Scans

What Scans Are

A scan is a single execution of SilentBolt's security assessment pipeline against a verified and authorized domain. Each scan automatically discovers subdomains, maps live assets, detects vulnerabilities, computes risk scores, identifies posture drift, and generates reports.

Scans are the core activity in SilentBolt. Everything else — findings, reports, orchestration — flows from scan results.

Why Scans Exist

Security posture is not static. New subdomains appear, endpoints change, software is updated, and new vulnerabilities are disclosed daily. Regular scanning provides:

  • Continuous visibility into your attack surface.
  • Drift detection — what changed since the last scan.
  • Evidence for compliance — documented, timestamped assessments.
  • Inputs for AI orchestration — completed scans feed into attack orchestration sessions.

Who Uses This

  • Security analysts — trigger manual scans, monitor progress, review results.
  • Team leads — set up scheduled scans, monitor scan health across domains.
  • MSSP operators — manage scanning cadence across client domains.

Scan Types

Manual Scans

Started on-demand by a user from the Scans page or from a domain's detail page. Useful for:

  • First-time scanning of a newly onboarded domain.
  • Re-scanning after a remediation to verify a fix.
  • Ad-hoc checks before a release or audit.

Scheduled Scans

Configured to run automatically on a recurring schedule defined by a cron expression and timezone. The scheduler checks for due scans every 30 seconds and automatically enqueues them.

Use scheduled scans for:

  • Weekly or monthly posture checks on production domains.
  • Post-maintenance windows to catch regressions.
  • Compliance requirements that mandate periodic scanning.

To set up a scheduled scan:

  1. Navigate to Scans → Scheduled Scans.
  2. Select the domain, set the cron expression and timezone.
  3. Activate the schedule.
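The scheduler described above polls every 30 seconds but cron expressions have one-minute granularity, so a polling scheduler must not enqueue the same schedule twice within one due minute. The following is an added example, not SilentBolt's own scheduler code: it evaluates a 5-field cron expression in the schedule's timezone and enqueues due scans once per minute. The Schedule class, the plain-list job queue, the resolve_tz helper and the job dict layout are assumptions made for the example.

```python
"""Added example, not SilentBolt's own code: one tick of a polling scheduler that
enqueues scans whose cron expression is due in the schedule's timezone.
Assumptions: 5-field cron (minute hour day-of-month month day-of-week, Sunday=0),
IANA timezone names resolved with zoneinfo, and a plain list as the job queue."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from zoneinfo import ZoneInfo


def _field_matches(spec: str, value: int, lo: int, hi: int) -> bool:
    """Match one cron field: '*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n', 'a/n'."""
    for part in spec.split(","):
        rng, _, step_str = part.partition("/")
        step = int(step_str) if step_str else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = int(rng)
            end = hi if step_str else start   # 'a/n' runs from a up to the field maximum
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def cron_matches(expr: str, when: datetime) -> bool:
    """True if `when` (already converted to the schedule's timezone) is a due minute."""
    minute, hour, dom, month, dow = expr.split()
    if not (_field_matches(minute, when.minute, 0, 59)
            and _field_matches(hour, when.hour, 0, 23)
            and _field_matches(month, when.month, 1, 12)):
        return False
    dom_ok = _field_matches(dom, when.day, 1, 31)
    dow_ok = _field_matches(dow, (when.weekday() + 1) % 7, 0, 6)  # Python Mon=0 -> cron Sun=0
    if dom != "*" and dow != "*":
        return dom_ok or dow_ok   # classic cron rule: both restricted -> either may match
    return dom_ok and dow_ok


def resolve_tz(name: str):
    """IANA name -> tzinfo. 'UTC' is handled even without a tz database installed."""
    return timezone.utc if name.upper() == "UTC" else ZoneInfo(name)


@dataclass
class Schedule:
    domain: str
    cron: str
    tz: str
    active: bool = True
    last_enqueued: datetime | None = None   # minute already enqueued, used for dedup


def scheduler_tick(schedules, queue, now_utc: datetime):
    """One poll (the page says the scheduler runs this every 30 seconds).
    Two polls fall inside every minute, so each schedule remembers the minute it
    was last enqueued for and is not enqueued a second time for the same minute."""
    enqueued = []
    for s in schedules:
        if not s.active:
            continue
        local = now_utc.astimezone(resolve_tz(s.tz))
        minute = local.replace(second=0, microsecond=0)
        if s.last_enqueued == minute or not cron_matches(s.cron, local):
            continue
        job = {"domain": s.domain, "trigger": "scheduled", "status": "queued",
               "due_at": minute.isoformat()}
        queue.append(job)
        s.last_enqueued = minute
        enqueued.append(job)
    return enqueued


if __name__ == "__main__":
    # constructed schedule: Mondays 09:00 Berlin time; 2024-06-10 is a Monday
    schedules = [Schedule("example.com", "0 9 * * 1", "Europe/Berlin")]
    queue = []
    for tick in (datetime(2024, 6, 10, 7, 0, 10, tzinfo=timezone.utc),
                 datetime(2024, 6, 10, 7, 0, 40, tzinfo=timezone.utc)):
        print(tick.isoformat(), scheduler_tick(schedules, queue, tick))
    print(len(queue), "job(s) queued")
```

The dedup key is the due minute in the schedule's own timezone, which also keeps a schedule from firing twice when a daylight-saving change repeats a wall-clock hour.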

Scan Templates

Scans can optionally be linked to a scan template — a reusable security playbook that groups tools and test types. SilentBolt includes 8 built-in system templates (Web App Security, API Security, Cloud Security, Kubernetes Security, External Attack Surface, Identity Security, Mobile Security, Phishing Simulation). You can also create custom templates.

When starting a scan, selecting a template associates it with the scan for informational/tracking purposes. The AI can also suggest appropriate templates based on domain characteristics.


Scan Lifecycle

Every scan progresses through the following statuses:

Status     Description
queued     Scan created and waiting in the job queue
running    Scan pipeline actively executing
done       All phases completed successfully
failed     Pipeline encountered an unrecoverable error
canceled   User manually canceled the scan

What Happens During a Scan

At a high level, the pipeline executes five phases:

  1. Discovery — subdomain enumeration (discovery engine) → writes scan targets.
  2. WAF Detection — probes for web application firewalls → may downgrade scan profile to stealth.
  3. Surface Mapping — HTTP probing + port scanning + web crawling engines → writes scan assets.
  4. Vulnerability Scanning — template-based detection engine → writes scan findings.
  5. Post-Processing — normalizes data into hosts/endpoints/findings, runs drift detection and risk scoring, generates PDF and JSON reports, emits integration events.
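The status table above and the five phases just listed fit together as a small state machine around a sequential pipeline: a scan can only leave queued for running or canceled, cancel and timeout are checked between phases, and whatever completed phases wrote is kept when a later phase fails. The following is an added example, not SilentBolt's own pipeline code, that models exactly that. The phase functions are constructed stand-ins for the real engines, the fixtures dict, the failing_phase helper and the injectable clock exist only so the runner can be exercised offline, and the authorization and monthly-quota guards in create_scan follow the rules stated later on this page.

```python
"""Added example, not SilentBolt's own code: a scan runner that models the
status lifecycle (queued/running/done/failed/canceled) and the five pipeline
phases. Network engines are replaced by constructed stand-ins; `fixtures`,
`failing_phase` and the injectable `clock` are assumptions for offline use."""
from dataclasses import dataclass, field
import time

# Legal status transitions; terminal states have no outgoing edges.
TRANSITIONS = {
    "queued": {"running", "canceled"},
    "running": {"done", "failed", "canceled"},
    "done": set(), "failed": set(), "canceled": set(),
}
PHASES = ["discovery", "waf_detection", "surface_mapping",
          "vulnerability_scanning", "post_processing"]


@dataclass
class Scan:
    domain: str
    status: str = "queued"
    profile: str = "normal"            # becomes "stealth" when a WAF is detected
    cancel_requested: bool = False
    fixtures: dict = field(default_factory=dict)   # constructed probe outcomes
    events: list = field(default_factory=list)     # the event timeline
    results: dict = field(default_factory=dict)    # per-phase output, retained on failure

    def transition(self, new: str) -> None:
        if new not in TRANSITIONS[self.status]:
            raise ValueError(f"illegal transition {self.status} -> {new}")
        self.events.append(f"status {self.status} -> {new}")
        self.status = new


def create_scan(domain, *, authorized, scans_this_month, monthly_quota, fixtures=None):
    """Creation guards: an unauthorized domain is rejected, an exhausted quota blocks."""
    if not authorized:
        raise PermissionError(f"{domain} is not verified and authorized")
    if scans_this_month >= monthly_quota:
        raise RuntimeError("monthly scan quota exhausted")
    return Scan(domain=domain, fixtures=fixtures or {})


# Phase stand-ins (constructed): each returns the data the real engine would write.
def discovery(scan):
    return {"targets": [f"{s}.{scan.domain}" for s in ("www", "api", "old")]}

def waf_detection(scan):
    present = bool(scan.fixtures.get("waf_present"))
    if present:
        scan.profile = "stealth"
        scan.events.append("WAF detected: profile downgraded to stealth")
    return {"waf_present": present}

def surface_mapping(scan):
    return {"assets": [{"host": t, "port": 443, "tls": True}
                       for t in scan.results["discovery"]["targets"]]}

def vulnerability_scanning(scan):
    # constructed rule: only the forgotten "old." host yields one medium finding
    return {"findings": [{"host": a["host"], "check": "constructed-check", "severity": "medium"}
                         for a in scan.results["surface_mapping"]["assets"]
                         if a["host"].startswith("old.")]}

def post_processing(scan):
    return {"report": {"hosts": len(scan.results["surface_mapping"]["assets"]),
                       "findings": len(scan.results["vulnerability_scanning"]["findings"])}}

DEFAULT_PHASES = {"discovery": discovery, "waf_detection": waf_detection,
                  "surface_mapping": surface_mapping,
                  "vulnerability_scanning": vulnerability_scanning,
                  "post_processing": post_processing}


def failing_phase(message):
    """Return a phase that raises, to simulate an unrecoverable engine error."""
    def phase(scan):
        raise RuntimeError(message)
    return phase


def run_scan(scan, phases=DEFAULT_PHASES, timeout_s=3600, clock=time.monotonic):
    """Run the phases in order. Cancel and the 1-hour limit are checked between
    phases; output of phases that completed stays in scan.results."""
    scan.transition("running")
    started = clock()
    for name in PHASES:
        if scan.cancel_requested:
            scan.events.append(f"canceled before {name}")
            scan.transition("canceled")
            return scan
        if clock() - started > timeout_s:
            scan.events.append(f"timed out before {name} ({timeout_s}s limit)")
            scan.transition("failed")
            return scan
        scan.events.append(f"{name} started")
        try:
            scan.results[name] = phases[name](scan)
        except Exception as exc:
            scan.events.append(f"{name} failed: {exc}")
            scan.transition("failed")
            return scan
        scan.events.append(f"{name} completed")
    scan.transition("done")
    return scan
```

Usage: run_scan(create_scan("example.com", authorized=True, scans_this_month=3, monthly_quota=10, fixtures={"waf_present": True})) ends in done with profile stealth; replacing one entry of DEFAULT_PHASES with failing_phase("engine crashed") ends in failed with the earlier phases' results still present, which is the "failed scans retain partial results" behaviour.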

Scan Pages

Scans List Page

The main Scans page shows all scans for your company, with:

  • Domain name, scan status, trigger type (manual/scheduled).
  • Start time, completion time, duration.
  • Finding counts by severity.
  • Link to scan detail page.
  • Option to start a new scan.

Scan Detail Page

The detail page for a single scan shows:

  • Status and timing — current status, start/end times, duration.
  • Event Timeline — real-time feed of scan events (discovery started, targets found, assets mapped, findings detected, etc.).
  • Hosts — list of discovered hosts with metadata (IP, port, TLS, HTTP status).
  • Endpoints — discovered HTTP paths with risk scores and forgotten-endpoint flags.
  • Findings — vulnerability findings with severity, drift labels, and governance status.
  • Reports — download links for PDF and JSON reports.
  • Template — the scan template used (if any).

How to Use Scans

Starting a Manual Scan

  1. Navigate to Scans.
  2. Click New Scan.
  3. Select the target domain (must be verified and authorized).
  4. Optionally select a scan template.
  5. Click Start Scan.
  6. The scan enters queued status and begins execution shortly.

Monitoring a Running Scan

  1. Open the scan detail page.
  2. Watch the Event Timeline for real-time progress updates.
  3. The timeline shows events like "Discovery started", "15 subdomains found", "Surface mapping started", "42 endpoints mapped", "Vulnerability scan started", "23 findings detected".
  4. The scan status will transition from running to done (or failed).

Canceling a Scan

  1. Open the running scan's detail page.
  2. Click Cancel Scan.
  3. The scan status transitions to canceled. Partial results up to the cancellation point are retained.

Reviewing Scan Results

Once a scan reaches done:

  1. Review Hosts to understand the live attack surface.
  2. Review Endpoints to see all discovered paths, especially any flagged as forgotten.
  3. Review Findings to see detected vulnerabilities, sorted by severity.
  4. Download the PDF Report for stakeholder distribution.
  5. Compare findings against the previous scan to understand drift.

Scan History and Comparisons

SilentBolt maintains a full scan history per domain. Each scan records a reference to:

  • Baseline scan — the first scan ever run on the domain.
  • Previous scan — the most recent prior scan.

This enables drift detection: each finding in the current scan is labeled as new, changed, resolved, or regression relative to the baseline and previous scans.

Use scan history to:

  • Track how your attack surface has evolved over time.
  • Verify that remediations are effective (findings move to resolved).
  • Detect regressions (previously resolved findings reappearing).
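The drift labels described in this section follow from comparing three finding sets: the current scan, the previous scan and the baseline scan. The following is an added example, not SilentBolt's own drift engine: it keys findings by (host, check), labels each one new, changed, resolved or regression exactly as the page defines them, and adds an "unchanged" label (an assumption, not on the page) for findings present in both scans with no difference. The Finding class, the severity-only notion of "changed" and the sample history are constructed for the example.

```python
"""Added example, not SilentBolt's own code: drift labeling of the current scan's
findings against the previous and baseline scans. Assumed: a finding is
identified by (host, check) and carries a severity; 'unchanged' is an added
label for findings present in both scans with no difference."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    severity: str

    @property
    def key(self):
        return (self.host, self.check)


def _index(findings):
    return {f.key: f for f in findings}


def label_drift(current, previous, baseline):
    """Return {key: label} for every finding in current or previous.
    new        - not in previous and never in the baseline
    changed    - in previous, but the severity differs
    regression - absent from previous yet present in the baseline (it came back)
    resolved   - in previous, gone from current
    unchanged  - in previous with the same severity (assumed label)"""
    cur, prev, base = _index(current), _index(previous), _index(baseline)
    labels = {}
    for key, f in cur.items():
        if key in prev:
            labels[key] = "changed" if prev[key].severity != f.severity else "unchanged"
        elif key in base:
            labels[key] = "regression"
        else:
            labels[key] = "new"
    for key in prev:
        if key not in cur:
            labels[key] = "resolved"
    return labels


def drift_summary(labels):
    """Count per label, the numbers a scan comparison view would show."""
    return dict(Counter(labels.values()))


# Constructed three-scan history for one domain (baseline -> previous -> current).
SAMPLE_BASELINE = [Finding("www.example.com", "weak-tls", "medium"),
                   Finding("api.example.com", "missing-header", "low")]
SAMPLE_PREVIOUS = [Finding("www.example.com", "weak-tls", "medium"),
                   Finding("old.example.com", "exposed-admin", "high")]
SAMPLE_CURRENT = [Finding("www.example.com", "weak-tls", "high"),
                  Finding("api.example.com", "missing-header", "low"),
                  Finding("www.example.com", "open-redirect", "medium")]

if __name__ == "__main__":
    labels = label_drift(SAMPLE_CURRENT, SAMPLE_PREVIOUS, SAMPLE_BASELINE)
    for key, label in sorted(labels.items()):
        print(f"{label:10} {key[0]:18} {key[1]}")
    print(drift_summary(labels))
```

In the sample history the www weak-tls finding is labeled changed (severity rose), the api missing-header finding is a regression (fixed before the previous scan, back now), open-redirect is new, and old.example.com exposed-admin is resolved. Deleting past scans removes the baseline and previous references this comparison needs, which is why the best practices below say to keep scan history.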

Common Actions

Action                           How
Start a manual scan              Scans → New Scan → select domain → Start
View scan results                Scans → click scan row → Detail page
Cancel a running scan            Scan detail → Cancel Scan
Download PDF report              Scan detail → Reports → Download PDF
Download JSON report             Scan detail → Reports → Download JSON
Set up a scheduled scan          Scans → Scheduled Scans → Create Schedule
View scan history for a domain   Targets → select domain → Scan History

Best Practices

  • Run your first scan manually to verify everything works before setting up schedules.
  • Schedule weekly scans for production domains to maintain continuous visibility.
  • Review scan events if a scan fails — the event timeline usually indicates which phase failed and why.
  • Don't scan too aggressively. If the target has a WAF, SilentBolt will auto-downgrade to stealth mode, but consider the impact on production systems.
  • Use templates to document and standardize the types of assessments you run regularly.
  • Keep scan history — avoid deleting past scans, as they provide baseline data for drift detection.

Edge Cases and Warnings

  • One scan at a time. The platform processes scans sequentially. If multiple scans are queued, they execute in order.
  • Scan timeout. Each scan has a 1-hour maximum execution time. Very large domains with many subdomains may need optimization.
  • Failed scans retain partial results. You may receive findings from phases that completed before the failure.
  • WAF detection is automatic. If SilentBolt detects a WAF, the scan profile switches to stealth without user intervention to reduce the chance of being blocked.
  • Domain must be authorized. Attempting to scan a domain that is not verified and authorized will be rejected.
  • Monthly scan quota. Your subscription plan defines a maximum number of scans per month. Exceeding the quota blocks new scan creation.
