How to Set Up a Web App Target
Last updated: June 18, 2026
Introduction
This guide walks you through setting up a web application target after target verification is complete.
Prerequisites
Defining a Target for the Vulnerability Scanner: Webapp Scanner
What Are the Prerequisites for a Web Application Pentest?: Webapp Pentest
Instructions
Once your target is verified, it moves to the Pending Setup state. This happens either after the target is activated by the client, or after you purchase the target.

Click Setup Target.
Add the URL you want the scanner to scan.
Enter a name for the target. Use the official business name, and ensure it matches the name on your pentest certificate.
Select the environment: Production or Staging.

Select the domain and URL scope you want to scan. Choose from:
Starting URL
Subdomain
All subdomains

Set up Authenticated Scans. Add a login recording along with the credentials so the scanner can crawl your website successfully.
If you use MFA or an authenticator app, add a custom script after completing the login recording, then add the user credentials.

Add multiple users if needed.
Set the Coverage for the scan. Add any API documents or additional scopes around the website you want included.
Add API definition scopes from Hopscotch, a HAR file, or a Postman collection, along with the relevant URL.


Add Additional Hosts if needed. You can add multiple hosts along with their authentication details.
Select the scan type:
One-time scan
Scheduled scan (daily or weekly)

Click Start Scan.
Expected Outcome
The scan status appears on the right-hand side of the screen, along with vulnerabilities as they are detected and their details.
Once the scan is complete, the site map becomes visible, showing all crawled pages along with any vulnerabilities found.
Best Practices
Use your official registered business name when naming the target so it matches your pentest certificate.
Double-check the environment selection (Production vs. Staging) before starting the scan to avoid scanning the wrong environment.
For sites behind MFA, always complete the custom script setup before starting the scan, or the crawler may fail to authenticate.
Keep API definition files (Postman collection, JSON, etc.) up to date to ensure full coverage during the scan.
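Before a HAR file is added under Coverage, it helps to know which hosts and endpoints the capture contains and whether it recorded cookies or Authorization headers. The script below is an added example, not part of the product or the original guide. The function name, the target host and the sample HAR are constructed for illustration, and how the scanner itself processes HAR files is not described here.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Request headers that normally hold live credentials in a browser capture.
SENSITIVE = {"authorization", "cookie"}

def summarize_har(har_text, target_host):
    """Group HAR requests by host, list hosts other than the target,
    and count requests whose headers carry credentials."""
    entries = json.loads(har_text)["log"]["entries"]
    endpoints = defaultdict(set)
    with_creds = 0
    for entry in entries:
        req = entry["request"]
        parts = urlsplit(req["url"])
        host = (parts.hostname or "").lower()
        # Query strings are dropped so /api/users?page=2 and ?page=3 count once.
        endpoints[host].add((req["method"].upper(), parts.path or "/"))
        names = {h["name"].lower() for h in req.get("headers", [])}
        if names & SENSITIVE:
            with_creds += 1
    other_hosts = sorted(h for h in endpoints if h != target_host.lower())
    return {
        "endpoints": {h: sorted(e) for h, e in endpoints.items()},
        "other_hosts": other_hosts,
        "requests_with_credentials": with_creds,
    }

# Constructed sample HAR (example.test hosts), not a real capture.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/api/users?page=2",
                 "headers": [{"name": "Cookie", "value": "session=REDACTED"}]}},
    {"request": {"method": "get", "url": "https://app.example.test/api/users?page=3",
                 "headers": []}},
    {"request": {"method": "POST", "url": "https://auth.example.test/oauth/token",
                 "headers": [{"name": "Authorization", "value": "Basic REDACTED"}]}},
    {"request": {"method": "GET", "url": "https://cdn.example.test",
                 "headers": []}},
]}})

if __name__ == "__main__":
    report = summarize_har(SAMPLE_HAR, "app.example.test")
    for host, eps in report["endpoints"].items():
        for method, path in eps:
            print(host, method, path)
    print("hosts outside the target:", report["other_hosts"])
    print("requests carrying credentials:", report["requests_with_credentials"])
```

Hosts listed as outside the target are candidates for Additional Hosts, and a non-zero credential count means the capture should be reviewed before it is shared.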