Run a pentest¶
This guide covers the three kinds of scan you can run against an authorized target: a web scan, an API/OpenAPI scan, and an authenticated scan that tests behind a login.
Authorized testing only
Only scan systems you own or have explicit written permission to test.
Web scan¶
- Open the console and go to Pentest (`/scan`).
- Enter the target URL (for example `https://app.example.com`).
- Choose a depth: Recon, Full, or AI.
- Confirm you are authorized to test the target, then start the scan.
The phase timeline streams live — each phase reports running → done with its duration, so you can see progress and which phases take longest. A coverage indicator shows how much of the target was tested.
API / OpenAPI scan¶
Vex Raptor attacks documented API endpoints in two ways:
Full / AI pentest (auto-discovery)¶
At Full or AI depth, the engine auto-discovers OpenAPI/Swagger specs
(common paths such as /openapi.json, /swagger, /api-docs) and runs the
API Spec phase against documented endpoints. Use your API base URL as the
target — no separate upload step in the Pentest form.
Documented endpoints are converted into injection points and tested for IDOR/BOLA, mass assignment, missing rate limiting, and the standard injection classes, alongside the points derived from the crawl.
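The conversion step above, shown as an added example rather than Vex Raptor's own code: a constructed minimal OpenAPI 3 document is flattened so that every documented parameter and JSON body field becomes an injection point, integer path parameters are marked as IDOR/BOLA candidates, and fields that a resource exposes on GET but does not accept in its write body are marked as mass-assignment candidates. The spec, the `idor_bola`/`mass_assignment` labels and the heuristics are assumptions made for the illustration, not the engine's actual rules.

```python
"""Turn documented OpenAPI endpoints into injection points (added example)."""

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

SPEC = {  # constructed minimal OpenAPI 3 document for the demo
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {"responses": {"200": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"id": {"type": "integer"},
                               "email": {"type": "string"},
                               "is_admin": {"type": "boolean"}}}}}}}},
            "put": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "properties": {"email": {"type": "string"}}}}}},
                    "responses": {"200": {"description": "updated"}}},
        },
        "/search": {
            "get": {"parameters": [
                {"name": "q", "in": "query", "schema": {"type": "string"}},
                {"name": "X-Tenant", "in": "header", "schema": {"type": "string"}}]},
        },
    },
}


def _json_schema(container):
    """Pull the application/json schema out of a requestBody or a response object."""
    return container.get("content", {}).get("application/json", {}).get("schema", {})


def _body_fields(op):
    return set(_json_schema(op.get("requestBody", {})).get("properties", {}))


def _response_fields(op):
    fields = set()
    for resp in op.get("responses", {}).values():
        fields |= set(_json_schema(resp).get("properties", {}))
    return fields


def injection_points(spec):
    """Flatten every documented parameter and JSON body field into one point each."""
    points = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])          # path-level parameters apply to all ops
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            m = method.upper()
            for p in shared + op.get("parameters", []):
                points.append({"method": m, "path": path, "name": p["name"],
                               "in": p["in"], "type": p.get("schema", {}).get("type")})
            for name, sub in _json_schema(op.get("requestBody", {})).get("properties", {}).items():
                points.append({"method": m, "path": path, "name": name,
                               "in": "body", "type": sub.get("type")})
    return points


def classify(point):
    """Test classes for a point; every point gets the standard injection set (assumed labels)."""
    classes = ["injection"]
    if point["in"] == "path" and (point["type"] == "integer" or point["name"].lower().endswith("id")):
        classes.append("idor_bola")                  # object reference in the URL
    return classes


def mass_assignment_candidates(spec):
    """Fields readable on GET but missing from the write body of the same resource.

    Heuristic (assumption): if the server binds the whole JSON object, a PUT that
    quietly accepts 'is_admin' is the classic mass-assignment bug, so such
    read-only fields are worth sending in the write body.
    """
    candidates = {}
    for path, item in spec.get("paths", {}).items():
        readable = _response_fields(item.get("get", {}))
        for method in ("put", "patch", "post"):
            if method in item:
                extra = readable - _body_fields(item[method]) - {"id"}
                if extra:
                    candidates[(method.upper(), path)] = sorted(extra)
    return candidates


if __name__ == "__main__":
    for pt in injection_points(SPEC):
        print(pt["method"], pt["path"], pt["in"], pt["name"], classify(pt))
    print("mass assignment candidates:", mass_assignment_candidates(SPEC))
```

A real spec also carries `$ref` schemas and `components`; resolving those is the main extra work a production converter needs, and it is deliberately left out here.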
API Scanner (dedicated view)¶
For a scan focused on a spec you already know, open API Scanner
(/api-scanner), paste the OpenAPI/Swagger URL or upload the spec, and run from
there.
Pentest · API mode
/scan?mode=api shows a hint that OpenAPI is auto-discovered at Full/AI
depth — it does not replace the API Scanner for explicit spec-driven runs.
Authenticated scan¶
To test behind a login, expand Authenticated Scan on the Pentest form:
| UI field | What it does |
|---|---|
| Bearer token | Sets Authorization: Bearer <token> on outbound requests |
| Login URL + username + password | POSTs to your login endpoint and reuses the session cookies |
The engine applies credentials to injection phases and verifies the session is live before attacking; if the session looks unauthenticated it warns you in the run metadata.
API-only auth options
The REST API also accepts header_name / header_value and form-field
names via auth on POST /api/v1/pentest/scan-stream. The console UI
currently exposes bearer token and form login only — not raw cookie paste or
custom headers.
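The liveness check the Authenticated scan section describes, as an added example that is not Vex Raptor's own code: form credentials are POSTed, the session cookies are kept, and a page that should look different to a logged-in user is fetched once with the session and once anonymously. Identical responses mean the session is not live and a scan would silently run unauthenticated. The mock target (its `/login` and `/account` paths, the `sid` cookie and the credentials) is constructed for the demo; it runs on a local port so the example works offline.

```python
"""Verify that login credentials produce a live session before scanning (added example)."""
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USER, VALID_PASS = "alice", "correct-horse"   # constructed credentials
SESSION_COOKIE = "sid=demo-session-token"            # constructed session cookie


class _MockTarget(BaseHTTPRequestHandler):
    """Constructed stand-in app: POST /login sets the cookie, /account requires it."""

    def log_message(self, *args):          # silence per-request logging
        pass

    def _send(self, status, body=b"", headers=()):
        self.send_response(status)
        for k, v in headers:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(n).decode())
        ok = (self.path == "/login" and form.get("username") == [VALID_USER]
              and form.get("password") == [VALID_PASS])
        if ok:   # apps usually redirect after login; the cookie rides on the 302
            self._send(302, headers=[("Set-Cookie", SESSION_COOKIE + "; Path=/; HttpOnly"),
                                     ("Location", "/account")])
        else:
            self._send(401, b"bad credentials")

    def do_GET(self):
        if self.path == "/account" and SESSION_COOKIE in self.headers.get("Cookie", ""):
            self._send(200, b"Welcome back, alice")
        elif self.path == "/account":          # anonymous: bounce to the login page
            self._send(302, headers=[("Location", "/login")])
        else:
            self._send(200, b"Please sign in")


def form_login(base_url, login_path, username, password):
    """POST the login form and return an opener that carries the session cookies."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    try:
        opener.open(base_url + login_path, data=data, timeout=5).close()
    except urllib.error.HTTPError:
        pass  # rejected login leaves the jar empty; the liveness check reports it
    return opener, jar


def _fetch(opener, url):
    with opener.open(url, timeout=5) as r:
        return r.geturl(), r.read()        # final URL after redirects, plus body


def session_is_live(opener, base_url, probe_path):
    """Compare an authenticated fetch of the probe page with an anonymous one."""
    anonymous = urllib.request.build_opener()      # no cookie jar at all
    return _fetch(opener, base_url + probe_path) != _fetch(anonymous, base_url + probe_path)


def check_credentials(username, password):
    """Start the mock target, log in, and report whether the session is live."""
    server = HTTPServer(("127.0.0.1", 0), _MockTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        opener, jar = form_login(base_url, "/login", username, password)
        live = session_is_live(opener, base_url, "/account")
        return {"live": live, "cookies": sorted(c.name for c in jar)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(check_credentials(VALID_USER, VALID_PASS))    # live session
    print(check_credentials(VALID_USER, "wrong"))       # would warn: unauthenticated
```

The probe page should be one that genuinely differs for a logged-in user (an account or profile page); probing the landing page often looks identical either way and gives a false "live" result. The same comparison works for a bearer token by building the opener with a fixed `Authorization` header instead of a cookie jar.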
While the scan runs¶
- Phases are fail-soft and time-boxed — one phase failing will not abort the run.
- Findings stream in as they are confirmed.
- For blind classes (findings that produce no in-band response and can only be confirmed through an out-of-band callback), enable OOB confirmation (`OOB_ENABLED=true`) for the deepest coverage.
After the scan¶
- Read the report
- Verify a remediation after you fix something
- Automate it with the CI Gate