workflowbeginnerReviewed May 18, 2026

Discovery-first workflow

Use the first run to map attack surface before you ask the agent to dig deeper.

Why discovery comes first

A new scope rarely has enough context for deep targeted testing. Discovery gives the platform a map of reachable hosts, services, endpoints, technologies, and authentication surfaces.

The operating loop

1Run discovery.
2Review assets and services.
3Promote important assets to managed.
4Fill business criticality, data sensitivity, owner, and authentication context.
5Add credentials or repositories where needed.
6Run a targeted follow-up assessment.
7Triage findings and retest fixes.
8Automate repeated coverage.

What to look for

Admin, auth, billing, checkout, API, gateway, file, VPN, and identity surfaces.
Internal systems found through a private runner.
Assets that handle customer or regulated data.
Hosts with many services or recent findings.
Surfaces that are blocked only because context or credentials are missing.

Quickstart: your first assessment
Assessments and runs
Attack surface and assets

Why discovery comes first

The operating loop

What to look for

Related articles