Your First Scan
With your assets added and verified, you are ready to run your first security scan. Detectify offers two scanning approaches, each designed for different use cases.
Surface Monitoring vs. Application Scanning
Before starting, it helps to understand the two scanning modes available in Detectify.
Surface Monitoring
Surface Monitoring runs automatically and continuously across your entire attack surface. It discovers subdomains, identifies exposed services, and detects common misconfigurations and vulnerabilities at scale. You do not need to create scan profiles or schedule runs. Surface Monitoring begins working as soon as your assets are verified.
Surface Monitoring is best for:
- Continuous visibility into your external attack surface
- Discovering unknown subdomains and services
- Detecting configuration issues like exposed admin panels, open databases, and certificate problems
Application Scanning
Application Scanning performs deep, targeted vulnerability testing against specific web applications. It crawls pages, submits forms, and fuzzes inputs to find vulnerabilities such as SQL injection, cross-site scripting (XSS), and authentication flaws. Application Scanning requires you to create a scan profile and either start it manually or set up a schedule.
Application Scanning is best for:
- Testing specific web applications before or after deployment
- Deep vulnerability testing that goes beyond surface-level checks
- Scheduled scans as part of your development lifecycle
Creating a Scan Profile
To run an Application Scan, you first need a scan profile that defines what to test.
- Navigate to Application Scanning > Scan Profiles.
- Click Create Scan Profile.
- Enter the target URL (for example,
https://app.example.com). - Configure the scan scope. You can limit the scan to specific paths or allow it to crawl the entire application.
- If your application requires authentication, provide login credentials or session cookies so the scanner can access protected areas.
- Click Save.
Starting Your First Scan
Application Scanning
Once your scan profile is ready:
- Go to Application Scanning > Scan Profiles.
- Select the profile you created.
- Click Start Scan.
The scan begins immediately. Depending on the size and complexity of your application, a scan can take anywhere from a few minutes to several hours.
You can also schedule recurring scans by selecting Schedule on the scan profile and choosing a frequency (daily, weekly, or monthly).
Surface Monitoring
Surface Monitoring starts automatically after your assets are verified. No additional configuration is needed. To check its progress, navigate to Surface Monitoring > Overview, where you can see discovered assets and any findings detected so far.
Understanding Your Results
After a scan completes, Detectify presents findings organized by severity.
| Severity | Description |
|---|---|
| Critical | Vulnerabilities that can be exploited immediately with significant impact, such as remote code execution or authentication bypass. |
| High | Serious issues that could lead to data exposure or unauthorized access with some additional effort. |
| Medium | Vulnerabilities that pose moderate risk, often requiring specific conditions to exploit. |
| Low | Minor issues or informational findings, such as missing security headers or version disclosures. |
For each finding, Detectify provides:
- A description of the vulnerability and why it matters
- The exact location where the issue was found (URL, parameter, or header)
- Steps to reproduce the issue
- Remediation guidance with specific actions to fix the problem
What to Do Next
- Triage critical and high findings first. Focus on the issues with the greatest potential impact.
- Assign findings to the responsible teams. Use integrations to send findings to Jira, Slack, or your preferred workflow tool.
- Rescan after applying fixes. Run a follow-up scan to confirm that vulnerabilities have been resolved.
- Set up scheduled scans to catch new vulnerabilities as your applications change over time.