Add an Asset
Before you can start scanning, you need to add and verify ownership of your web application or API. Threatspy uses asset verification to ensure that only authorized users can perform security assessments on their assets.
Prerequisites
Before adding an asset, ensure you have:
- A Threatspy account with an active subscription or trial.
- The URL of the Web Application or API you want to scan.
- Permission to verify ownership of the target domain.
- (For APIs) An API definition file such as OpenAPI (Swagger) or Postman Collection.
Step 1: Enter the Asset URL
Navigate to Assets β Add Asset.
Enter the Base URL of the asset you want to secure.
Supported Asset Types
- π Web Application
- π API
Examples:
Web Application
https://app.example.comAPI
https://api.example.comClick Continue to proceed.
Step 2: Verify Asset Ownership
To prevent unauthorized security testing, Threatspy requires ownership verification before an asset can be scanned.
Choose one of the following verification methods.
Option 1: HTML File Verification (Recommended)
- Download the verification HTML file provided by Threatspy.
- Upload the file to the root directory of your website.
Example:
https://example.com/threatspy-verification.html- Return to Threatspy and click Verify.
Option 2: DNS TXT Record Verification
- Copy the TXT record generated by Threatspy.
- Add the TXT record to your domain's DNS configuration.
- Wait for DNS propagation.
- Click Verify.
Option 3: Meta Tag Verification
- Copy the provided HTML meta tag.
- Paste it inside the `<head>` section of your application's homepage.
- Deploy the changes.
- Return to Threatspy and click Verify.
Once verification succeeds, continue to the scan configuration.
Step 3: Configure the Scan Profile
Select the type of application you want to scan.
- π Web Application
- π API
The configuration differs depending on the selected asset type.
Web Application Scan Profile
Enter a Scan Profile Name to identify this scan configuration.
Example:
Production Web ApplicationAuthentication (Optional)
If your application requires authentication, enable Authenticated Scan.
Threatspy supports:
- Header Token Authentication
- Cookie Authentication
Header Token Authentication
Provide:
- Header Name
Example:
Authorization- Header Value
Example:
Bearer eyJhbGciOi...Cookie Authentication
Provide:
- Cookie Name
Example:
JSESSIONID- Cookie Value
Example:
abc123xyz456If authentication is not configured, Threatspy performs an unauthenticated security assessment.
API Scan Profile
Enter a Scan Profile Name.
Upload your API definition file.
Supported formats include:
- OpenAPI (Swagger)
- Postman Collection
> Note: The uploaded API definition must accurately describe the API endpoints, request methods, headers, and request bodies to ensure complete security coverage.
Authentication (Required)
Authentication is mandatory for API security scans.
Choose one of the following methods:
- Header Token Authentication
- Cookie Authentication
Provide the required credentials.
Header Token Authentication
- Header Name
Example:
Authorization- Header Value
Example:
Bearer eyJhbGciOi...Cookie Authentication
- Cookie Name
Example:
SESSIONID- Cookie Value
Example:
abc123xyz456Threatspy automatically includes these credentials while testing authenticated API endpoints.
Step 4: Verify and Save
Review all the information before creating the asset.
Verify:
- Base URL
- Ownership verification status
- Asset type
- Scan profile
- Authentication settings
- API definition (if applicable)
Click Verify & Save.
Once the asset is successfully added, it will appear in your Assets dashboard and will be ready for manual, scheduled, or CI/CD-triggered security scans.
Next Steps
After successfully adding your asset, you can:
- βΆοΈ Run an on-demand security scan.
- β° Schedule recurring scans.
- π Trigger scans through your CI/CD pipeline.
- π Analyze vulnerabilities with AI-powered insights.
- π Generate comprehensive security reports.
- π€ Collaborate with your team on remediation.
- π― Launch remediation campaigns and automate workflows using Playbooks.