
Unauthenticated Scan

Pick Unauthenticated Scan when your target doesn't require a login — marketing sites, public documentation, open APIs, or the public portion of an app you're just starting to test. The scanner crawls only the publicly reachable pages.

When to use

  • A fully public site (no /login).
  • A public API with no keys or tokens.
  • A first pass on a new target before you invest in login automation.
  • You only want to test the pre-login surface (landing pages, signup form, password reset).

Dashboard

In Create Scan → Step 2, select Unauthenticated Scan at the top of the step and proceed to Step 3. No extra fields.

CLI

shadownet scan https://example.com --auth none

levo-dast.yml

auth:
  strategy: "none"

Pre-Auth fields still apply

Even on an unauthenticated scan, you can use Pre-Auth Cookies / Headers / Local Storage if the app needs a tenant header or cookie to render at all. Leave them empty otherwise.

Tip

If you later discover the interesting pages are behind a login, re-run with Username and password or AI-assisted login — nothing about the scan config is wasted.
