Create a Scan

The Create DAST Scan dialog walks you through four steps: Select Mode, Authentication, Crawling & Discovery, and Security Tests. Every page below maps 1:1 to what you see in the UI.

Just want to try it?

The Quickstart runs this flow with all defaults in 5 minutes. Come back here when you need to customize.

Open the dialog

1. Go to Scans → DAST Scans.
2. Click + DAST Scan in the top right.
3. The Create DAST Scan dialog opens on Step 1.

---

Step 1 — Select Mode

Mode

Mode	What it does	When to use
Crawl	Discovers and maps pages only. No payloads sent.	You want an attack-surface map without any active testing.
Scan (recommended)	Crawls and runs passive + active security tests.	Normal security testing.

Name

A descriptive label so you can find this run later. Examples:

• staging-checkout-weekly
• api-v2-post-deploy
• marketing-site-passive

Target URL

The full URL the scan starts from (e.g., https://app.example.com).

Target must be an owned domain

The target domain must match one of your organization's owned domains (shown under the field as a list of regex patterns). Add new domains under Settings → Owned Domains before scanning.

Test Run Environment

• Run on Cloud — Levo's managed infrastructure. No setup. Recommended for anything reachable from the public internet.
• Run on-Premises — Your own Kubernetes worker or Docker worker. Required for targets behind your firewall.

Click Next to continue.

---

Step 2 — Authentication

Key Source

Which LLM API key the scanner uses for AI-powered analysis:

• Levo's Platform Key (default) — use Levo's managed LLM.
• Bring Your Own Key — your own OpenAI or Anthropic key, managed under Settings → API Keys.

Authentication method

Pick one of four methods. See the dedicated Authentication section for in-depth guidance on each.

None

Select for public apps, marketing sites, or open APIs. No extra fields.

Form-based Login

For apps with an HTML login form. Fill in:

• Login URL — the page that hosts the login form.
• Username, Password — a test account. Create one dedicated to scanning.
• Pre-Auth Cookies / Headers / Local Storage — optional; see below.

Token

For APIs that accept a Bearer token, JWT, or API key in the Authorization header. Paste the full token value — the scanner prefixes it with Bearer automatically unless you include your own scheme.

AI-driven (auto-discover) — Beta

The scanner uses an LLM to identify the login flow, fill the form, and verify login. Use when the auth flow is complex, multi-step, or you don't want to hard-code selectors.

Pre-Auth Cookies, Headers, and Local Storage

Values that must be in place before the scanner attempts login — typical use cases:

• Pre-Auth Cookies — CSRF tokens, tenant selectors, feature flags needed on the login page.
• Pre-Auth Headers — custom tenant headers (e.g., X-Tenant-Id), API gateway tokens.
• Local Storage Items — SPA bootstrap data the app reads on first load.
• Local Storage Items (Base64) — same, for apps that store encoded blobs in localStorage.

Add rows with + Add Row. Leave empty if your app doesn't need any of these.

Click Next to continue.

---

Step 3 — Crawling & Discovery

Crawl Mode

• Standard — HTTP-based crawler following links and forms. Fast. Good default.
• AI Assisted — LLM-driven crawler that follows UI flows the Standard crawler misses (wizards, modals, JS-heavy SPAs). Slower, requires a Key Source.

Max Crawl Depth · Max Pages

Bounds on crawl breadth. Defaults (depth 3, 100 pages) suit most apps. Raise both for very large sites; lower them to keep a scheduled run under a time budget.

Satellite URL

For on-prem deployments that route traffic through the Levo Satellite HAProxy. Leave empty if you aren't using a Satellite. See Install Satellite for setup.

Timeout · Max Payloads

• Timeout (seconds) — per-request timeout. Raise for slow backends.
• Max Payloads — upper bound on active-test payloads per endpoint. Lower for production-adjacent targets; raise for thoroughness.

Domain filtering

• Ignore third-party APIs (on by default) — skips external hosts so you don't accidentally scan a vendor.
• Capture Domain Patterns — additional hosts to include. Managed alongside API Discovery settings.
• Exclude Domain Patterns — hosts to skip (CDNs, analytics, anything you don't own).

Click Next to continue.

---

Step 4 — Security Tests

Scan depth

	Speed	Coverage	Use when
Smart (default)	Fast	Common, high-confidence issues	You run scans often (every PR, nightly).
Thorough	Slow	Deep attack surface, more payload variants	Release scans, pen-test prep, weekly deep runs.

Test types

Toggle	Default	What it does
Passive Scanning	On	Inspects responses for misconfigurations. Safe for prod.
Active Scanning	On	Sends injection payloads. Can modify state.
CVE Scanning	Off	Checks for known CVEs. Enables the two toggles below.
JavaScript Libraries	Off	Detects vulnerable client-side library versions.
DOM	Off	Tests DOM-based XSS and client-side injection.

Active scanning on production

Active tests can submit forms, create records, and trigger alerts. Run them against staging. If you must scan production, follow Scanning production safely.

Injection Locations

Where payloads are inserted. All five are on by default — turn off any that don't apply to cut scan time.

• Query — URL query-string params.
• Body — request body params.
• Header — custom headers.
• Cookie — cookie values.
• Path — URL path segments.

HTTP Methods

Which HTTP verbs the scanner will test. GET, POST, PUT are on by default. DELETE, PATCH, HEAD, OPTIONS are off — turn on explicitly if you want them tested.

Enable AI-powered analysis

On by default. Runs LLM validation against findings to reduce false positives. Costs more tokens (against either Levo's platform key or your BYOK key).

---

Create the scan

1. Review settings — use Back to edit earlier steps.
2. Click Create.
3. You're redirected to the scan detail page and the scan starts automatically.

Next steps

• Monitor scan progress
• View and manage findings
• Schedule this scan to re-run
• Automate the same config in CI with levo-dast.yml