
Targets and assets

How WASViking represents what you scan, and the difference between a target you declare and an asset the engine discovers.

WASViking® separates two ideas a lot of tools conflate:

  • A target is something you declare. A URL, an OpenAPI document, a SOAP WSDL endpoint, a host with sensitive ports to monitor.
  • An asset is something the engine discovers while scanning a target. A subdomain, a login form, an API path, a GraphQL operation, an exposed port, a TLS certificate.

The distinction matters because the work happens at the asset level. Findings, evidence, Risk Score, and SLA all attach to assets, not to the target you typed in.

Targets

A target is the unit of authorization. WASViking enforces ownership at target creation time. Without ownership proof, the target cannot be scanned. This is policy, not engine code.

A target has:

| Field | Purpose |
|---|---|
| URL | Where the scan starts. |
| Subdomain coverage | Single host or wildcard. Wildcard expands to discovered subdomains. |
| Group | Optional tag for filtering and reports. |
| Scan profile | Default profile for scheduled scans. |
| Auth mode | Form Login, Bearer, Cookie, Header, or unauthenticated. |

Assets

Assets are produced by the Target Discovery Engine and by analyzers as they crawl. The platform tracks five kinds:

| Asset kind | Source |
|---|---|
| Subdomain | DNS enumeration, certificate transparency, headless-browser crawl. |
| URL | Crawl, OpenAPI ingest, Swagger ingest, GraphQL introspection. |
| Login form | Form discovery + AI Form Autofill. |
| Sensitive port | Sensitive port monitoring. |
| Certificate | TLS certificate monitoring. |

Each asset carries a parent reference so chains (host → subdomain → URL → form) survive across scans.

Asset lifecycle and drift

Assets have three lifecycle events the Risk Score and webhooks consume:

  • first_seen: the asset just appeared.
  • disappeared: the asset is no longer reachable.
  • reappeared: the asset returned after a disappeared event.

Asset drift is a signal in itself. A subdomain that disappears and reappears with a different certificate is worth knowing about.
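
An added example (not WASViking code) of how the three lifecycle events can be derived by diffing successive scan results, including the changed-certificate check on reappearance. `AssetState`, `diff_scan`, `replay`, the hostnames and the fingerprints are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class AssetState:                 # hypothetical record, not WASViking's schema
    present: bool
    cert_sha256: Optional[str]    # last fingerprint seen while reachable

def diff_scan(state: Dict[str, AssetState],
              observed: Dict[str, Optional[str]]) -> List[dict]:
    """Compare one scan's observations with stored state, update the
    state in place, and return the lifecycle events that result."""
    events = []
    for name, cert in observed.items():
        prev = state.get(name)
        if prev is None:
            events.append({"event": "first_seen", "asset": name})
        elif not prev.present:
            # Returned after a disappeared event: compare against the
            # certificate recorded before the asset went away.
            events.append({"event": "reappeared", "asset": name,
                           "cert_changed": prev.cert_sha256 != cert})
        state[name] = AssetState(True, cert)
    for name, prev in state.items():
        if prev.present and name not in observed:
            prev.present = False  # keep the old fingerprint for later
            events.append({"event": "disappeared", "asset": name})
    return events

def replay(scans):
    """Feed successive scan results through diff_scan, oldest first."""
    state: Dict[str, AssetState] = {}
    return [diff_scan(state, scan) for scan in scans]

# Constructed sample data: subdomain -> certificate fingerprint (shortened).
SCANS = [
    {"app.example.test": "aa11", "shop.example.test": "bb22"},
    {"app.example.test": "aa11"},
    {"app.example.test": "aa11", "shop.example.test": "cc33"},
]

if __name__ == "__main__":
    for number, events in enumerate(replay(SCANS), 1):
        print(number, events)
```

Keeping the last fingerprint on the stored record after a disappeared event is what makes the comparison possible when the asset returns.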

Subdomain discovery

When an asset is configured with Monitor SSL → Domain and discovered subdomains (set at asset creation time), WASViking continuously enumerates subdomains under the root domain and tracks them as assets in their own right.

How discovery works

| Source | What it brings |
|---|---|
| Certificate transparency logs | New subdomains appear in CT logs as soon as a certificate is issued. WASViking observes those events. |
| Passive DNS | Subdomains visible in DNS records the platform can resolve. |
| Crawl signals | URLs the DAST crawler discovers during scans under the root domain. |

Discovery runs at the root domain level. To opt in for an asset, toggle Monitor SSL with scope Domain and discovered subdomains.

Lifecycle events

Each discovered subdomain is treated as a regular asset and follows the same first_seen / disappeared / reappeared lifecycle as a manually declared one. Webhook events fire identically.

Per-org safeguards

Discovery and the auto-scan that follows are bounded:

  • Per-org cap on how many subdomains a single root can fan out to (driven by your plan).
  • Deny-list of patterns you do not want scanned (staging.*, *.internal.*, dev hostnames).
  • 24-hour cooldown between auto-scans on the same host.
  • TCP probe gate so unreachable subdomains do not consume a scan slot.

Auto-discovery scan

When subdomain monitoring sees a newly enumerated subdomain, WASViking triggers a full-coverage DAST scan automatically (subject to the guards above). Net new attack surface gets evidence within a day, not a quarter.

The same Auto-discovery scan also kicks in for assets created manually with the discovered-subdomains scope as soon as the first enumeration cycle completes.

Asset Inventory

The Asset Inventory page at /portal/inventory/ is a flat, filterable view across every asset every scan has produced. Use it to answer questions like:

  • "Which subdomains run TLS 1.2 only?"
  • "Which assets reappeared last week?"
  • "Which assets have an open finding right now?"
  • "Which assets carry components flagged by KEV?"

The inventory is the foundation for the Exposure Intelligence module and for the Findings risk amplification rules.