Getting Started
- Create your account at /register
- Add your first target — enter the URL of your web application
- Choose scan modules — Web, Code, or Cloud
- Select scan depth — Quick (5 min), Normal (20 min), or Deep (45 min)
- Start the scan and monitor progress in the Live Scan Monitor
- Review findings and download your report
Scan Modules
Web Scan
Covers reconnaissance, vulnerability scanning, injection testing, and infrastructure analysis. Checks for SQL injection, XSS, command injection, misconfigurations, SSL/TLS issues, and more.
Code Scan
Covers static analysis, secrets detection, dependency vulnerabilities, and IaC policy validation.
Cloud Scan
Covers cloud posture assessment, CIS benchmarks, and misconfiguration detection.
Scan Depth
Understanding Results
Severity Levels
Risk Grades
Audits receive a letter grade from A (no issues) through F (critical findings) based on the aggregate severity and count of discovered vulnerabilities.
Vulnerability Chains
AI-detected multi-step attack paths that show how individual findings can be combined into exploitable sequences.
Finding Details
Each finding includes a description, evidence, impact assessment, and actionable remediation guidance.
AI Features
- Automated deduplication, severity calibration, and false positive detection.
- Multi-step attack path analysis combining individual findings.
- Context-aware attack payloads generated per finding.
- Python proof-of-concept scripts for verified vulnerabilities.
- Before/after fix code generation with language-aware patches.
- Exploit Prediction Scoring System probability for CVE-based findings.
API Reference
Authentication
Obtain a bearer token via POST /auth/login with your email and password. Include the token in all subsequent requests.
Base URL
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /audits | Create a new audit |
| GET | /audits | List all audits |
| GET | /audits/:id | Get audit details |
| DELETE | /audits/:id | Delete an audit |
| POST | /audits/:id/stop | Stop a running scan |
| POST | /audits/:id/pause | Pause a running scan |
| POST | /audits/:id/resume | Resume a paused scan |
| POST | /audits/:id/chains | Analyze vulnerability chains |
| POST | /audits/:id/findings/:idx/payload | Generate attack payloads |
| POST | /audits/:id/findings/:idx/poc | Generate proof-of-concept script |
| POST | /audits/:id/findings/:idx/remediation | Generate remediation code |
| GET | /audits/:id/report | Download PDF report |
| POST | /targets | Create a new target |
| GET | /targets | List all targets |
| POST | /targets/:id/scan | Start scan on a target |
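The authentication rule above (log in once, send the bearer token on every later request) and the endpoint table can be exercised end to end with the small client below. This is an added example, not the product's own SDK: the base URL is a placeholder because the page does not state it, and the request/response field names (`token`, `url`, `id`, `status`) are assumptions. The `FakeServer` transport is constructed so the flow runs offline; swap in `urllib_send` to talk to a real instance.

```python
import json
import urllib.request
from typing import Callable, Optional

# Placeholder: the real base URL is not given on this page.
BASE_URL = "https://odbrana.example/api"

# Transport signature: (method, url, headers, json_body) -> decoded JSON response.
Send = Callable[[str, str, dict, Optional[dict]], dict]


def urllib_send(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Real transport using only the standard library; not used by the offline demo."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class OdbranaClient:
    """Logs in once via POST /auth/login, then sends the bearer token on every later call."""

    def __init__(self, base_url: str, send: Send) -> None:
        self.base_url = base_url.rstrip("/")
        self.send = send
        self.token: Optional[str] = None

    def _headers(self) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"
        return headers

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        return self.send(method, self.base_url + path, self._headers(), body)

    def login(self, email: str, password: str) -> str:
        # The endpoint is on the page; the "token" response key is an assumption.
        resp = self._call("POST", "/auth/login", {"email": email, "password": password})
        self.token = resp["token"]
        return self.token

    def create_target(self, url: str) -> str:
        # Request/response field names ("url", "id") are assumptions.
        return self._call("POST", "/targets", {"url": url})["id"]

    def start_scan(self, target_id: str) -> str:
        return self._call("POST", f"/targets/{target_id}/scan")["id"]

    def get_audit(self, audit_id: str) -> dict:
        return self._call("GET", f"/audits/{audit_id}")


class FakeServer:
    """Constructed stand-in for the API so the flow runs offline; records every call."""

    def __init__(self) -> None:
        self.calls: list = []

    def send(self, method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
        self.calls.append((method, url, dict(headers), body))
        path = url[len(BASE_URL):]
        if path == "/auth/login":
            return {"token": "tok_constructed"}
        if path == "/targets":
            return {"id": "tgt_1"}
        if path == "/targets/tgt_1/scan":
            return {"id": "aud_1"}
        if path == "/audits/aud_1":
            return {"id": "aud_1", "status": "completed"}
        raise AssertionError(f"unexpected call {method} {path}")


def run_scan_flow(server: FakeServer) -> list:
    """Login, create a target, start a scan, fetch the audit; returns the recorded calls."""
    client = OdbranaClient(BASE_URL, server.send)
    client.login("you@example.com", "constructed-password")
    target_id = client.create_target("https://app.example.com")
    audit_id = client.start_scan(target_id)
    client.get_audit(audit_id)
    return server.calls


if __name__ == "__main__":
    for method, url, headers, _ in run_scan_flow(FakeServer()):
        print(method, url, headers.get("Authorization", "<no token>"))
```

The login call is the only one sent without an Authorization header; everything after it carries `Bearer <token>`. Keep the token out of logs and shell history, and treat it with the same care as the password that produced it.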
Webhooks
Configure webhooks in Settings → API Keys section.
Events
Currently supported: audit.completed
Payload Format
Signature Verification
Every webhook includes an X-Odbrana-Signature header containing an HMAC-SHA256 digest of the request body, signed with your webhook secret.
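A receiver should verify that header before it trusts or even parses the body. The following is an added example of such a check, not code from the product: the page states only that the header carries an HMAC-SHA256 over the request body keyed with the webhook secret, so the hex encoding of the digest and the payload fields (`event`, `audit_id`) are assumptions, and the sample body is constructed. The MAC must be computed over the raw bytes exactly as received, not over a re-serialized copy of the JSON.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

HEADER = "X-Odbrana-Signature"

# Constructed sample payload; the real payload format is not documented on this page.
SAMPLE_BODY = b'{"event":"audit.completed","audit_id":"aud_1"}'


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body; hex encoding of the digest is an assumption."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented digest against the expected one."""
    if not presented:
        return False
    expected = compute_signature(secret, body).encode()
    return hmac.compare_digest(expected, presented.strip().lower().encode())


def handle_webhook(secret: bytes, headers: Mapping[str, str], raw_body: bytes) -> Tuple[int, str]:
    """Verify first, parse second: an unauthenticated body is never decoded."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get(HEADER.lower())):
        return 401, "invalid signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, "malformed body"
    if not isinstance(event, dict):
        return 400, "unexpected body shape"
    # audit.completed is the only event the page lists; the field names are assumed.
    if event.get("event") != "audit.completed":
        return 202, "ignored event"
    return 200, f"audit {event.get('audit_id')} completed"


if __name__ == "__main__":
    secret = b"whsec_constructed"
    good = compute_signature(secret, SAMPLE_BODY)
    print(handle_webhook(secret, {HEADER: good}, SAMPLE_BODY))        # (200, ...)
    print(handle_webhook(secret, {HEADER: good}, SAMPLE_BODY + b"\n"))  # (401, ...)
```

Read the body as bytes from the request object and pass those bytes straight to `verify_signature`; frameworks that parse JSON before your handler runs can change whitespace or key order, which silently breaks the MAC.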
Authenticated Scanning
ODBRANA supports scanning behind authentication. Configure credentials when creating a target.
- Provide login URL, field names, and credentials.
- Provide header name and token value.
- Provide a cookie string to attach to requests.
Credentials are encrypted at rest and automatically deleted after the scan completes.
Self-Hosting
Requirements
- Docker and Docker Compose
- 4 GB RAM minimum
- 20 GB disk space
Installation
Configuration
Edit .env to configure your database, Redis, Anthropic API key, and domain.
Run
Update
SSL
SSL is automated via Let's Encrypt and Nginx. Ensure your domain's DNS points to your server before starting.