Run a pentest

This guide covers running a scan against an authorized target in each of the three modes: web, API, or authenticated.

Authorized testing only

Only scan systems you own or have explicit written permission to test.

Web scan

  1. Open the console and go to Pentest (/scan).
  2. Enter the target URL (for example https://app.example.com).
  3. Choose a depth: Recon, Full, or AI.
  4. Confirm you are authorized to test the target, then start the scan.

The phase timeline streams live — each phase reports running → done with its duration, so you can see progress and which phases take longest. A coverage indicator shows how much of the target was tested.

API / OpenAPI scan

Vex Raptor attacks documented API endpoints in two ways:

Full / AI pentest (auto-discovery)

At Full or AI depth, the engine auto-discovers OpenAPI/Swagger specs (common paths such as /openapi.json, /swagger, /api-docs) and runs the API Spec phase against documented endpoints. Use your API base URL as the target — no separate upload step in the Pentest form.

Documented endpoints are converted into injection points and tested for IDOR/BOLA, mass assignment, rate limits, and the standard injection classes alongside crawl-derived points.
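The conversion described above, as an added illustration (not Vex Raptor's own code): a small OpenAPI walker that turns each documented path, query and body parameter into a test point, the way a spec-driven phase would before any crawl-derived points are merged in. The spec embedded below is constructed for the example and the function names are this example's own.

```python
"""Enumerate the testable surface of an OpenAPI document.

Added illustration of how a spec-driven scan phase turns documented
endpoints into a list of parameters to exercise. It is not Vex Raptor's
own code; the spec below is constructed for the example.
"""
import json

# Constructed minimal OpenAPI 3 document (not from any real service).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True},
                    {"name": "fields", "in": "query"},
                ]
            },
            "patch": {
                "parameters": [{"name": "id", "in": "path", "required": True}],
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "type": "object",
                                "properties": {
                                    "email": {"type": "string"},
                                    "role": {"type": "string"},
                                },
                            }
                        }
                    }
                },
            },
        },
        "/login": {
            "post": {
                "requestBody": {
                    "content": {
                        "application/x-www-form-urlencoded": {
                            "schema": {
                                "type": "object",
                                "properties": {
                                    "username": {"type": "string"},
                                    "password": {"type": "string"},
                                },
                            }
                        }
                    }
                }
            }
        },
    },
})

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def enumerate_test_points(spec_json):
    """Return one (METHOD, path, location, name) tuple per documented parameter.

    Path and query parameters come from the operation's ``parameters`` list
    (path-level ``parameters`` are inherited by every operation); body fields
    come from the top-level properties of each requestBody schema.
    """
    spec = json.loads(spec_json)
    points = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skips path-level keys such as "parameters"
            for p in shared + op.get("parameters", []):
                points.append((method.upper(), path, p.get("in", "query"), p["name"]))
            body = op.get("requestBody", {}).get("content", {})
            for media in body.values():
                props = media.get("schema", {}).get("properties", {})
                for name in props:
                    points.append((method.upper(), path, "body", name))
    return points


def summarize(points):
    """Count test points per location so coverage can be reported."""
    counts = {}
    for _, _, location, _ in points:
        counts[location] = counts.get(location, 0) + 1
    return counts


if __name__ == "__main__":
    pts = enumerate_test_points(SAMPLE_SPEC)
    for method, path, loc, name in pts:
        print(f"{method:6} {path:15} {loc:6} {name}")
    print(summarize(pts))
```

The per-location summary is the useful part for a reader of the coverage indicator: it shows how much of the documented surface the spec actually describes, and therefore how much a spec-driven phase can reach without crawling.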

API Scanner (dedicated view)

For a scan focused on a spec you already know, open API Scanner (/api-scanner), paste the OpenAPI/Swagger URL or upload the spec, and run from there.

Pentest · API mode

/scan?mode=api shows a hint that OpenAPI is auto-discovered at Full/AI depth — it does not replace the API Scanner for explicit spec-driven runs.

Authenticated scan

To test behind a login, expand Authenticated Scan on the Pentest form:

  • Bearer token: sets Authorization: Bearer <token> on outbound requests.
  • Login URL + username + password: POSTs to your login endpoint and reuses the session cookies.

The engine applies credentials to injection phases and verifies the session is live before attacking; if the session looks unauthenticated it warns you in the run metadata.

API-only auth options

The REST API also accepts header_name / header_value and form-field names via auth on POST /api/v1/pentest/scan-stream. The console UI currently exposes bearer token and form login only — not raw cookie paste or custom headers.
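The two behaviours described in this section and the one above (credentials applied to outbound requests, and a liveness check before any injection phase) as an added illustration, not Vex Raptor's own code: `build_auth_headers` maps the bearer-token and API-only `header_name`/`header_value` options onto request headers, and `session_looks_authenticated` is one plausible heuristic for the "session looks unauthenticated" warning. The `auth` dict layout, the function names and the response fixtures are constructed for the example.

```python
"""Apply scan credentials and verify the session is live before testing.

Added illustration of turning auth settings into request headers and of
checking that an authenticated session actually looks authenticated. It is
not Vex Raptor's own code; the response fixtures and the `auth` dict layout
are constructed for the example.
"""
from urllib.parse import urlparse


def build_auth_headers(auth):
    """Translate auth settings into outbound request headers.

    ``bearer_token`` mirrors the console's Bearer token field; ``header_name``
    / ``header_value`` mirror the API-only custom-header option. Cookies
    obtained from a form login live in a session object instead, so they
    are not handled here.
    """
    headers = {}
    if auth.get("bearer_token"):
        headers["Authorization"] = f"Bearer {auth['bearer_token']}"
    if auth.get("header_name") and auth.get("header_value"):
        headers[auth["header_name"]] = auth["header_value"]
    return headers


def session_looks_authenticated(status, headers, body, login_url=None):
    """Heuristic liveness check run once before any injection phase.

    Returns (ok, reason). The session is treated as unauthenticated when the
    probe is rejected outright, bounced to the login page, or answered with a
    login form instead of application content.
    """
    if status in (401, 403):
        return False, f"probe returned HTTP {status}"
    if status in (301, 302, 303, 307, 308):
        location = headers.get("Location", "")
        if login_url and urlparse(location).path == urlparse(login_url).path:
            return False, f"probe redirected to login page {location}"
        return False, f"probe redirected to {location or '<missing Location>'}"
    lowered = body.lower()
    if 'type="password"' in lowered or 'name="password"' in lowered:
        return False, "probe body contains a login form"
    return True, "probe answered with authenticated content"


# Constructed responses to the probe request (not real traffic).
PROBES = {
    "live": (200, {}, "<h1>Account settings</h1><p>Signed in as alice</p>"),
    "bounced": (302, {"Location": "/login?next=/settings"}, ""),
    "expired": (200, {}, '<form action="/login"><input type="password" name="password"></form>'),
    "forbidden": (403, {}, "Forbidden"),
}


def check_all(login_url="https://app.example.com/login"):
    """Evaluate each fixture; returns {name: ok}."""
    return {name: session_looks_authenticated(*resp, login_url=login_url)[0]
            for name, resp in PROBES.items()}


if __name__ == "__main__":
    print(build_auth_headers({"bearer_token": "constructed-token"}))
    for name, (status, hdrs, body) in PROBES.items():
        ok, reason = session_looks_authenticated(
            status, hdrs, body, login_url="https://app.example.com/login")
        print(f"{name:10} {'OK ' if ok else 'WARN'} {reason}")
```

The point of running the check before the injection phases rather than after is cost: an expired cookie or a mistyped bearer token otherwise produces a full run of findings that only describe the unauthenticated surface, which is why the engine surfaces the warning in the run metadata.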

While the scan runs

  • Phases are fail-soft and time-boxed — one phase failing will not abort the run.
  • Findings stream in as they are confirmed.
  • For blind classes, enable OOB confirmation (OOB_ENABLED=true) for the deepest coverage.

After the scan