Quickstart

Quick Tour of the User Interface

Option: Scans
Description: View previously run, currently running, and scheduled scans; define and schedule new scans; modify and rerun existing ones. A set of scan settings can be saved as a template and reused to start another scan quickly. For more information, see Managing Scan Templates.

Option: Projects
Description: Distribute scanning tasks between different teams in your organization, and manage scanning and remediation of detected issues within each team. For more information, see Managing Projects.

Option: Authentications
Description: Create an authentication object and attach it to a scan. The authentication object grants Bright access to the protected parts of a target application, so that the scan covers the target completely. For more information, see Managing Your Authentications.

Option: Storage
Description: Upload files to Bright and manage your organization's Bright storage. For more information, see Managing Bright File Storage.

Option: Settings
Description: Manage organization-level settings and policies. For more information, see Managing Your Organization.

Option: Audit log
Description: Displays an audit log of user and system actions, with links to the related scan information across the Bright web application. Each user sees only the log items within the scope of their permissions. For more information, see Managing Audit Log.

Create / Invite All Relevant Users to Their Organization

Description: This step should be performed by the administrator or skipped if you're entering an existing organization.
Status: Optional

Flow:

To start using the Bright app, you need to have an account. The account should be connected with an organization.

  • To log in to your existing account, visit the sign-in page and select an option from GitHub, Google, email, or use Single Sign-On (SSO) to join your organization. Bright supports Google, Okta, and Microsoft SSO options.

If you need more than 50 users, contact our support team for details. Each user must have a specific role. Bright allows users to select one preconfigured role or customize their own. Users can be organized into groups for easier administration.

To learn general information about user access and organization management, see the following links:


Create a New Target and Provide Its Access/Connectivity

Description: This step describes what a Repeater is and how to set it up.
Status: Optional

Flow:

The Bright Repeater is a scan proxy that provides a secure connection between the Bright Cloud engine and a target on a local network. The Repeater mode enables you to securely scan targets on a local network without having to allowlist the Bright IP address in your firewall for incoming traffic.

To learn how to start a repeater or set up a new one, see Managing Repeaters.


Configure Authentication Flow

Description: To interact with complex targets, you need to have a well-adjusted authentication flow. This step contains authentication descriptions and manuals.
Status: Required

Flow:

The Bright app supports six types of authentication:

  1. Recorded Browser-Based Form Authentication (RBBAO)
  2. Manual Browser-Based Form Authentication (MBBAO)
  3. Header Authentication
  4. Custom API Authentication Flow
  5. OpenID Connect (OIDC OAuth)
  6. NTLM Authentication

To learn how to configure the authentication flow, see the following link:

To learn more about the authentication types in Bright, see the following link:


Start a Discovery

Description: Map an application to discover its assets.
Status: Required

Flow:

  1. Choose and configure the discovery type (Crawler and/or HAR/API):
    The Bright app interacts with a target through entrypoints. There are three ways to supply entrypoints to the Bright app:
  2. Run the discovery and wait for the entrypoints to be listed.
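As an added illustration of the HAR/API discovery type described above (example code written for this page, not Bright's own implementation), the snippet below shows how a browser-exported HAR file is reduced to a deduplicated list of entrypoints: one entry per HTTP method and path, with query and JSON body parameter names collected and third-party hosts outside the scan scope dropped. The HAR content, the host `app.example.test` and the `cdn.other.test` asset request are all constructed for the example.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample HAR 1.2 export (assumption: this is what a browser would
# produce). It contains two requests to the same path with different query
# values, one JSON POST, and one request to a third-party asset host.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://app.example.test/items?id=1&sort=asc"}},
    {"request": {"method": "GET",
                 "url": "https://app.example.test/items?id=2&sort=desc"}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/login",
                 "postData": {"mimeType": "application/json",
                              "text": "{\"user\": \"alice\", \"pass\": \"x\"}"}}},
    {"request": {"method": "GET", "url": "https://cdn.other.test/lib.js"}},
]}})


def har_entrypoints(har_text, allowed_hosts):
    """Return sorted (method, scheme://host/path, parameter-names) tuples.

    Requests to hosts outside allowed_hosts are dropped so that third-party
    assets recorded by the browser never become scan targets. Parameter
    values are discarded; only the names matter for defining an entrypoint.
    """
    har = json.loads(har_text)
    seen = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.hostname not in allowed_hosts:
            continue
        params = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
        post = req.get("postData", {})
        if post.get("mimeType", "").startswith("application/json") and post.get("text"):
            try:
                body = json.loads(post["text"])
                if isinstance(body, dict):
                    params.update(body.keys())
            except json.JSONDecodeError:
                pass  # malformed body: keep the entrypoint, just without body params
        key = (req["method"].upper(), f"{parts.scheme}://{parts.netloc}{parts.path}")
        seen.setdefault(key, set()).update(params)
    return sorted((m, u, tuple(sorted(p))) for (m, u), p in seen.items())


if __name__ == "__main__":
    for method, url, names in har_entrypoints(SAMPLE_HAR, {"app.example.test"}):
        print(method, url, names)
```

Two entrypoints come out of the four recorded requests: the `/items` pair collapses into one GET with parameters `id` and `sort`, and the CDN request is excluded as out of scope.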

To learn how to create and configure a new discovery, see the following link:


Start a Scan

Description: Scan entrypoints to detect vulnerabilities.
Status: Required

Flow:

  1. Open a project and select existing entrypoints.

  2. Select tests:
    All tests are grouped into buckets to simplify scan configuration:

    • Client-side attacks: Attacks targeting client UI and client-side code.

    • Server-side attacks: Attacks trying to exploit server-side architecture and code.

    • API attacks: Attacks targeting API-based infrastructure.

    • Legacy attacks: Older attacks not widely exploited recently.

    • CVE tests: Passive CVE signature-based tests.

    • Advanced/Harmful attacks: Potentially disruptive attacks.

    • Business logic attacks: Attacks attempting to bypass application logic constraints.

    Note: To learn more about vulnerabilities and their remediations, see the Vulnerabilities Index.

  3. Run a scan and wait for the results.

To learn how to create and configure a new scan, see the following link:


Analyze Results & Improve the Configuration and Run the Next Scan

Description: You can export the findings and adjust future scans.
Status: Optional

Flow: