Quickstart: URL scan (DAST)
Point Pencheff at a live URL and get a verified, exploit-first assessment with OWASP Top 10 mapping in 5-40 minutes depending on the profile. The same engine drives the SaaS dashboard, the CLI, and the MCP tools — pick whichever surface matches your workflow.
⚠️ Authorization is mandatory. Every scan API call carries a `consent_payload`. Run only against systems you own or have written permission to test. Pencheff will refuse to scan otherwise.
1. Pick a target
| Scenario | What to point at | Profile to start with |
|---|---|---|
| Public marketing site | https://acme.com | quick |
| Production web app | https://app.acme.com | standard |
| API behind a token | https://api.acme.com/v1 | standard (with auth header) |
| Stage / pre-prod, exhaustive sweep | https://stage.acme.com | deep |
| Single-page app / SPA | https://app.acme.com | standard (Playwright crawl auto-engages) |
2. Run it
- Open app.pencheff.com, sign in, and click Register target.
- Paste the URL; optionally add credentials, scope, and exclude paths.
- Pick a profile (`standard` is the default balanced run).
- Click Start scan. You are redirected to a live progress page; stages stream over SSE.
- When it finishes, browse findings by severity, OWASP category, or compliance framework.
3. Read the result
- Findings appear in the unified queue with severity, CVSS v3.1 + v4.0, OWASP category, and compliance fan-out.
- Every finding flagged by a scanner is followed up by `test_endpoint`; the report contains only `true_positive` rows by default.
- `deep` profiles attach a STRIDE / DREAD threat model and a compliance rollup to the scan.
- The DOCX report carries an executive summary, the findings register, the compliance appendix, and (for `deep`) the threat model.
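The fields listed above (severity, both CVSS scores, OWASP category, `true_positive` status) are what you would filter on when turning a scan into a release decision. The script below is an added example, not Pencheff's own code or export format: the JSON shape, field names (`cvss_v31`, `cvss_v40`, `owasp`, `status`) and the sample findings are assumptions constructed for illustration. It keeps only verified rows, groups them by OWASP category, and blocks on either severity or whichever CVSS scale scores higher, since v3.1 and v4.0 can disagree.

```python
"""Added example (not Pencheff's code): triage a findings export for a CI gate.

The export shape below is an ASSUMPTION for illustration; Pencheff's real export
may differ. Field names mirror what the quickstart says a finding carries.
"""
import json
from collections import Counter

# Constructed sample export, not real scan output.
SAMPLE_EXPORT = json.dumps({
    "target": "https://app.acme.com",
    "profile": "standard",
    "findings": [
        {"id": "f-1", "title": "Reflected XSS in /search", "severity": "high",
         "cvss_v31": 7.1, "cvss_v40": 6.9, "owasp": "A03:2021-Injection",
         "status": "true_positive"},
        {"id": "f-2", "title": "Missing HSTS header", "severity": "low",
         "cvss_v31": 3.1, "cvss_v40": 2.0, "owasp": "A05:2021-Security Misconfiguration",
         "status": "true_positive"},
        {"id": "f-3", "title": "Possible SQLi in /api/v1/items", "severity": "critical",
         "cvss_v31": 9.8, "cvss_v40": 9.3, "owasp": "A03:2021-Injection",
         "status": "false_positive"},   # scanner hit that test_endpoint did not confirm
        {"id": "f-4", "title": "Verbose server banner", "severity": "info",
         "cvss_v31": 0.0, "cvss_v40": 0.0, "owasp": "A05:2021-Security Misconfiguration",
         "status": "true_positive"},
    ],
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(export_json, verified_only=True):
    """Parse the export; by default keep only rows confirmed as true_positive."""
    rows = json.loads(export_json)["findings"]
    if verified_only:
        rows = [f for f in rows if f["status"] == "true_positive"]
    return rows


def owasp_breakdown(findings):
    """Count findings per OWASP Top 10 category."""
    return Counter(f["owasp"] for f in findings)


def gate(findings, min_severity="high", max_cvss=7.0):
    """Return the findings that should block a release, worst first.

    A finding blocks if its severity label meets min_severity OR the higher of
    its CVSS v3.1 / v4.0 scores meets max_cvss. Checking both catches a finding
    whose label was set conservatively but whose score is still high.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= threshold
        or max(f["cvss_v31"], f["cvss_v40"]) >= max_cvss
    ]
    return sorted(blocking, key=lambda f: -SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    verified = load_findings(SAMPLE_EXPORT)
    print(f"{len(verified)} verified findings")
    for cat, n in owasp_breakdown(verified).most_common():
        print(f"  {n}  {cat}")
    blockers = gate(verified)
    for f in blockers:
        print(f"BLOCK {f['id']} {f['severity']:>8} cvss3.1={f['cvss_v31']} {f['title']}")
    raise SystemExit(1 if blockers else 0)
```

Run it against an export and use the exit code as the CI gate; loosen `min_severity` or `max_cvss` per environment rather than editing the filter.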
Common gotchas
- Cloudflare / WAF returns 403. Add the WAF's session cookie via the dashboard's Headers row on the target, and treat that cookie as a credential: it lets the scanner through the WAF. `scan_waf` will detect and tag the WAF; payloads adapt automatically.
- SPA returns a blank shell. Use `standard` or `deep`; both trigger the Playwright crawler. `quick` only runs the fast HTTP crawler.
- Rate-limited target. Use the dashboard's Throttle card on the target to cap requests-per-second; the engine slows every dispatcher.
- Auth flow is not OIDC. Record a login macro once via the dashboard's Authentication card; the macro attaches to the target and replays on every scan.
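Each gotcha above shows up in the very first response the target returns, so a one-request pre-flight check tells you which fix to apply and the lowest profile that can actually crawl the site before you register the target. The script below is an added example and not part of Pencheff or its CLI; the WAF header fingerprints are common signatures (not an exhaustive list), the SPA heuristic (a script bundle plus almost no visible text) and the 200-character threshold are assumptions, and the sample responses are constructed for the example.

```python
"""Added example (not Pencheff's code): pre-flight triage of one HTTP response.

Maps observable response traits to the quickstart gotchas and to the minimum
profile that can crawl the target. Fingerprints and thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Header-based fingerprints of common WAF / CDN front doors (not exhaustive).
WAF_SIGNATURES = {
    "cloudflare": lambda h: "cf-ray" in h or h.get("server", "").lower() == "cloudflare",
    "sucuri": lambda h: "x-sucuri-id" in h,
    "imperva": lambda h: "x-iinfo" in h or "incap_ses_" in h.get("set-cookie", ""),
}

# Constructed sample responses: (status, headers, body). Not captured traffic.
SAMPLES = {
    "cf_block": (403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f1234-FRA",
                       "Content-Type": "text/html"},
                 "<html><body><h1>Attention Required!</h1></body></html>"),
    "spa": (200, {"Content-Type": "text/html; charset=utf-8"},
            '<!doctype html><html><head><title>App</title></head>'
            '<body><div id="root"></div><script src="/static/main.js"></script></body></html>'),
    "api": (401, {"Content-Type": "application/json", "WWW-Authenticate": "Bearer"},
            '{"error":"unauthorized"}'),
    "throttled": (429, {"Retry-After": "30", "Content-Type": "text/plain"}, "slow down"),
}


@dataclass
class Triage:
    waf: Optional[str] = None
    rate_limited: bool = False
    needs_auth: bool = False
    spa_shell: bool = False
    api: bool = False
    min_profile: str = "quick"        # lowest profile whose crawler can see the content
    notes: list = field(default_factory=list)


def _visible_text_len(html):
    """Length of text a user would see: drop script/style blocks, then tags."""
    stripped = re.sub(r"<(script|style)\b.*?</\1>", "", html, flags=re.S | re.I)
    return len(re.sub(r"<[^>]+>", "", stripped).strip())


def triage_response(status, headers, body):
    """Classify one response from the target's entry URL."""
    h = {k.lower(): v for k, v in headers.items()}
    t = Triage()

    t.waf = next((name for name, hit in WAF_SIGNATURES.items() if hit(h)), None)
    if t.waf and status == 403:
        t.notes.append("WAF 403: add the WAF session cookie on the target's Headers row")

    if status == 429 or "retry-after" in h:
        t.rate_limited = True
        t.notes.append("rate limited: cap requests-per-second with the Throttle card")

    if status == 401 or "www-authenticate" in h:
        t.needs_auth = True
        t.notes.append("auth required: add a token header or record a login macro")

    ctype = h.get("content-type", "").lower()
    if "application/json" in ctype:
        t.api = True
        t.min_profile = "standard"    # table above: API behind a token -> standard
    elif "text/html" in ctype:
        has_bundle = re.search(r"<script\b[^>]*\bsrc=", body, re.I) is not None
        if has_bundle and _visible_text_len(body) < 200:
            t.spa_shell = True
            t.min_profile = "standard"  # quick runs only the HTTP crawler
            t.notes.append("SPA shell: use standard or deep for the Playwright crawl")
    return t


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        t = triage_response(*resp)
        print(f"{name:10} waf={t.waf} min_profile={t.min_profile} notes={t.notes}")
```

Feed it the status, headers and body from a single manual request to the entry URL; a `quick` result is only trustworthy when no note fired.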
Next
- Tutorial: end-to-end web app — same flow with auth, exclusions, and a customer-ready DOCX.
- Compliance mapping — turn the scan into audit evidence.
- CI/CD integration — gate every PR.