
Quickstart: URL scan (DAST)

Point Pencheff at a live URL and get a verified, exploit-first assessment with OWASP Top 10 mapping in 5-40 minutes depending on the profile. The same engine drives the SaaS dashboard, the CLI, and the MCP tools — pick whichever surface matches your workflow.

⚠️

Authorization is mandatory. Every scan API call carries a consent_payload. Run only against systems you own or have written permission to test. Pencheff will refuse to scan otherwise.

1. Pick a target

Scenario                              What to point at              Profile to start with
Public marketing site                 https://acme.com              quick
Production web app                    https://app.acme.com          standard
API behind a token                    https://api.acme.com/v1       standard (with auth header)
Stage / pre-prod, exhaustive sweep    https://stage.acme.com        deep
Single-page app / SPA                 https://app.acme.com          standard (Playwright crawl auto-engages)

2. Run it

  1. Open app.pencheff.com, sign in, click Register target.
  2. Paste the URL, optionally add credentials, scope, and exclude paths.
  3. Pick a profile (standard is the default balanced run).
  4. Click Start scan — you’ll be redirected to a live progress page. Stages stream over SSE.
  5. When it finishes, browse findings by severity, OWASP category, or compliance framework.

3. Read the result

  • Findings appear in the unified queue with severity, CVSS v3.1 + v4.0, OWASP category, and compliance fan-out.
  • Every finding a scanner flags is re-tested by test_endpoint; by default the report contains only the rows test_endpoint confirmed as true_positive, so unconfirmed scanner hits are not listed.
  • deep profiles attach a STRIDE / DREAD threat model and a compliance rollup to the scan.
  • The DOCX report carries an executive summary, the findings register, the compliance appendix, and (for deep) the threat model.

Common gotchas

  • Cloudflare / WAF returns 403. Add the WAF’s session cookie via the dashboard’s Headers row on the target. scan_waf will detect and tag the WAF; payloads adapt automatically.
  • SPA returns a blank shell. Use standard or deep — both trigger the Playwright crawler. quick only runs the fast HTTP crawler.
  • Rate-limited target. Use the dashboard’s Throttle card on the target to cap requests-per-second; the engine slows every dispatcher.
  • Auth flow is not OIDC. Record a login macro once via the dashboard’s Authentication card; the macro attaches to the target and replays on every scan.
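Each of the gotchas above shows up in the target's very first HTTP response, so it is worth probing the URL once before you register it and choose a profile. The script below is an added example and is not Pencheff's code or part of its CLI or API: it fetches the target with plain urllib and maps the response onto the four gotchas (WAF 403, blank SPA shell, rate limiting, missing auth) with the remediation the quickstart gives for each. The WAF header signatures and the blank-shell heuristic are this example's own assumptions, and the hostnames are the acme.com placeholders used in the table above.

```python
"""Pre-flight triage for a DAST target before registering it.

Added example, not part of Pencheff or its documentation. It issues one GET
against the candidate URL and reports which quickstart gotchas the response
suggests, so the profile, Headers row, Throttle card or login macro can be set
before the first scan. Header signatures and heuristics are assumptions of
this example, not behaviour of the Pencheff engine.
"""
import re
import urllib.error
import urllib.request

# Response headers that identify common WAF / CDN front-ends.
# (header, substring) pairs; an empty substring means "header present".
# This list is an assumption of the example, not scan_waf's fingerprint set.
WAF_HEADER_SIGNATURES = {
    "cloudflare": [("server", "cloudflare"), ("cf-ray", "")],
    "akamai": [("server", "akamaighost")],
    "aws-waf": [("x-amzn-waf-action", "")],
}


def detect_waf(headers):
    """Return the WAF/CDN name whose header signature matches, or None."""
    lower = {k.lower(): str(v).lower() for k, v in headers.items()}
    for name, signatures in WAF_HEADER_SIGNATURES.items():
        for header, needle in signatures:
            if header in lower and (needle == "" or needle in lower[header]):
                return name
    return None


def looks_like_spa_shell(body):
    """Heuristic: an HTML document that loads scripts but has almost no visible text.

    That is what the fast HTTP crawler sees on a SPA before JavaScript runs.
    """
    if "<html" not in body.lower():
        return False
    without_scripts = re.sub(r"<script\b.*?</script>", "", body, flags=re.S | re.I)
    visible_words = len(re.sub(r"<[^>]+>", " ", without_scripts).split())
    script_tags = len(re.findall(r"<script\b", body, flags=re.I))
    return script_tags >= 1 and visible_words < 20


def triage(status, headers, body):
    """Map one HTTP response to the quickstart's gotchas and the fix for each.

    Returns a list of "label: what to do" strings; an empty list means no
    gotcha was detected on this response.
    """
    findings = []
    header_names = {k.lower() for k in headers}
    waf = detect_waf(headers)

    if status == 403 and waf:
        findings.append(f"waf-403:{waf}: add the WAF session cookie on the target's Headers row")
    elif status == 403:
        findings.append("forbidden: confirm scope and ACLs before scanning")
    if status == 401:
        findings.append("auth-required: add an auth header or record a login macro")
    if status == 429 or "retry-after" in header_names:
        findings.append("rate-limited: cap requests-per-second with the Throttle card")
    if status == 200 and looks_like_spa_shell(body):
        findings.append("spa-shell: use standard or deep so the Playwright crawler engages")
    return findings


def preflight(url, extra_headers=None, timeout=10):
    """GET the target once (urllib follows redirects) and triage the final response.

    extra_headers lets you pass the same Authorization header you would put on
    the target, e.g. for the "API behind a token" row of the table.
    """
    request = urllib.request.Request(url, headers=extra_headers or {}, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read(65536).decode("utf-8", "replace")
            return triage(response.status, dict(response.headers), body)
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive here; the status and headers are still the useful signal.
        body = err.read(65536).decode("utf-8", "replace")
        return triage(err.code, dict(err.headers), body)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://app.acme.com"
    for line in preflight(target) or ["no gotchas detected on the first response"]:
        print(line)
```

Run it as `python preflight.py https://app.acme.com` (placeholder host) against a target you are authorized to test; pass `extra_headers={"Authorization": "Bearer ..."}` when calling `preflight` for a token-protected API. A `waf-403` result does not mean the scan cannot run, only that the WAF cookie must be on the target before the first attempt; an empty result still leaves the profile choice to you.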

Next