Analog scans
An Analog scan is Vortex’s broad dynamic application security test (DAST). It crawls your target the way a browser or client would, then actively probes the surfaces it discovers for vulnerabilities — missing security headers, injectable parameters, exposed data, misconfigurations, and more. It runs against your application from the outside, no source code required.
Analog is available on every plan, which makes it the right place to start with any new target.
When to use it
Section titled “When to use it”- You want broad, fast coverage of a web app or API.
- You’re scanning on a plan that doesn’t include the AI pen-tester.
- You want a baseline before scheduling recurring scans.
- You need a quick check after a deploy.
For deeper, attacker-style exploitation, use an AI pen-test scan instead (or as a follow-up).
Run an Analog scan
Section titled “Run an Analog scan”- Go to Vortex → Run scan.
- Choose your target site, or add one if it isn’t registered yet.
- Set the scan type to Analog.
- Choose an intensity (see below).
- Optionally choose which routes to test — see scan scope.
- Optionally attach test users to scan behind a login — see authenticated scanning.
- Launch.
The report page opens and shows live progress. When the scan completes you’ll see an overview, a severity breakdown, and a grouped findings list — see Reading a Vortex report.
Intensities
Section titled “Intensities”Intensity controls how deep and how aggressive the scan is. Deeper scans find more but take longer.
| Intensity | Depth | Availability |
|---|---|---|
| Quick | Fastest, lightest coverage | Every plan |
| Standard | Balanced coverage | Growth and higher |
| Thorough | Deep coverage | Growth and higher |
| Maximum | Most exhaustive | Growth and higher |
Scan scope and routes
Section titled “Scan scope and routes”If you’ve configured routes for the site, you can control how much of it the scan covers:
- Whole site (regular scan) — Vortex seeds the scanner with your saved routes and then crawls outward to discover more of the application. Broadest coverage.
- Specific routes (targeted scan) — Vortex tests only the routes you select and skips discovery. Faster and tightly scoped — handy for re-checking a particular area after a change.
If a site has no routes configured, the scan simply covers the whole target.
Authenticated scanning
Section titled “Authenticated scanning”Much of an application’s risk lives behind a login. To let Vortex test there, attach one or more test users — pre-saved credentials — when you launch the scan. Vortex signs in with them and exercises the authenticated surfaces of your app. Set test users up ahead of time so they’re ready to attach at launch.
See Authenticated scanning for how to create test users, the available authentication types, and testing credentials.
Targeting a branch
Section titled “Targeting a branch”If your target maps to a repository, a scan can run against a specific branch — there’s a repo default plus an optional per-scan override. This matters most when you plan to use AI remediation, because the resulting pull request is opened against the branch you scanned.