Route management

Routes are the URL paths and endpoints on a site that BestDefense tests. They let you define the scope of a scan — what to cover, and what to leave alone.

  • For a web application, a route is a path such as /checkout, /admin, or /api/v1.
  • For an API, routes are the individual endpoints, such as /users or /users/{id}.

You manage routes from the Sites page: open a site’s menu and choose Manage routes.

| Field | What it does |
| --- | --- |
| Path | The URL path, starting with / (for example /api/v1). Path parameters like /users/{id} are allowed. |
| Name | An optional friendly label. |
| Description | Optional notes. |
| Tags | Optional labels (for example API, Authenticated, Critical). |
| Methods | The HTTP methods that apply (GET, POST, PUT, DELETE, …). |
| Exact match | Controls whether subpaths are included — see below. |

Exact match decides how broadly a route applies:

  • Off — the route covers the path and everything under it. For example, /api also covers /api/v1 and /api/users.
  • On — only the exact path is covered. Best for specific API endpoints.
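
A small model of the Exact match rule above, for previewing which request paths a set of routes would put in scope. It is an added example, not BestDefense's own code. It assumes matching works on whole path segments, that a {id}-style parameter stands for exactly one segment, and that a trailing slash is ignored; the sample routes and function names are constructed for the illustration.

```python
import re

# Constructed sample routes: (path, exact_match). Not taken from any real site.
ROUTES = [
    ("/api", False),        # Exact match off: the path and everything under it
    ("/users/{id}", True),  # Exact match on: only this endpoint
    ("/checkout", True),
]

def _segments(path):
    """Split a path into segments, dropping query string and fragment.
    Assumption: trailing slashes are not significant."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    return [s for s in path.split("/") if s]

def _seg_matches(pattern, actual):
    # Assumption: a {name} placeholder matches exactly one non-empty segment.
    return bool(re.fullmatch(r"\{[^{}/]+\}", pattern)) or pattern == actual

def route_covers(route_path, exact, request_path):
    """Return True if request_path falls inside the route's scope."""
    want, got = _segments(route_path), _segments(request_path)
    if exact and len(got) != len(want):
        return False  # exact match: subpaths are excluded
    if len(got) < len(want):
        return False  # request is shallower than the route itself
    # zip() stops at the route's length, so deeper segments are accepted
    # only when exact match is off (the length check above handles "on").
    return all(_seg_matches(p, a) for p, a in zip(want, got))

def in_scope(request_path, routes=ROUTES):
    """List the saved routes covering request_path (empty list = out of scope)."""
    return [p for p, exact in routes if route_covers(p, exact, request_path)]

if __name__ == "__main__":
    for candidate in ["/api/v1/orders", "/apiary", "/users/42",
                      "/users/42/keys", "/checkout/"]:
        print(f"{candidate:18} -> {in_scope(candidate) or 'out of scope'}")
```

Running a list of sensitive paths (for example destructive admin endpoints) through a check like this before a scan shows whether a broad route with Exact match off pulls them into scope.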

In the Manage routes view you can add a single route (fill in the path and any optional fields), edit an existing route, or delete one. The list is searchable, so you can find a route by path or name.

Rather than adding routes one at a time, you can import many at once. Supported formats:

| Format | What it expects |
| --- | --- |
| Simple list | One path per line. |
| CSV | Columns for path, name, description, tags, and exact match. |
| JSON | An array of route objects. |
| OpenAPI / Swagger | Endpoints are read from the spec’s paths, with methods as tags. |
| Postman | Requests are extracted from the collection, including nested folders. |

Routes shape how Vortex scans your site:

  • Regular scan — BestDefense seeds the scanner with your saved routes and then crawls outward from them to discover more of the application. Broader coverage.
  • Targeted scan — BestDefense tests only your saved routes and skips discovery. Faster and tightly scoped — a good fit for APIs and for re-testing known endpoints.

Findings can be attributed to the routes they were found on, and for Maelstrom load tests, routes are the endpoints your simulated traffic targets.

Routes define what gets scanned on a site. To tell BestDefense where the code lives — so AI remediation can open pull requests against the right repository and branch — link the site to a repository. That’s done through your version control integration; see Version control.