-limits (third-party services, sensitive admin paths, partner endpoints).
  • Credentials — add a test account or token if discovery surfaced an authenticated workflow worth testing.
  • Repository mappings — map the source repo if you want code-aware findings.
  • Operator notes — anything the agent should know about recent changes, ongoing incidents, or expected oddities.

Step 4 — Enrich the assets that matter

Open each high-value asset and fill in the profile. This is where general discovery becomes specific guidance for the next assessment.

  1. Promote the asset to managed.
  2. Set business criticality, operational criticality, and data sensitivity.
  3. Mark customer-facing or internet-facing flags accurately.
  4. Identify the authentication boundary (login, API key, mTLS, none).
  5. Add an owner team.
  6. Add a one-line criticality reason explaining why this asset matters.

Step 5 — Write a targeted follow-up goal

Now write the goal for the next run. After discovery and context, your goal should name a specific surface, ask a specific security question, and reference the test account or repository you added if relevant. For example:

Review authenticated workflows on the customer portal admin area for IDOR, privilege escalation, and tenant isolation issues. Focus on the billing and user-management endpoints flagged during the discovery run. Use the test account in scope credentials. Stay within the rules of engagement.

The loop, summarized

Discover, contextualize, target, triage, retest, automate. Every scope on the platform benefits from this rhythm. The first time through is a half-day. After that, the loop becomes maintenance — adding new assets as the environment changes, refreshing rules of engagement, and turning steady-state work over to automations.
