Managing sites

A site is a thing you test with BestDefense — a domain, an IP address, or an application endpoint. Sites are the foundation of the platform: you can’t run a Vortex scan (or a Maelstrom test) without a verified site to point it at.

You manage sites on the Sites page in the app.

Site types

When you add a site you choose its type:

Type	Use it for
Web application	Websites and web apps — general application security scanning.
API	API endpoints. API sites can also import their endpoints as routes from an OpenAPI/Swagger spec or a Postman collection.

You can change a site’s type later.

Adding a site

1. On the Sites page, choose Add site.
2. Enter the site’s URL or hostname (for example example.com, api.example.com, or an IP address).
3. Choose the type — Web application or API.
4. Verify ownership (see below).

BestDefense only scans sites whose ownership you’ve proven, so verification is a required step before a site becomes usable.

Verifying domain ownership

For a domain, you verify ownership with a DNS TXT record:

1. BestDefense gives you a unique TXT record to add to the domain’s DNS (under a _bestdefense host).
2. Add that record at your DNS provider.
3. Return to BestDefense and choose Verify ownership.

Until a site is verified it stays in a pending state, where you can retry verification or cancel it.

Tip

DNS changes typically take 5–15 minutes to propagate, sometimes longer. If verification fails immediately after you add the record, wait a few minutes and retry.

Subdomains verify automatically

If a parent domain is already verified in your organization, subdomains under it verify automatically — no TXT record needed. For example, once example.com is verified, adding api.example.com just works.

IP addresses use a different path: they’re verified by deploying a BestDefense agent at the address rather than via a DNS record.

You can also choose to verify later and finish setting other things up; the site simply stays pending until you complete verification.

Importing API endpoints (API sites)

For an API site, you can upload an OpenAPI/Swagger spec or a Postman collection. BestDefense reads it and creates routes for the endpoints it finds, so you don’t have to enter them by hand.

Caution

Re-uploading an updated spec does not automatically update routes you already have — review and tidy up routes after a re-import.

Editing a site

From a site you can change its type (Web application ↔ API) and, for API sites, upload or replace its API spec.

Removing and restoring sites

Removing a site archives it (a soft delete) rather than destroying its data:

• Archived sites don’t count toward your site limit.
• You can restore an archived site later, as long as you’re within your limit.

Deleting a site with schedules

If a site has scheduled scans, those schedules are left behind when you remove the site. Cancel a site’s schedules before removing it.

Site limits

Your subscription sets how many sites you can have registered at once. Archived (removed) sites don’t count against that limit. If you hit the ceiling, either archive sites you no longer test or upgrade your plan — see Billing & subscription tiers.

What’s next

• Define what gets scanned with route management.
• Run your first Vortex scan.
• Connect a repository so you can use AI remediation: Version control.