Platform overview
What sits inside WASViking, how the pieces fit together, and what you get out.
WASViking is built around deep deterministic engines with a thin, deliberate AI layer on top: the engines detect, and the AI layer explains, prioritizes, and plans, but does not detect. The platform is delivered as SaaS, with an optional on-premises agent for internal scope.
High-level architecture
The platform has four customer-facing components:
| Component | Role |
|---|---|
| Portal | Web console where customers configure organizations, targets, scans, and review findings. Multi-tenant, RBAC, SAML SSO. |
| API | Public REST API plus the scanning orchestration layer. Hosts every analyzer under one engine fabric. |
| Sentinel agent | Go binary the customer installs on-premises. Dials outbound over mTLS to open a tunnel for internal scanning (outbound-only; the agent exposes no inbound listener). Also runs SBOM generation and secrets scanning locally. |
| Marketing and docs | This site, plus wasviking.com. |
How a scan flows
- Discovery. Target Discovery maps the attack surface: headless-browser SPA crawl, OpenAPI ingest, GraphQL introspection, robots.txt and sitemap parsing, and CSRF-aware login.
- Environment Profile. A per-host fingerprint is captured: stack, protocols, defenses, auth surface, and frontend rendering. It is shared with every analyzer.
- Authenticated session. If the scan profile uses Form Login, AI Form Autofill detects the form selectors, classifies compatibility, and establishes one shared authenticated session that all analyzers reuse.
- Analyzers run. 17 deterministic analyzers cover seven of the OWASP Top 10 web application risk categories, plus modern protocol coverage. The injection-class analyzer consolidates 11 detectors into a single pass.
- Findings written. Each finding gets a stable fingerprint (so the same issue keeps its identity across scans), a primary risk category, a CWE mapping, and a Risk Score from 0 to 100.
- AI layer. An LLM produces the executive summary, the business risk narrative, and the prioritized action. If the LLM's verdict disagrees with the engine's, the engine override forces it to match the engine: the deterministic result is authoritative.
- Routing. Status transitions emit webhook events. Alerts route to Slack, Teams, a webhook, or email according to the organization's configuration.
What you get out
A scan produces:
- Findings with payload, evidence, raw HTTP transcript, AI recommendation, CWE, Risk Score, SLA window, and compliance control mapping.
- Asset Inventory updated with `first_seen`, `disappeared`, and `reappeared` events.
- PDF report with brand cover, executive summary, findings detail, and compliance tab.
- API access to the same data via the public REST API.
- Exploit Path Graph updates if the scan produced chains.
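The Asset Inventory events above are the result of reconciling what a scan observed against what the inventory already holds. The following is an added example of that reconciliation, not WASViking's own code; the `AssetRecord` shape, the `scan_complete` guard and the asset keys are assumptions for the illustration. The guard matters: a scan that failed part-way (agent tunnel dropped, rate-limited) sees fewer assets, and without it every unreachable asset would be reported as `disappeared`.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class AssetRecord:
    """Assumed inventory row for the example."""
    key: str          # asset identity, e.g. "api.example.test:443"
    first_seen: str   # timestamp of the scan that first observed it
    last_seen: str    # timestamp of the most recent scan that observed it
    present: bool = True


Event = Tuple[str, str]  # (event type, asset key)


def reconcile_inventory(inventory: Dict[str, AssetRecord],
                        observed: Iterable[str],
                        scan_time: str,
                        scan_complete: bool = True) -> Tuple[Dict[str, AssetRecord], List[Event]]:
    """Return (updated inventory, events) for one scan.

    - assets observed for the first time        -> first_seen
    - assets observed that were marked absent   -> reappeared
    - assets not observed by a *complete* scan  -> disappeared
    An incomplete scan never emits disappeared events, because absence of
    evidence from a partial scan is not evidence of absence.
    """
    seen = set(observed)
    # Work on a copy so the caller's inventory is untouched on failure.
    inv = {k: AssetRecord(r.key, r.first_seen, r.last_seen, r.present) for k, r in inventory.items()}
    events: List[Event] = []

    for key in sorted(seen):
        rec = inv.get(key)
        if rec is None:
            inv[key] = AssetRecord(key, scan_time, scan_time, True)
            events.append(("first_seen", key))
        elif not rec.present:
            rec.present = True
            rec.last_seen = scan_time
            events.append(("reappeared", key))
        else:
            rec.last_seen = scan_time

    if scan_complete:
        for key in sorted(inv):
            rec = inv[key]
            if rec.present and key not in seen:
                rec.present = False            # keep the row; history is the point
                events.append(("disappeared", key))

    return inv, events


if __name__ == "__main__":
    # Constructed sequence of three scans over two hostnames.
    inv: Dict[str, AssetRecord] = {}
    for t, hosts, complete in [
        ("2024-01-01T00:00:00Z", {"a.example.test:443", "b.example.test:443"}, True),
        ("2024-01-02T00:00:00Z", {"a.example.test:443"}, True),    # b gone
        ("2024-01-03T00:00:00Z", {"a.example.test:443"}, False),   # partial scan: no events
        ("2024-01-04T00:00:00Z", {"a.example.test:443", "b.example.test:443"}, True),
    ]:
        inv, events = reconcile_inventory(inv, hosts, t, scan_complete=complete)
        print(t, events)
```

Keeping the row with `present=False` rather than deleting it is what makes `reappeared` distinguishable from `first_seen`, and it preserves the original `first_seen` timestamp for the asset's lifetime.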
What is in scope
WASViking covers:
- External web applications and APIs (REST, OpenAPI, GraphQL, SOAP/WSDL, WebSocket, JWT-protected endpoints).
- Internal web applications and APIs reachable through a Sentinel agent.
- Software supply chain via SBOM N1 (cloud-side) and N2 (on-premises, via the Sentinel agent).
- Secrets in source code and git history via the Sentinel agent.
- SSL/TLS certificate monitoring and TLS configuration.
- Sensitive port and subdomain monitoring with auto-discovery scan.
- Edge adversary traffic correlation via Cloudflare integration.
Next steps
- New to the platform: Your first scan.
- Operating internally: read about the Sentinel agent (full section coming soon).
- Integrating with CI/CD: Sentinel CI gates (full section coming soon).
