Your first scan
Add your first asset, pick a scan template and profile, configure preferences, and read findings.
This walkthrough takes you from a fresh account to a completed scan with findings. The default Starter plan includes everything you need to follow along. The portal flow is two steps: create the asset you want to scan, then configure and run the scan.
Prerequisites
- An active WASViking® organization. If you do not have one, create an account.
- A web application or API you are authorized to test. WASViking enforces ownership via a self-attestation at asset creation.
- Optional: credentials for an authenticated scan.
Step 1 — Add your first asset
In the portal, go to Assets Inventory → Add New Asset.
Asset configuration
| Field | What to put |
|---|---|
| Name | Operator-readable identifier, e.g., Daily Web Scan - Main Portal. |
| Description | Free text, e.g., Monthly risk assessment for compliance. |
| Protocol | https:// or http://. Dropdown. |
| Target URL | The host or full path the asset resolves to, e.g., api.customerportal.com. |
| Monitor SSL | Toggle. When on, the asset's TLS certificate is monitored continuously with severity escalation on expiration, weak chain, or hostname mismatch. |
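The Monitor SSL toggle escalates on expiration and hostname mismatch. As an added example (not WASViking's own code), the following Python reproduces those two checks locally against a certificate in the dict shape `ssl.SSLSocket.getpeercert()` returns, so you can see what the monitor is reacting to. The sample certificate, the severity labels, and the 30-day warning window are constructed assumptions for this example; the weak-chain check the table mentions needs the full chain and is not covered here.

```python
"""Added example: local version of the expiry and hostname checks behind
Monitor SSL. Input is a dict shaped like ssl.getpeercert(); the sample
below is constructed. Severity labels are an assumption, not the product's."""
from datetime import datetime, timedelta, timezone

# Constructed sample certificate in ssl.getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.customerportal.com"),),),
    "subjectAltName": (("DNS", "api.customerportal.com"),
                       ("DNS", "*.customerportal.com")),
    "notAfter": "Jan 15 12:00:00 2026 GMT",
}


def at(iso_day: str) -> datetime:
    """Helper for fixing 'now' in tests: noon UTC on the given YYYY-MM-DD."""
    return datetime.fromisoformat(iso_day).replace(hour=12, tzinfo=timezone.utc)


def _parse_not_after(value: str) -> datetime:
    # getpeercert() renders notAfter as "%b %d %H:%M:%S %Y GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def _san_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN entry (wildcard = one label only)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            # "*.example.com" covers "a.example.com" but not "a.b.example.com"
            # or the bare "example.com".
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def evaluate_cert(cert: dict, hostname: str, now: datetime, warn_days: int = 30):
    """Return a list of (severity, message) findings; empty list means healthy."""
    findings = []
    remaining = _parse_not_after(cert["notAfter"]) - now
    if remaining <= timedelta(0):
        findings.append(("critical", "certificate expired"))
    elif remaining <= timedelta(days=warn_days):
        findings.append(("high", f"certificate expires in {remaining.days} days"))
    if not _san_matches(cert, hostname):
        findings.append(("high", f"hostname {hostname} not in subjectAltName"))
    return findings


if __name__ == "__main__":
    for day in ("2025-12-01", "2026-01-01", "2026-02-01"):
        print(day, evaluate_cert(SAMPLE_CERT, "api.customerportal.com", at(day)))
```

To run it against a live endpoint, replace `SAMPLE_CERT` with the dict from `ssl.create_default_context().wrap_socket(...).getpeercert()` and `at(...)` with `datetime.now(timezone.utc)`.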
Authorization
WASViking enforces ownership at asset creation by self-attestation. In the Authorization section, check:
I confirm that I am authorized to scan this asset.
The attestation is captured in your customer-facing audit log along with the operator and timestamp.
Confirm
Click Add New Asset. The asset becomes available for selection on the New Scan screen.
Step 2 — Configure and run a scan
Go to Scans → New Scan. The screen is a two-column form: configuration tabs on the left, the form on the right. The header bar shows the running summary of TARGET, TEMPLATE, and PROFILE choices.
Step 2.1 — Target & Template
Open the Target & Template tab.
| Field | What to put |
|---|---|
| Target Address | Pick the asset you created in Step 1. |
| Execution Mode | Direct (External) for cloud-egress scans. Pick a Sentinel agent for internal-network targets (see Internal scanning). |
| Scan Template | Full Coverage (System) - Default is selected by default. Pick another saved template if you have one. |
| Override template settings for this scan only | Toggle. When off, the form below is locked to the template's preferences. When on, every field is editable for this run; the template itself is not modified. |
Step 2.2 — Scan Profile
Open the Scan Profile tab. The profile picks the depth of the assessment and the primary compliance catalog. Nine profiles ship by default:
| Profile | Use for |
|---|---|
| Full Coverage (recommended) | Crawl, OWASP injection class, SQLi, XSS, headers, JWT, SOAP, TLS, ports, and every other analyzer in the platform. |
| Web Application | Crawl, headers, OWASP injection class, SQLi, XSS. Ideal for standard web pentest evidence. |
| API and JWT | REST and GraphQL discovery, JWT advanced testing, header hardening. For API-first products. |
| SOAP and WSDL | WSDL ingestion, type-aware envelopes, XXE, XML Bomb, XPath, WS-Security bypass, SOAP-context injection. |
| Network and TLS | Exposed ports, TLS configuration, certificate hygiene, SSL monitoring. No application-layer probes. |
| Custom | Pick analyzers individually. Useful for compliance windows or targeted regression evidence. |
| PCI DSS (compliance) | Targets Requirement 6.5 (web app vulnerabilities), 4.1 (transport encryption), and 8 (authentication). Web crawler, security headers, SQLi, XSS, OWASP injection class, JWT, TLS, and credential exposure. |
| LGPD (compliance) | Mapped to Art. 46 (data protection measures). Same web app + auth + transport coverage as PCI, focused on personal-data surface under Brazilian privacy law. |
| GDPR (compliance) | Targets EU Regulation 2016/679 Art. 32 (security of processing) and Art. 25 (data protection by design). Same surface as LGPD; the report cites the European articles instead. |
Step 2.3 — Per-protocol profiles
The left configuration list shows four protocol-specific entries that can be inspected and adjusted independently of the main Scan Profile. Each shows the current configuration as a status line.
| Protocol entry | Example status |
|---|---|
| JWT Advanced | Wave 1 only |
| SOAP / WSDL | XXE, WS-Security, XML-Enc |
| WebSocket | Enabled |
| GraphQL | Enabled · 10 checks |
Open each to review or change the protocol-specific options. JWT Advanced and SOAP / WSDL are driven by saved profiles; WebSocket and GraphQL are direct toggles plus check selection.
Step 2.4 — Preferences
The Preferences block has four sub-tabs that apply across the scan regardless of profile.
| Tab | What you control |
|---|---|
| Scan Method | Execution Path. Direct (External) for cloud-egress. Via Sentinel Agent for internal targets. See Internal scanning. |
| Authentication | None, Form Login (with AI Form Autofill), Bearer token, Cookie, or Custom header. See Authenticated scanning. |
| Crawl | Custom User-Agent string, excluded paths, depth controls. |
| AI & Compliance | AI Recommendation on/off, primary compliance framework for the report (LGPD, GDPR, PCI DSS, BACEN, ISO 27001). |
Step 2.5 — Run
Click Scan. The scan moves through queued → discovering → scanning → analyzing → done. Typical duration is 8 to 25 minutes depending on the profile and the surface size.
You can leave the page. A notification arrives when the scan completes (email, Slack, Teams, or webhook depending on your integration setup).
Step 3 — Read the findings
Open Findings. Each finding carries:
- Category (SQLi, XSS, SSRF, GraphQL BOLA, and so on).
- Severity and Risk Score 0-100. The Risk Score combines severity with asset criticality, environment, industry, and SLA window.
- CWE, with a single canonical mapping.
- Evidence: payload, raw HTTP request and response, the analyzer that produced it.
- AI recommendation: executive summary, business risk narrative, and a prioritized action. EN, PT-BR, or ES.
- Status workflow: open → accepted | mitigated | false_positive | fixed, with audit log.
Engineering override. The engine's verdict wins on every disagreement with the LLM. AI cannot drift past the engine.
Step 4 — Route alerts
In Integrations, connect Jira, Slack, Teams, or a webhook. Status transitions emit signed webhook events. Routing is per organization.
Where next
- Authenticated scanning at scale. Save a scan template under Scan Templates so every team member runs the same baseline.
- Internal applications. Install the Sentinel agent on a host inside your network.
- CI/CD. Drop the wasviking-sentinel binary in your pipeline for SBOM, secrets, or a policy-driven scan gate. See Sentinel CI.
- Compliance. Open the Compliance tab on the scan report to see per-control mapping across PCI DSS, LGPD, GDPR, BACEN, and ISO 27001:2022.
